From the SiliconANGLE Media Office in Boston, Massachusetts, it's theCUBE. Now, here's your host, Stu Miniman.

Hi, and welcome to a special presentation of theCUBE. We're here in our Boston area studio. Happy to welcome to the program a first-time guest, Edna Conway, who is the Chief Security Officer of Global Value Chain inside Cisco and a New Englander. Edna, thanks for coming.

Thanks so much for having me, Stu.

All right, so it's your first time on the program. We've obviously had lots of guests from Cisco. We've covered the security industry. We've first time, we've actually done a bunch of theCUBE at the RSA conference this year. Tell us just a little bit about your background for our audience, what kind of led you to your current role Chief Security Officer in Global Value Chain, and what does that mean in Global Value Chain?

So you know, it's an interesting role. I have the privilege of sort of leading our effort to think about a set of concerns that we have that we would call threats in the third-party ecosystem that comprises the value chain. So let's start with what is the value chain? The value chain is the end-to-end life cycle for any solution. So we think about it through the lens of the commitment we wanna make to our customers about integrity. And from there, we look at a whole set of threats that should be of a common concern across security. And those include manipulation, espionage, and disruption. And then we break it down to a set of exposures and an architecture that makes it something that is useful and can be deployed across the entire ecosystem itself and allows us to reach out to the enterprise partners who own the commercial relationships with those third parties. So I'm very lucky to have this role and how I got there is a long saga of 17 years of Cisco.

All right, and I love that and I wanna unpack that some. So I look at a lot of my career, we've talked about how do we get out of the silos?
How do we not talk about boxes, but we're talking about solutions, talking about the value to business. How is that kind of whole IT transformation happening? Digital transformation is more than a buzzword is something we spend a lot of time working on. Many people, they'll think of Cisco and they'll be like, oh, it's that network company that I buy switches and routers from. Of course, we know Cisco, an industry giant, does way more than that, but maybe you can help flesh out for us. Where does Cisco fit? Where do the ecosystem people complement and fill out the entire solution set?

So it's a great question from the perspective of, we're not just a box company. And I think when you look at where digital transformation is taking us, it's taking us exactly where we are and the journey that we're on, which is a combination of solutions. When you go to the grocery store, you may have cheese on your list, but very rarely you're just eating the cheese. You may be serving cheese and crackers. You might be making a fondue, but you're doing something with it that's a solution. And so we've been combining hardware and software and X as a service solutions to meet the needs of our customers for an extended period of time now. Now take that platform of looking at the customer first and then begin to think about integrity. And so where we sit is in a place where I certainly think about third parties who provide or deliver any value to any of those solutions. And they're diverse, Stu. They run the gamut.

All right, so Edna, as you're talking to users, what's top of mind for them? I know security is something I've talked about many times in my career. It's something that usually comes up. I think 15 years ago, the line I always used is it was top of mind, but often bottom of budget. Today, it's a board level conversation. I can't turn on the TV any day without hearing things like hackers and cyber attacks and ransomware.
So where does security fit into really the business discussion? How do people interact with the board when they talk about this? What are some of the chief concerns and how are people dealing with the whole security puzzle today?

So it's an interesting puzzle, but I think it can be deconstructed. And the concerns, ironically, of the security community are actually the concerns of the customer base. So I've thought about it for a while, and I think the largest cry we hear is a need for simplification. As we digitize, we embrace more and more members of this third-party ecosystem, and that adds an inherent complexity. So simplification is absolutely essential, and that leads us to a path of trying to drive a singular architecture and pervasive security. I think the next thing that I see, quite frankly, is something we've all been talking about, which is talent. But I look at it from a slightly different lens. While we all are aware of the fact that we need to build more security skill capacity on the planet, not just in the United States, globally, there's another lens, which is, as we expand the digital environment, what we're going to see is technology become business, and it's the way we will operate. Now think about that for a moment. That means you might wanna have in your security group somebody who has operational experience, someone who has a robust history of doing risk management modeling. These are not traditional security areas. So I think the talent area is one that is, A, how do we build up security expertise? B, what do we need that we don't have in the community of security? So simplification, talent, and then really two others. The first is everybody's worried about tainted or counterfeit solutions in the information communications technology arena. And then finally, we're all focused on the reality that nation-state or nation-state-sponsored actors and zealot actors are out there, and they are patient, they are skilled, and they are well-funded.

Yeah, and that reminds me of a lot of conversations we've had in an area we've tracked for a bunch of years as the chief data officer. So we all know how important data is. I need to secure my data, of course. But there's the balance, there's kind of the technology needs like the governance, risk, and compliance piece, and then there's the business value. How do I get more value out of my data? How do I help drive my business forward? How does security fit into that kind of framework? And how do we do the bit flip of making sure that security isn't just something that I have as like insurance, but something that helps drive my business needs?

So I think the digital transformation will actually make security drive business in all honesty. It's going to be inherent. And a lot of the things that I've been thinking about are the realities that I believe we're going to see a de facto standard of care imposed on us. So we've seen certainly regulation and legislation, lots of that. But what I'm talking about is a business and societal baseline standard of care around security that's going to be expected of us, just as today there's med malpractice. It's negligence if you go below the standard of care. We're going to see that in security as we ramp up the percentage of businesses and daily activities that are actually transformed by the digital environment that we see burgeoning around the world. So I think that's one thing. And then we can talk a lot about pervasive security and what that means. That means a great deal to us. And that's what we're trying to drive.

Okay, maybe, do you have any customer examples you can give? You probably can't talk to the specific customers, but I know in the regulated industries, like healthcare, like finance, they spend huge amounts of money in security. It is very much multifaceted.
Are they showing examples of what you were just talking about with the digital transformation, how they transform their businesses with security as the driver?

I think different industries are at different levels. I think some of them are still, if you look, let's look at the energy industry, for example. You have two ends of the spectrum. There are those who are still worried about the reality of protecting the grid. And then there are those who are using the digital transformation to change the way in which we swiftly distribute power, the way in which we harness the power, and the way in which we measure the utilization of all of us because the wonderful thing about the digital transformation is, we still don't ingest or inhale technology, we still use devices, and those devices are power-sucking aliens. And so there's an example where you have both ends of the spectrum, I think. Some are regulated and they're defined in a unique area. Healthcare, I think, is somewhere in the middle. Healthcare has seen great productivity enhancements as a result of digital transformation. The security element grew out of what we're all familiar with, at least in the US, and models everywhere on the globe, which is HIPAA. So you blend privacy and expectation there, but now what we're seeing is efficiency. You know, I recently had an experience where it was the first time I saw this. I was in an ER and the physician came in and behind the physician came a human who had a lovely little label on their shirt that indicated that they were the data technician, and they came with a rolling cart with a laptop on it. And there was an efficiency gain that was ascertained that these were people who were expert in medical terminology and could document what was going on so that the physician could actually cater in a different way to the patient. There's a productivity enhancement with a security guarantee because we had a lockdown air-gapped environment in which we were engaging.
And it was really innovation at its best. I was, I stopped talking actually about why I was there and started talking about the practices that they were utilizing.

Love to see where it's a combination of technology and people that is gonna deliver a better solution, not just saying, oh, well, we just automated that or threw some new device or technology or sensor on it to be able to solve it, I love that. You brought up devices and if I get down in the weeds a little bit, every time we talk about IoT, security comes up because the surface area of attack just grew exponentially. And we've already had a couple of instances where, oh, wait, there's devices that had default security parameters that were easy to get into. How should we be thinking about security when things like IoT and the industrial internet start popping up?

So I think there's a couple of ways you can do it, but quite frankly, IoT is something that many of us have been thinking about for quite some time and it's because of the value chain. So in this third-party community, you now have different people and different devices and different data. Blending it all together requires you to really take a comprehensive approach. And that comprehensive approach really has, I think, four steps. First, determine who the key third parties are in your ecosystem, right? It's a daunting task if you say all. Key, it's a risk-based approach. Next, figure out what they do for you. So once you've got that, you can build an architecture that articulates the foundational elements of your security parameters. We happen to have an architecture, it's 11 security domains that I had the privilege of building in. And then you deploy it. And next, you assess against it. And if you're doing it really well and now you're making security part of business, you actually blend security into the methodology by which you're measuring that supplier or partner's performance.
It's no longer security coming in and saying we want you to do this. It's, you're a member of our family. Here are the list of things that we want you to do and security is a line item there. And by the way, you're gonna be scored on that. And then finally, I think lift your head up and continue to talk with those partners because as each of us grow in our digital transformation, you're going to see changes in the risks. And if you've built a flexible architecture that can deal with silly changes that seem like they are minor. And I say silly for a reason because if you don't look at it from a security lens and an operational lens, oh, that's a minor, minor change. Surely it couldn't have a major security ramification. It just might and your flexible architecture can change on the fly.

All right, so, and I got a little bit of an interesting question for you. One of the things I hear companies struggling with is the pace of change. And they always have a reason why they can't do it. Security is one of those reasons that they usually say, oh wait, I can't do the new thing because I have my security processes in change and I need to go. Do we have the opportunity to be more secure, move faster and you know, how do we get people off of that inertia that they have today and take advantage of them and make sure that they understand that there's a path to being even more secure than we are today.

So really interesting changes are happening where what we're seeing as we embed security more and more into operational processes and the people who own those commercial operations. Security is not a separate thing any longer. And so we're all seeing demands for enhanced productivity. If you have security at the table and built in, what you're going to see is the productivity gains that we plan, design and then ultimately implement will inevitably include security. But here's the real kicker. I think we know we have success when security starts to build in business.
It becomes a differentiator. If you have six flavors of cereal, but one of them happens to have extra calcium and is responsibly sourced, you might pick that for those criteria. Now take that into the technology arena. Security is right there front and center as a differentiator.

Yeah, it reminds me a lot of what we talked about about sustainability, green technology, kind of the green tech wave didn't take off. But if there's a lot of business value that I could have and it happens to also be sustainable, that's a nice differentiator to have. Similar analogy, I think?

I think it is a similar analogy, but I think you need to drive, when I talk about pervasive security, I mean a comprehensive view. And so what that translates to is, you have IT and OT and then the human element converging. The right security in the right place at the right time allows it not to be A, overwhelming. B, not to be so cumbersome that you can't change swiftly. And C, allows the period of time necessary to affect the change, to be reasonable and most importantly, not stop the flow of business. Because at the end of the day, we all live in business environments and that's another thing we need to work on. Security practitioners do not speak the language of business and we need to help them translate.

There seems to be a general level of anxiety today. And if Dave Vellante was here, my boss, he'd say it's a board level discussion about security and have an expectation, you've probably been hacked already. I mean, there's all the stats, you've been hacked six months before you realize. How are you reacting to that? We hear about major hacks to so many companies on the news all the time. So that just has that level of, oh my gosh, I'm probably already in for it. They're gonna get me. It's not a question of if, it's just when, for how much and how often do I have to deal with that. How do we operate in an environment like this and how do we bring that anxiety level back down for everybody?

So I think there are a lot of statistics out there that would frighten all of us. And so let's remind ourselves of a couple of things. The solution to security is us. It's the human element. And the problem is the human element as well, right? But if you take an integrated defense approach, and we've talked about this a lot and you can see in our 2017 annual cybersecurity report, a number of statistics that suggest that there are challenges, but we can see movement towards utilization of third parties, finding best in breed. I think our report actually had a statistic that indicated that 72% of security professionals actually engage in security up to 20 to 80% in that range with third parties. So bringing family in, articulating swift movement and aligning around a convergence of a small set of factors that we call the architecture and allowing people a flexible approach to achieve that should be a ticket to success. And it should be a ticket to not being frightened but being aware, right? You can use automation. You need to, there's some things are very simple. How many of your incidents are you thoroughly investigating? And then at the end of the day, if you use automation, you investigate thoroughly what's gonna rise to the top just like the cream are the true threats. Deal with them and deal with them thoroughly. Will new ones come down the pike? Absolutely, but if you had an easier path with an old threat, wouldn't you use that if you were an attacker? Absolutely.

Edna, how's the industry doing? You look at the value chain overall, all the partners you're doing with, if I'm gonna have you back a year from now, what would you like to see the industry move forward on? Where are we already doing good? Where do we need to move forward to make it even better?

So I think we still need some good housekeeping ourselves, the things that your mom always told you about, eat right, exercise, they still count.
And those include your incident management, your automation of anything that can detect and stop an attack. But I think what we wanna be is, for the last, if you look at the analysis out there, for the last six years or so, particularly with regard to third parties, we keep bringing them in. So I understand that we're raising the denominator by an empirical statistical large amount. But we're hovering around 80% of the breaches being due to third parties when they're attributable. Six years, 80, 81, 84, 80, that's not movement. Now think digital transformation. What I'd love to see in a year or so is that number reduced substantially so that we're picking the right partners, number one. But we're engaging with them in an architecture that says we're doing this together rather than saying you caused this. Do we have a way of saying this is what we expect of you? By the way, we may not tell you exactly how to do it because some of our partners are the best in class. Let them do it in a manner that best fits their business. And then come together to reduce the statistical anomalies so that we're getting to the point where third parties really are in a causation anymore and good housekeeping is checked off consistently and regularly and checked again.

And Cisco's a big player in the ecosystem, very active in standards bodies, open source foundations. Are there industry initiatives that Cisco's helping take a lead to deliver on some of these things that you were talking about?

I think there are. There are many colleagues in many initiatives at least in my space on the third party side. We're certainly working with governments and public-private partnerships around the world. Some have manifested themselves in new ISO standards, talking about counterfeit and tainted information and communications technology. Some focus on unique industries such as what we see regulatory bodies looking at the grid or energy and working with them. So I think they're out there.
I think that they can be daunting because they're proliferating, which is why I go back to when, where they are participating with so many of our industry colleagues, simplification, and also asking regulators, legislators and standards bodies to actually build on what already exists rather than duplicating, because it simply causes confusion and may not actually move the needle on security.

And if people want to find out more, you've mentioned a couple of reports, sounds like there's some really good data is there. You know, one of those great Cisco microsites or someplace people can go to find more.

So I think there's tremendous data in the Cisco annual cybersecurity report. We actually have a trust and transparency, trust.cisco.com, where we put out a host of information. I'm pleased to say value chain security was in this year's annual cybersecurity report. And we also have information there about value chain security on the trust center, as well as some of the efforts that we're engaging in internationally and hardcore technology efforts that we're leading to bring diligence to our platforms and solutions for our customers.

And I want to give you the final word. Any particular things you're working on that's exciting you, trend from customers or anything you'd like to help us to close this out.

So I think the final word I will give you is in a world where devices haven't gone away, think carefully about those third parties and the suppliers from whom you acquire things because if you're not innovating at the base level, so let's think about a device, electronics. The heartbeat of the electronics is what? The printed circuit board. The heartbeat of the board is the chip.
If we're thinking together innovatively with academia and other talent about chip solutions that can obfuscate, that can implement security, we can help one another across the board and across that intertwined ecosystem because we are at the end of the day going to be one big family of security, hopefully tight users in a digital environment.

Edna Conway, really appreciate you coming into the office today. It's a big space between the people, the operations, and the technology, lots to look at in the security space and something we appreciate being able to dig in with you. Thank you for watching theCUBE.