Edna Conway, a prominent female CSO from Cisco Systems shares her strategies for managing the cloud security architecture where ecosystem partners play a crucial role. Security in our hyper-connected and converged world means addressing physical security, operational security, and infosec along with behavioral and privacy issues.

Edna Conway serves as Cisco’s Chief Security Officer for its Global Value Chain. In this capacity, she develops and oversees the deployment of Cisco’s strategy to assess, monitor, and continuously improve the security and resiliency of its global value chain. Cisco's Value Chain Security Program spans its Supply Chain Operations, Engineering, Worldwide Partner and Services organizations. In addition, Conway drives Cisco’s supply chain cyber and security protection plan through its suppliers and channel partners.

Conway serves or has served on the company’s Cyber-Security Board, Risk and Resiliency Operating Committee, Global Compliance Governance Committee and Eco Board. She also serves as a leader in various international security, supply chain, and sustainability standards, public-private partnerships, and information and communications industry consortia (e.g., ISO, iNEMI, IPC, The Open Group Trusted Technology Forum, The Common Criteria and the Electronics Industry Citizenship Coalition).

Transcript

This transcript has been edited for length and clarity.

Introduction

Michael Krigsman: Cybersecurity and information security are complex and crucial topics. That's why we're speaking with one of the world's experts. She's going to explain the issues to us around security in our hyperconnected world, Edna Conway from Cisco. Edna, welcome to CXOTalk.

Edna Conway: Well, thank you so much for having me, Michael. I think it's an interesting topic. You know, as Cisco's chief security officer for its global value chain, I think it's an opportune time to really have a conversation about the fact that we live in a world of "we." There is no longer a "them" and "us." That's how we live today.

Michael Krigsman: I love that. We live in a world of "we." Edna, what does that imply for security?

Edna Conway: It implies both challenges and opportunities. When you think about the world in which we reside today, and when I say "reside," it really is at an individual level, at a government level, and at an enterprise or business level. We are all utilizing platforms, third-party services, and devices that enable us to work, live, entertain ourselves, feed ourselves, and do a host of other things.

What we may not be doing quite as well is embracing fundamental principles of how we expect those services and devices to behave. We often say when we're raising children, "When you're going to go out on the street, you need to look both ways." How do we teach the children who are digital natives to actually thrive, not survive but thrive in a connected world? that's the challenge that we all have. At a business level, it takes it up a notch to a different set of environments than those we utilize individually.

Framework for the Modern Security CSO

Michael Krigsman: Edna, how do we even begin to approach the complexities of this very important topic that literally affects every single one of us today?

Edna Conway: You know there are many approaches that you could take. Let's talk about one that certainly I and others in the industry have utilized and Cisco has a serious commitment to thinking about things comprehensively: a unified architecture approach; a way to think about pervasive security.

When you think about what I do, and let me elaborate on that a little bit, I'm a little bit different than what you might hear from a chief information security officer who is thinking about securing the information, data flow, and technology that enables the exchange of information inside of an enterprise. What I'm doing is thinking about securing the offers that we have for our customers. All of us have that at any business level.

What do those offers consist of? Well, they might, for some of us as they are at Cisco, be hardware or they might be software. They might be services. They might be cloud offers.

We begin by thinking, if we want to secure our enterprises, we also need to secure what we deliver to our customers. As individuals, we are those customers. Sometimes, as enterprises, we're customers of other enterprises. Start there.

One, who am I serving as a customer? Two, what am I delivering to them? Then you get into the nitty-gritty, the really exciting part, and the challenging part.

Who is part of what I'll call the third-party ecosystem that at any point during the lifecycle of any one of those things that we are offering to our customers? Who are they and what are they providing to us? We could talk a little bit more about that, but I want to make sure that we understand the fundamental premise of who are they and what are they doing for us is where we start.

The Connected, Information Security Ecosystem

Michael Krigsman: You should elaborate on that. When you say, "Who are they and what are they doing for us?" explain and keep it brief because I want to go into that third part about the ecosystem, which is, I think, where the world starts to really change.

Edna Conway: Let's use a consumer example. Imagine you're buying a connected refrigerator. There's a brand name on that connected refrigerator, without a doubt. Right? You think that's who you're dealing with and that may be true. They are part of who they are.

What are they providing to you? They're providing a refrigerator. Well, a refrigerator's purpose is to keep things frozen and to keep things cool. But you might ask, "Well, it's connected. It's connected through my Internet service provider in my home, but where are they keeping the data? How are they connecting? Who is managing that data?"

Better yet, if it's a connected refrigerator that you can integrate with your mobile phone that takes pictures, that lets you see that you don't have eggs anymore in your refrigerator while you're out at the supermarket, the reality is you also want to begin to say, "Who is hosting that data, who is keeping the pictures, and who has control over the access?" That might be a series of folks who are actually not the OEM from whom you purchased the refrigerator.

What is Global Value Chain for Enterprise Security?

Michael Krigsman: Your title is value chain, Chief Security Officer for the Global Value Chain. When you talk about all these different components of where is the data traveling, where it is coming from, where is it going, and where is it residing at every step of the way, is that the value chain? What's the term that you would use for that? Is it ecosystem? What's the term?

Edna Conway: The value chain is the set of third parties who are at any point in any stage of the lifecycle—remember, I live in the information communications technology world, so the lifecycle of ICT—any of those third parties who participate, whether virtually or physically. Let me give you some examples.

Imagine the lifecycle starts with the first idea you have for a new product, a new solution, or a new feature set in your code or a new offering that you're going to put up on the cloud and invite people to become tenants of and utilize. Then you start to think about how you're going to plan around that and how you're going to order what you need to deliver it. Then you start to source what you need in order to deliver it.

Then you actually make it. Make could be, make hardware in a factory. It could be, make in developing the code and bringing in third-party code modules. It could be, make; I'm building a data center and I'm building a cloud offer that's going to give you compute or storage capacity.

Now, I've designed and developed it with a first idea. I've planned and ordered. I've sourced and I've made. Fantastic. You still haven't given anything to your customers.

You then, actually, have to deliver it. How is it delivered? In what modality using what kind of technology? Sometimes, it may be delivered because it's tangible via transportation.

Then, after it's delivered, how is it going to be utilized by your customer? How are you going to service it? How are you going to support it?

At some point, how are you going to end-of-life it, whether it's to shut down access to a tenancy on a cloud or take back tangible equipment that has been used for a period such that it now needs to be replaced with new and more innovative technology? That's the lifecycle.

The value chain is all of the people as well in that third-party ecosystem that are involved. I'll give you an example. Somebody who could be in the lifecycle is a third-party cloud service provider who provides storage capacity for your cloud offer. It could be somebody who provides integrated chips and circuits for what you're building. It could be somebody who is actually providing logistics, warehousing and transportation services for your tangible equipment. It could also be a third-party licensor of their software that you're embedding into your code to provide features and functionality that they deliver in your overall software solution.

Third-Party Ecosystem Partners

Michael Krigsman: The value chain is this complex and very often hidden, with a lack of transparency in many cases, set of actors all along the way. Is it that value chain or could we also, say, more imprecisely, use the term ecosystem that brings the complexity and the real challenge to modern security?

Edna Conway: I think there's complexity in how we design and develop ourselves as well. If you look at some statistics, and we can all mine them, and there are wonderful sources out there, but if you just look, for example, at the data that comes out of the Verizon incident report, the breach report every year, I've evaluated that over the last nine or ten years.

Let's be honest. We can't always attribute a particular incident to a particular actor. But when we can, we're talking about almost a decade. We've hovered between around 72% and close to 80% of the time it comes from a third-party.

We're not necessarily moving the needle. The third-party ecosystem is growing. We're actually connecting to more and more of them, so we're doing better but we're growing the denominator of the fraction.

While I don't want to, in any way, minimize the importance of secure development in your own enterprise practices, thinking about who those third parties are and what you expect of them is absolutely fundamental to ensure you can look at a customer and say, "You know what? I value our customer relationships. Most importantly, I want you to," here's the big word, "trust. Trust me as a provider. Trust my processes and, in order to earn that trust, I am embracing the third-parties in my ecosystem to make sure what I'm delivering to you is safe, secure, and free from a host of threads," that we can talk a little bit more about today.

What is the Value Chain vs. the Supply Chain?

Michael Krigsman: Arsalan Kahn, on Twitter, says that it seems like the notion of the security value chain is similar to supply chain, the concept, only involving data.

Edna Conway: Lots of people use value chain and supply chain in the same ways. From my perspective, the supply chain is actually a subset of the value chain. For many enterprises who actually deliver services or products and make them, there is a fundamental supply chain operations organization.

It is not just about data. Supply chains make things like drugs, like vehicles, like Cisco gear. There is a supply chain that supports the infrastructure for your enterprise.

Please understand that it is a great question and let me clarify. It's about hardware. It's about software. It's about data infrastructure and it's about offers that sit out there on the cloud. It's about all of it. We can't think about it in isolated patches.

Trust and the Cloud Ecosystem: Manipulation, Espionage, and Disruption

Michael Krigsman: Edna, you spoke about trust and we've got all of these partners in this chain of the creation, the movement, the storage of data and going across silos that previously were not traversed. Tell us about this concept of trust.

Edna Conway: Trust is earned by looking at least with regard to information and communications technology; looking at your customer and saying, "I have a plan. I have an architecture that focuses on fundamental threats."

What are those fundamental threats? There are three, in my view, only three. They're enormous. They are worthy threats for our attention, but there are three.

We want to make sure that the information and communications technology we use, whether tangible or virtual, is actually free from any kind of manipulation. No one has altered it in a way other than we authorized or intended it as the providers of that technology.

The second real fundamental threat is espionage. We want to make sure, whether it's a nation-state, an individual, an enterprise, or an industrial actor, that the information that passes, is stored on, or is actually computed on are information and communications technology not observed by those other than the individuals, enterprises, or partners who we intended to see and use it.

Then the third one is actually disruption. We want to make sure that what we're relying on is not going to be disrupted by an equipment failure, by a breach of software, or any other effort. We can talk a little bit in a little while about what that means in a world where information technology and operation technology are converging.

Three threats: manipulation, espionage, and disruption.

Michael Krigsman: Okay. That seems on the surface. How do we penetrate, to use a security term, these domains in order to get under the surface of the implications of what you've just said?

Edna Conway: I think it's reaching out your arms and coming up with a flexible and elastic architecture that you can use that allows you to have a conversation with and validate the practices utilized by the members of that third-party value chain. You can imagine that because they're different and, in fact, in some cases very diverse, what you ask of them and what you might expect of them would be equally very divergent. Not every security requirement can actually apply to every third-party.

I'll give you an example. If I am talking to somebody who is providing me with third-party software, I'm going to talk to them about specific code practices, perhaps penetration testing, static analysis, dynamic analysis. I'm going to do a host of evaluations. I'm going to talk to them about what their vulnerability triggers are and what their patch process is.

If I'm talking to somebody who is making me a printed circuit board on which other components are going to be placed by somebody else in the ecosystem, I'm going to talk to that printed circuit board supplier about what they're doing to secure access to the information about my highly proprietary circuit board plans and designs. In fact, in that world, the highest amount of intellectual property is retained inside something called Gerber files. I'm going to have specific discussions and goals about securing Gerber files and who can see them, use them, and access them.

If I asked somebody who was providing anything else other than a printed circuit board about Gerber files, I'll be honest, Michael, with you. They might actually look at me and say, "I'm not sure what you're referring to," or they might look at us and say, "Well, gee. I heard there's a Gerber food company. Why are you talking about that? It's baby food, isn't it?"

We need to understand our colleagues that are involved. This can be done with one flexible architecture. The way we've chosen to do it is to have 11 fundamental domains in our architecture but then actually write goal-based requirements and those goal-based requirements are customized based on the nature of what that third-party partner provides to us. All of a sudden, we're in sync as we're talking about what's being delivered.

Number two, another important point that I said there are goal-based requirements. Sometimes the best way to achieve security is to let those with whom you are partnering deploy security in the way that best suits their business and their operations rather than saying, "Do it this way." How about, "Achieve this goal. I may be agnostic as to how you achieve the goal, but I want the goal to be achieved and I want to be able to validate that the goal has in fact been achieved"?

Michael Krigsman: Can you give us an example of that because, at a high level, of course, that's the right way to work with partners, in general, and employees as well if you trust them and you think they're capable? Give us an example in the security world.

Edna Conway: A couple of examples; let's think about it in terms of, let's talk about information and access. How are you deploying role-based access control in your organization? Does everybody need to see everything? Absolutely not. We all learned when we were children in school; the best way to keep something a secret is to not tell a lot of people and make sure you understand whether or not the person you're telling it to is "trustworthy."

How do you assess that? You assess what their practices in the past have been, what their behavior patterns are. Do they have a way of writing things down on a piece of paper and putting them in a secure location? These are the kinds of criteria that you look at for role-based access control, which is absolutely essential. Not everyone needs to know everything or see everything; the number one practice in a secure, hyperconnected world.

You might do something really different with somebody who, for example, is running a manufacturing floor. In that case, you might say, "What I really want you to do is have the realities of physical security. Let's talk about what pervasive security means because lots of people think information security operates in a vacuum. It does not.

Security, as we sit here today in a hyperconnected world, is one that is requiring a layered approach. I'll ask a question. Do any of us actually connect to the Internet simply by taking a sip of a beverage or breathing in? No. We still use devices.

When you think about that, that means that what we need to do is think about physical security, operational security—so we'll go back to that manufacturing floor—information security—without a doubt is there at the table, but it is a piece of pervasive security—as well as behavioral security because we all know that the ticket to success, in many cases on security, is educating our humans. The problem with security is that often we have talented humans who seek to either do harm or those who are not well educated and inadvertently and non-maliciously engage in behavior that causes security problems or breaches.

Let's go back to the manufacturing floor for a minute, Michael, because that's very different than what we talked about with what we would do with software. I might say, "I want to know who you let in and out of the factory. Does everybody need to go into every part of the factory? How do you segregate that? how do you deal with the parts that are going to go on, for example, a printed circuit board assembly that is absolutely critical, manipulatable, and contains a high percentage of intellectual property? I'm hoping you deal with those in a very different way. Let's talk about that."

You can, in a nonprescriptive way, say, "I want them separated. I want you to inventory them. I want to know when they're used. I want to know when they're scrapped," because, as we all know, counterfeit is a risk of those threats. Counterfeit frequently comes from the mining of scrap. Those are examples of what you would ask of that manufacturer might include different things than what you would ask of that software supplier.

Managing Small (SMB) Cloud and Ecosystem Partners

Michael Krigsman: All of these components need to be in place, but I would imagine that that is dependent upon the partners' resources. In fact, Arsalan Kahn again comments on Twitter. He says, "What about when you're dealing with smaller companies that don't have the resources?" How do we manage that? We live in an imperfect world.

Edna Conway: It is an imperfect world, and there are lots of ways to do it. They are equally imperfect but we are striving to do it. Some are international standards. Some are setting baseline requirements.

I'm sitting here today in Massachusetts at a facility that Cisco has here, having brought together members of something called the Charter of trust, which is something that we are a part of. It is a private-private partnership, no public in it. We are looking together at what we call ten fundamental principles of trust. We have been deeply working on what we call Principle II's focus, which is securing the digital supply chain.

When you think about the fact that, in that whole ecosystem, you might have small and medium businesses, that architecture can be flexibly deployed. Here's a glaring example. Imagine that some facilities that are large enterprises might have things like biometric controls and integrated role-based access. A smaller facility might actually have a human guard with a clipboard with a set of pictures of the four people who are able to go into a particular area and do work there.

One might sound more sophisticated than the other. But if implemented correctly, the more traditional way and the cheaper way, which might work for a small and medium business because it doesn't have to scale beyond the four individuals who can walk into that room and do specific work, is perfectly acceptable.

I think what we need to do is look at private-private partnerships and public-private partnerships. You know here in the U.S. the DHS has been looking at a lot of effort to think about securing and minimizing risk around our information and communications technology value chains. When we look at that together, what we always keep in mind is the full spectrum of the size of an enterprise and the volume of complexity in individual resources that all of us have to bring to bear.

Streamlining it to, what are the five or six things that you can do that are the most risk improving is really a useful and helpful way to think about it. Start small. Start fundamental. Build from there.

What is Data Convergence in Security?

Michael Krigsman: Again, a lot of this has to do with the fact that data is traversing silos that previously it did not. Can you explain why that dimension adds complexity to all of this and what are the kind of silos, data silos that are being broken today?

Edna Conway: When I say convergence, we have been seeing, for years, critical infrastructure and hardcore industrial controls operated in an environment that was often separate and isolated from information technology environments. But when we bring those two together, things like IoT devices, let's think about sensors, perhaps, that are now connected to the operation of a piece of functional industrial equipment and, in fact, linked to an ICS SCADA system. We've got supervisory controls that work in industrial environments with an information technology connected to the Internet overlay. Fabulous efficiencies. People can know when machines need to be repaired. They can know when they are not performing up to par. You can do that real-time, perhaps, as you're walking a factory floor on a mobile device.

Here's the risk that we now need to think about. We are traversing, to use your word, to silos that will often, in fact, not only separate but frequently the reference was air-gapped. They were not even physically connected. Now, a breach through the IT can actually serve as an attack surface to get into the functional operational equipment.

What we need to think about is actually a new day and age of partnership around pervasive security. We need lots of experts at the table to think about this together because frequently IT people don't speak operational technology and vice versa, but we can come together and develop a new lexicon and new practices and understand one another better.

I'll give you a glaring example of that if you remember years and years ago when we first came up with quality control. Quality management systems today, when you speak of them, everybody goes, "Yes, of course." Well, I remember a day and age when people put out banners that proudly displayed that they were a 9001 certified facility and company. Today, that's part of doing business.

We are at the precipice of utilizing the vast array of hyper-connectivity to change the way we actually experience life, work, enterprise, and operations, but we need to speak with one another in a new model. There are still new, burgeoning standards that are growing and both the private and public sector needs to be at the table at all sizes: small, medium, and large.

Do Open Office Floor Plans Increase Security Risks?

Michael Krigsman: We have a couple of questions, some really good questions, from Twitter. Zachary Jeans asks a question from a different perspective, from a business perspective. He says, "How has the movement to open office floor plans and the breaking down of business silos negatively impacted organizational security?"

Edna Conway: That's a fantastic question.

Michael Krigsman: Isn't it? It's a great question. We're talking about data silos and he's talking about business silos and cultural silos. What's the impact on security of that?

Edna Conway: If you think about the way humans behave in productivity, we all have different styles. There has been this move to and there's been much written about it, I might add, the open floorplan, which is designed to really allow simultaneous collaborative creativity.

The downside of it, when you think about it, is you also need some time and space to think. We all have laptops, I suspect, or some kind of device. What happened with that was, you now see the privacy screens that go on our screens, right? We're all sitting there because we know that within probably about a four-inch perimeter from our eye lens, there is probably someone else who has the capacity to view that same screen.

Michael Krigsman: Yes but, hey, spies are everywhere. [Laughter]

Edna Conway: Well, the other thing is, it may just be you don't really want somebody to see what you're writing or it might be, I'm working on something that is a merger and acquisition potential and the last thing we want is that information to get out into somebody's hands because somebody is going to engage in insider training as a result of it. How do you deal with that?

I think it requires something that all of our parents raised us with, sometimes a little degree of common sense. Depending on what you're working on, we all have open enterprises with what are called audio privacy rooms or certain work that you can only do in certain places. But the question is one that I do think is very important and it's also why role-based access control in an IT system is fundamental because you can only get into that which you need to know in order to perform your function.

I'm the chief security officer for the value chain. I do not need to get into the HR tools. I do not need to see people's salaries. I do not need to see their healthcare information. "Are you enabling collaboration in a physical way in an open business environment and, simultaneously, leveraging technology or other practices to close down some of the security risks that might arise because of the new models?" is what we ought to be thinking about, so thank you so much for asking that question.

Security Architecture vs. Enterprise Architecture

Michael Krigsman: Edna, thank you for your insightful answers. We have another question. Again, this is from Arsalan Kahn. Arsalan Kahn is on a roll today with another great question he has, which is, "You're talking about security architecture. Where does security architecture fit or not fit with enterprise architecture?"

Edna Conway: The reality is, enterprise architecture is a little bit different. I think security is a fundamental part of the enterprise.

When you're thinking about enterprise architecture, you're thinking about your business holistically. What am I doing from a risk and brand perspective, from a people management perspective, from an actual enticing the right kinds of people and getting them to stay? That's an enterprise type of question. There are more, plenty more.

What I think we want to do is, we want to start to have security at the table with business. I've been on a journey for the last probably 15 years to get security compliance, sustainability, and risk to actually speak the language of business so that, rather than being the outside experts who say, "Do this, that, and the other," let's have a set of goals that we want to achieve together that actually feed the business.

What I've seen over the last, for sure, five to eight years is that security can become a business differentiator and it can be absorbed into your enterprise architecture. It can also be embraced as part of your enterprise risk management. It is one of many risks.

When you become part of the enterprise family, you are at the table. You are thought of consistently in every aspect. I think they are different. It is a great question because it recognizes that security is not the end-all and be-all. It is a way to bring safety and security to our new operation or operating models as individuals and to make decisions. But, ultimately, an enterprise has its own architecture.

Boards of Directors and Information Security

Michael Krigsman: Continuing then on this theme of security and the business, this is CXOTalk, so let's talk about the boards of directors and the relationship of the board to security. How does that work? How should it work?

Edna Conway: Michael, you and I have chatted about this briefly. I think we're seeing a move in boards slowly to embrace diversity, but I'd like to challenge all of the enterprises out there to think about, what is the diversity of thought that you need at that governance table? What does it look like in 2019, and what does it need to get us to where we're going to be in 2030 and beyond?

I've seen a trend that is slowly changing where, look, you need people who have had P&Ls. You need people who have been CEOs, people who have been CFOs. These are fundamental, core functions within an enterprise that need to be at the governance table to guide, to ask the right questions.

Remember, when you're at a board, you're not the operator. You are governing and guiding. What I think we need more of is, we need to see security and risk practitioners at the table, at the board level, to bring that kind of perspective to the enterprise management so that we are thinking about branching off into a new division, a new product portfolio, a new service.

Fantastic. What does that look like? What is the total available market? How are we going to approach it? Is there a geographic way in which we're going to approach it?

Here's a novel thought. If you have a risk person sitting at the table, they're going to sit there and say, "Well, where do we want to start? Do you want to start where the largest TAM is or do you want to start where the lowest risk is? If it's high IP containing, do you want to put it into a market where there's high respect for IP or a place where there's low respect for IP, which brings a whole other degree of risk?

If you're going to go everywhere, what is the blanket of security that you're going to deploy because you're the first to the market, you know there are going to be fast followers, and you don't want to be eaten alive? That's a board-level conversation. If you don't have the right people sitting at the table thinking about that, fundamentally, then you're missing the opportunity to gain the richness of diversity of thought and you are also missing the opportunity to give guidance in a far more broad and meaningful way.

Business Advice for Enterprise Security Professionals

Michael Krigsman: What advice do you have to security professionals to gain the expertise, the business expertise, so that the board will call upon them to participate in these governance conversations that you've just described?

Edna Conway: I think we, in security, need to embrace other areas of expertise as we think about our security community. I can think of folks who are renowned in the security area who may not necessarily have started out as technical and may still not be the most technical folks. When you bring great communicators, great legal minds, or great folks who can think about operational practicality, then you have a security community that automatically learns how to speak the business language because they have business partners as part of their immediate family. It's not like we're teaching them something that already isn't innate.

Right now, we have all seen the statistics with regard to the absence of available talent in the security arena. Perhaps what we ought to consider doing is embracing those who have the capacity to learn, bring their own unique expertise, and begin to—I'm going to use a harsh word here—invade security into the mindset and operations of everyone, then we will see people like myself.

My undergraduate degree is in Medieval and Renaissance Literature. It doesn't really have the ring of security to you, does it?

Michael Krigsman: No, that's definitely not a career path I would have predicted. [Laughter]

Edna Conway: [Laughter] We have this opportunity to not only bring other disciplines into security, but we also have to start as security professionals to understand what matters in business. At the end of the day, we all have stakeholders. We all have shareholders, public/private NGOs, and governments have, in essence, shareholders. They're called the citizenry of the nation that brings to the coffers of the government, through their tax dollars, the ability to serve those citizens.

What we need to do is understand what that language is. It's fairly easy if you do a rotation. Send somebody who has only done information security to go do a six-month project in a factory or to work with a finance person more closely in the course of developing something new in their infosec arena. What you will see, whether in a collaborative, open workspace or in a private room is an evitable growth in synergy and a sharing of language and the ability to speak with and for one another. Then you walk into that board ready, capable, and speaking the right language.

Security Advice for the Enterprise

Michael Krigsman: Can you put your finger on one or two things that are the common issues you see all the time strategically that companies should just doublecheck?

Edna Conway: Know with whom you're working. Understand what they're doing for you. Make sure you know who has access to what and determine whether they need to have it. Embrace your workforce both directly as well as your value chain partners to ensure that they understand what your mission is, which is to deliver to customers the highest integrity, the highest quality, secure and safe services and solutions, and bring their expertise to the table and work on it together.

Michael Krigsman: Edna Conway, thank you very, very much for taking your time today to be with us on CXOTalk.

Edna Conway: My privilege.

Michael Krigsman: We've been speaking with Edna Conway. She is the chief security officer for the Global Value Chain at Cisco. Before you go, please subscribe on YouTube, hit the little subscribe button at the top of our website and sign up for our newsletter, and tell a friend.

Thanks so much, everybody. I hope you have a great day. We will be back next week with another awesome episode of CXOTalk. Take care, everybody. Have a good one. Bye-bye.

This transcript has been edited for length and clarity.

Introduction

Michael Krigsman: Cybersecurity and information security are complex and crucial topics. That's why we're speaking with one of the world's experts. She's going to explain the issues to us around security in our hyperconnected world, Edna Conway from Cisco. Edna, welcome to CXOTalk.

Edna Conway: Well, thank you so much for having me, Michael. I think it's an interesting topic. You know, as Cisco's chief security officer for its global value chain, I think it's an opportune time to really have a conversation about the fact that we live in a world of "we." There is no longer a "them" and "us." That's how we live today.

Michael Krigsman: I love that. We live in a world of "we." Edna, what does that imply for security?

Edna Conway: It implies both challenges and opportunities. When you think about the world in which we reside today, and when I say "reside," it really is at an individual level, at a government level, and at an enterprise or business level. We are all utilizing platforms, third-party services, and devices that enable us to work, live, entertain ourselves, feed ourselves, and do a host of other things.

What we may not be doing quite as well is embracing fundamental principles of how we expect those services and devices to behave. We often say when we're raising children, "When you're going to go out on the street, you need to look both ways." How do we teach the children who are digital natives to actually thrive, not survive but thrive in a connected world? that's the challenge that we all have. At a business level, it takes it up a notch to a different set of environments than those we utilize individually.

Framework for the Modern Security CSO

Michael Krigsman: Edna, how do we even begin to approach the complexities of this very important topic that literally affects every single one of us today?

Edna Conway: You know there are many approaches that you could take. Let's talk about one that certainly I and others in the industry have utilized and Cisco has a serious commitment to thinking about things comprehensively: a unified architecture approach; a way to think about pervasive security.

When you think about what I do, and let me elaborate on that a little bit, I'm a little bit different than what you might hear from a chief information security officer who is thinking about securing the information, data flow, and technology that enables the exchange of information inside of an enterprise. What I'm doing is thinking about securing the offers that we have for our customers. All of us have that at any business level.

What do those offers consist of? Well, they might, for some of us as they are at Cisco, be hardware or they might be software. They might be services. They might be cloud offers.

We begin by thinking, if we want to secure our enterprises, we also need to secure what we deliver to our customers. As individuals, we are those customers. Sometimes, as enterprises, we're customers of other enterprises. Start there.

One, who am I serving as a customer? Two, what am I delivering to them? Then you get into the nitty-gritty, the really exciting part, and the challenging part.

Who is part of what I'll call the third-party ecosystem that at any point during the lifecycle of any one of those things that we are offering to our customers? Who are they and what are they providing to us? We could talk a little bit more about that, but I want to make sure that we understand the fundamental premise of who are they and what are they doing for us is where we start.

The Connected, Information Security Ecosystem

Michael Krigsman: You should elaborate on that. When you say, "Who are they and what are they doing for us?" explain and keep it brief because I want to go into that third part about the ecosystem, which is, I think, where the world starts to really change.

Edna Conway: Let's use a consumer example. Imagine you're buying a connected refrigerator. There's a brand name on that connected refrigerator, without a doubt. Right? You think that's who you're dealing with and that may be true. They are part of who they are.

What are they providing to you? They're providing a refrigerator. Well, a refrigerator's purpose is to keep things frozen and to keep things cool. But you might ask, "Well, it's connected. It's connected through my Internet service provider in my home, but where are they keeping the data? How are they connecting? Who is managing that data?"

Better yet, if it's a connected refrigerator that you can integrate with your mobile phone that takes pictures, that lets you see that you don't have eggs anymore in your refrigerator while you're out at the supermarket, the reality is you also want to begin to say, "Who is hosting that data, who is keeping the pictures, and who has control over the access?" That might be a series of folks who are actually not the OEM from whom you purchased the refrigerator.

What is Global Value Chain for Enterprise Security?

Michael Krigsman: Your title is value chain, Chief Security Officer for the Global Value Chain. When you talk about all these different components of where is the data traveling, where it is coming from, where is it going, and where is it residing at every step of the way, is that the value chain? What's the term that you would use for that? Is it ecosystem? What's the term?

Edna Conway: The value chain is the set of third parties who are at any point in any stage of the lifecycle—remember, I live in the information communications technology world, so the lifecycle of ICT—any of those third parties who participate, whether virtually or physically. Let me give you some examples.

Imagine the lifecycle starts with the first idea you have for a new product, a new solution, or a new feature set in your code or a new offering that you're going to put up on the cloud and invite people to become tenants of and utilize. Then you start to think about how you're going to plan around that and how you're going to order what you need to deliver it. Then you start to source what you need in order to deliver it.

Then you actually make it. Make could be, make hardware in a factory. It could be, make in developing the code and bringing in third-party code modules. It could be, make; I'm building a data center and I'm building a cloud offer that's going to give you compute or storage capacity.

Now, I've designed and developed it with a first idea. I've planned and ordered. I've sourced and I've made. Fantastic. You still haven't given anything to your customers.

You then, actually, have to deliver it. How is it delivered? In what modality using what kind of technology? Sometimes, it may be delivered because it's tangible via transportation.

Then, after it's delivered, how is it going to be utilized by your customer? How are you going to service it? How are you going to support it?

At some point, how are you going to end-of-life it, whether it's to shut down access to a tenancy on a cloud or take back tangible equipment that has been used for a period such that it now needs to be replaced with new and more innovative technology? That's the lifecycle.

The value chain is all of the people as well in that third-party ecosystem that are involved. I'll give you an example. Somebody who could be in the lifecycle is a third-party cloud service provider who provides storage capacity for your cloud offer. It could be somebody who provides integrated chips and circuits for what you're building. It could be somebody who is actually providing logistics, warehousing and transportation services for your tangible equipment. It could also be a third-party licensor of their software that you're embedding into your code to provide features and functionality that they deliver in your overall software solution.

Third-Party Ecosystem Partners

Michael Krigsman: The value chain is this complex and very often hidden, with a lack of transparency in many cases, set of actors all along the way. Is it that value chain or could we also, say, more imprecisely, use the term ecosystem that brings the complexity and the real challenge to modern security?

Edna Conway: I think there's complexity in how we design and develop ourselves as well. If you look at some statistics, and we can all mine them, and there are wonderful sources out there, but if you just look, for example, at the data that comes out of the Verizon incident report, the breach report every year, I've evaluated that over the last nine or ten years.

Let's be honest. We can't always attribute a particular incident to a particular actor. But when we can, we're talking about almost a decade. We've hovered between around 72% and close to 80% of the time it comes from a third-party.

We're not necessarily moving the needle. The third-party ecosystem is growing. We're actually connecting to more and more of them, so we're doing better but we're growing the denominator of the fraction.

While I don't want to, in any way, minimize the importance of secure development in your own enterprise practices, thinking about who those third parties are and what you expect of them is absolutely fundamental to ensure you can look at a customer and say, "You know what? I value our customer relationships. Most importantly, I want you to," here's the big word, "trust. Trust me as a provider. Trust my processes and, in order to earn that trust, I am embracing the third-parties in my ecosystem to make sure what I'm delivering to you is safe, secure, and free from a host of threads," that we can talk a little bit more about today.

What is the Value Chain vs. the Supply Chain?

Michael Krigsman: Arsalan Kahn, on Twitter, says that it seems like the notion of the security value chain is similar to supply chain, the concept, only involving data.

Edna Conway: Lots of people use value chain and supply chain in the same ways. From my perspective, the supply chain is actually a subset of the value chain. For many enterprises who actually deliver services or products and make them, there is a fundamental supply chain operations organization.

It is not just about data. Supply chains make things like drugs, like vehicles, like Cisco gear. There is a supply chain that supports the infrastructure for your enterprise.

Please understand that it is a great question and let me clarify. It's about hardware. It's about software. It's about data infrastructure and it's about offers that sit out there on the cloud. It's about all of it. We can't think about it in isolated patches.

Trust and the Cloud Ecosystem: Manipulation, Espionage, and Disruption

Michael Krigsman: Edna, you spoke about trust and we've got all of these partners in this chain of the creation, the movement, the storage of data and going across silos that previously were not traversed. Tell us about this concept of trust.

Edna Conway: Trust is earned by looking at least with regard to information and communications technology; looking at your customer and saying, "I have a plan. I have an architecture that focuses on fundamental threats."

What are those fundamental threats? There are three, in my view, only three. They're enormous. They are worthy threats for our attention, but there are three.

We want to make sure that the information and communications technology we use, whether tangible or virtual, is actually free from any kind of manipulation. No one has altered it in a way other than we authorized or intended it as the providers of that technology.

The second real fundamental threat is espionage. We want to make sure, whether it's a nation-state, an individual, an enterprise, or an industrial actor, that the information that passes, is stored on, or is actually computed on are information and communications technology not observed by those other than the individuals, enterprises, or partners who we intended to see and use it.

Then the third one is actually disruption. We want to make sure that what we're relying on is not going to be disrupted by an equipment failure, by a breach of software, or any other effort. We can talk a little bit in a little while about what that means in a world where information technology and operation technology are converging.

Three threats: manipulation, espionage, and disruption.

Michael Krigsman: Okay. That seems on the surface. How do we penetrate, to use a security term, these domains in order to get under the surface of the implications of what you've just said?

Edna Conway: I think it's reaching out your arms and coming up with a flexible and elastic architecture that you can use that allows you to have a conversation with and validate the practices utilized by the members of that third-party value chain. You can imagine that because they're different and, in fact, in some cases very diverse, what you ask of them and what you might expect of them would be equally very divergent. Not every security requirement can actually apply to every third-party.

I'll give you an example. If I am talking to somebody who is providing me with third-party software, I'm going to talk to them about specific code practices, perhaps penetration testing, static analysis, dynamic analysis. I'm going to do a host of evaluations. I'm going to talk to them about what their vulnerability triggers are and what their patch process is.

If I'm talking to somebody who is making me a printed circuit board on which other components are going to be placed by somebody else in the ecosystem, I'm going to talk to that printed circuit board supplier about what they're doing to secure access to the information about my highly proprietary circuit board plans and designs. In fact, in that world, the highest amount of intellectual property is retained inside something called Gerber files. I'm going to have specific discussions and goals about securing Gerber files and who can see them, use them, and access them.

If I asked somebody who was providing anything else other than a printed circuit board about Gerber files, I'll be honest, Michael, with you. They might actually look at me and say, "I'm not sure what you're referring to," or they might look at us and say, "Well, gee. I heard there's a Gerber food company. Why are you talking about that? It's baby food, isn't it?"

We need to understand our colleagues that are involved. This can be done with one flexible architecture. The way we've chosen to do it is to have 11 fundamental domains in our architecture but then actually write goal-based requirements and those goal-based requirements are customized based on the nature of what that third-party partner provides to us. All of a sudden, we're in sync as we're talking about what's being delivered.

Number two, another important point that I said there are goal-based requirements. Sometimes the best way to achieve security is to let those with whom you are partnering deploy security in the way that best suits their business and their operations rather than saying, "Do it this way." How about, "Achieve this goal. I may be agnostic as to how you achieve the goal, but I want the goal to be achieved and I want to be able to validate that the goal has in fact been achieved"?

Michael Krigsman: Can you give us an example of that because, at a high level, of course, that's the right way to work with partners, in general, and employees as well if you trust them and you think they're capable? Give us an example in the security world.

Edna Conway: A couple of examples; let's think about it in terms of, let's talk about information and access. How are you deploying role-based access control in your organization? Does everybody need to see everything? Absolutely not. We all learned when we were children in school; the best way to keep something a secret is to not tell a lot of people and make sure you understand whether or not the person you're telling it to is "trustworthy."

How do you assess that? You assess what their practices in the past have been, what their behavior patterns are. Do they have a way of writing things down on a piece of paper and putting them in a secure location? These are the kinds of criteria that you look at for role-based access control, which is absolutely essential. Not everyone needs to know everything or see everything; the number one practice in a secure, hyperconnected world.

You might do something really different with somebody who, for example, is running a manufacturing floor. In that case, you might say, "What I really want you to do is have the realities of physical security. Let's talk about what pervasive security means because lots of people think information security operates in a vacuum. It does not.

Security, as we sit here today in a hyperconnected world, is one that is requiring a layered approach. I'll ask a question. Do any of us actually connect to the Internet simply by taking a sip of a beverage or breathing in? No. We still use devices.

When you think about that, that means that what we need to do is think about physical security, operational security—so we'll go back to that manufacturing floor—information security—without a doubt is there at the table, but it is a piece of pervasive security—as well as behavioral security because we all know that the ticket to success, in many cases on security, is educating our humans. The problem with security is that often we have talented humans who seek to either do harm or those who are not well educated and inadvertently and non-maliciously engage in behavior that causes security problems or breaches.

Let's go back to the manufacturing floor for a minute, Michael, because that's very different than what we talked about with what we would do with software. I might say, "I want to know who you let in and out of the factory. Does everybody need to go into every part of the factory? How do you segregate that? how do you deal with the parts that are going to go on, for example, a printed circuit board assembly that is absolutely critical, manipulatable, and contains a high percentage of intellectual property? I'm hoping you deal with those in a very different way. Let's talk about that."

You can, in a nonprescriptive way, say, "I want them separated. I want you to inventory them. I want to know when they're used. I want to know when they're scrapped," because, as we all know, counterfeit is a risk of those threats. Counterfeit frequently comes from the mining of scrap. Those are examples of what you would ask of that manufacturer might include different things than what you would ask of that software supplier.

Managing Small (SMB) Cloud and Ecosystem Partners

Michael Krigsman: All of these components need to be in place, but I would imagine that that is dependent upon the partners' resources. In fact, Arsalan Kahn again comments on Twitter. He says, "What about when you're dealing with smaller companies that don't have the resources?" How do we manage that? We live in an imperfect world.

Edna Conway: It is an imperfect world, and there are lots of ways to do it. They are equally imperfect but we are striving to do it. Some are international standards. Some are setting baseline requirements.

I'm sitting here today in Massachusetts at a facility that Cisco has here, having brought together members of something called the Charter of trust, which is something that we are a part of. It is a private-private partnership, no public in it. We are looking together at what we call ten fundamental principles of trust. We have been deeply working on what we call Principle II's focus, which is securing the digital supply chain.

When you think about the fact that, in that whole ecosystem, you might have small and medium businesses, that architecture can be flexibly deployed. Here's a glaring example. Imagine that some facilities that are large enterprises might have things like biometric controls and integrated role-based access. A smaller facility might actually have a human guard with a clipboard with a set of pictures of the four people who are able to go into a particular area and do work there.

One might sound more sophisticated than the other. But if implemented correctly, the more traditional way and the cheaper way, which might work for a small and medium business because it doesn't have to scale beyond the four individuals who can walk into that room and do specific work, is perfectly acceptable.

I think what we need to do is look at private-private partnerships and public-private partnerships. You know here in the U.S. the DHS has been looking at a lot of effort to think about securing and minimizing risk around our information and communications technology value chains. When we look at that together, what we always keep in mind is the full spectrum of the size of an enterprise and the volume of complexity in individual resources that all of us have to bring to bear.

Streamlining it to, what are the five or six things that you can do that are the most risk improving is really a useful and helpful way to think about it. Start small. Start fundamental. Build from there.

What is Data Convergence in Security?

Michael Krigsman: Again, a lot of this has to do with the fact that data is traversing silos that previously it did not. Can you explain why that dimension adds complexity to all of this and what are the kind of silos, data silos that are being broken today?

Edna Conway: When I say convergence, we have been seeing, for years, critical infrastructure and hardcore industrial controls operated in an environment that was often separate and isolated from information technology environments. But when we bring those two together, things like IoT devices, let's think about sensors, perhaps, that are now connected to the operation of a piece of functional industrial equipment and, in fact, linked to an ICS SCADA system. We've got supervisory controls that work in industrial environments with an information technology connected to the Internet overlay. Fabulous efficiencies. People can know when machines need to be repaired. They can know when they are not performing up to par. You can do that real-time, perhaps, as you're walking a factory floor on a mobile device.

Here's the risk that we now need to think about. We are traversing, to use your word, to silos that will often, in fact, not only separate but frequently the reference was air-gapped. They were not even physically connected. Now, a breach through the IT can actually serve as an attack surface to get into the functional operational equipment.

What we need to think about is actually a new day and age of partnership around pervasive security. We need lots of experts at the table to think about this together because frequently IT people don't speak operational technology and vice versa, but we can come together and develop a new lexicon and new practices and understand one another better.

I'll give you a glaring example of that if you remember years and years ago when we first came up with quality control. Quality management systems today, when you speak of them, everybody goes, "Yes, of course." Well, I remember a day and age when people put out banners that proudly displayed that they were a 9001 certified facility and company. Today, that's part of doing business.

We are at the precipice of utilizing the vast array of hyper-connectivity to change the way we actually experience life, work, enterprise, and operations, but we need to speak with one another in a new model. There are still new, burgeoning standards that are growing and both the private and public sector needs to be at the table at all sizes: small, medium, and large.

Do Open Office Floor Plans Increase Security Risks?

Michael Krigsman: We have a couple of questions, some really good questions, from Twitter. Zachary Jeans asks a question from a different perspective, from a business perspective. He says, "How has the movement to open office floor plans and the breaking down of business silos negatively impacted organizational security?"

Edna Conway: That's a fantastic question.

Michael Krigsman: Isn't it? It's a great question. We're talking about data silos and he's talking about business silos and cultural silos. What's the impact on security of that?

Edna Conway: If you think about the way humans behave in productivity, we all have different styles. There has been this move to and there's been much written about it, I might add, the open floorplan, which is designed to really allow simultaneous collaborative creativity.

The downside of it, when you think about it, is you also need some time and space to think. We all have laptops, I suspect, or some kind of device. What happened with that was, you now see the privacy screens that go on our screens, right? We're all sitting there because we know that within probably about a four-inch perimeter from our eye lens, there is probably someone else who has the capacity to view that same screen.

Michael Krigsman: Yes but, hey, spies are everywhere. [Laughter]

Edna Conway: Well, the other thing is, it may just be you don't really want somebody to see what you're writing or it might be, I'm working on something that is a merger and acquisition potential and the last thing we want is that information to get out into somebody's hands because somebody is going to engage in insider training as a result of it. How do you deal with that?

I think it requires something that all of our parents raised us with, sometimes a little degree of common sense. Depending on what you're working on, we all have open enterprises with what are called audio privacy rooms or certain work that you can only do in certain places. But the question is one that I do think is very important and it's also why role-based access control in an IT system is fundamental because you can only get into that which you need to know in order to perform your function.

I'm the chief security officer for the value chain. I do not need to get into the HR tools. I do not need to see people's salaries. I do not need to see their healthcare information. "Are you enabling collaboration in a physical way in an open business environment and, simultaneously, leveraging technology or other practices to close down some of the security risks that might arise because of the new models?" is what we ought to be thinking about, so thank you so much for asking that question.

Security Architecture vs. Enterprise Architecture

Michael Krigsman: Edna, thank you for your insightful answers. We have another question. Again, this is from Arsalan Kahn. Arsalan Kahn is on a roll today with another great question he has, which is, "You're talking about security architecture. Where does security architecture fit or not fit with enterprise architecture?"

Edna Conway: The reality is, enterprise architecture is a little bit different. I think security is a fundamental part of the enterprise.

When you're thinking about enterprise architecture, you're thinking about your business holistically. What am I doing from a risk and brand perspective, from a people management perspective, from an actual enticing the right kinds of people and getting them to stay? That's an enterprise type of question. There are more, plenty more.

What I think we want to do is, we want to start to have security at the table with business. I've been on a journey for the last probably 15 years to get security compliance, sustainability, and risk to actually speak the language of business so that, rather than being the outside experts who say, "Do this, that, and the other," let's have a set of goals that we want to achieve together that actually feed the business.

What I've seen over the last, for sure, five to eight years is that security can become a business differentiator and it can be absorbed into your enterprise architecture. It can also be embraced as part of your enterprise risk management. It is one of many risks.

When you become part of the enterprise family, you are at the table. You are thought of consistently in every aspect. I think they are different. It is a great question because it recognizes that security is not the end-all and be-all. It is a way to bring safety and security to our new operation or operating models as individuals and to make decisions. But, ultimately, an enterprise has its own architecture.

Boards of Directors and Information Security

Michael Krigsman: Continuing then on this theme of security and the business, this is CXOTalk, so let's talk about the boards of directors and the relationship of the board to security. How does that work? How should it work?

Edna Conway: Michael, you and I have chatted about this briefly. I think we're seeing a move in boards slowly to embrace diversity, but I'd like to challenge all of the enterprises out there to think about, what is the diversity of thought that you need at that governance table? What does it look like in 2019, and what does it need to get us to where we're going to be in 2030 and beyond?

I've seen a trend that is slowly changing where, look, you need people who have had P&Ls. You need people who have been CEOs, people who have been CFOs. These are fundamental, core functions within an enterprise that need to be at the governance table to guide, to ask the right questions.

Remember, when you're at a board, you're not the operator. You are governing and guiding. What I think we need more of is, we need to see security and risk practitioners at the table, at the board level, to bring that kind of perspective to the enterprise management so that we are thinking about branching off into a new division, a new product portfolio, a new service.

Fantastic. What does that look like? What is the total available market? How are we going to approach it? Is there a geographic way in which we're going to approach it?

Here's a novel thought. If you have a risk person sitting at the table, they're going to sit there and say, "Well, where do we want to start? Do you want to start where the largest TAM is or do you want to start where the lowest risk is? If it's high IP containing, do you want to put it into a market where there's high respect for IP or a place where there's low respect for IP, which brings a whole other degree of risk?

If you're going to go everywhere, what is the blanket of security that you're going to deploy because you're the first to the market, you know there are going to be fast followers, and you don't want to be eaten alive? That's a board-level conversation. If you don't have the right people sitting at the table thinking about that, fundamentally, then you're missing the opportunity to gain the richness of diversity of thought and you are also missing the opportunity to give guidance in a far more broad and meaningful way.

Business Advice for Enterprise Security Professionals

Michael Krigsman: What advice do you have to security professionals to gain the expertise, the business expertise, so that the board will call upon them to participate in these governance conversations that you've just described?

Edna Conway: I think we, in security, need to embrace other areas of expertise as we think about our security community. I can think of folks who are renowned in the security area who may not necessarily have started out as technical and may still not be the most technical folks. When you bring great communicators, great legal minds, or great folks who can think about operational practicality, then you have a security community that automatically learns how to speak the business language because they have business partners as part of their immediate family. It's not like we're teaching them something that already isn't innate.

Right now, we have all seen the statistics with regard to the absence of available talent in the security arena. Perhaps what we ought to consider doing is embracing those who have the capacity to learn, bring their own unique expertise, and begin to—I'm going to use a harsh word here—invade security into the mindset and operations of everyone, then we will see people like myself.

My undergraduate degree is in Medieval and Renaissance Literature. It doesn't really have the ring of security to you, does it?

Michael Krigsman: No, that's definitely not a career path I would have predicted. [Laughter]

Edna Conway: [Laughter] We have this opportunity to not only bring other disciplines into security, but we also have to start as security professionals to understand what matters in business. At the end of the day, we all have stakeholders. We all have shareholders, public/private NGOs, and governments have, in essence, shareholders. They're called the citizenry of the nation that brings to the coffers of the government, through their tax dollars, the ability to serve those citizens.

What we need to do is understand what that language is. It's fairly easy if you do a rotation. Send somebody who has only done information security to go do a six-month project in a factory or to work with a finance person more closely in the course of developing something new in their infosec arena. What you will see, whether in a collaborative, open workspace or in a private room is an evitable growth in synergy and a sharing of language and the ability to speak with and for one another. Then you walk into that board ready, capable, and speaking the right language.

Security Advice for the Enterprise

Michael Krigsman: Can you put your finger on one or two things that are the common issues you see all the time strategically that companies should just doublecheck?

Edna Conway: Know with whom you're working. Understand what they're doing for you. Make sure you know who has access to what and determine whether they need to have it. Embrace your workforce both directly as well as your value chain partners to ensure that they understand what your mission is, which is to deliver to customers the highest integrity, the highest quality, secure and safe services and solutions, and bring their expertise to the table and work on it together.

Michael Krigsman: Edna Conway, thank you very, very much for taking your time today to be with us on CXOTalk.

Edna Conway: My privilege.

Michael Krigsman: We've been speaking with Edna Conway. She is the chief security officer for the Global Value Chain at Cisco. Before you go, please subscribe on YouTube, hit the little subscribe button at the top of our website and sign up for our newsletter, and tell a friend.

Thanks so much, everybody. I hope you have a great day. We will be back next week with another awesome episode of CXOTalk. Take care, everybody. Have a good one. Bye-bye.