In the past few years, the security industry has invested heavily in the detection and containment of attacks and breaches as a primary focus of innovation. To help protect Cisco, its customers, products, services and partners, we have embarked on a journey to build security and trust into every aspect of our business, including the culture of our workplace itself. The rapid evolution of the threat landscape has made this trust journey a necessity. Exploits are more frequent, better financed, more sophisticated and are causing more damage. Technology shifts like mobility and BYOD are the new normal and have resulted in more points of access for malware, resulting in a larger attack surface. In order to be more effective against the broad range of security threats, the industry must focus on foundational security being present in critical systems. By ensuring that trustworthiness is built into the technology, processes and policies involved in your IT systems, you can reduce risk and the attack surface while enabling more effective overall security.
What it means to be trustworthy
Cisco takes a comprehensive approach to security and trust. Our commitment starts with industry-leading, trustworthy products and services but also includes other critical elements. Our approach spans people, processes, policies and technology. But before we go any further, it’s important to define what “trustworthy” means.
Trustworthiness includes, but is not limited to:
- The use of secure design practices in the development of our products
- Investments in next-generation technologies to enhance the security of our product portfolio
- Security and data protection in employee training
- Leadership in and adherence to industry standards (FIPS, Common Criteria, ISO) and best practices
- Secure processes and policies to protect customer data, our Cloud, Cisco’s global enterprise, and our value chain
- Transparency and accountability in vulnerability management through Cisco’s Product Security Incident Response Team (PSIRT), a dedicated global team that manages the receipt, investigation and public reporting of security vulnerability information.
Building the pillars of trust
Let’s dive a little deeper into each of those areas, which represent the six foundational pillars upon which Cisco’s trust initiative is built.
- Trustworthy Systems: The foundation of a secure environment is an infrastructure that you can trust – every component, every box, every piece of software. That’s what we call a trustworthy system, and we developed the Cisco Secure Development Lifecycle (CSDL) as a replicable and measurable process designed to increase the resiliency and trustworthiness of Cisco products.
- Value Chain Security: The threats to today’s complex value chain include manipulation, espionage and disruption. Cisco is leading the way in establishing a secure value chain via a layered approach, deploying a combination of security technology, physical security and logical security processes, designed for each stage of the value chain. At the heart of that approach is a Master Security Specification, which covers key security domains in a flexible manner. We also work across the industry in public–private partnerships to establish a limited set of security policies and standards benefiting the IT value chain and, of course, our customers.
- Information Security: We have decades of experience building out a security architecture, governance and incident response practice. We continue to strengthen our security posture by deploying technologies for stronger authentication and authorization of privileged users, developing processes for the classification and protection of critical data, securing our infrastructure with advanced threat detection and mitigation capabilities, instituting trusted-device policies for differentiated access, and running security metrics programs for governance.
- Data Protection: Cisco embraces our role as a trusted data custodian with great pride. We’ve created a documented data protection program that includes a unified and coordinated incident response process. Additionally, all of our employees certify their role in protecting data as part of their Code of Business Conduct (COBC) certification. Other processes include TRUSTe certification, and we work to ensure transparency about our interactions with governments as they relate to customer data by publishing a report documenting Law Enforcement Requests for Customer Data.
- Cloud Security: Cloud offerings at Cisco follow our highly regarded CSDL using multiple perspectives—the offering, people and environment—to ensure that a wide variety of risk levels and threats are accounted for. As a result, these cloud offerings are protected during both design and operations by security-centric practices and technology. Everything from constant penetration testing, to active monitoring, to secure development process adherence drives increasing security in Cisco’s cloud offerings.
- Transparency and Validation: Transparency means being proactive about sharing information for our customers to assess trust for themselves, while validation means enabling others to confirm this for themselves. We publish a report every six months on lawful government requests for data, and we are developing programs to enable customers to technically verify for themselves security measures across our product portfolio.
Trust isn’t an ultimate goal that one finally achieves. Trust is a lifelong process of improvement. At Cisco, it’s a journey – an ongoing series of commitments, processes and priorities we are making throughout the fabric of our company and how we do business, both in our workplace culture and how we show trustworthiness to our partners and customers. To encourage trustworthy processes, procedures and outcomes throughout the industry, I encourage organizations to expect more from their own partners and IT vendors. By asking for and expecting them to demonstrate that they are trustworthy, transparent and accountable, we can all embark on this trust journey together.
Nice blog post. People forget that security is at the very core of everything we do. If our foundation has leaks, then it doesn’t matter how secure every other layer/process is, breaches will happen. It’s not a matter of IF but WHEN they will happen.