Cisco CSO: Enterprise Security and the Global Value Chain (CxOTalk #356)

Cybersecurity and information security are
complex and crucial topics. That’s why we’re speaking with one of the
world’s experts. She’s going to explain the issues to us around
security in our hyperconnected world, Edna Conway from Cisco. Edna, welcome to CXOTalk. Well, thank you so much for having me, Michael. I think it’s an interesting topic. You know, as Cisco’s chief security officer
for its global value chain, I think it’s an opportune time to really have a conversation
about the fact that we live in a world of “we.” There is no longer a “them” and “us.” That’s how we live today. I love that. We live in a world of “we.” Edna, what does that imply for security? It implies both challenges and opportunities. When you think about the world in which we
reside today, and when I say “reside,” it really is at an individual level, at a government
level, and at an enterprise or business level. We are all utilizing platforms, third-party
services, and devices that enable us to work, live, entertain ourselves, feed ourselves,
and do a host of other things. What we may not be doing quite as well is
embracing fundamental principles of how we expect those services and devices to behave. We often say when we’re raising children,
“When you’re going to go out on the street, you need to look both ways.” How do we teach the children who are digital
natives to actually thrive, not survive but thrive in a connected world? That’s the challenge
that we all have. At a business level, it takes it up a notch
to a different set of environments than those we utilize individually. Edna, how do we even begin to approach the
complexities of this very important topic that literally affects every single one of
us today? You know there are many approaches that you
could take. Let’s talk about one that certainly I and
others in the industry have utilized and Cisco has a serious commitment to thinking about
things comprehensively: a unified architecture approach; a way to think about pervasive security. When you think about what I do, and let me
elaborate on that a little bit, I’m a little bit different than what you might hear from
a chief information security officer who is thinking about securing the information, data
flow, and technology that enables the exchange of information inside of an enterprise. What I’m doing is thinking about securing
the offers that we have for our customers. All of us have that at any business level. What do those offers consist of? Well, they might, for some of us as they are
at Cisco, be hardware or they might be software. They might be services. They might be cloud offers. We begin by thinking, if we want to secure
our enterprises, we also need to secure what we deliver to our customers. As individuals, we are those customers. Sometimes, as enterprises, we’re customers
of other enterprises. Start there. One, who am I serving as a customer? Two, what am I delivering to them? Then you get into the nitty-gritty, the really
exciting part, and the challenging part. Who is part of what I’ll call the third-party
ecosystem that at any point during the lifecycle of any one of those things that we are offering
to our customers? Who are they and what are they providing to
us? We could talk a little bit more about that,
but I want to make sure that we understand the fundamental premise of who are they and
what are they doing for us is where we start. You should elaborate on that. When you say, “Who are they and what are they
doing for us?” explain and keep it brief because I want to
go into that third part about the ecosystem, which is, I think, where the world starts
to really change. Let’s use a consumer example. Imagine you’re buying a connected refrigerator. There’s a brand name on that connected refrigerator,
without a doubt. Right? You think that’s who you’re dealing with and
that may be true. They are part of who they are. What are they providing to you? They’re providing a refrigerator. Well, a refrigerator’s purpose is to keep
things frozen and to keep things cool. But you might ask, “Well, it’s connected. It’s connected through my Internet service
provider in my home, but where are they keeping the data? How are they connecting? Who is managing that data?” Better yet, if it’s a connected refrigerator
that you can integrate with your mobile phone that takes pictures, that lets you see that
you don’t have eggs anymore in your refrigerator while you’re out at the supermarket, the reality
is you also want to begin to say, “Who is hosting that data, who is keeping the pictures,
and who has control over the access?” That might be a series of folks who are actually
not the OEM from whom you purchased the refrigerator. Your title is value chain, Chief Security
Officer for the Global Value Chain. When you talk about all these different components
of where is the data traveling, where it is coming from, where is it going, and where
is it residing at every step of the way, is that the value chain? What’s the term that you would use for that? Is it ecosystem? What’s the term? The value chain is the set of third parties
who are at any point in any stage of the lifecycle—remember, I live in the information communications technology
world, so the lifecycle of ICT—any of those third parties who participate, whether virtually
or physically. Let me give you some examples. Imagine the lifecycle starts with the first
idea you have for a new product, a new solution, or a new feature set in your code or a new
offering that you’re going to put up on the cloud and invite people to become tenants
of and utilize. Then you start to think about how you’re going
to plan around that and how you’re going to order what you need to deliver it. Then you start to source what you need in
order to deliver it. Then you actually make it. Make could be, make hardware in a factory. It could be, make in developing the code and
bringing in third-party code modules. It could be, make; I’m building a data center
and I’m building a cloud offer that’s going to give you compute or storage capacity. Now, I’ve designed and developed it with a
first idea. I’ve planned and ordered. I’ve sourced and I’ve made. Fantastic. You still haven’t given anything to your customers. You then, actually, have to deliver it. How is it delivered? In what modality using what kind of technology? Sometimes, it may be delivered because it’s
tangible via transportation. Then, after it’s delivered, how is it going
to be utilized by your customer? How are you going to service it? How are you going to support it? At some point, how are you going to end-of-life
it, whether it’s to shut down access to a tenancy on a cloud or take back tangible equipment
that has been used for a period such that it now needs to be replaced with new and more
innovative technology? That’s the lifecycle. The value chain is all of the people as well
in that third-party ecosystem who are involved. I’ll give you an example. Somebody who could be in the lifecycle is
a third-party cloud service provider who provides storage capacity for your cloud offer. It could be somebody who provides integrated
chips and circuits for what you’re building. It could be somebody who is actually providing
logistics, warehousing and transportation services for your tangible equipment. It could also be a third-party licensor of
their software that you’re embedding into your code to provide features and functionality
that they deliver in your overall software solution. The value chain is this complex and very often
hidden, with a lack of transparency in many cases, set of actors all along the way. Is it that value chain or could we also, say,
more imprecisely, use the term ecosystem that brings the complexity and the real challenge
to modern security? I think there’s complexity in how we design
and develop ourselves as well. If you look at some statistics, and we can
all mine them, and there are wonderful sources out there, but if you just look, for example,
at the data that comes out of the Verizon incident report, the breach report every year,
I’ve evaluated that over the last nine or ten years. Let’s be honest. We can’t always attribute a particular incident
to a particular actor. But when we can, we’re talking about almost
a decade. We’ve hovered between around 72% and close
to 80% of the time it comes from a third-party. We’re not necessarily moving the needle. The third-party ecosystem is growing. We’re actually connecting to more and more
of them, so we’re doing better but we’re growing the denominator of the fraction. While I don’t want to, in any way, minimize
the importance of secure development in your own enterprise practices, thinking about who
those third parties are and what you expect of them is absolutely fundamental to ensure
you can look at a customer and say, “You know what? I value our customer relationship. Most importantly, I want you to,” here’s the
big word, “trust. Trust me as a provider. Trust my processes and, in order to earn that
trust, I am embracing the third-parties in my ecosystem to make sure what I’m delivering
to you is safe, secure, and free from a host of threats,” that we can talk a little bit
more about today. Arsalan Kahn, on Twitter, says that it seems
like the notion of the security value chain is similar to supply chain, the concept, only
involving data. Lots of people use value chain and supply
chain in the same ways. From my perspective, the supply chain is actually
a subset of the value chain. For many enterprises who actually deliver
services or products and make them, there is a fundamental supply chain operations organization. It is not just about data. Supply chains make things like drugs, like
vehicles, like Cisco gear. There is a supply chain that supports the
infrastructure for your enterprise. Please understand that it is a great question
and let me clarify. It’s about hardware. It’s about software. It’s about data infrastructure and it’s about
offers that sit out there on the cloud. It’s about all of it. We can’t think about it in isolated patches. Edna, you spoke about trust and we’ve got
all of these partners in this chain of the creation, the movement, the storage of data
and going across silos that previously were not traversed. Tell us about this concept of trust. Trust is earned by looking at least with regard
to information and communications technology; looking at your customer and saying, “I have
a plan. I have an architecture that focuses on fundamental
threats.” What are those fundamental threats? There are three, in my view, only three. They’re enormous. They are worthy threats for our attention,
but there are three. We want to make sure that the information
and communications technology we use, whether tangible or virtual, is actually free from
any kind of manipulation. No one has altered it in a way other than
we authorized or intended it as the providers of that technology. The second real fundamental threat is espionage. We want to make sure, whether it’s a nation-state,
an individual, an enterprise, or an industrial actor, that the information that passes, is
stored on, or is actually computed on our information and communications technology is
not observed by those other than the individuals, enterprises, or partners who we intended to
see and use it. Then the third one is actually disruption. We want to make sure that what we’re relying
on is not going to be disrupted by an equipment failure, by a breach of software, or any other
effort. We can talk a little bit in a little while
about what that means in a world where information technology and operation technology are converging. Three threats: manipulation, espionage, and
disruption. Okay. That seems on the surface. How do we penetrate, to use a security term,
these domains in order to get under the surface of the implications of what you’ve just said? I think it’s reaching out your arms and coming
up with a flexible and elastic architecture that you can use that allows you to have a
conversation with and validate the practices utilized by the members of that third-party
value chain. You can imagine that because they’re different
and, in fact, in some cases very diverse, what you ask of them and what you might expect
of them would be equally very divergent. Not every security requirement can actually
apply to every third-party. I’ll give you an example. If I am talking to somebody who is providing
me with third-party software, I’m going to talk to them about specific code practices,
perhaps penetration testing, static analysis, dynamic analysis. I’m going to do a host of evaluations. I’m going to talk to them about what their
vulnerability triggers are and what their patch process is. If I’m talking to somebody who is making me
a printed circuit board on which other components are going to be placed by somebody else in
the ecosystem, I’m going to talk to that printed circuit board supplier about what they’re
doing to secure access to the information about my highly proprietary circuit board
plans and designs. In fact, in that world, the highest amount
of intellectual property is retained inside something called Gerber files. I’m going to have specific discussions and
goals about securing Gerber files and who can see them, use them, and access them. If I asked somebody who was providing anything
else other than a printed circuit board about Gerber files, I’ll be honest, Michael, with
you. They might actually look at me and say, “I’m
not sure what you’re referring to,” or they might look at us and say, “Well, gee. I heard there’s a Gerber food company. Why are you talking about that? It’s baby food, isn’t it?” We need to understand our colleagues that
are involved. This can be done with one flexible architecture. The way we’ve chosen to do it is to have 11
fundamental domains in our architecture but then actually write goal-based requirements
and those goal-based requirements are customized based on the nature of what that third-party
partner provides to us. All of a sudden, we’re in sync as we’re talking
about what’s being delivered. Number two, another important point that I
said there are goal-based requirements. Sometimes the best way to achieve security
is to let those with whom you are partnering deploy security in the way that best suits
their business and their operations rather than saying, “Do it this way.” How about, “Achieve this goal. I may be agnostic as to how you achieve the
goal, but I want the goal to be achieved and I want to be able to validate that the goal
has in fact been achieved”? Can you give us an example of that because,
at a high level, of course, that’s the right way to work with partners, in general, and
employees as well if you trust them and you think they’re capable? Give us an example in the security world. A couple of examples; let’s think about it
in terms of, let’s talk about information and access. How are you deploying role-based access control
in your organization? Does everybody need to see everything? Absolutely not. We all learned when we were children in school;
the best way to keep something a secret is to not tell a lot of people and make sure
you understand whether or not the person you’re telling it to is “trustworthy.” How do you assess that? You assess what their practices in the past
have been, what their behavior patterns are. Do they have a way of writing things down
on a piece of paper and putting them in a secure location? These are the kinds of criteria that you look
at for role-based access control, which is absolutely essential. Not everyone needs to know everything or see
everything; the number one practice in a secure, hyperconnected world. You might do something really different with
somebody who, for example, is running a manufacturing floor. In that case, you might say, “What I really
want you to do is have the realities of physical security.” Let’s talk about what pervasive security means
because lots of people think information security operates in a vacuum. It does not. Security, as we sit here today in a hyperconnected
world, is one that is requiring a layered approach. I’ll ask a question. Do any of us actually connect to the Internet
simply by taking a sip of a beverage or breathing in? No. We still use devices. When you think about that, that means that
what we need to do is think about physical security, operational security—so we’ll
go back to that manufacturing floor—information security—without a doubt is there at the
table, but it is a piece of pervasive security—as well as behavioral security because we all
know that the ticket to success, in many cases on security, is educating our humans. The problem with security is that often we
have talented humans who seek to either do harm or those who are not well educated and
inadvertently and non-maliciously engage in behavior that causes security problems or
breaches. Let’s go back to the manufacturing floor for
a minute, Michael, because that’s very different than what we talked about with what we would
do with software. I might say, “I want to know who you let in
and out of the factory. Does everybody need to go into every part
of the factory? How do you segregate that? How do you deal with the parts that are going
to go on, for example, a printed circuit board assembly that is absolutely critical, manipulatable,
and contains a high percentage of intellectual property? I’m hoping you deal with those in a very different
way. Let’s talk about that.” You can, in a nonprescriptive way, say, “I
want them separated. I want you to inventory them. I want to know when they’re used. I want to know when they’re scrapped,” because,
as we all know, counterfeit is a risk of those threats. Counterfeit frequently comes from the mining
of scrap. Those are examples of what you would ask of
that manufacturer might include different things than what you would ask of that software
supplier. All of these components need to be in place,
but I would imagine that that is dependent upon the partners’ resources. In fact, Arsalan Kahn again comments on Twitter. He says, “What about when you’re dealing with
smaller companies that don’t have the resources?” How do we manage that? We live in an imperfect world. It is an imperfect world, and there are lots
of ways to do it. They are equally imperfect but we are striving
to do it. Some are international standards. Some are setting baseline requirements. I’m sitting here today in Massachusetts at
a facility that Cisco has here, having brought together members of something called the Charter
of Trust, which is something that we are a part of. It is a private-private partnership, no public
in it. We are looking together at what we call ten
fundamental principles of trust. We have been deeply working on what we call
Principle II’s focus, which is securing the digital supply chain. When you think about the fact that, in that
whole ecosystem, you might have small and medium businesses, that architecture can be
flexibly deployed. Here’s a glaring example. Imagine that some facilities that are large
enterprises might have things like biometric controls and integrated role-based access. A smaller facility might actually have a human
guard with a clipboard with a set of pictures of the four people who are able to go into
a particular area and do work there. One might sound more sophisticated than the
other. But if implemented correctly, the more traditional
way and the cheaper way, which might work for a small and medium business because it
doesn’t have to scale beyond the four individuals who can walk into that room and do specific
work, is perfectly acceptable. I think what we need to do is look at private-private
partnerships and public-private partnerships. You know here in the U.S. the DHS has been
looking at a lot of effort to think about securing and minimizing risk around our information
and communications technology value chains. When we look at that together, what we always
keep in mind is the full spectrum of the size of an enterprise and the volume of complexity
in individual resources that all of us have to bring to bear. Streamlining it to, what are the five or six
things that you can do that are the most risk improving is really a useful and helpful way
to think about it. Start small. Start fundamental. Build from there. Again, a lot of this has to do with the fact
that data is traversing silos that previously it did not. Can you explain why does that dimension add
complexity to all of this and what are the kind of silos, data silos that are being broken
today? When I say convergence, we have been seeing,
for years, critical infrastructure and hardcore industrial controls operated in an environment
that was often separate and isolated from information technology environments. But when we bring those two together, things
like IoT devices, let’s think about sensors, perhaps, that are now connected to the operation
of a piece of functional industrial equipment and, in fact, linked to an ICS SCADA system. We’ve got supervisory controls that work in
industrial environments with an information technology connected to the Internet overlay. Fabulous efficiencies. People can know when machines need to be repaired. They can know when they are not performing
up to par. You can do that real-time, perhaps, as you’re
walking a factory floor on a mobile device. Here’s the risk that we now need to think
about. We are traversing, to use your word, silos
that were often, in fact, not only separate but frequently the reference was air-gapped. They were not even physically connected. Now, a breach through the IT can actually
serve as an attack surface to get into the functional operational equipment. What we need to think about is actually a
new day and age of partnership around pervasive security. We need lots of experts at the table to think
about this together because frequently IT people don’t speak operational technology
and vice versa, but we can come together and develop a new lexicon and new practices and
understand one another better. I’ll give you a glaring example of that if
you remember years and years ago when we first came up with quality control. Quality management systems today, when you
speak of them, everybody goes, “Yes, of course.” Well, I remember a day and age when people
put out banners that proudly displayed that they were a 9001 certified facility and company. Today, that’s part of doing business. We are at the precipice of utilizing the vast
array of hyper-connectivity to change the way we actually experience life, work, enterprise,
and operations, but we need to speak with one another in a new model. There are still new, burgeoning standards
that are growing and both the private and public sector needs to be at the table at
all sizes: small, medium, and large. We have a couple of questions, some really
good questions, from Twitter. Zachary Jeans asks a question from a different
perspective, from a business perspective. He says, “How has the movement to open office
floor plans and the breaking down of business silos negatively impacted organizational security?” That’s a fantastic question. Isn’t it? It’s a great question. We’re talking about data silos and he’s talking
about business silos and cultural silos. What’s the impact on security of that? If you think about the way humans behave in
productivity, we all have different styles. There has been this move to and there’s been
much written about it, I might add, the open floorplan, which is designed to really allow
simultaneous collaborative creativity. The downside of it, when you think about it,
is you also need some time and space to think. We all have laptops, I suspect, or some kind
of device. What happened with that was, you now see the
privacy screens that go on our screens, right? We’re all sitting there because we know that
within probably about a four-inch perimeter from our eye lens, there is probably someone
else who has the capacity to view that same screen. Yes but, hey, spies are everywhere. [Laughter]
Well, the other thing is, it may just be you don’t really want somebody to see what you’re
writing or it might be, I’m working on something that is a merger and acquisition potential
and the last thing we want is that information to get out into somebody’s hands because somebody
is going to engage in insider trading as a result of it. How do you deal with that? I think it requires something that all of
our parents raised us with, sometimes a little degree of common sense. Depending on what you’re working on, we all
have open enterprises with what are called audio privacy rooms or certain work that you
can only do in certain places. But the question is one that I do think is
very important and it’s also why role-based access control in an IT system is fundamental
because you can only get into that which you need to know in order to perform your function. I’m the chief security officer for the value
chain. I do not need to get into the HR tools. I do not need to see people’s salaries. I do not need to see their healthcare information. “Are you enabling collaboration in a physical
way in an open business environment and, simultaneously, leveraging technology or other practices to
close down some of the security risks that might arise because of the new models?” is
what we ought to be thinking about, so thank you so much for asking that question. Edna, thank you for your insightful answers. We have another question. Again, this is from Arsalan Kahn. Arsalan Kahn is on a roll today with another
great question he has, which is, “You’re talking about security architecture. Where does security architecture fit or not
fit with enterprise architecture?” The reality is, enterprise architecture is
a little bit different. I think security is a fundamental part of
the enterprise. When you’re thinking about enterprise architecture,
you’re thinking about your business holistically. What am I doing from a risk and brand perspective,
from a people management perspective, from an actual enticing the right kinds of people
and getting them to stay? That’s an enterprise type of question. There are more, plenty more. What I think we want to do is, we want to
start to have security at the table with business. I’ve been on a journey for the last probably
15 years to get security compliance, sustainability, and risk to actually speak the language of
business so that, rather than being the outside experts who say, “Do this, that, and the other,”
let’s have a set of goals that we want to achieve together that actually feed the business. What I’ve seen over the last, for sure, five
to eight years is that security can become a business differentiator and it can be absorbed
into your enterprise architecture. It can also be embraced as part of your enterprise
risk management. It is one of many risks. When you become part of the enterprise family,
you are at the table. You are thought of consistently in every aspect. I think they are different. It is a great question because it recognizes
that security is not the end-all and be-all. It is a way to bring safety and security to
our new operation or operating models as individuals and to make decisions. But, ultimately, an enterprise has its own
architecture. Continuing then on this theme of security
and the business, this is CXOTalk, so let’s talk about the boards of directors and the
relationship of the board to security. How does that work? How should it work? Michael, you and I have chatted about this
briefly. I think we’re seeing a move in boards slowly
to embrace diversity, but I’d like to challenge all of the enterprises out there to think
about, what is the diversity of thought that you need at that governance table? What does it look like in 2019, and what does
it need to get us to where we’re going to be in 2030 and beyond? I’ve seen a trend that is slowly changing
where, look, you need people who have had P&Ls. You need people who have been CEOs, people
who have been CFOs. These are fundamental, core functions within
an enterprise that need to be at the governance table to guide, to ask the right questions. Remember, when you’re at a board, you’re not
the operator. You are governing and guiding. What I think we need more of is, we need to
see security and risk practitioners at the table, at the board level, to bring that kind
of perspective to the enterprise management so that we are thinking about branching off
into a new division, a new product portfolio, a new service. Fantastic. What does that look like? What is the total available market? How are we going to approach it? Is there a geographic way in which we’re going
to approach it? Here’s a novel thought. If you have a risk person sitting at the table,
they’re going to sit there and say, “Well, where do we want to start? Do you want to start where the largest TAM
is or do you want to start where the lowest risk is? If it’s high IP containing, do you want to
put it into a market where there’s high respect for IP or a place where there’s low respect
for IP, which brings a whole other degree of risk? If you’re going to go everywhere, what is
the blanket of security that you’re going to deploy because you’re the first to the
market, you know there are going to be fast followers, and you don’t want to be eaten
alive? That’s a board-level conversation. If you don’t have the right people sitting
at the table thinking about that, fundamentally, then you’re missing the opportunity to gain
the richness of diversity of thought and you are also missing the opportunity to give guidance
in a far more broad and meaningful way. What advice do you have to security professionals
to gain the expertise, the business expertise, so that the board will call upon them to participate
in these governance conversations that you’ve just described? I think we, in security, need to embrace other
areas of expertise as we think about our security community. I can think of folks who are renowned in the
security area who may not necessarily have started out as technical and may still not
be the most technical folks. When you bring great communicators, great
legal minds, or great folks who can think about operational practicality, then you have
a security community that automatically learns how to speak the business language because
they have business partners as part of their immediate family. It’s not like we’re teaching them something
that already isn’t innate. Right now, we have all seen the statistics
with regard to the absence of available talent in the security arena. Perhaps what we ought to consider doing is
embracing those who have the capacity to learn, bring their own unique expertise, and begin
to—I’m going to use a harsh word here—invade security into the mindset and operations of
everyone, then we will see people like myself. My undergraduate degree is in Medieval and
Renaissance Literature. It doesn’t really have the ring of security
to you, does it? No, that’s definitely not a career path I
would have predicted. [Laughter]
[Laughter] We have this opportunity to not only bring other disciplines into security,
but we also have to start as security professionals to understand what matters in business. At the end of the day, we all have stakeholders. We all have shareholders, public/private NGOs,
and governments have, in essence, shareholders. They’re called the citizenry of the nation
that brings to the coffers of the government, through their tax dollars, the ability to
serve those citizens. What we need to do is understand what that
language is. It’s fairly easy if you do a rotation. Send somebody who has only done information
security to go do a six-month project in a factory or to work with a finance person more
closely in the course of developing something new in their infosec arena. What you will see, whether in a collaborative,
open workspace or in a private room is an inevitable growth in synergy and a sharing of
language and the ability to speak with and for one another. Then you walk into that board ready, capable,
and speaking the right language. Can you put your finger on one or two things
that are the common issues you see all the time strategically that companies should just
doublecheck? Know with whom you’re working. Understand what they’re doing for you. Make sure you know who has access to what
and determine whether they need to have it. Embrace your workforce both directly as well
as your value chain partners to ensure that they understand what your mission is, which
is to deliver to customers the highest integrity, the highest quality, secure and safe services
and solutions, and bring their expertise to the table and work on it together. Edna Conway, thank you very, very much for
taking your time today to be with us on CXOTalk. My privilege. We’ve been speaking with Edna Conway. She is the chief security officer for the
Global Value Chain at Cisco. Before you go, please subscribe on YouTube,
hit the little subscribe button at the top of our website and sign up for our newsletter,
and tell a friend. Thanks so much, everybody. I hope you have a great day. We will be back next week with another awesome
episode of CXOTalk. Take care, everybody. Have a good one. Bye-bye.
