from downtown San Francisco. It's theCUBE, covering RSA North America 2018.

Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at San Francisco at RSA Conference 2018 as 40,000 plus professionals talking about security. It's quickly becoming one of the biggest conferences that we have in San Francisco, right up there with Oracle Open World and Salesforce.com is pretty amazing show. And we're excited to get some of the insight with some of the experts that are here for the event all the way from the East Coast from New Hampshire. Edna Conway is joining us. She's a Chief Security Officer, Global Value Chain for Cisco. Edna, great to see you.

Oh, I'm delighted to be here, Jeff. Thank you.

Yeah, absolutely. So we're glad to get you out of the 21 degree weather that you said was cold and sleety when you departed the East.

Cold and sleety, spring in New Hampshire, although it's not much nicer here in San Francisco.

No, it's a little dodgy today. Anyway, let's jump into it. So you're all about value chain. What exactly when you think about value chain, explain to the people, what are you thinking?

Yeah, it's a great question because we define the value chain as the end to end life cycle for any solution. So it could be hardware, it could be software, it could be a service, whether it's a service afforded by a person or a service afforded through the cloud.

Now it's interesting because the number of components in a solution value chain just continue to grow over time as we have the API economy and clouds and all these things are interconnected. So I would imagine that the complexity of managing and then by relation securing that value chain must be getting harder and harder over time as we continue to add all these kind of API components to the solution. Is that what you see in the field?

I think there's a challenge there without a doubt but sometimes that interconnection actually gives you a hook in, right?
And so what we've been thinking about for years now is, is there a way to actually define a simple high level architecture that can be flexible and elastic with some rigidity that allows you to identify what your core goals are and then allows those third party ecosystem members to join you in the effort to achieve those goals in a way that works for their business.

Right, and then how does open source play in that? Because that's also an increasing component of the value chain as that's integrated into more and more either just overtly you're implementing an open source solution or you've got all these people that are kind of open source plus and what they're building and delivering to the market.

Open source is a great challenge without a doubt. I think the way in which to deal with open source is to understand where you're getting it from just like all third party ecosystem members. Who are they? What are they doing for you? And more precisely, how are you gonna utilize them and take a risk-based approach to where you're embedding them, right? Not all things are created equally and so your worry needs to be different depending on the utilization, right?

The risk-based approach is a great comment because security in a way to me is kind of like insurance. You can't be ultimately secure unless you just lock the doors and sit in there by yourself. So it's always kind of this risk trade-off benefit versus trade-off and really a financial decision as to how much do you want to invest in that next unit of security relative to the return. So when you're thinking about it from a risk-modeling basis versus just we're putting up the moat and nobody's coming in, which we know doesn't work anymore, what are some of the factors to think about so that you're achieving the right level of success at the right investment?
I think there are a number of things to think about and the primary one I would say is look at what I believe is the currency of the digital economy which is trust. And in order to build trust, what you need to do is understand the risks that you're taking and those risks need to be measured in the language of business. So all of a sudden it becomes really clear when you know what someone is doing for you and you know how they're doing it and the invasiveness of your inquiry and partnership with them actually needs to be adjusted. And all of a sudden you develop not only a baseline but an opportunity to enhance your trust. Let's take an example. So Cisco's working with Intel, we're gonna deploy Intel's threat detection technology. Our first instantiation of that will be Tetration. Clearly they're a third-party ecosystem member and they have been for some time. Now what we're thinking about is how does Intel go about deploying that capability? And not only that, but how are we gonna utilize it? And our view is if you take CPU telemetry and you combine it with our edge as well as our network telemetry, you have a better solution down the road, better solution for alerts, better solution for quicker decisions for the inevitable. That risk-based approach says we're embedding into and partnering at a core solution level. That's a different area of inquiry than somebody we were talking earlier and I said, you know, if you're a sheet metal provider on the external part of a chassis, great. There's quality due diligence, but security limited, yeah?

So it's interesting because on one hand you're opening up new kind of threat surfaces if you will, the more components that are at a solution from the more providers. On the positive side, now you're leveraging their security expertise within the components that they're bringing into the solution. So it's most things in life, right?
It's really kind of two sides of the same coin opening up more threats, but leveraging another group of resources who have an expertise within that piece of the value chain.

Absolutely. Look, none of us make something from nothing. You know, the reality is we're relying more and more in the digital economy on those third parties. So understanding precisely how they're doing something is important, but we also have to be respectful of one another's intellectual property. And that is a unique wrinkle in a day and age of integration that we haven't seen previously. The other thing I think that's really important is we're seeing a wonderful, I think, explosion of IoT. There's a downside, obviously. The question is have folks deployed their IoT in a way that included the security community. You should have security at the table, but what IoT does is give you edge visibility that you've never had before. So I see it as a positive, but it needs to be informed by things like AI, it needs to be informed by things like machine learning, and there need to be gates within at the end of the day where the information is managed, which is at the network.

Right, because again, it's just another entry point in as well. So it's a good thing, bad news. I want to circle back on the boardroom discussion that we talked about a little bit earlier. Everyone's talking about security as a board conversation, cloud as a board conversation. A lot of these big IT transformational things that are happening are now being elevated to the board because everybody's a digital company and everybody's a digital business. When you want to talk to the board and how should people talk to the board about security vis-a-vis kind of this risk analysis versus just appear we're secure or not secure. And I'm sure every CEO and board is worried for that announcement to come out in the paper that they were breached some time ago. And you almost think it's inevitable at some point in time.
So what does the board discussion look like? How's the board decision changing as security gets elevated beyond kind of the basics?

So let me answer that in the context of value chain security.

Absolutely.

I think we need to get to the point where security speaks the language of business. We need to walk into the board and say we have an architecture. We are deploying measures to achieve the architecture and a certain level of compliance and goal setting across the ecosystem on a risk-based approach. Fabulous words. I'm a board member. What does that mean to me?

Totally. Give me a number.

Well, and the number comes out of tolerance levels. So if you have this architecture and you have goals set, we have 11 domains. We set goals flexibly based on the nature of the third party and what they do for us. Now we have a tolerance level. And guess what you can report? I'm at tolerance. I'm above tolerance. I'm below tolerance. And if you start to model through a variety of techniques, there are a number of standards out there and processes, some folks have written about them, where you can translate that risk of tolerance into dollars if you're in the US or currency of your choice. And the reality is you're walking in and saying at tolerance means this degree of risk. Below tolerance means I've reduced my risk to this. It might afford you an opportunity to say, perhaps you can share some of that benefit with me to take the program to a new level.

Right, right.

Or in a different area. Above tolerance, higher degree of risk. What do we do about it? Now you're speaking the language of business.

So that's pretty old school business, right? I want to talk to you about something that's a little bit newer school, which is blockchain. And you've used the word trust. I don't know how many times in this interview we'll check the transcript. But trust is a really important thing obviously. And some people have said that they view blockchain as trust as a service.
I'm just curious to get your perspective as we hear more and more about blockchain and big companies like IBM and a lot of companies are putting a bunch of resources behind it. Where do you see blockchain fitting? What is Cisco's position around if they have official position yet as blockchain now is introduced into this world of trust?

So I think we're all looking at it, Cisco included. Blockchain is an incredibly useful tool without a doubt. I'm not sure that blockchain is going to solve world hunger or world peace.

Shoot.

However, just as we said, trust has elements of use artificial intelligence to inform your decisions, achieve a higher degree of trust. What you can have is a set of, let's say, hashes, date and time stamps as something passes through the network. Because remember, if the currency is trust, the integrity of the data is the fuel that allows you to earn trust. And digital ledger technology or blockchain is something that I think allows us to develop what I call a passport for the data. So we have a chain of custody. You know, I'm an old homicide prosecutor from many, many years ago. Chain of custody was important in the trial. So too chain of custody of your data and your actions across the full spectrum of a life cycle and a degree of integrity we've never had the ability to do easily before.

Interesting times. All right, Edna. Well, thank you for spending some of your day with us. I'm sure you have a crazy busy RSA planned out for the next couple of days. So thanks again.

My pleasure. Thank you so much for having me.

All right. She's Edna Conway. I'm Jeff Frick. You're watching theCUBE from RSA Conference 2018. Thanks for watching.