Ecosystem team-ups multiply security weaknesses, says Cisco


The digital transformation is impelling companies to grow their partnering ecosystems, leaving data vulnerable not just in their own infrastructure, but in each of their partners’ too, according to Edna Conway, chief security officer of global value chain at Cisco Systems Inc.

“As we digitize, we embrace more and more members of this third-party ecosystem and that adds an inherent complexity,” Conway said.

She recently spoke to Stu Miniman (@stu), host of theCUBE, SiliconANGLE Media’s mobile live streaming studio, at SiliconANGLE’s Boston, Massachusetts, studio to discuss the far-reaching security impacts in a rapidly expanding ecosystem that includes Internet of Things. Conway shared data and insights on how companies should look to leverage technology, operations and people to solve the threats facing business. (*Disclosure below.)

Many technology companies are moving away from single hardware or software products toward solutions or platforms that combine elements from many different partners, she said. Cisco, for instance, a company many associate with networking hardware, is increasingly wading into software-led solutions and services.

This approach is all about serving customers who have complex needs that require multi-pronged solutions. “Take that platform of looking at the customer first and then begin to think about integrity,” Conway said, describing Cisco’s work securing its value chain and those of its customers.

“The concerns, ironically, of the security community are actually the concerns of the customer base,” she said. Namely, these are automation and, especially, simplification of security.

Customers are also sick of butting up against security when they try to implement new technologies, she added. A whole bustling ecosystem of partners may have different or even conflicting security protocols, which could jam the entire process of collaboration.

“That leads us to a path of trying to drive a singular architecture and pervasive security,” Conway stated.

Getting on the same page

In the short term, the drive to better security might mean an agreement among a particular partnering ecosystem to be consistent across security standards and procedures. The importance of getting all partners on the same page with security is paramount, Conway said.

“We’re hovering around 80 percent of the breaches being due to third parties when they’re attributable,” she stated.

It is in the interest of every company in the ecosystem to have a comprehensive and lucid security strategy, so it should be an easy sell to get them on board, she added.

Cisco examines threats from third parties, such as manipulation, espionage and disruption. This is its first strategy. “And then we break it down to a set of exposures and an architecture that makes it something that is useful and can be deployed across the entire ecosystem itself and allows us to reach out to the enterprise partners who own the commercial relationships with those third parties,” Conway said.

Picking your battles is the first piece of advice on securing the ecosystem, according to Conway. “Determine who the key third parties are in your ecosystem — it’s a daunting task if you say ‘all.’ Key — it’s a risk-based approach,” she said. Then, bring them into the fold in a collaborative and mutually supportive way. “We’re engaging with them in an architecture that says, ‘We’re doing this together,’ rather than saying, ‘You caused this.’”

Companies need not tell their partners how to go about meeting the security standards in a granular way. Some of them may have best-in-class security teams, so why not give them elbow room, Conway said. Assessing against these standards ensures that everyone is hitting the mark and is essential to keeping the house clean, she added.

“If you’re doing it really well and now you’re making security part of business, you actually blend security into the methodology by which you’re measuring that supplier or partner’s performance,” she said.

In fact, once security becomes consistently and effectively integrated across the ecosystem, companies can confidently market their high security standard to customers. “I think we know we have success when security starts to build in business. It becomes a differentiator,” she said.

New security world order

And for the long view in security? “I think we’re going to see a de facto standard of care imposed on this,” Conway said. Much like the healthcare industry has the Health Insurance Portability and Accountability Act, cybersecurity will develop universal or near universal standards that companies cannot wriggle out of, Conway stated.

Actually, regulations and legislation are already present in cybersecurity, though not to the same stringent degree as HIPAA in healthcare. But a different and more pervasive code will become the norm in coming years, Conway explained. Something akin to the way negligence and malpractice are immediately understood by doctors, patients, legislators and regular citizens will take hold, she added.

“What I’m talking about is a business and societal baseline standard of care around security that’s going to be expected of us,” she said.

Cisco is continuing to work with governments and public-private partnerships around the world to move the needle forward on security standards. The Cisco Annual Cyber Security Report is out now. More info on Cisco’s security efforts is available at Trust.cisco.com.

Watch the full video interview below. (*Disclosure: Some segments on SiliconANGLE Media’s theCUBE are sponsored. Sponsors do not have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE