- Alissa Irei, Senior Writer
As leader of its information security and trust organization, Cisco CISO Steve Martino positions himself at the intersection of the company's IT and business interests. Unlike some cybersecurity executives of the old school -- gatekeepers focused on guarding against outside threats, at any cost -- Martino said he aims to more closely align Cisco's security stance with its corporate strategy. He wants to manage rather than eliminate vulnerabilities, he explained, in proportion to the organization's tolerance for risk and appetite for reward.
In Martino's view, an enterprise's security policies should complement, rather than frustrate, its business objectives -- balancing competing interests and priorities in a way that ultimately best serves the organization. In today's competitive market landscape, he added, companies need to take chances if they want to succeed, while still protecting themselves and their customers.
Information Security spoke with Martino to learn more about his work at Cisco and how he views the evolving role of the CISO.
How would you describe your big-picture mandate as the Cisco CISO?
Steve Martino: We focus on four security domains. In the first, we ask, 'Are the products we're building secure? Were they designed, developed, manufactured and shipped securely?' Cisco also builds and operates 67 SaaS services -- it is a multibillion-dollar set of lines of business. So the second domain is ensuring we're building and operating those in a way that meets our contractual obligations, our customer expectations and our regulatory requirements. The third domain is internal: building and operating all of our IT systems in a secure fashion. And the fourth domain is a foundational one: protecting the data and privacy of all employees and customers in those three previous domains.
How have you seen the cybersecurity professional's role change over your career so far?
Martino: I've been in the tech industry for decades, and in that time, security has shifted from being about securing a system -- a mainframe, a data center or whatnot -- to securing many systems and their interconnectivity. It's really changed from something you could do more or less on your own to a team sport. When you have a great team, you win, and when you don't, the weakest link is going to be your Achilles' heel.
To build the right security strategy today, it's really important to understand the lines of business and their objectives, risk tolerance and regulatory constraints. Then you also have to have good relationships with the development and operations teams and understand their skills, capabilities and technology, because if they're not thinking about security until after they finish designing and building, you're going to fail. You really need that triangle between security, lines of business and development and operations, in a way that puts security front and center from the beginning. Good relationships matter. They let you do things the right way from the start -- and when something goes sideways, they allow you to deal with it quickly and in a trustworthy way.
What's your philosophy when it comes to mitigating security risks, without unduly hampering business objectives?
Martino: First, you can never eliminate risk -- no matter how much you want to, no matter how hard you try and no matter how much money you spend. And that's because humans make mistakes, and those mistakes open the door to dedicated threat actors.
The second thing to keep in mind: If a business wants to thrive in today's competitive environment, it has to take some risks and make some tradeoffs. You can't maintain a perfect security environment while also adding new features, hitting time-to-market objectives and trying different technologies. But you can understand the risks and take them intelligently, which means building approaches and processes to remediate them if they go sideways. It's really about finding that balance between the customers' needs, the regulatory environment and the competitive environment.
What jumps out at you as you look at today's threat landscape?
Martino: It's cool to talk about the zero days, the nation-state actors and the sci-fi threats. But the reality is attackers are still using the simplest approaches they can. Most cybercriminals are businesspeople, and they want the fastest return on investment and the highest net profits possible. That's why I advocate getting back to basics, before getting into any sci-fi-type cyberdefense strategies.
For me, this is the bare minimum: First, building applications and infrastructure in a secure way. Second, patching and managing that infrastructure with the necessary robustness and urgency. If I built it insecurely or am not maintaining it effectively, then I'm creating a lot of holes.
On top of that, I think you need good account management and multifactor authentication and authorization capabilities. As we've exposed more and more of our IT applications and services to the internet, that authentication and authorization to get access to an application or service is a critical linchpin. In my mind, if you built it right, you're managing vulnerabilities effectively and you have good account authorization practices and technologies, [then] you've protected yourself against most potential cyberattacks. At a minimum, you're going to make them work really hard to hurt you.
If you've done that well, you can start to think about what I call the '5%,' which, unfortunately, takes about 40% to 50% of your budget. That means instrumenting your network -- collecting and analyzing data logs -- so when something goes wrong, you can find and contain it. People often focus only on defense measures, but make sure you're also ready to respond proactively when something happens. If you're doing the right things upfront, you'll minimize your negative outcomes. It takes a balanced approach, investing wisely in both ends of that threat spectrum.
It seems you put a lot of emphasis on internal security awareness training. How would you describe your approach as Cisco CISO?
Martino: Sitting people down in front of computers for an hour a year and telling them, 'Security is really important, and bad things can happen,' doesn't really help. Some compliance regimes mandate it, and that's fine. But in terms of effectiveness, I believe in targeted training that is specific to particular job functions. If you're a recruiter, for example, I want to train you as part of the business process on how to conduct web searches and obtain and screen resumes securely.
The one exception to that, and the one thing every employee in the company can do: Don't get phished. That's why I put a lot of energy into our phishing program. Every quarter, we send a phishing email to every employee, which we also post on an internal website called Phish Pond. If employees think they've received a phishing message from me, they can look it up and confirm on Phish Pond. Or if they want to stay ahead of the game, they can proactively check the site and know which emails we're going to send and when we're going to send them. I'm OK with that, because anyone doing that is aware and thinking about it. If someone does click on a phish, they are immediately redirected to a digital training session that says, 'Here's what you could have done differently, and here's how you can improve,' to drive the right behavior.
When we started the program several years ago, we saw a click-through -- or fail -- rate of 30%, which tends to be about the enterprise average. Our click-through rate now is well under 10%, so I think it works, and it's a great way to engage people in something that can be a little fun.
What advice would you offer to other CISOs and security leaders?
Martino: I often see companies looking for 'the' cybersecurity playbook, 'the' cybersecurity architecture -- the 'easy button,' if you will. The reality is every organization has a different corporate culture. A CISO trying to help a company make the right tradeoffs between security needs and business priorities has to really understand the organization and its goals: Are they trying to stay the course, transform their business, grow into new markets? The CISO needs to design an approach that aligns to that organization's corporate culture and risk tolerance, rather than just looking for a one-size-fits-all approach -- because one size doesn't fit all.