Managed cloud services may be helping all kinds of businesses expand into new operational areas – but it’s CISOs that are in the firing line as they face the challenge of securing not only their own infrastructure, but the customer-facing services that lie at the heart of the company’s digital transformation.
It’s a big remit that has proven to be a welcome challenge for Steve Martino, Cisco VP and Chief Information Security Officer. As if it wasn’t enough building and executing a coherent information-security strategy within Cisco Systems – a $US50b business with more than 77,000 employees and operations in more than 110 countries – Martino has the added challenge of extending that strategy across the cloud infrastructure running the nearly 30 managed services that are core to Cisco’s future growth.
“Businesses are making digital components so critical to their success that security has to be a core competency for them,” Martino told CSO Australia in the lead-up to his appearance at the Cisco Live! conference in Melbourne.
“Our goal is to grow that part of our business faster than any other part of our business. But if you’re going to be an as-a-service vendor, not only are you going to build it but you are going to operate it 24x7. The way you build, deploy, and sell it has to change; you have to extend your core competencies so you can operate at trust and scale for your customers.”
Cisco’s managed services – many of which, like OpenDNS and Webex, came to the company through acquisitions that expanded upon its core business theme of communications – are running from a growing cloud infrastructure platform whose security has become yet another of Martino’s core focuses.
With the company evolving and customer usage accelerating, that responsibility brings its own challenges. “It’s a work in progress because the business is changing,” Martino explained, “and you have to keep evolving with the business.”
While business leaders may well recognise the value of new lines of business, a growing onus to protect customers’ private data has put much of that responsibility on the CISO’s shoulders. This has increased the need for CISOs to be more assertive about their role in relation to the rest of the company.
“A decade ago, you saw CIOs needing to become business partners and talk about business strategy and enablement,” Martino said. “Today, because security is such an integral part of every business and every new strategy, the CISO now has to step up to also sit at the table.”
That seat at the table may garner the attention of the business executive, but it’s no excuse to sit still: with the cybersecurity climate changing continually, the new security posture has forced CISOs to continuously push security awareness through every part of the business.
Any successful security program will have at least three key aspects, Martino notes. These include finding ways to get internal staff to take ownership of security – “if they don’t own it then it doesn’t matter,” he says – as well as ensuring the right controls are in place, both to prevent staff from making mistakes and to stop outside attackers from being able to compromise a company and its key data.
The third aspect of a successful strategy, he added, is to understand one thing: “you have to know that things will go wrong,” he said. “People make mistakes, whether it’s people clicking phishing emails when they shouldn’t or a sysadmin leaving a port open. You have to plan that it will go wrong, and you need a way of finding it very, very quickly and containing it.”
That need has become more pressing as the mainstreaming of cybersecurity has changed the types of threats about which CISOs need to be most aware, Martino noted: the commercialisation and professionalisation of hacker businesses has seen many high-threat operations cobbled together by malicious operators with “little to no technology competency”.
“That has now emerged, I think, as the biggest threat for most businesses,” he explained. “Five years ago we were mostly worried about hackers – primarily hobbyists, enthusiasts, and people trying to make a few bucks on the side. But now there is an infrastructure of businesses that supply componentry, intelligence, and information to cybercriminals, like an analyst might do.”
Facing this threat, Martino said, CISOs need to push for an integrated defence strategy more than ever. This means focusing not only on linking technology and improving visibility across security tools, but also on drawing operational, technological and even government partners into the effort to present a unified front against security threats.
Pushing security from the customer perspective is often a way to engage with recalcitrant business units, Martino says, noting that customer expectations are “very critical” and that digitally driven businesses need to make sure they’re “living up to those expectations in a trustworthy way. That trust, once lost, is almost never recoverable.”