For a year John Stewart has been CSO at Cisco. He's in charge of a team of 60 information security professionals who play a role in IT architecture, policy, audit and incident response to protect an internal user base of about 48,000 employees worldwide. Stewart recently discussed Cisco's risk-management strategy with Network World Senior Editor Ellen Messmer.

What are some of Cisco's security concerns?

Over the past 18 months, we started seeing attacks against our network timed against the end of our quarters, and we realized someone was trying to knock the electronic-commerce service offline at the Web portal through denial-of-service attacks. It really opened our eyes.

How do you cope with these attacks?

We use Cisco Riverhead, now called Cisco Guard since Cisco acquired Riverhead, to block the attacks. Upstream, we have relations with service providers - all the big ones, AT&T, MCI, Sprint - about bandwidth consumption. We work with them in the case of a denial-of-service attack, and it's effective in filtering it. Security is about managing it when it happens.

How does your team interact with the rest of Cisco?

When there's an internal IT project, say overhauling the human resources system or replacing an entire database infrastructure or putting up connectivity between our company and another for communications, there's an engagement process between the business owners and IT team, plus, often, counsel as an advisor. In security, we look to issue a report that the implementation was within the appropriate risk tolerance.

What non-Cisco security products or services do you use and like?

We use McAfee, Symantec and Trend Micro antivirus. You want to test technologies working with yours. We provide identity and password management, and an audit trail of access. One product there is CA's Netegrity, where we have a complex set of rules with our manufacturing partners. We use the Qualys platform for vulnerability scanning, and also Arbor's Peakflow for viewing statistical abnormalities in and out of the network.

The job of the CSO always seems to involve writing security policies. Do you work with the legal department to do that?

Yes, Cisco has internal and external subject-matter experts with knowledge of different areas of the world, such as the European Union or Asia. When we write a policy, we want a light touch because we want these policies accepted every year. There's no Web monitoring. We have the expectation our employees are doing the right things.