Cisco EVP: We need to lift everyone above the cybersecurity poverty line

It's going to become a human-rights issue, Jeetu Patel tells The Register

RSA Conference Exclusive Establishing some level of cybersecurity measures across all organizations will soon reach human-rights issue status, according to Jeetu Patel, Cisco EVP for security and collaboration.

"It's our civic duty to ensure that everyone below the security poverty line has a level of safety, because it's gonna eventually get to be a human-rights issue," Patel told The Register, in an exclusive interview ahead of his RSA Conference keynote. 

"This is critical infrastructure — financial services, health care, transportation — services like your water supply, your power grid, all of those things can stop in an instant if there's a breach," he said. 

The idea of a cybersecurity poverty line, the threshold below which organizations lack the budget or staff to implement even baseline security measures, was coined by Wendy Nather, head of Cisco's advisory CISO team, during an earlier RSA Conference.

Lifting all companies above the poverty line should matter, even to those already there, as people and organizations become more interconnected because of software dependencies, shared data, hybrid work and the like, Patel said.

"We are living in a holistic ecosystem where the weakest link can break down the entire chain," he explained. "A small supplier for an auto manufacturer that gets breached could shut down the entire production line of an auto company."

Plus, "everyone's an insider," Patel added. 

Physical walls and software perimeters no longer separate people and information as either inside or outside the organization, he said. This also expands the potential attack surface as people and devices connect and share data with others that are outside the traditional enterprise perimeter.

"And if we don't take care of the folks that are below the security poverty line, you can do all that you want to protect yourself if you're above the security poverty line, but you'll still be exposed," Patel said.

Establishing security protocols across an organization requires a sufficient budget to buy products and employ security professionals with the capabilities to defend against threats. However, influence also plays a role in separating the security haves and have-nots, added Shailaja Shankar, SVP of Cisco's Security Business Group.

"Large organizations that are above the poverty line have been able to negotiate great terms with their suppliers in this interconnected system," she told The Register. "But when you are a small player, it is very hard for you to negotiate and you just take what your providers give you."

Shared risk, shared defenses

As to how the industry ended up with a significant number of organizations below that line, there's plenty of blame to go around. The internet is blamed for making us more interconnected, so that one organization's weakness becomes everyone's exposure. Complexity is also an issue: as security architectures become more sophisticated, they also become harder to deploy and operate, which hits organizations with the fewest staff hardest.

And yes, the Cisco execs also admitted that the vendor community bears responsibility, too, for selling a plethora of products that don't interoperate or always live up to their protection promises.

Similarly, it's going to require a collective effort to dig out of this mess. Part of that involves security vendors providing expertise, donating products and services, and collaborating to share threat intelligence.

To this end, Shankar pointed to Cisco's Talos threat intelligence team operating security products 24-7 for critical infrastructure customers in Ukraine and providing free cloud security products to organizations in the war-torn country as examples of what her company is doing. 

Plus, she added, Cisco is a founding member of the Cyber Threat Alliance. "We partner with more than 30 different global security vendors and we share threat intelligence that allows us to protect the customers and defend this digital ecosystem," Shankar said. "Shared risk requires shared defenses."

Business models also need to shift, Patel said. "People will start thinking about protection, not at the individual organization level, but at the supply chain level — thinking about the ecosystem at large rather than just what's in my domain," he said. 

This extends to vendors providing free or low-cost security to nonprofits and NGOs, and to larger firms using their buying power to help smaller organizations in their supply chains improve their security posture, Patel added.

"I just don't think this is an overnight thing, but I think the recognition is starting to hit people pretty hard," Patel said. "One small supplier that makes a small component that might cost seven cents in a $100 item can literally hold up the entire production line because they had a breach. That is a profound impact because billions, hundreds of billions, if not trillions of dollars could actually stop the function if that was systematically attacked by the bad actors." ®

Biting the hand that feeds IT © 1998–2022