Cisco CSO John Stewart rates speed of change as his biggest challenge

An Interview with John Stewart, CSO Cisco

Complexity comes in many forms, says Cisco’s chief security officer, John Stewart, who rates the speed of change as his top challenge.

“The pace of change inside IT systems is on a steady and up on to the right trajectory,” he says, rattling off a list that includes switching on and off systems, virtualising them, delivering mobility, application management and context switching.

“Complexity is its own threat. If not carefully managed, it ends up being one of the gaps where the seams end up being exposed and you find yourself vulnerable unexpectedly.” But there are problems you can eliminate and those you can’t. And the latter group includes increasingly sophisticated criminal elements.

You're never going to solve it. It's a containable item but never solvable because it's just part of the way life works

Some risks are more easily dealt with, such as systems visibility and the cost of ensuring they remain protected as new products are integrated, says Stewart. "I need to have a far more detailed understanding of my operation," he says. Stewart's key investments for 2011 will focus on improving log-file analysis of NetFlow (internet) protocol traffic, configuration management and scanning systems.

Meanwhile, Stewart would like to reduce the costs of securely integrating new technologies. “It’s expensive for my time, it’s expensive for my team’s time.” To counter this, Stewart would like to realise an ideal state of interoperability, where glueing together complex IT systems is as simple as Lego.

“We have to fix this. Otherwise, we just keep finding a new problem and building a product that doesn’t always integrate. Consumers of all these point-based solutions go after it a little bit differently and it’s more complex.”

With a vested interest in the continued adoption of Cloud services, Cisco is using increased demand for security in tenders to differentiate its business pitch.

“It’s increasingly the case. We’re seeing it in requests for information and proposals. Security is becoming part of the negotiating process for providing a service.” “One of the important measures is a universally well understood controls practices framework, such as ISO 27001,” he says.

“It can translate to a very transparent way of talking about what controls are in place, and it can be audited through both an external auditor or your internal auditing team.”

Some harbour concerns for security and privacy under data centre infrastructure that spans several jurisdictional territories, but Stewart sees a potential for policy-driven trade-offs. If a customer’s data was managed across separate jurisdictions, they could choose, for example, that a subset of their data does not fail over to another location in the event of a disruption. “It’s a question about how much resiliency you want for one location and whether you’re willing to sacrifice some of the resiliency of a Cloud service that could fail over to another location,” argues Stewart.

As a choice, you’re taking a risk, but you’re also mitigating one of your own risks.

Cisco’s aim is to create the ability to construct “electronic versions of plain English policy”, which could be projected to other Cloud service providers.

“So that if you move workloads from inside your own data centre into, say, a service provider who is running a Cloud, the same policy controls are brought with it, and essentially both operations run the same.”

According to Stewart, the conflict between CSOs and CIOs has largely disappeared.

“I don’t think that’s where we’re at anymore. There are phenomenal ways in which security enables productivity.” “If you are able to do your job from wherever you are, and not endanger the organisation or customers as a result, you’ve essentially taken security as a connectivity play, and enabled productivity.”
