Cybersecurity: What Needs to Change Now
October is National Cyber Security Awareness Month in the United States. This year’s campaign emphasizes cybersecurity as part of a deliberate strategy and a shared responsibility, not just a checkbox item.
At Cisco, we believe two key things must change in the security industry. First, we need to acknowledge that security is a strategy, and one that senior leaders in all organizations must embrace and own. Second, IT vendors—and all other vendors that are now embedding information technology in their offerings—must produce products, services and solutions that customers can trust.
Given Cisco’s global security footprint, we see a lot of data on Internet attacks, infected websites, malware, and actor activity. This gives us unique insight into what is affecting businesses, including our own. We’ve had the opportunity to be “on the ground” for every major breach in the last couple of years, with team members of mine on site helping the people who need help.
This has added to our insights on the state of cybersecurity and we’ve noticed increasingly sophisticated tactics from malware authors and online criminals over the past several years. Recent Cisco security reports detail hackers’ progress in the shadow economy, along with security professionals’ fight to stay ahead of the adversaries.
What’s new and disturbing is the growing ability of threat actors to compromise systems and evade detection. In the first half of 2015, hackers’ calling card is their willingness to evolve new tools and strategies—or recycle old ones—to dodge security defenses. Through tactics such as obfuscation, they are slipping past network defenses and carrying out their exploits long before they’re detected—if ever.
Two things to change for better cybersecurity
In commercial or privately held companies, it is no longer acceptable to put cyber risk in one risk bucket with every other type of business risk. So the first thing that needs to change is to require senior leadership (boards, CEOs, executive management) to manage cyber risk as a separate category altogether. For now, it needs that level of attention.
Because cybersecurity itself is largely unknown to most board members and executive officers, an investment in having knowledgeable sources – such as law enforcement or private experts – participate is the key. The industry must start managing cyber risk very differently than the other risks boards are accountable for. In essence, we have to throw out the playbook. The way we’ve been addressing risk over the past two to three decades doesn’t work in the current landscape.
Boards urgently need to educate themselves about cyber security. To start, they should be asking these specific questions:
- Which threats are relevant to our business?
- What’s connected, how does it work, what are the critical services, and who runs it?
- Is cyber part of the plan and, if so, who is accountable for it?
- Do we have a formalized response process and capabilities?
- Do we have a disclosure process that we follow?
- What are our law enforcement and government relationships?
- Is our system of controls equal to the risks?
- What else do we need to know?
CEOs must understand cyber risk much like they’ve understood financial risk to date, and like they’ve understood business risk in the context of business operations. And CIOs must be able to articulate all of this in a meaningful way. They need to be able to say, “Here’s how we’re approaching it, and why we’re approaching it this way.”
Demand verifiable trustworthiness from IT vendors
To that end, Cisco created the Cisco Secure Development Lifecycle (Cisco SDL) to ensure that security is central throughout the entire product development process. Cisco SDL is a repeatable and measurable process we’ve designed to fortify the resiliency and trustworthiness of our offerings, allowing our customers to deploy high-quality products that they can trust. Increasingly, enterprises worldwide require trust to be integrated throughout the product lifecycle of the solutions they deploy, based on a transparent and open culture at the supplying company, including its policies, processes, value chain and partners. This is the second change that will make a significant difference.
Implicit trust is a thing of the past. In today’s environment of constant change and digital disruption, assuming trustworthiness is no longer acceptable—we require verifiable, trustworthy network architectures built on secure software and secure hardware backed by prudent value chain security practices.
All of this isn’t easy, but it’s essential. At Cisco, we are committed to securing and protecting our customers and their data. We take active measures to safeguard the security and reliability of the network, and we adhere to a secure development lifecycle (SDL) in the development of our products and services. And we go to great lengths to protect the security of our value chain.
This is what it takes to create and deliver trustworthy products. In an increasingly digital age, we’re seeing security and trust becoming a critical part of the procurement decision.
These days, trust may be the last word that comes to mind in connection with the Internet. This must change. Trust must be established at the top and must run all the way through the product lifecycle. Business leaders must take an active role in cybersecurity and accept accountability. Cyber Security Awareness Month is a great start, and to progress even further we must translate awareness into action. Looking ahead, we must make sure that our infrastructure, processes, policies, products and services have the flexibility, transparency and trust to address the challenges of tomorrow.
I invite you to explore what Cisco is doing to provide the trust and transparency needed for its customers to manage risk at our Trust and Transparency Center.