RSA Conference Exclusive: Establishing some level of cybersecurity measures across all organizations will soon reach human-rights issue status, according to Jeetu Patel, Cisco EVP for security and collaboration.
“It’s our civic duty to ensure that everyone below the security poverty line has a level of safety, because it’s gonna eventually get to be a human-rights issue,” Patel told The Register, in an exclusive interview ahead of his RSA Conference keynote.
“This is critical infrastructure — financial services, health care, transportation — services like your water supply, your power grid, all of those things can stop in an instant if there’s a breach,” he said.
This idea of a cybersecurity poverty line — essentially where those below the poverty line don’t have the budget or human resources to implement security measures — was coined by Cisco’s head of advisory CISOs Wendy Nather during an earlier RSA Conference.
Lifting all companies above the poverty line should matter, even to those already there, as people and organizations become more interconnected because of software dependencies, shared data, hybrid work and the like, Patel said.
“We are living in a holistic ecosystem where the weakest link can break down the entire chain,” he explained. “A small supplier for an auto manufacturer that gets breached could shut down the entire production line of an auto company.”
Plus, “everyone’s an insider,” Patel added.
Physical walls and software perimeters no longer separate people and information as either inside or outside the organization, he said. This also expands the potential attack surface as people and devices connect and share data with others that are outside the traditional enterprise perimeter.
“And if we don’t take care of the folks that are below the security poverty line, you can do all that you want to protect yourself if you’re above the security poverty line, but you’ll still be exposed,” Patel said.
Establishing security protocols across an organization requires a sufficient budget to buy products and employ security professionals with the capabilities to defend against threats. However, influence also plays a role in separating the security haves and have-nots, added Shailaja Shankar, SVP of Cisco’s Security Business Group.
“Large organizations that are above the poverty line have been able to negotiate great terms with their suppliers in this interconnected system,” she told The Register. “But when you are a small player, it is very hard for you to negotiate and you just take what your providers give you.”
Shared risk, shared defenses
As to how the industry ended up with a significant number of organizations below that line, there’s plenty of blame to go around. It’s the internet’s fault for making us more interconnected, it’s claimed. Complexity is also an issue: as security architectures become increasingly sophisticated, they also become more complex.
And yes, the Cisco execs also admitted that the vendor community bears responsibility, too, for selling a plethora of products that don’t interoperate or always live up to their protection promises.
Similarly, it’s going to require a collective effort to dig out of this mess. Part of it involves security vendors providing expertise and donating and collaborating to share threat intelligence.
To this end, Shankar pointed to Cisco’s Talos threat intelligence team operating security products 24-7 for critical infrastructure customers in Ukraine and providing free cloud security products to organizations in the war-torn country as examples of what her company is doing.
Plus, she added, Cisco’s a founding member of the Cyber Threat Alliance. “We partner with more than 30 different global security vendors and we share threat intelligence that allows us to protect the customers and defend this digital ecosystem,” Shankar said. “Shared risk requires shared defenses.”
Business models also need to shift, Patel said. “People will start thinking about protection, not at the individual organization level, but at the supply chain level — thinking about the ecosystem at large rather than just what’s in my domain,” he said.
This extends to vendors providing free or low-cost security to nonprofits and NGOs, and larger firms’ using their buying power to help smaller organizations improve their security posture, Patel added.
“I just don’t think this is an overnight thing, but I think the recognition is starting to hit people pretty hard,” Patel said. “One small supplier that makes a small component that might cost seven cents in a $100 item can literally hold up the entire production line because they had a breach. That is a profound impact because billions, hundreds of billions, if not trillions of dollars could actually stop the function if that was systematically attacked by the bad actors.”