Cisco EVP: We need to lift everyone above the cybersecurity poverty line

It's going to become a human-rights issue, Jeetu Patel tells The Register


RSA Conference Exclusive: Establishing some level of cybersecurity measures across all organizations will soon reach human-rights issue status, according to Jeetu Patel, Cisco EVP for security and collaboration.

"It's our civic duty to ensure that everyone below the security poverty line has a level of safety, because it's gonna eventually get to be a human-rights issue," Patel told The Register, in an exclusive interview ahead of his RSA Conference keynote. 

"This is critical infrastructure — financial services, health care, transportation — services like your water supply, your power grid, all of those things can stop in an instant if there's a breach," he said. 

This idea of a cybersecurity poverty line (essentially, where those below the poverty line don't have the budget or human resources to implement security measures) was coined by Cisco's head of advisory CISOs Wendy Nather during an earlier RSA Conference.

Lifting all companies above the poverty line should matter, even to those already there, as people and organizations become more interconnected because of software dependencies, shared data, hybrid work and the like, Patel said.

"We are living in a holistic ecosystem where the weakest link can break down the entire chain," he explained. "A small supplier for an auto manufacturer that gets breached could shut down the entire production line of an auto company."

Plus, "everyone's an insider," Patel added. 

Physical walls and software perimeters no longer separate people and information as either inside or outside the organization, he said. This also expands the potential attack surface as people and devices connect and share data with others that are outside the traditional enterprise perimeter.

"And if we don't take care of the folks that are below the security poverty line, you can do all that you want to protect yourself if you're above the security poverty line, but you'll still be exposed," Patel said.

Establishing security protocols across an organization requires a sufficient budget to buy products and employ security professionals with the capabilities to defend against threats. However, influence also plays a role in separating the security haves and have-nots, added Shailaja Shankar, SVP of Cisco's Security Business Group.

"Large organizations that are above the poverty line have been able to negotiate great terms with their suppliers in this interconnected system," she told The Register. "But when you are a small player, it is very hard for you to negotiate and you just take what your providers give you."

Shared risk, shared defenses

As to how the industry ended up with a significant number of organizations below that line, there's plenty of blame to go around. It's the internet's fault for making us more interconnected, it's claimed. Complexity is also an issue: as security architectures become increasingly sophisticated, they also become more complex.

And yes, the Cisco execs also admitted that the vendor community bears responsibility, too, for selling a plethora of products that don't interoperate or always live up to their protection promises.

Similarly, it's going to require a collective effort to dig out of this mess. Part of it involves security vendors providing expertise, donating, and collaborating to share threat intelligence.

To this end, Shankar pointed to Cisco's Talos threat intelligence team operating security products 24-7 for critical infrastructure customers in Ukraine and providing free cloud security products to organizations in the war-torn country as examples of what her company is doing. 

Plus, she added, Cisco's a founding member of the Cyber Threat Alliance. "We partner with more than 30 different global security vendors and we share threat intelligence that allows us to protect the customers and defend this digital ecosystem," Shankar said. "Shared risk requires shared defenses."

Business models also need to shift, Patel said. "People will start thinking about protection, not at the individual organization level, but at the supply chain level — thinking about the ecosystem at large rather than just what's in my domain," he said. 

This extends to vendors providing free or low-cost security to nonprofits and NGOs, and larger firms using their buying power to help smaller organizations improve their security posture, Patel added.

"I just don't think this is an overnight thing, but I think the recognition is starting to hit people pretty hard," Patel said. "One small supplier that makes a small component that might cost seven cents in a $100 item can literally hold up the entire production line because they had a breach. That is a profound impact because billions, hundreds of billions, if not trillions of dollars could actually stop the function if that was systematically attacked by the bad actors." ®
