Hewlett Packard Enterprise continues driving CISA Secure by Design to protect enterprises against emerging threats

April 24, 2025 | Fidelma Russo, Executive Vice President & General Manager, Hybrid Cloud & Chief Technology Officer
In this article
  • HPE shares progress on Secure by Design nearly one year after signing pledge to transparently collaborate, encourage industry
  • Organizations must implement security at each phase of the software or product lifecycle to help minimize disruption from the most sophisticated cybersecurity threats

Nearly one year ago, Hewlett Packard Enterprise voluntarily signed CISA’s Secure by Design pledge. When committing to the pledge, companies are encouraged to share their progress one year on for the benefit of all. In that spirit, I want to give an insider’s look at what is outlined in the technical paper we published today and highlight some of our progress toward implementing the seven goals of the pledge. The pledge has benefited not only HPE but, more importantly, our partners and customers, valued suppliers, and the IT industry at large.

Costs from threats are on the rise

Cybercrime incurs both direct and indirect financial losses. Examples include system downtime, productivity losses, fines, ransomware payments, and decreased customer and talent interest due to reputational damage.

Combined, the costs of inaction are staggering. In 2025, the cost of cybercrime could reach $10.5 trillion annually. The global cost of cybercrime, which includes direct monetary losses as well as indirect losses such as reputational harm and lost productivity, is expected to increase to $13.82 trillion by 2028, up from $9.22 trillion in 2024. 

Going beyond software and hardware

The Secure by Design pledge calls upon organizations to prioritize security in every phase of the development lifecycle, from initial design to deployment and maintenance. By adhering to these principles, organizations can better protect their assets, data, and customers from potential cyberattacks. 

To mitigate the effects of rising security threats, organizations must commit to doing more than designing software and hardware products. And while advances in artificial intelligence (AI) and machine learning can help cybersecurity teams detect and respond more quickly to incidents, they also bring potential risks, such as adversarial attacks and biases.

To thwart the most sophisticated threats, security must be built in, not bolted on. At HPE, we incorporate security into existing processes, from auditing and testing, to patching and bug fixing, to communicating vulnerabilities and remediation with our partners, customers, suppliers, and technology partners. By creating teams dedicated to security, regularly updating our organizational governance to deal with ever-changing cybersecurity risks, and holding ourselves accountable to meet established criteria, we can more readily outmaneuver the most sophisticated cybercrime schemes.  

This is the approach we use at HPE, and we share it in the spirit of transparency so that others may learn.

Implementing security at each product lifecycle phase

In addition to incorporating security into end-to-end processes, organizations must implement security at each phase of the software or product lifecycle to help minimize disruption from the most sophisticated cybersecurity threats.  

One way we have demonstrated how we think of security from chip to cloud is with our latest HPE ProLiant Compute Gen12 portfolio of servers, announced February 2025. HPE Integrated Lights Out (iLO) 7 introduces an enhanced, dedicated security processor called the secure enclave. Designed from the ground up, this family of servers is the first with quantum computing-resistant readiness and the first to meet the requirements of a high-level cryptographic security standard, the FIPS 140-3 Level 3 certification.

HPE is committed to releasing additional products with quantum computing-resistant capabilities and helping customers secure their IT estates from increasingly complex cyberattacks, including malware and ransomware that are executed by bots and those who use AI to do harm. 

Our commitment to the pledge

We have made tremendous progress on the seven goals of Secure by Design. For a detailed review of our progress, see our technical paper. Highlights include:

  • Multi-factor authentication: GreenLake cloud platform offers MFA through Okta.
  • No default passwords: HPE ProLiant Compute iLO and HPE Aruba Networking Access Points have unique passwords assigned for each instance in the factory.
  • Reducing entire classes of vulnerability: GreenLake developer standards require all new components to be implemented in a memory-safe language.
  • Security patches: GreenLake cloud automatically applies security patches.
  • Vulnerability disclosure policy: Our Security Response Policy makes it easy for customers to report bugs, vulnerabilities, and any security issues detected throughout the lifecycle.
  • Transparency in vulnerability reporting (CVEs): Our official list of HPE Security Bulletins covers all CVEs that impact products affecting customers, including software and firmware and third-party components from other suppliers.
  • Gathering evidence of intrusion: Audit logs for infrastructure products include required controls that prevent personal information from being included, to safeguard privacy. GreenLake cloud offers 12 months of logs at no additional cost to customers.

Security milestones

For many decades, HPE has been committed to incorporating security into our organization and the software and hardware used by our customers. As far back as 1995, Hewlett Packard Labs added a dedicated security lab. Some of our recent notable security milestones include:

  • HPE Alletra Storage MP B10000 allows organizations to manage data without external exposure, making it ideal for mission-critical applications and regulated environments.
  • HPE Aruba Networking AI-based network detection and response (NDR) capabilities detect changes in network traffic patterns, connection status, or dynamic device attributes that are indicative of compromise.
  • GreenLake cloud continuously applies more than 2,200 separate security controls to protect customers and their data in real-time, addressing the expanding attack surface and securing the hybrid cloud environment.
  • HPE ProLiant Compute servers were the first industry standard servers with silicon root of trust to verify firmware updates.
  • HPE Cyber Resilience Vault provides industry leading ransomware protection with air-gapped and immutable data copies on secure hardware.

Call to action

Today we are publishing our technical paper, including our security governance structure and details about internal processes and controls. Going forward, we are committed to regularly sharing our insights and progress in this critical area. By being transparent, we hope to encourage others to commit to the Secure by Design pledge so that collectively, we can create more secure digital infrastructure across the globe.
