There is no easy answer for securing a global workforce of 75,900 employees.
It's a challenge Cisco contends with daily, enabling a distributed remote workforce without compromising the integrity of a secure network.
CIO Dive spoke with Steve Martino, SVP and chief information security officer at Cisco, to learn more about how the company's security strategy has changed as Cisco has shifted toward delivering services.
Martino joined Cisco in 2007, and became CISO in 2011. He leads Cisco's security strategy, navigating risk in an environment where threats are ever-present and human error is assured.
CIO Dive asked Martino five questions.
This interview has been lightly edited for clarity and brevity.
CIO DIVE: What kind of pressure is Cisco facing with securing products and working with cross-company teams?
MARTINO: The overall mission of security and trust is to work across the enterprise with all parts of product engineering, product operations, IT, supply chain, human resources, etc. We have a corporate role to partner with the business in four areas.
No. 1 is every product we build. Is it built in a secure way? Is it designed in a secure way? Is it coded in a secure way? Is it manufactured in a secure way? Is it shipped in a secure way?
... There's a bunch of product capabilities that we sell to our customers in the form of a software delivered service or cloud. So our second mission is make sure all of those are built and operated in a secure fashion.
The third mission is, we run a $50 billion corporation. We have a number of IT systems and services that we deliver to our employees. Some of those are customer facing, like ordering tools, or those kinds of things...
The fourth mission we have is to ensure that all of the data that we have — whether it's employee data, customer data, partner data, entrusted data — that if the customers are putting [data] into our services or platforms, is that secure? And are we aligning to the privacy expectations of our customers, and of the various countries and regulations that we have to comply with?
How do you prepare an organization for the inevitable — that bad events are going to happen? How do you insure against that with different stakeholders, whether that's customers, shareholders or even just internal business units?
MARTINO: I feel lucky — I guess I'll use that word — or fortunate, that our CEO has created our company mission in a way that clearly calls out the importance of security. Our mission is that we securely connect everything to make anything possible for our customers.
By saying 'we securely,' it puts a mindset to the company that everything we do must have a security element, we must be thinking about it. That really helps me in my role align the company around the security imperatives that we must be doing.
... No. 2, I think security is a team sport. Cyber is a team sport. It's not me, policing, me doing everything to protect the company, I have to get everybody in the boat with me. Whether they're building products or they're building IT systems, or they're designing processes, business processes.
If they can partner with us and think about it that way, then we're going to have all the oars rowing in the same direction at the same time. We do that through establishing partners.
So in engineering, our product organization, we have security advocates. Their job is, they're part of that organization. They're building products. But their job in that role in that organization is to think about, is this product secure? They're our conduit, if you will, from these are the policies, these are the standards we want to do, which are coming out of our organization.
... I think all security strategies need a balance. You can do as much as possible to prevent, to protect, to defend, whatever word you want to use for that. But if you think you're going to be able to defend 100% of the things, 100% of the time, you're wrong. Things will go bad. Things will happen.
Why? Because we have the humans in the process, they make mistakes. We have multiple vendors that also have humans in the process that we need to partner with and work with whether they're IT vendors or suppliers to parts or whatnot. They make mistakes. And so things are going to go wrong there.
Thirdly, you have dedicated, well-funded adversaries that want to exploit anything they can exploit.
So you need a balance of, I'm going to do as much as I can to do it right. To build it right, design it right, operate it right, to defend it, to have the defenses to prevent phishing emails from coming in or malware from coming in or whatnot.
But you also have to have proactive processes to identify when something goes wrong, whether it's somebody made a mistake in coding a product or somebody misconfigured a server that's exposed to the internet or whatnot, or a piece of malware did find some way to get in.
You have to be proactively doing that and I think every organization needs to look at their security strategy from how much am I spending on defense? How much am I spending on proactive detection and containment and response to issues?
That often is much closer to 50/50 than most organizations, I think, believe.
How did your security strategy at Cisco take shape and what were your priorities when you started? How have they evolved over time?
MARTINO: I think your question about how they evolve over time is important because you can't really just set it and forget it, right? It is an evolution as the business evolves.
If I take Cisco as an example, I've been doing this job for about nine years... the business of Cisco was primarily building technology and selling it to our customers, who then operated it.
Today, a material part of our business, multibillion dollars of revenue of our business, is now delivered as a SaaS service. And that means not only do we build it, we operate it on behalf of our customers...
Our business is now not a traditional product business. It's an integrated offer, the service that we're delivering to our customers.
Whether that's 'how I do hotel rooms and manage my hotel customers' ... there's this digital component and things are all integrated.
I think what that means for the CISO is understanding and aligning your security strategy to what the business is trying to do and what those risks are, and helping them understand that and make those tradeoffs.
... I think our job as a CISO is to securely enable the business to do what they need to do. That's the way that I have shaped the security strategy [and] got my team aligned.
It's not that we're defenders or protectors or a police force. We're securely enabling the business to do what they need to do and that mindset, I think, is the most important strategic thing that a CISO must decide: What is their role and how do I get alignment of that role within the culture and organization that I'm within?
What was the process of implementing technology to make remote work viable? What was the timeline? And what were the perceived vs. real risks you dealt with implementing it across such a large workforce?
MARTINO: ... One of the sort of first moves was to move from... corporate-owned devices, [which] were the only thing you could use to do any of your work. You had to be in a physical location or a virtual physical through a VPN and that was the old days.
As workers became more and more mobile, as they used more mobile devices [and these] became more a part of their personal culture, their lifestyle, it just didn't make sense to us to have to tell a user, there's your phone for Cisco work, there's your phone for personal work. Oh, you can only use your laptop for Cisco work. You can't send a personal email — those days are long gone.
... today every telephone, every mobile device is an employee-owned device globally. We asked them, if they want to use it for work, we say that's great. Here are the conditions, there are nine things you must do to your mobile device in order to use it for personal and work.
They're basic things: you've got to have a screen lock, you've got to have your password, you have to encrypt, make sure that the technology allows you to encrypt the disk, you have to do some basic things. They're not super invasive, they're not rocket science. They're basic kinds of things that you should probably do anyway. And a couple extra so that we can have visibility to issues that might happen. We can help you defend against those, etc.
And if you are that tall, you can ride the ride and use that personal device for work. And that applies to a laptop, mobile phone or tablet, you can do that.
So over time over the last five, six years, we've made that simpler. We've automated it...
One of the fascinating things is right around the holidays, the number of new cell phones and tablets that get registered and onboarded onto our network is amazing...
So now they can use it to do their Cisco work as well as their personal life. And we have automated that so they can do it on that holiday morning when they unwrap the present. That's part of that securely enabling, making it easy, making it possible for them to do that.
What keeps you up at night in terms of security and threats, and how do you see those evolving?
MARTINO: I don't really like the question what keeps me up at night, but what is it I am worried about? What am I concerned about? ...
The thing that I worry about, to get to the net of your question, is, what haven't I thought about? What haven't I considered? What don't I know?
So a part of our security program is investing in reaching out to my peers, to local authority, to organizations and listening, and being able to take that in and say, here's what somebody saw, do I need to worry about it? Does it apply to my environment?
And trying to always sense the outer environment and understand how trends are changing what's happening, etc. So that I can adequately or rapidly prepare for that. That's the thing that I worry about: Am I doing enough there?