Cisco Blogs

Imagine Our Collective Impact on Cybersecurity

April 18, 2018 - 3 Comments

I just had a heart-to-heart talk with a few thousand of my fellow security professionals at the RSA Conference. We had a lot to discuss. As I walked off the stage, I was thinking about all of the people in our industry who weren’t in attendance, and all those who aren’t in our industry, yet still should be aware. If you happen to be one of either of these groups, you deserve to know what we talked about. Actually, it’s imperative that you know.

In past years, and even in some keynotes this year, the messages we hear have been too similar. Despite our efforts, we don’t seem to be gaining ground. Organizations continue to be vulnerable to devastating attacks. Adversaries penetrate our defenses and their total addressable market rises, costing businesses and individuals trillions of dollars each year. Executives are losing their jobs and board directors facing potential personal liability are demanding more.

We’re just not doing enough. It’s our job — not just us security professionals, but all of us — to upgrade the rule of law, measure efficacy, build security above everything, and change the game. What is it going to take to change this dramatically? I shudder at some of the thoughts that brings.

Ok, that’s the bad news; but there’s also plenty of good news. Perhaps the best is this — we can do something, in fact, we can do many things. I feel the best place to begin is by envisioning the world we want, setting our intention, then get after it.

First, imagine a world in which we’re always ahead — able to anticipate our adversaries’ attacks globally because we can see them quickly, know how best to counter them and have the tools to get it done. To do that, we need to look beyond what’s right in front of us, beyond just our own perspectives and approaches to see what others around the world are doing and the positive impact they are realizing.

We have to ask ourselves if the measures they are taking will bring value to our own environments. The answer, in many cases, is “yes.” I have had the opportunity to exchange ideas with security and government leaders all over the world and I can assure you that we can learn a lot from what they’re doing — their perspectives and approaches.

Now imagine a world where we have the best security teams ever because they were built on inclusion and diversity, and their combined differences, broader skills and perspectives, produce safer and more secure organizations. Considering that half of the world’s population is female, yet only 11 percent of cybersecurity professionals are women, just think of what we could accomplish if we tapped into the other 89 percent.

Our adversaries are male and female, different ethnicities, different social backgrounds, and different nationalities. That means they may have the advantage. We need to even that playing field to be safer, and there are numerous programs that can help to shift the balance to us if we only take action to make a difference.

We’re going to change that. The Cisco Cybersecurity Talent Initiative is aimed at developing the most diverse talent pipeline possible. Cisco Networking Academy is transforming today’s brightest minds into a formidable workforce across sexes, ethnicities, and nationalities. The Multiplier Effect Pledge is a differentiator, where industry leaders can disrupt the status quo by sponsoring extraordinary job candidates with diverse backgrounds and challenging their peers to follow suit.

Finally, imagine a world in which trust is more than just a word. Trust is one of those ephemeral words – you know when you have it, and you know when you don’t. The lack of trust is preventing us from reaching our goals.

As part of the honest discussion we’re having at RSA this week is that the very systems that we need to trust right now — the global financial systems, critical infrastructure like energy, water and transportation, the telecoms, etc. — are the ones being attacked. We need to bring trust back to those areas and maintain it. It’s all about knowing that we can trust what has been built, the companies that built it, and that they stand ready to care about the things we do, and that includes Cisco.

Our trusted partners must consider your security not only their job, but their mutual responsibility. We need to demand more from our security vendors. From a technical standpoint, we need to insist on secure development lifecycles and completely secure value chains for every element that goes into their products. At the business level, we need to insist on better relationships, greater transparency, and complete accountability when things are good and when not.

So where does this all leave us? We’re at a historical moment in time and have a significant decision to make. All of us. We can stay on the same track we’re on now and continue to get the same results, or we can commit to blazing a new, different path — one that makes an impact and nets positive results.

We need to do more and must start doing some things very differently.

This isn’t a government problem… this isn’t a company problem… this is a set of world problems – the safety and integrity of systems, the protection of data, protecting life, building safety and security in.

If you’re wondering how to do any of this, here are a few ideas: Know thyself and thy adversary. Measure the time it takes to detect an adversary in our environments and continuously work to lower it. Demand more from our technology. Demand more from our workforce. Demand more from our vendors, including for them to prove why they should earn our trust.

Don’t settle; get angry at the problems, gain resolve and go. Don’t feel stymied by not knowing how to take action, what to do or where to start. Refer to the webcast of my keynote where I share a number of ideas and do your part.

Every positive action we take matters. I can’t stress that enough, and each step is vital. Our collective actions will enable us to break this cycle and change the trend line. It will help us to deliver greater impact, leading to better results. It will prevent me from delivering the same keynote again next year. More importantly for you all, it will spare you from having to listen to it.

Security above everything.


In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. We in the Security area are always playing catchup. Having a solid base on which to build is vital. Knowing how to avoid Buffer Overflows and ensuring input data is sanitized (and sanity checked) are essential, and easily done. One just needs to know about it, and perhaps apprenticeships or some form of standards based qualification should be mandatory for all software creators (commercial or open source) – just because you can write software easily does not mean that you should – without knowing some of the pitfalls.

  2. Changing behaviors is difficult from any aspect, but with security we seem to have a bubble around are heads. Businesses and even consumers often fail to take it seriously until a direct impact. Taking security seriously can avoid those impacts. You are correct, we all need to step up.

  3. Things will not get better until there is the proper incentive, and the only incentive that will change things is liability:

    Dan Greer on software liability – the relevant section starts at about the 26:00 mark, text below:

    "[Software vendors]… must live with normal product liability,
    just like manufactures of cars, blenders, chain-saws and hot coffee.

    How dire the consequences, and what constitutes "used normally" is for your legislature and courts to decide, but let us put up a strawman example:

    A sales-person from one of your long time vendors visits and delivers new product documentation on a USB key, you plug the USB key into your computer and copy the files onto the computer.

    This is "used normally" and it should never cause your computer to become part of a botnet, transmit your credit card number to Elbonia, or copy all your design documents to the vendor. If it does, your computer's operating system is defective."
    3. Source code liability — CHOICE

    Nat Howard said that "Security will always be exactly as bad as it can possibly be while allowing everything to still function,"[NH] but with each passing day, that "and still function" clause requires a higher standard. As Ken Thompson told us in his Turing Award lecture, there is no technical escape;[KT] in strict mathematical terms you neither trust a program nor a house unless you created it 100% yourself, but in reality most of us will trust a house built by a suitably skilled professional, usually we will trust it more than one we had built ourselves, and this even if we have never met the builder, or even if he is long since dead.

    The reason for this trust is that shoddy building work has had that crucial "or else …" clause for more than 3700 years:

    If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death.
    — Code of Hammurabi, approx 1750 B.C.

    Today the relevant legal concept is "product liability" and the fundamental formula is "If you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes." For better or poorer, the only two products not covered by product liability today are religion and software, and software should not escape for much longer. Poul-Henning Kamp and I have a strawman proposal for how software liability regulation could be structured….