Cisco's Chief Security and Trust Officer John N. Stewart talks about his career in security and some of today's biggest challenges.
February 23, 2017
As Cisco's Chief Security and Trust Officer, John N. Stewart spends much of his waking hours thinking about security, hackers, and how to assure customers we're there for them.
We recently spoke with John about how a movie inspired his career path and the security vulnerabilities that keep him up at night.
Focus Magazine: Your title is Chief Security and Trust Officer. What does that mean?
John N. Stewart: In the evolution of the computer security industry – and I've been in it for 29 years – you had generally a head of network security, then it was head of information security, then it was maybe chief security officer, then there was chief information security officer, and then perhaps chief risk officer. Trust officer is a somewhat rare addition to the title.
A few years ago, Cisco was going through some pretty challenging times where there was a considerable number of questions being asked about our proximity and cooperation with governments or lack of cooperation with governments. In essence, some were understandably worried that maybe we were close to the United States government and might have put in backdoors in our products, or were allowing law enforcement officials to tap into communications, or we were reducing the cryptology effectiveness of something we built. So I was asked, essentially, to formalize and assert the trust principles for Cisco.
The team and I are charged with the electronic protection of Cisco, and that's inclusive, by the way, of the online properties that we run on things like WebEx as well as the traditional systems that we have in our data centers. I took on the mantle, almost seized the mantle perhaps because nobody else had, of assuring that engineering was following – and is following – a development life cycle that includes security checks for everything we build. I have a personal commitment to be directly affiliated with a number of government leaders to help assure them on our trustworthiness as a company. It also so happens that more and more countries are putting cyber as part of their national strategy, partly related to digital, partly just related to the attacks and the worries that most countries are now having, and I have always been in a role like that, as has my team.
John Stewart talks to David Ulevitch, VP/GM of Cisco's Security Business Group about the findings from the Cisco 2017 Annual Cybersecurity Report.
Focus Magazine: How did you get interested in IT security?
John N. Stewart: It basically started when War Games came out in 1983, and Matthew Broderick was talking about the ‘Whopper' and computing. It was a fascinating movie, and I was like, ‘wow, is that really possible?' I was already using computers for a few years by then. Since the statute of limitations has expired on this, I can share that I was figuring out ways to copy software illegally at the time because I didn't have any money. I mean, we grew up without a lot of extra money, and there might have been a computer at a school or a library, but it's not like I could afford all the software.
So that spark was lit, but the real 29 years and beyond started at eighteen when I went to college. I was at Syracuse University when the Robert Morris Jr Internet worm launched in 1988, and I happened to be lucky enough to be working in the computing center at the time because Syracuse was the "hub to the spoke" of Cornell on the Internet in those days. The worm broke out at Cornell, and then it essentially blew SU up pretty fast. Nobody really had an Internet security conversation going on at the time, but I'd been generally interested already in the broad topic. Candidly, I just immersed myself in all things ‘online security' and my interests and passion grew from there.
Focus Magazine: You're probably like a lot of people in the security business who became a hacker to stop the hackers.
John N. Stewart: I totally believe that you have to have a little of it in you to be super-effective at the job.
Focus Magazine: How long have you been at Cisco?
John N. Stewart: I've been here actually twice; I first joined in 1994, left in '97, and then returned in 2002. In the ‘94 to ‘97 phase, there wasn't a corporate website, a software download center, a self-help tools site on the web, and there were a few of us that basically put all of that online, including the e-commerce site, a software center, the help tools, the documentation – the whole shootin' match.
Focus Magazine: How many lifetimes ago does that feel like?
John N. Stewart: Many! In fact, I sort of laugh because saying it now you think, ‘you mean to tell me Cisco at some time didn't have a website?’ I mean you almost don't believe it; most people thought Cisco was born with one.
Focus Magazine: How much has IT security changed in your career?
John N. Stewart: The seriousness of doing it well has gone up linearly with the criticality of the systems and the information that companies of all types are having to assure or protect. That's definitely changed quite a bit.
Additionally, it's gone from the security geek in the back room, to a security team that oftentimes were viewed as a pain in the neck to most other people in a business because they were considered the ‘no' group, to this kind of current phase where many companies have got IT and security teams working very collaboratively and are ratcheting up to today's mode where security is actually a business requirement.
The IT guys also used to be the geeks in the back room, and now they're becoming essentially the empowered team of running the company. I still have a little geek in me, though I'm not as geeky by any stretch.
It used to be a technology conversation. Now, to really be really good, you have to at least appreciate world affairs, politics, legal requirements, and you have to have a little business experience. There's this heterogeneity of disciplines that you have to include into your thinking that wasn't there when I started.
Focus Magazine: What are some of the biggest challenges to security?
John N. Stewart: I think one of the biggest challenges that security has had – and still does have – is that a solution today might actually be your problem tomorrow because of the creative nature of humans to find weakness in solutions. It's actually easier to break than to fix, tear down than build, and those corollaries definitely apply for cyber.
The second one is that the consequence factors are not in proportion to you having to be successful. You could electronically attack me. I may never know who you are, how you did it, then you may never have any consequences, yet the company has to deal with the consequences of it, from a shareholder and customer perspective. So the consequence factors are a bit out of whack. We're not able to have the balance that says you may not want to do that because people are going to break in your front door and put you in handcuffs. That's not true today... at least not enough.
The third, I feel, is that for the most part historically, we've been worried about information being stolen or illegally copied, or some sort of service being disrupted. Now we have to worry about something that actually is destructive and comes and wipes systems clean and could take days, weeks, months to resolve if it got really out of control. That keeps you up at night, because most of the systems are run on detection. This has to be about prevention, because if not, something really bad could happen.
Last, it's difficult for anybody – including security professionals – to keep up with the speed that new challenges arise in this domain. To keep up with the pace of it is one of the hardest parts of this industry.
Focus Magazine: What can people at home do to be more safe and secure online?
John N. Stewart: Everybody should visit staysafeonline.org. And to every person who uses technology: when you see that little note on your phone or on your computer or television that says, ‘hey, new software is available...’ and you wonder if you should upgrade? Upgrade! Yeah, it's going to disrupt your life for all of four minutes. Sorry, you're not going to be able to do a Facebook post for a minute. Very often, the reason they're coming out with those security fixes is because someone's already using it against somebody else.
Help others and learn from others too. If you're lucky to have your parents, often, at least at this stage, they will know less than you do. And your kids, if you're lucky to have them, more often than not, may know something you don't. Your parents need to know about protecting their identity. Your kids need to be aware that just because they think they're talking to somebody online that's their age and a friend, doesn't mean they are. This is not about paranoia; it's about being aware of the risks so that you can do what you want to do while making the best, safest choice. My kids are now 23 and 17, but for a long time, they didn't have social media. As I overheard my son put it to one of his friends: ‘I don't have that. My dad's a security guy.' Sorry son... welcome to being born as my kid.
Question: What work are you most proud of at Cisco?
John N. Stewart: I'm proud of the number of great people that have worked in our organization and the ones that work with us today. We've got an outstanding group of people that have in some cases extended out and have helped to make the world a better place... sometimes for Cisco in another organization; sometimes for Cisco customers; and sometimes as a Cisco customer or for some other part of the industry. My team fights bad guys every day, shares what they know with our customers, and then gets up again tomorrow to do it again. They're just amazing.
I'm proud that we have the best security company in the world. That was one of my goals when I came back. It's largest by revenue, largest by breadth of offer, and, with all humility, definitely the most effective one for enterprise customers, bar none.
I'm proud of the fact that we have trust principles as a corporation, that we hold our head high and hold ourselves accountable when things go wrong, and that we're transparent about it. We show up first to help and then figure out the rest later. Sometimes it's money we have to figure out later, sometimes it's contracts, but we're always there to help. We will always be there for our customers.
I'm proud that we walked the walk on diversity. We have some incredible programs for Women in Cyber, and my leadership team and I really worked at gender diversity. I'm proud of that and the numbers show we really can change things, and by the way, still get better than we are.
The final piece of what I'm really proud of is that we took it upon ourselves – without and frankly before our customers started telling us – to do secure development for everything that Cisco builds. It's not that we were demanded to do it, and we certainly weren't forced into it through regulation, or market, or laws, or penalties. We took it on ourselves to start it because it's the right thing to do. It's now been almost ten years after we started that customers are beginning to look for it, so we got ahead of a couple of curves.
Focus Magazine: What do you do when you're not staying up late thinking about security?
John N. Stewart: I love being outdoors, be it working in my yard or skiing up in Tahoe. I'm also a part owner of a winery and a wine label, so another obvious passion of mine is wine.
But in the absence of all of that, it's where creativity and learning intersect where you'll probably find me. It could be creativity for making food. I love cooking for the same reason. I'm endlessly curious. Though I won't necessarily remember everything I learn, I like learning something new every day. I'm also, now, comfortable including being highly uncomfortable. In my work and play, I'm constantly around really smart people that know exactly what they're doing. And those times when I'm learning something and I don't know what I'm doing, I actually enjoy being uncomfortable. The uncomfortable part is not the fun part, but the fact that I can learn something from people is a nonstop journey for me.