- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
Network World - For a year John Stewart has been CSO at Cisco. He's in charge of a team of 60 information security professionals who play a role in IT architecture, policy, audit and incident response to protect an internal user base of about 48,000 employees worldwide. Stewart recently discussed Cisco's risk-management strategy with Network World Senior Editor Ellen Messmer.
What are some of Cisco's security concerns?
Over the past 18 months, we started seeing attacks against our network timed against the end of our quarters, and we realized someone was trying to knock the electronic-commerce service offline at the Web portal through denial-of-service attacks. It really opened our eyes.
How do you cope with these attacks?
We use Cisco Riverhead, now called Cisco Guard since Cisco acquired Riverhead, to block the attacks. Upstream, we have relations with service providers - all the big ones, AT&T, MCI, Sprint - about bandwidth consumption. We work with them in the case of a denial-of-service attack, and it's effective in filtering it. Security is about managing it when it happens.
How does your team interact with the rest of Cisco?
When there's an internal IT project, say overhauling the human resources system or replacing an entire database infrastructure or putting up connectivity between our company and another for communications, there's an engagement process between the business owners and IT team, plus, often, counsel as an advisor. In security, we look to issue a report that the implementation was within the appropriate risk tolerance.
What non-Cisco security products or services do you use and like?
We use McAfee, Symantec and Trend Micro antivirus. You want to test technologies working with yours. We provide identity and password management, and an audit trail of access. One product there is CA's Netegrity, where we have a complex set of rules with our manufacturing partners. We use the Qualys platform for vulnerability scanning, and also Arbor's Peakflow for viewing statistical abnormalities in and out of the network.
The job of the CSO always seems to involve writing security policies. Do you work with the legal department to do that?
Yes, Cisco has internal and external subject-matter experts with knowledge of different areas of the world, such as the European Union or Asia. When we write a policy, we want a light touch because we want these policies accepted every year. There's no Web monitoring. We have the expectation our employees are doing the right things.
About two years ago, Cisco had its IOS code stolen after a hacker attack. How did that investigation go?
I can't speculate on the disposition of that case, but it's still open and we're working with law enforcement on it.
So what do you think about extrusion detection, monitoring for outbound transmission of sensitive content?
It's interesting and we're experimenting with it. There's one thing we've developed ourselves in our data centers for use by those writing code. Everyone only gets to see an image of what they are involved in for source code development, the idea being somewhat like the old technology, X Windows. Can you still screen-scrape or take a picture? Yes. Can you memorize it? Yes. But it won't allow file transfer. We developed this data detection based on ClearCase View Servers and virtual network computing connections for the desktop.