In this Q&A, CREATe.org CEO Pamela Passman talks with Cisco’s Edna Conway about the insights she shared at a recent conference focused on promoting U.S. – Japan cooperation on “Supply Chains, Security and Cyber Risks.” The conference was co-sponsored by the Sasakawa Peace Foundation USA and the Center for Responsible Enterprise And Trade (CREATe.org).
Edna Conway serves as Cisco’s Chief Security Officer for its Global Value Chain. In this capacity, she develops and oversees the deployment of Cisco’s strategy to assess, monitor, and continuously improve the security of its global value chain. Cisco’s Value Chain Security Program spans its Engineering, Supply Chain Operations, Worldwide Partner and Technical Services organizations. Conway drives Cisco’s cyber and security protection plan throughout its third party ecosystem.
Question: What are the fundamental value chain security threats you face in the tech sector?
Cisco is focused on three key security threats relating to its value chain: Manipulation (unauthorized control); Espionage (unauthorized visibility); and Disruption (denial of service). These threats manifest in fundamental area of exposures:
- Taint, which is any alteration that allows unauthorized control or content visibility
- Counterfeit raw materials or finished goods
- Misappropriation of intellectual property (IP) and information security breaches
Question: How do you approach value chain security threats?
To secure our global value chain, Cisco takes an architectural approach designed to protect against, detect and mitigate security threats and exposures.
Cisco’s value chain security architecture identifies 11 security domains (shown below) and 184 controls within those domains to strive to ensure integrity and avoid risks that could deeply and negatively impact customers throughout the flow of commerce.
Based on the nature of service or product that the value chain partner provides, the company flexibly applies the right control in the right stage(s) of the value chain. The 11 domains and the related requirements have all been identified using a risk-based approach, and are part and parcel of the company’s agreements and/or engagements with its partners. Cisco encourages partners to embrace the requirements as part of eligibility to be a member of the Cisco value chain. We also monitor to see how well they are doing.
Question: In a world of intelligent devices, how does Cisco work to reduce the risk of counterfeit parts?
In information technology solutions with many “intelligent parts,” there are serious ramifications to system malfunction and security when parts or code modules are counterfeited. Cisco’s approach not only seeks to protect against, but also to detect anomalous processes, behaviors or operations which can afford entrée of counterfeit components or services into the value chain and reduce functionality and integrity.
Question: How do you approach trade secret protection?
Cisco believes a domain approach to security, which goes across people, processes and technology, and has strong executive support, helps address its identified value chain security risks, among them trade secret leakage.
Today’s digital economy renders all members of our global value chains “insiders.” Only by deploying a layered approach with a set of flexible standards (e.g. heightened care with those involved directly in innovation), can the company strive to ensure that all its “insiders” and partner insiders are meeting the company’s high standards.
Identifying what is important, sharing practical control goals which can be customized, and treating value chain members as “partners” are key to reducing the risks of trade secret and IP leakage.
Question: What role can standards play in reducing risks in the digital value chain?
The reality of a digital world is clear: the global economy and critical infrastructure of every nation are deeply intertwined with and dependent upon a cyber environment. This has inevitably led to a new era of cyber vulnerability. The risks of counterfeiting, taint, IP leakage and information security breaches can only be addressed in the context of this cyber environment. An essential part of Cisco’s commitment to security is active participation in public-private partnerships and international standards addressing cyber and value chain security.
Cisco has been active in a number of industry groups to help promulgate a limited set of new standards and best practices in both the value chain security and cyber security areas. With respect to end-to-end value chain integrity, Cisco investigated numerous standards to inform its own processes: for example, National Institutes of Standards and Technology (NIST) Cybersecurity Framework; NIST 800-161; NISTIR 7622 as guidance and the Open Trusted Technology Provider Standard, which was recently adopted as ISO 20243.
Read More about the Sasakawa – CREATe Event: