During National Cyber Security Awareness Month, I often reflect on a fundamental epiphany Cisco had a number of years ago:
Cybersecurity must be a part of everyone’s job.
Since then, we resolved to overhaul the way we approach cybersecurity in the products we produce and in our corporate culture, i.e., the “people” factor. In both cases, we were already taking major steps to protect our network, data, systems and products, but it wasn’t enough. We have dedicated ourselves to the goal of embedding security into everything we do – a dedication that not only impacts our internal operations enterprise-wide, but also extends to our customers, vendors and partners.
With a holistic model, security is no longer solely “an information security team thing.” Before we made the transition, it was common to hear statements like “information security is keeping us from doing what we need to do” and “we’re always seeking permission from the security team just to do our jobs” from employees. In essence, there was an “us against them” dynamic in play because we designated our information security team as the sole “owner” of cybersecurity.
That is no longer the case.
Instead, all of us own cybersecurity. From the new college hire to the C-suite, every employee participates in awareness and education programs to truly understand how best practices related to computer/device usage and product development affect our business. Specifically, we focused intently upon the two aforementioned areas – products and people:
Products: In evaluating how we could do cybersecurity better, we realized that we weren’t fully integrating security into our product development lifecycle. Instead of “bolting on” security after a product was built, we started baking it into our offerings. We knew that designing strong security features into our products and cloud services at every step of the process would make our products safer as a whole, thus adding value to them.
To support this goal, every product or cloud service Cisco ships goes through Cisco’s Secure Development Lifecycle (CSDL) process. This process ensures that from design to development, testing and delivery, security is baked in – not bolted on.
People: At the same time, we launched many programs to ensure all employees are security aware. We have numerous education and awareness programs intended to encourage a company-wide “security is my job” culture. Our “Ninja” program serves as a centerpiece. Everyone in our company has the opportunity to go through this training and earn “belts” – white belts for beginners, ascending to black belt status for experts. The training provides tiers of instruction that start with general security knowledge at the white belt level and become more role-specific as the training continues. To date, more than 35,000 of our approximately 75,000 employees have received white belts!
While security must be a part of everyone’s job, there must also be a leader. Within Cisco, our Security and Trust Organization plays a leading role in the implementation of a holistic approach to security. For us, it makes sense to bring previously disconnected areas together, and the results of this combination show. For example, the security measures that the developers incorporate into products are made significantly more effective when married with associated activities within our supply chain.
Today, there are more than 650 employees within the Security and Trust Organization who lead within Cisco. They work to ensure security is everyone’s job. Furthermore, they help us hold ourselves accountable for the trustworthy product development, security of our enterprise, value chain security, data protection, privacy and transparency that earn the verifiable trust of our customers, partners, shareholders and employees. Through that organization, we’re proving that – in all matters related to cyber defense – the unified “whole” is greater than the isolated “parts.”
We’re all in on cybersecurity at Cisco. It is not an afterthought; it is not just “something the information security team does.” Nor is it acceptable for it to be the source of internal “us against them” friction. Our employees are embracing the concept that security isn’t something to dismiss or work around. It’s what we do.
About the Author
Anthony Grieco is the senior director of Cisco’s Security and Trust Organization. Cisco is a National Cyber Security Alliance (NCSA) board member company.