Customers Deserve Transparency to Manage RiskContributors: Russ Smoak
Our commitment to customers is to be open and transparent, especially as it relates to issues that could negatively impact their business. At Cisco, our leadership made the decision over twenty years ago that we would clearly communicate with customers about technical or other issues that could potentially expose their organizations to risk. It is one of the many ways we act as a trusted partner to our customers. Over those last twenty years, our team and security vulnerability process has evolved to meet customers’ needs. Ultimately, we want our customers to have the information they need to protect their networks.
We get called out from time to time about vulnerability disclosures we make. Yet… our policy remains unchanged: when security issues arise, we handle them openly and as a matter of top priority, so our customers understand the issue and how to address it. To fulfill this promise we follow a strict process to manage the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco solutions and networks.
With that in mind, we’d like to address some of the most common questions and misconceptions we hear from our customers and the media about our vulnerability disclosure process.
What is a vulnerability and how are they identified?
A security vulnerability is an unintended weakness in a product or service that could allow an attacker to compromise the confidentiality, integrity or availability. Cisco invests significantly to proactively discover vulnerabilities, and as a result, two out of every three vulnerabilities disclosed in a Security Advisory are found internally. However, that leaves one out of three still on the table, which is why we have a Product Security Incident Response Team (or PSIRT), a global team dedicated to investigating and reporting vulnerabilities around the clock. In addition to our own teams, Cisco collaborates with independent researchers, industry organizations, vendors, customers, and other sources related to solution or network security. Regardless of how they are found, all vulnerabilities are investigated and publicly reported per our policies.
How is the severity of a vulnerability classified and reported to the public?
If a vulnerability is found, we follow a well-established, trusted disclosure process for public reporting. There are several ways our customers can receive the latest security vulnerability information from Cisco. To classify vulnerabilities, Cisco uses a vendor neutral, industry standard method to evaluate the potential severity, determine the urgency, and priority for response. With vulnerability types ranging from informational to critical, we take a conservative approach when it comes to disclosing vulnerabilities that may heighten risk for our customers. What may be considered medium to the industry could be business critical to some of our smaller customers in different verticals.
Why does Cisco disclose so many security vulnerabilities?
We recognize security vulnerability publication and remediation is disruptive, and our goal is always focused on reducing the number of vulnerabilities (more on that below). With that acknowledgement, it is vital to remember a few factors that drive the purpose behind our vulnerability disclosures. Most importantly, we have a high bar for transparency. It may appear that we disclose more vulnerabilities than our industry peers…because we do. We publish internally found, medium security vulnerabilities with a goal of helping customers understand and manage their risk. This is different than nearly every peer in the industry because we believe it is in the best interest of our customers.
What does Cisco do after it fixes a vulnerability?
We tag every vulnerability with a Common Weakness Enumeration, a category system for software weaknesses and vulnerabilities. This tagging system helps us spot trends across our broad portfolio of over 600 product lines. We use this information, and root cause analysis, to build specific programs that add either technology, process or policy enhancements to our Cisco Secure Development Lifecycle. This cycle of continuous improvement is central to doing better by our customers.
Over the last twenty years, Cisco has demonstrated that we walk the walk when it comes to the handling and disclosing of vulnerabilities that effect those who use our solutions. We will continue to do our part. We will continue to use a holistic security approach beginning when a solution is conceived, developed, manufactured, and deployed. We will continue to provide the resources necessary, so our customers know what they need to do to safeguard against cyber criminals. Regardless of how the world of cyber threats evolve, our customers can count on our commitment to be transparent. In this manner, we can manage risk together.
Do your part.
- Ask your technology vendors their policy on vulnerability disclosure. Do they disclose internally found vulnerabilities that might jeopardize your security? Do they have an incident response team that aligns to industry standards?
- Any person or organization that is experiencing a product security issue should contact the Cisco Product Security Incident Response Team. We highly recommend all our customers be aware of Security Advisories and stay current to protect their networks. For more details on Cisco’s commitment to transparency, be sure to visit the Trust Center.
- The security landscape is constantly evolving. That is why organizations should have a strategy for cyber resilience in place to regularly safeguard their assets and data from threats.