What Every Company Must do to Safeguard Business Data and Resources

John N. Stewart discusses essential security practices

April 9, 2007

News@Cisco spoke with John N. Stewart, Cisco vice president and chief security officer, about how security issues are getting more severe, and what organizations can do to safeguard valuable business assets. As the head of the Cisco Corporate Security Programs Organization, Stewart provides leadership and direction to multiple security teams, strategically aligning with business units and the IT organization to generate leading corporate security practices, policies, and processes. The following is a modified excerpt from a News@Cisco podcast interview with Stewart. (The podcast is available at: http://newsroom.cisco.com/dlls/podcasts/audio_feeds.html#MP3_040907).

"...every security program has to start with awareness and education. You have to start by training people. Especially with cyber security, it is a constant learning process, and we all need to stay ahead."

John N. Stewart

Are security threats getting worse, and if so, what are you most concerned about?

John N. Stewart: Attacks are getting more sophisticated. We grew used to the idea that a virus or worm was the metric of how good or bad our information security was. That was the old age of 'how fast can I write a virus that spreads, doesn't do any material damage, per se, but gets out there and is reported in the newspaper.' These were not necessarily fatal—they were designed to be seen. And it worked, because virus and worm threats got everyone's attention.

Today, we have moved into an era where stealth and targeted attacks are the greater problem. It's a focused adversary in electronic espionage and insider threats. These aren't new, but they are taking a different form. We are seeing targeted attacks directed at particular companies, almost tailored to their infrastructure, designed for their people or processes—and it is happening because so much about that company is public. These attacks are designed to infect and stay quietly under the radar, then at some given time, take valuable information out of a company. There is far more malicious intent than what we have dealt with in the past.

What security practices do you recommend for enterprises, and why are these important?

John N. Stewart: I believe that every security program has to start with awareness and education. You have to start by training people. Especially with cyber security, it is a constant learning process. You have to be ready for business changes from a security standpoint. For example, there are more people requiring remote access than ever before, which means you have to take the right steps to protect your organization. It is vital that organizations improve education and make their teams aware of new security issues and risks.

At Cisco, we talk about what happens, about real-life scenarios, how we protect information that is sensitive, and then review what's happened in the last 90 days and 180 days. Every Friday morning, more than 30 executives at Cisco get a voicemail briefing about what happened in the last seven days—it lets everyone know if there is an area of concern that we need to address. Executives become the biggest advocates in making sure that we do whatever is necessary to fine-tune our best practices. It is something they embrace. It is also important to make security a top priority for all employees in the organization.

At Cisco, your focus is on the enterprise. What recommendations can you offer to help medium and small businesses start thinking about security differently?

John N. Stewart: Small and medium-sized businesses are affected by security issues, just like enterprise customers, but they have fewer resources to manage security by themselves. Often, the IT person becomes the security person. We are entrusting the most sensitive operations of the business to systems and network administrators and database administrators; yet we think of IT as a cost center, a place where maybe we could reduce costs. In fact, these people have tremendous responsibility and the work they do really protects a great deal of the company. You absolutely must invest in your people, so that they know how to work through the issues. This involves a great deal of education and training, which never stops in this industry.

What approach should organizations take when planning for security?

John N. Stewart: First, don't put off planning for security, because it's not worth the risk to wait until next quarter or the one after that. More companies are treating security as a risk category, asking how much do I have at risk, how much do I want to counter that risk, how much risk do I want to take? There is no one default answer, because it is situational.

A philosophy at Cisco is to plan for something going wrong, and then work hard to make sure it doesn't. Because inevitably, at some point, it will. Many companies have learned to be prepared to respond to threats, and not avoid them. This is absolutely the crux of crisis management—to relate back to the plan for a crisis once you're in it.

How does security influence business strategy?

John N. Stewart: At Cisco, we take a holistic approach, so that security becomes engrained in the culture. I talk with many of my colleagues and we discuss our roadmaps. The roadmaps may differ, where an area of risk for one of my peers will be different from mine or the next person's. But the fact that we are marching steadily down our path, handling certain risks in a certain time frame, shows that we incrementally demonstrate the progress of mitigating the risk. This is invaluable. I hope we are getting to the point where security is becoming a natural part of our culture.
