Cisco Blogs

No Such Thing as Implicit Trust

February 19, 2015 - 6 Comments

News has not been kind to US headquartered technology companies over the past year.  From an erosion of faith because of a company’s geographic location, to a series of high profile breaches that are calling into question trust in your IT systems. Technology providers and governments have a vital role to play in rebuilding trust.  And so do customers—who need to demand more from their technology providers.

In my recent trip to Europe, and speaking to some balanced, thoughtful, and concerned public officials, it got me thinking.  Why do we trust the products we use? Is it because they work as advertised? Is it because the brand name is one we implicitly believe in for any number of reasons? Is it because the product was tested and passed the tests? Is it because everyone else is using it so it must be okay? Is it because when something goes wrong, the company that produced it fixes it? Is it because we asked how it was built, where it was built, and have proof?

That last question is the largest ingredient in product and service acquisition today, and that just has to change. Our customers are counting on us to do the right thing, and now we’re counting on them. It’s time for a market transition: where customers demand secure development lifecycles, testing, proof, a published remediation process, investment in product resilience, supply chain security, transparency, and ultimately – verifiable trustworthiness.

We saw some of this coming, and these are some of the principles I hear customers mention when they talk about what makes a trustworthy company and business partner. Starting in 2007, with a surge that began in 2009, we’ve systematically built these elements into our corporate strategy, very quietly, and now we want the dialogue to start.

I’m challenging customers to take the next step and require IT vendors to practice a secure development lifecycle, have a supply chain security program, and a public, verifiable vulnerability handling process.

I recently recorded the video blog above discussing what it means to be a trustworthy company.  I hope you will share your thoughts and experiences in the comment section.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Hi John,

    I’m a journalist in Australia. This is probably not a question for your department, but why is Cisco not developed interfaces for the latest OSX on Mac?

    This is perplexing for journalists wishing to work remotely given the number on Mac platform.

  2. the recent threats like Shellshock , hacking in to the SIM cards at industrial scale , putting malware in Hard Disk Firmware (no one ever know that is possible) show that there is no way to make sure one vendor products/solutions is immune to threats VS the other vendors. It also shows that you cannot judge about a vendor corporation with advanced players in APT domain because those companies are American. but for me as Information security professional I am looking for IT company that can show me and my customers the way to find that we are compromised and give us solutions to mitigate the risks. always loyal to Cisco because of its value and great solutions but after those accusation against Cisco products I am under constant pressure to move away from Cisco (but I don’t do that and show them threats landscape are far from what they think) and replaced those large , robust , well designed , with cheap , poor features products from unknown vendors. I see some good response from Cisco to let their customers know about the threats and mitigation techniques (Like Cisco IOS/IOS XE integrity assurance documents) but those are not enough at all. we need some integrity tools to built in the software/hardware , more technical documents (like what Cisco did in recent Cisco Live 2015) and other ways that show Cisco is going address those threats.

    • Thanks for the response Ali. We believe that we just need to say what we will do, do it, and then prove it as the best way to do it. So, we’re doing just that with all the efforts in Trustworthy, and there’s definitely more to come.

  3. This brings to mind John Chambers comment that there are two types of companies. One who have been hacked and the other who have been hacked but dont know about it yet!
    Esp with ioe security is the new buzzword.

  4. I could not agree more with the comments on transparency. That’s the key to making sure that failures are brought to light as quickly as possible (fail fast) and remedied.

    What I wonder is how the fact that Cisco is doing the right things and leaning in to this problem can be contrasted with other companies in an easily digestible way. Determining which companies are being honest and attempting to implement security mechanisms is such a huge lift for any consumer and/or integrator of technology. While transparency makes checking under the hood possible, it is still a huge undertaking to analyze even a single technology from a single vendor. This is only exacerbated given the myriad of technologies that must plan in concert to accomplish seemingly basic tasks these days.

    I just wish there was a ubiquitous trusted vetting source out there that could really offer that quick insight into a company using sound, secure development principles. I realize the complexity and diversity of software makes implementing a catch-all, standardized approval mechanism extremely difficult if not impossible, but even offering simple guarantees ( i.e, a sticker denoting that all DiT is encrypted) might be enough to spur consumers to make better purchasing decisions and therefore put pressure on the producers to be more sound.

    Regardless, glad to see that Cisco is doing more than its part to help bring these issues to light!

    • Thanks for the comments Brian. I believe trust and designing it all in is a differentiation for Cisco. I feel confident our customers don’t want the cheapest solution; they want assurance and integity given the implications. They want to know that the company they buy from at least TRIES to avoid security issues. That’s the business we’re in, and that’s how we’re going to change this world.