Baking Security into the Culture at Cisco – A Tip of the Hat to the Security Knowledge Empowerment Team

November 4, 2011 - 2 Comments

“Security must be built into every aspect of our systems architecture and be seamlessly compatible with our business architecture.”

– Rebecca Jacoby, Cisco Chief Information Officer

When Cisco’s CIO Rebecca Jacoby and I agreed that security would be built into every aspect of our IT systems architecture, we knew this was no small task. To some degree, security requirements were bolted on, not baked in, and what “security” meant was different from person to person in our organizations. We knew that we had to raise awareness and knowledge about security—not just among the security practitioners in our IT organization, but also with the IT generalists and those architecting applications and systems. That way, systems would be designed and embedded with security from day one.

Realizing the scale and magnitude of the task before us, I went looking for the right person to drive this effort to raise awareness and champion the importance of “baking security in” to our IT initiatives. With her 24+ years of security experience, Michele Guel, together with Brook Schoenfield and Vinay Bansal, formed any leader’s definition of a “dream team.”

Indeed, the team was recently honored by the SANS Institute with a National Cybersecurity Innovation Award for their efforts. While Michele Guel (in picture below, on the left) accepted the award, she would be the first to acknowledge that it was a cross-functional team effort, and the fact that the whole organization understood the importance of security and embraced the effort is what led to the success of the program.

Michele, and the others, devised a program that would ensure that security was not going to be just a check-box item, nor an onerous task best left to the “security guys.” When the team was done, they had achieved a widespread understanding that security is something to build in from the start and not something to bolt on after the fact.

The program, Security Knowledge Empowerment (SKE), was designed to provide security exposure, education, and experience for Cisco’s internal IT staff. It was delivered via classroom instruction, based on SANS Security Essentials, with individual and group mentoring and shadowing, and a security specialist working closely with each student.

While the cost in time (up to 180 hours per student during a 3-month period) and money ($2499 each for SANS GSEC material and certification) was significant, we at Cisco strongly believe in investing in the development and growth of our people. This philosophy is particularly important with our internal IT groups. We also believe that a holistic, systemic approach to security—one that starts with our people—yields the best results. Because of the scale of what we have to accomplish with limited resources, investing in the proper course of action up front has always paid off in the end.

At Cisco, we try to provide examples for our IT team in which things work properly. We are deploying SKE to IT architects, engineers, and program managers throughout Cisco, and our senior security architects actively share the program with customers, partners, and other organizations. While all of these actions require additional effort, we believe these extra steps help distinguish Cisco as a trusted security partner from just a “good enough” security vendor.

Read more about the Cybersecurity Innovation Award in today’s press release from the SANS Institute. Once again, congratulations to Michele Guel, Brook Schoenfield, Vinay Bansal, and the rest of the team for driving this effort.



  1. So you send your security people on security training. Spend tonnes of money with SANS…and they give you an award.
    What about your voice engineers? Route Switch? Wireless?
    No, they just get no training and carry on doing what they do!

    • (really?),
      If you know SANS well, which I do since I was there when it began out of FedUNIX, they are a peer review organization that comes to a POV on rewards based on input beyond their own. re: my voice engineers, route/switch, wireless… the SKE program is about IT architecture, not security-specific practitioners, so all of the teams are eligible for training, certifications, and support. It's also about community contribution, which it sounds like you agree is a good idea so I expect you will be contributing to improve it.

      thx for the comments, j