Cisco EVP: We need to lift everyone above the cybersecurity poverty line

It's going to become a human-rights issue, Jeetu Patel tells The Register


RSA Conference Exclusive Establishing some level of cybersecurity measures across all organizations will soon reach human-rights issue status, according to Jeetu Patel, Cisco EVP for security and collaboration.

"It's our civic duty to ensure that everyone below the security poverty line has a level of safety, because it's gonna eventually get to be a human-rights issue," Patel told The Register, in an exclusive interview ahead of his RSA Conference keynote. 

"This is critical infrastructure — financial services, health care, transportation — services like your water supply, your power grid, all of those things can stop in an instant if there's a breach," he said. 

This idea of a cybersecurity poverty line — essentially where those below the poverty line don't have the budget or human resources to implement security measures — was coined by Cisco's head of advisory CISOs Wendy Nather during an earlier RSA Conference.

Lifting all companies above the poverty line should matter, even to those already there, as people and organizations become more interconnected because of software dependencies, shared data, hybrid work and the like, Patel said.

"We are living in a holistic ecosystem where the weakest link can break down the entire chain," he explained. "A small supplier for an auto manufacturer that gets breached could shut down the entire production line of an auto company."

Plus, "everyone's an insider," Patel added. 

Physical walls and software perimeters no longer separate people and information as either inside or outside the organization, he said. This also expands the potential attack surface as people and devices connect and share data with others that are outside the traditional enterprise perimeter.

"And if we don't take care of the folks that are below the security poverty line, you can do all that you want to protect yourself if you're above the security poverty line, but you'll still be exposed," Patel said.

Establishing security protocols across an organization requires a sufficient budget to buy products and employ security professionals with the capabilities to defend against threats. However, influence also plays a role in separating the security haves and have-nots, added Shailaja Shankar, SVP of Cisco's Security Business Group.

"Large organizations that are above the poverty line have been able to negotiate great terms with their suppliers in this interconnected system," she told The Register. "But when you are a small player, it is very hard for you to negotiate and you just take what your providers give you."

Shared risk, shared defenses

As to how the industry ended up with a significant number of organizations below that line, there's plenty of blame to go around. It's the internet's fault for making us more interconnected, it's claimed. Complexity is also an issue: as security architectures become increasingly sophisticated, they also become more complex.

And yes, the Cisco execs also admitted that the vendor community bears responsibility, too, for selling a plethora of products that don't interoperate or always live up to their protection promises.

Similarly, it's going to require a collective effort to dig out of this mess. Part of it involves security vendors providing expertise and donating and collaborating to share threat intelligence.

To this end, Shankar pointed to Cisco's Talos threat intelligence team operating security products 24-7 for critical infrastructure customers in Ukraine and providing free cloud security products to organizations in the war-torn country as examples of what her company is doing. 

Plus, she added, Cisco's a founding member of the Cyber Threat Alliance. "We partner with more than 30 different global security vendors and we share threat intelligence that allows us to protect the customers and defend this digital ecosystem," Shankar said. "Shared risk requires shared defenses."

Business models also need to shift, Patel said. "People will start thinking about protection, not at the individual organization level, but at the supply chain level — thinking about the ecosystem at large rather than just what's in my domain," he said. 

This extends to vendors providing free or low-cost security to nonprofits and NGOs, and larger firms' using their buying power to help smaller organizations improve their security posture, Patel added. 

"I just don't think this is an overnight thing, but I think the recognition is starting to hit people pretty hard," Patel said. "One small supplier that makes a small component that might cost seven cents in a $100 item can literally hold up the entire production line because they had a breach. That is a profound impact because billions, hundreds of billions, if not trillions of dollars could actually stop the function if that was systematically attacked by the bad actors." ®


Biting the hand that feeds IT © 1998–2022