What Do We Owe One Another in the Cybersecurity Ecosystem?

Posted on in Presentations

We have never been more connected than we are at this moment in time. This ecosystem radically increases our shared cybersecurity risk and demands collective defense. It’s not enough to volunteer to share information or give free training to organizations below the Security Poverty Line; what more do we truly owe one another?

Video Transcript

>> ANNOUNCER:  Please welcome Executive Vice President and General Manager Security and Collaboration, Cisco, Jeetu Patel.


   >> JEETU PATEL:  Hello, everyone. Isn't it great to be in a live audience? Yeah.


   You know, a little trivia about Rohit. So, Rohit and I used to work together and when I had my daughter, he was the first coworker – I used to live in Chicago at the time and we were working in California so I was going back and forth – and when I was on paternity leave, he was the first coworker that came out there to see my daughter. So, it’s so nice to share a stage with him.


   I know. Look at that.


   So, you know, it's great to be in person but I used to have a superpower and I have kind of lost it. I used to have a superpower which was seven minutes flat, I could pack my bags to go for a weeklong trip. I don't know if any of you folks feel this, but I’m feeling it right now because yesterday it took me about seventy minutes of staring at my suitcase and I still forgot a bunch of things. My entire product line for my hair was like – I left it at home, so it took me a while to get ready. So, if – today if you feel like I'm a little disheveled, it is because I left my hair line products at home.


   I'm feeling a little disrespected here. That wasn't a joke. That was the truth.


   Anyway, it’s good to be here. And you know, if you take away the jokes though and just actually take – rewind back a few years and what it was like and just booking travel. And the amount of work that you have to do. You have to make multiple calls. You would have to go on multiple websites. You would have to go to multiple companies and deal with making sure that you get your hotel done right. You went to your car rental place. You also got your, you know, kind of flights booked. Today, you don't have that issue.


   Today, you actually go to a single site and you have got this fluidity of exchange of data and everything is pretty interconnected and you’re able to go out, in a matter of minutes, just go out and get your, you know, reservations booked.


   And this kind of interconnectedness is something that most of us have learned to expect in our day to day life, whether it be within your personal situation or at work. And what you are starting to see is that there is a tremendous amount of benefit of having this interconnectedness, but what you also see is there is a fair amount of security challenges that come allonge with it.


   And so, if you look at, you know, malware or phishing attacks or ransomware, these are growing at double and triple digit kind of, you know, rates as you move forward. And this interconnectedness itself is actually – it’s not just something that’s impacting you but every single member of the supply chain, your customers, your suppliers, your partners. When there is something that happens to them, it impacts you, right?


   And so, there is this kind of ecosystem that we are living in right now, and in this interconnected world, there is a simple but massively overlooked problem that I want to spend this session talking about.


   But before we do that, what I wanted to do was make sure that we talk about three specific trends that our 300,000 customers are actually sharing with us. And by the way, this is going to be kind of a stacking of trends. So, Rohit went through three trends. I am going to go through three trends. I’m sure there’s the next person that’s going to come that’s going to go through three trends and you can then stack, rank us, and tell us which one is better.


   But the reality is that there is a key set of trends that we actually have that are – that are becoming challenges in the industry that we really have to think about collectively as a society rather than individually.


   So, let’s talk about the first trend. The first trend is the fact that we as businesses are competing as holistic ecosystems, not as individual organizations by ourselves.


   What that means is that you yourself might be materially impacted in the way that your production line works, in the way that your supply chain works, in the way in which your demand cycle works based on what happens to the other members in the ecosystem.


   Now, what you’re starting to see over here, and a great example of this is a top auto maker recently, they had to stop their entire production line because one small component parts manufacturer was not able to, you know, protect themselves because they had a potential security breach. And so, you had to have the entire production line stopped.


   Now, what specifically are companies doing about this is they are starting to take a much more measured approach around risk and making sure that they can assess risk and say, well, you know, if I'm going to have vulnerabilities, the reality is, is you have newer and newer vulnerabilities that keep coming up every single day. But of the known vulnerabilities – here’s a statistic that’s fascinating – of the known vulnerabilities that an organization knows, only 20% of them actually get remediated and patched and fixed. Only 20%.


   Think about that.


   And so, what we need to do is make sure that we take a much more risk-based approach to vulnerability management. That is what’s happening and it’s what more and more companies are doing. And they’re starting to make sure that they take a more informed decision based on which specific vulnerabilities do I need to patch based on the highest amount of risk rather than first in, first out so that I can make sure I have a better security posture. So, that's the first trend.


   And associated and tied very closely to that first trend is the second trend, which is everyone is an insider. And what I mean by everyone is an insider is firstly, humans are pretty easy targets to go after for cyber criminals. And attacks are becoming much more bespoke and personalized.


   They are going after Jeetu Patel rather than going after the entirety of the population that you might have. And so, they are getting much more personalized and more and more of these individual targets, whether they be, you know, employees, but you don’t just have employees anymore. You have employees and contractors. But you have suppliers and customers and partners. So, the amount of people that can go out and impact your security posture is getting larger and larger and larger.


   And so, everyone is an insider. You are starting to see that. But specifically what is starting to happen, and here is another interesting statistic, is 56% of the breaches that happen, happen because of an unknowing employee negligence act rather than something that is actually malicious in intent. 56%.


   Now, if you really start thinking about this and go, no one's going to be working to plan to be negligent when they come into the office. No one says, hey, I'm coming into the office and I'm going to be negligent today. Right? But mistakes happen. And the reason for that is because the friction is too high and because of the friction being high, the efficacy goes down. And so, you have to make sure that those get balanced.


   In fact, an example over here is the Metropolitan Police, there was an employee that accidentally deleted 87 million – 8.7 million records and slowed down prosecutions that impacted 17,000 cases. Just out of pure negligence, right?


   And so, when you start thinking about these pieces, the way that we are actually going out and attacking these problems is through zero trust. We’re saying, well, let’s make sure that we actually have the least privileged access that we can provide to people, and so there is a zero trust mechanism that is in place.


   And customers continually are needing to assess behavior and grant continuous assessment of risk and then grant trust rather than making sure that that only happens at the time of log in.


   So, what you are now starting to see happen is rather than saying I'm only going to verify whether you are who you say you are and give you access at the time of login, I'm going to assess your behavior on a regular basis. And if you are doing something that’s anomalous in nature, even though you might have logged in, even though you have access, I'm going to make sure I can intercept.


   And so, that's what’s happening from a, you know, zero trust standpoint.


   And the third major trend that you are seeing is something that we have all have lived over the course of the past couple of years and it is around hybrid work. People are going to work in mixed mode. Sometimes they are going to work in the office. Sometimes they are going to work at home. Sometimes they are going to be somewhere in between. And when you actually see this mixed mode of working, what is going to happen is you are going to be accessing data and systems from any device, whether it be managed or unmanaged. You are going to be accessing applications that are either sanctioned or unsanctioned. And you are going to be accessing them from networks, whether either secured or unsecured.


   And you need to make sure that while you are accessing that, what do we specifically need to do so that we can make sure that the risk of breach is low, the risk of intellectual property theft is low?


   And this puts a lot of pressure on the SecOps team. It puts a lot of pressure on the NetOps team. Right? And so, specifically, what are we doing to go out and address this trend? And what’s starting to happen is rather than point solutions, you are starting to see integrated architectures take more and more prominence in this market.


   When I talk about innovative architectures, I'm talking about networking and security coming together rather than being specifically separate islands by themselves.


   And to simplify management, we need to make sure that the management is simplified not just for the SecOps person but also the NetOps person, and ideally do it in a way that’s fluid, and also make sure that user has the lowest amount of friction, because what you have now started seeing is what Rohit was talking about, you don't have to tradeoff security for convenience. What you’re starting to see happen is when the friction does down, your efficacy automatically goes up.


   So, you’re starting to see this integrated architecture come into place.


   Those are the three major trends that we’re seeing in our customer base, which is businesses are competing as ecosystems. Everyone is behaving like an insider. And hybrid work is here to stay and is actually causing far more challenge in how you can secure an organization with a tremendous amount of pressure.


   So, what do we start to do about this entire area and what is the big challenge that we are starting to see have happen that I talked about earlier?


   Well, the big challenge we see is that we need security resilience just like you need business resilience and just like you need operational resilience. There is a need for security resilience. Because there is a massive ripple effect. And the weakest link in your supply chain can bring down the entirety of your entire ecosystem.


   So, what is happening today? Well, we have this construct that Wendy Nather, who, by the way, gave a great – she was participating in the rap music earlier on. She’s right there. She is the Head of Cisco's Advisory CISOs. And she coined this term called the security poverty line.


   What does the security poverty line mean? It means that there’s a baseline level of minimum security posture that every company should maintain. And when companies don't have the right level of resource or knowhow to go out and maintain that, that’s when they fall below the security poverty line. And what that does is puts the entirety of the ecosystem at risk, right?


   And so, what we want to do is make sure that when this happens, you don't ignore the smaller companies, the not for profit companies that are participating, because 60% of small businesses that do have a cyber-attack actually go out of business in six months.


   And so, if you are below the security poverty line and you are actually participating in an ecosystem, not only are you going out and putting yourself at risk, but the entire ecosystem is at risk.


   Now, we collectively have to make sure that this problem gets solved. And so, to talk a little bit more about that, what I wanted to have was my partner in crime, Shailaja Shankar, who is the SVP and GM for the security business, to come over here and talk about the dimensions of the security poverty line and specifically what we need to do collectively as a group to make sure that we can go out and address the issue, because if we don't address the least prepared in the world, for going out, preventing for themselves, the most prepared will suffer.


   So, with that, let me make sure that I invite Shailaja Shankar on stage. Shailaja, come on up.


   >> SHAILAJA SHANKAR:  Thank you, Jeetu.


   The security poverty line is real. It is present. It's complex. And it's multidimensional.


   When you think about the security poverty line, there are multiple factors for us to consider. Number one, first and foremost is budget. Organizations that are running on razor thin margins will be hard pressed to invest in security the way large organizations are able to invest in them.


   Then the second factor is the expertise. When – even when organizations are aware that they are at risk, they may not actually be – they may not actually be – have the dedicated skills, they may not have the expertise, they may not have the experience to actually go attack the problem head on.


   And the third aspect to consider is capability. When you think about a capability, you are really thinking about knowing what it is to – knowing what needs to be done and being able to actually doing it. It's about the knowing-doing gap that we are trying to bridge.


   So, what you will find in this domain is organizations, while knowing what needs to be done, they may be faced with constraints. So, constraints in the form of outsourced software or outdated hardware or even regulatory controls that they have to address. All of that puts a – puts them on the back foot in being able to address them in the time that they need to address.


   And finally, influence. Large organizations are able to negotiate the right kind of terms with their vendors, suppliers, and partners the way the the small organizations are not able to address.


   So, when you put all this together, the budgetary constraints, lack of skillset and expertise, and the capability gaps, as well as the influence that these small organizations are not able to overcome, these tend to have far reaching implications.


   So, let me give you a specific example. Think about the ransomware attack that we saw with Blackbaud. Blackbaud is one of the world’s largest organizations. They deal with education, administration, fundraising, and financial management systems.


   That one ransomware attack on Blackbaud has impacted over a thousand organizations, and many of them happened to be nonprofit organizations. Think about the ripple effect of that.


   When I think about nonprofit organizations, I actually think of them as critical infrastructure. When nonprofit organizations are not able to attend to the victims of violence, they are not able to be there in times of disaster, and when they are not able to feed the hungry even, then we are all impacted.


   So, I'm not suggesting by any means that the nonprofit organizations are the only ones that are below the security poverty line. You must consider the critical infrastructure.


   Again, let me give you a real world example. Most of the nation's drinking water and water waste management systems are municipality owned. So, think about the margins under which those businesses are running, what – their operating revenues are really very, very low. And it is really hard for them to invest what is needed to invest in cybersecurity.


   And compound that with what happened with another real life example. The Department of Justice recently indicted a former employee of a rural water management authority. And that former employee was allegedly – or he was accused – or allegedly – allegedly accessing or attempting to access the computer to tamper with the disinfectant levels of the water.


   So, think about how the digital world is connected to the real world and how a lack of knowledge, lack of capability, lack of expertise, lack of budget impacts not just businesses but also impacts societies at large.


   So, we must stand together. Jeetu alluded to it earlier.


   Let me quote a Native American proverb.


   "We do not inherit the Earth from our ancestors; we borrow it from our children."


   We must think of the future. We have to work together. This interconnected problem requires an interconnected approach to solving it.


   Shared risk calls for shared defenses. As an industry, we owe it to each other. I feel it’s our civic duty to do this.


   For the past thirty years, Cisco has been at the forefront of connecting people and data. And Cisco is committed to making the world a safer place, a more secure place. Here are just a few things that we are doing to attack this problem – to address this problem.


   We are helping in times of crisis. We have partnered with thirty-plus critical infrastructure organizations and running security products 24/7 supporting critical customers in Ukraine. This is us lending our expertise to – to an area where the expertise is needed the most.


   We are sharing intelligence. As a founding member of the Cyber Threat Alliance, we partner with more than thirty-three global security vendors. We share our intelligence.


   The focus here is to make sure that customers of all these companies are protected while we are also defending the digital ecosystem.


   Next, we are helping to bolster the critical infrastructure. Here let me give you another real world example.


   We recently partnered with another county water authority in the rural part of the United States with the goal of automating the monitoring of the utilities industrial network. There, while at the same time, we are also helping them reduce the water loss in a water scarce environment. That is helping the critical infrastructure with the – with the help that they needed.


   Now, we are taking it a step further. We have recently announced a five year, $15 million partnership with NetHope. We are strengthening their efforts in cybersecurity in the non-governmental agencies. We are also doubling down our security product charitable grants going to the nonprofit sector.


   For the first time in this program, we are also including our cloud products. We are including secure access by Duo. We’re including Secure Endpoint, and also our Umbrella Cloud Security products.


   The challenges facing the organizations that are below the security poverty line are so large that no single organization can actually address.


   I welcome you all to work with us. I welcome you all to join us in making sure that we do the right thing for this interconnected world.


   Join us in contributing what is needed to help these organizations get prepared and help them respond in times of crisis or in case of a breach.


   I say it again because we do this because we owe it to each other. We do it because it is our civic duty. Together, we can do great things. Together, we can make the world a better place, we can make the world a safer place, and we can most certainly make the world a secure place.


   >> JEETU PATEL:  And folks, we are in a hyper competitive industry right now. I think there is a bunch of vendors in the space, in this room. There’s a bunch of customers that are in this room. And when we talk about competing with one another, competition is good because it makes us all better. But the real competition isn't each other. The real competition are the bad actors. And let's make sure that we can all join forces.


   I think there has to be a business model shift to make sure that people below the security poverty line are also kept secure so that the entire ecosystem is safe.


   Collectively, we think we can defeat our adversaries. We’re going to do our part at Cisco. We are looking forward to partnering with everyone. And thank you all for taking the time to come attend this. And make sure you go take a look at our booth as well.


   And Shailaja Shankar, ladies and gentlemen.


   >> SHAILAJA SHANKAR: Thank you. 

Jeetu Patel


Executive Vice President and General Manager, Security and Collaboration, Cisco

Shailaja Shankar


Senior Vice President and General Manager, Security Business Group, Cisco

Share With Your Community