As we wrap up National Cybersecurity Awareness Month in the U.S., cybersecurity continues to be a top-of-mind issue for business, government and consumers alike. In February 2016, President Obama announced a Cybersecurity National Action Plan to improve the United States’ cybersecurity posture. The non-partisan Commission on Enhancing National Cybersecurity was created and charged with making recommendations for actions that can be taken over the next decade to strengthen cybersecurity in both the U.S. public and private sectors.
The Commission has conducted a series of public forums in which they invited business, academic and government leaders to address cybersecurity issues. I was honored to be invited to provide testimony at a recent public meeting of the Commission. I focused my testimony on cybersecurity not as a standalone issue, but as an element of an intertwined platform of collaboration, function and security—a comprehensive security strategy.
A comprehensive security strategy demands an architecture that designs, deploys and monitors the right security in the right place at the right time. The key to doing so lies in addressing security across the value chain: the end-to-end lifecycle for hardware, software or services that deliver value.
I offered the Commission three foundational elements we apply at Cisco to build our value chain security strategy:
- Retain a third-party value chain member’s flexibility to deploy the right physical security, operational security and security technology, in the right stage of its own ecosystem. This allows for the proprietary innovation that our ecosystem members bring to the table.
- Apply a risk-based approach to the deployment of value chain security in order to ensure economic and operational viability. Namely, evade the pitfall of perfection being the enemy of progress.
- Avoid proliferation of certification or accreditation schemes or guidelines. Leveraging those already in place should allow swifter implementation, broader adoption and further security enhancement. These include standards such as ISO 27001 “Information Security Management,” ISO 27036 Part 3 “ICT Supply Chain Security,” ISO 20243 “Mitigating Maliciously Tainted and Counterfeit Information & Communications Products,” and NIST SP 800-161 “Supply Chain Risk Management Practices” among others.
These foundational elements allow an enterprise (public or private) to build a flexible security architecture for the value chain. Layering physical and operational security with security technology and development can allow value chain members to effectively collaborate and drive comprehensive security. Inclusion of value chain security across the third-party ecosystem can serve to increase assurances of cybersecurity within the context of the broader security strategy programs of business and government alike.
In a connected world that demands a comprehensive approach to security, a public-private partnership is an essential element for our collective success. The Commission has completed its public hearings and is anticipated to make its recommendations to the President on December 1, 2016. Full statements of those invited to testify are available on the NIST site.
To learn more about Cisco’s Value Chain Security Program, visit http://www.cisco.com/c/en/us/about/trust-transparency-center/built-in-security/value-chain-security.html.