Feature Story

Securely Speaking: A Conversation with Chris Young

A conversation with Chris Young, SVP of the Security and Government Group, to discuss critical issues of the day as well as Young's first 12 months at Cisco.

For companies, a data breach can result in an incalculable dollar amount of brand destruction and loss of sensitive and proprietary information. Yet, many individuals fail to observe security best practices on a daily basis (for example, creating "1234" passwords).

Identity theft can be just as devastating to individuals' personal lives. However, many people convince themselves that cyberfraud always happens to someone else and never to them—until it is too late.

As Cisco moves more and more services to the cloud and as employees BYOD (Bring Your Own Device) to work, education and awareness around security and mobility is more imperative than ever.

With National Cybersecurity Awareness Month winding down, the CEC News Team caught up with Chris Young, SVP of the Security and Government Group, to discuss critical issues of the day as well as Young's first 12 months at Cisco.

Young, who joined Cisco from VMware in November 2011, is responsible for Cisco's overall security strategy and the integration of the company's product security and cybersecurity into one platform. He oversees a team of more than 2,000 employees combining the Security Technology Group, the Global Government Solutions Group, and Cisco's own security operations team into a single entity.

Security is one of Cisco's top foundational priorities. Under Young's leadership in this area, the company is intently focused on developing industry-leading security products and solutions, and managing a cross-portfolio security strategy and architecture.

Chris Young at-a-Glance

In November 2011, Chris Young joined Cisco from VMware, where he served as SVP and GM, responsible for strategy, products, engineering, and delivery across all of VMware's end-user computing solutions.

Previously, he served as SVP, Products at RSA, the security division of EMC. He built the company's identity protection and verification business, which today protects more than 200 million online accounts.

Young has also served as VP of safety and security premium services for AOL, and he founded and served as president of Cyveillance, a technology provider leveraging search technologies to help companies manage business risk.

As an expert in topics related to information-centric security, Young is a regular speaker at security industry events. He has also testified in front of the U.S. Senate Judiciary Committee on the subject of cybersquatting.

Young holds a bachelor of arts degree, cum laude, from Princeton University and a master's degree in business administration, with distinction, from Harvard Business School.

Cisco: You're approaching your one-year anniversary at Cisco. In the past 12 months, what have you learned at Cisco—both about the company itself and how Cisco approaches security as one of its foundational priorities?

Young: I came to Cisco because I believe that we have a unique opportunity to deliver security end to end for our customers. Increasingly, our customers are frustrated about their overall security posture. They are struggling with how to secure mobile devices, applications in the cloud, and their most sensitive data.

Cisco's strong position in the network and the data center put us in the unique position to deliver a solution that really helps our customers tackle the problem. Cisco has tremendous security expertise and capability across the company, and right now we are working to bring those teams together to go after the problem holistically.

Executives across the company have shown their support, and while we still have work to do, the momentum is building.

Cisco: What is Cisco doing to address the ever-changing threat landscape and to integrate more effective security into our own products?

Young: Cisco's advanced research team of security experts continually monitors the ever-changing threats and market landscape to provide both security warnings on vulnerabilities and mitigation solutions that are delivered directly through our appliances.

We see nearly 30 percent of daily email traffic globally across our email appliances and we see tens of billions of daily web page requests across our web gateways. We have one of the world's largest sensor bases for security, and we are using that to our customers' advantage in many cases.

By analyzing vast amounts of real-time data across a spectrum of traffic, including web, email, network, cloud, and endpoints, Cisco is able to identify and deliver critical, real-time security updates to network and security devices. This helps protect organizations from threats as they are occurring, and provides reputation-based information in order to significantly enhance the accuracy and effectiveness of local tools analyzing network traffic.

Even our internal security team will tell you that since they implemented our Web Security appliances, they are saving money, seeing fewer infected machines and have improved our overall security posture at Cisco.

Cisco: In advance of the Secure Data Center launch in September, you went on a security tour to meet with external stakeholders. What were the main themes and discussion points that emerged during and after that tour?

Young: Today, data centers are under pressure from multiple angles. It's widely understood that the data center sits at the core of IT and therefore is key to how IT can deliver service and value back to the business.

One angle of challenge to IT in the data center is coming from the business, because the business itself is under pressure. Companies today are facing a more competitive environment where speed of innovation is important. This means that the ability to do more with less—and faster—is increasingly important.

Then you have the technology trends that are driving change. Cloud, for instance, has fundamentally impacted IT with all the associated risks that come with it. With the increase in data—whether big data or video—more opportunities exist to leverage data for business intelligence. However, this has caused a huge spike in the past in energy, which is why power and cooling is one of the key challenges data center managers face.

Finally, more employees choose to bring their own device and IT is beginning to recognize both the risk and the opportunity. Within those data centers our customers are running their mission critical applications and storing their sensitive information. Therefore, they are looking for Cisco and others to provide security solutions that protect that information and those applications. Our new security offerings for the data center will help our customers provide better security for their applications and data.

These are the main themes that have emerged as we've talked to the CIOs and CSOs who are expected to solve business challenges by leveraging these trends.

Cisco: October is National Cybersecurity Awareness Month. With October winding down, what are the most critical reminders for employees during the other 11 months of the year?

Young: I would say the most important thing is to be aware—educate yourself on the basics of cybersecurity: keeping your operating system updated, run up-to-date antivirus software, use strong passwords and change them frequently.

One piece of advice I always give to people is to use a different browser for banking and sensitive transactions than you use for general browsing. Don't allow that browser to accept cookies or javascript. It's not foolproof, but practices like that can certainly cut down on your risk of a malware infection.

Cisco: The holiday shopping season is quickly approaching, and each year more and more people shop online. What best practices should employees remember in order to avoid cybercrime?

Young: In the busy holiday season, online shopping offers tremendous convenience. But we need to balance convenience with some basic precautions. Your personal information is like cash to scammers, so make sure you know to whom you are giving this information. If you need to create an account with a merchant, use a strong password, and don't use that password for any other accounts. You'll also want to be sure the merchant site is using SSL—look for the ‘s' after the https or the lock symbol in your browser. And with all those accounts you set up, remember that reputable sites will not ask you to confirm your password or credit card information over email.

It may seem like a waste of time to read a merchant's privacy statement when you are caught up in last-minute shopping, but before you submit an online order, take a look to see how your personal information will be used and what the merchant will be collecting. In a nutshell, think of your personal information as money and be careful where you spend it.

Cisco: Related to the previous question, explain for employees how security at work and security in their personal lives are inextricably tied together?

Young: There are many examples where work and personal security are starting to blend. Social media sites are becoming a part of our daily routine and we use them in our personal lives and at work. Part of the fun and benefit of social media is staying in touch with your friends, colleagues (present and former) and family and sharing information. But it can be difficult to validate the security of these third party sites and services. You may access a compromised social media site from a Cisco device, opening the door for a malware attack within our corporate network or the loss of our proprietary information. Keeping up with friends and family is fun, but keep your Cisco family in mind, too. Think before you click, whether on your own device or on a Cisco device, because the results may impact both.

Above all, stay familiar with the Code of Business Conduct and Information Security policies. These documents provide guidance on how to navigate the blended personal and work environment that we are starting to see.