The Cisco approach to cybersecurity

This is an excerpt from a Reframed podcast interview conducted with Conrad Steyn, CTO and Head of Engineering for Cisco Sub-Saharan Africa. Text has been edited for clarity.

The full interview can be heard on all podcast platforms including Spotify and Anchor.

Conrad Steyn (CS): From a Cisco point of view, I don’t think the listeners and everybody out there understand that Cisco is the number one cybersecurity company in the world. We have the largest threat intelligence organisation called Cisco Talos. As part of our organisation, security is really at the heart of everything that we do. The first part of the role is that security is embedded and included in everything that we do. I think the key question that we always get from our customers is, how prepared are we for today’s hybrid world? When you start looking at this, the new dilemma is that security has completely evolved. In the last two years, we saw that the old way of doing security no longer works for anybody. When you start looking at businesses and you start looking at employees, and everybody else, you can almost say that businesses are starting to compete as ecosystems, and pretty much every employee now is a security insider therefore we have to revisit this dilemma of cybersecurity. And I think the key question is always, how do we start addressing that? Looking at security it’s just becoming way too complex. And I think, when you start looking at the different access technologies coming into play as well, we saw a big driver on 5G, drive connectivity, moving to multi-cloud, when we look at how mobile penetration just accelerated exceptionally, then wireless services, etc.  it’s all driven into this new realm of connectivity, and how do we secure this entire environment? And that’s really the big transformation that we’ve seen. As Cisco, is obviously, a provider of all of these services, the number one priority is obviously for us to define an architecture. So we’ve got zero trust as a framework, from a security point of view to ensure that we have an end-to-end security portfolio that can have all of these areas.

37% of people surveyed by Cisco do not use or do not know what multi-factor authentication is

Brendon Petersen (BP): Explain what you mean by that architecture. What is your threat architecture?

CS: When we talk about zero trust, it’s industry recognised. That’s really the strategic approach to security. We need to look at three different areas of security. Typically we start with how we establish trust. When we say establish trust, it’s really understanding who’s the user. Which device are they using? Is the device that they’re using? Does it have the correct rights, software levels, etc? Can they then access any workload or only particular workloads? We also need to know if there are indicators of compromise from a device or user point of view. So it’s establishing trust from a user and device point of view, and understanding what they can access. 

The second part of that architecture is, how do you enforce trust-based access? So how do we ensure that the user on the device has the right privileges to access the right application, the right network resource, and the right workload? Can they actually communicate between these workloads? 

The last pillar is that it’s good to establish trust once and then enforce the trust once. But what we’ve seen is that the attack vector is constantly evolving. So we have to verify the trust continuously. And we have to understand that the traffic being generated does not become a threat, there’s no risk or anomalies or malicious behaviour in there. If the trust level is changed, we understand that there’s a level of compromise and then reinforce the trust. That’s really the three areas as to why zero trust became very relevant. Now, from a Cisco point of view, we really looked at it, and we said, so if we look at establishing trust, that is very tied to the workforce. So how do we talk about zero trust for the workforce? If we look at enforcing that trust-based access, it’s really around zero trust with the workload. So what is the security posture around that workload? And then lastly, the continuous verification of trust is how we create zero trust for the workplace environment. And that’s really the comprehensive zero trust security approach that Cisco’s adopted across the entire lifecycle journey from a user. So if you think about it, you have the workforce, the workload, and workplace, and security needs to wrap around all three of those.

BP: Now, when it comes to remote work, we’ve seen that sort of hybrid approach a lot of companies are taking. What sort of changes and impacts have you seen in the way businesses are looking at their cybersecurity budgets, the setups, and the sort of infrastructure that they may have?

CS: I think the biggest trend that we’ve seen is the drive to securing the remote worker and establishing that secure connectivity back into the enterprise. And this is really where we’ve seen the home office or the remote office becoming an extension of the corporate enterprise. And what I mean by that is that we’ve seen the extension of the corporate network securely into the home user. And then the corporate network policies and zero trust framework could be applied to the Home Office user or the remote user, be it on a laptop or a mobile device, etc. But what’s covered on the back of that is that through securing this remote worker, there’s been an entire industry drive to what is called passwordless. Now with passwordless because it’s really around multi-factor authentication. So understanding who the user is, what the posture of that device is, a one-time authentication pretty much seamlessly into the enterprise, and then in the background to perform your health check, to look at your zero trust, network access, etc, and to enforce that trust once the user has been identified. So passwordless is very key at the moment. And it’s top of mind for all organisations. And I think, because we’re in this realm of remote working, that’s to take that level of frustration away from the end user. And to make it seamless. Hybrid work is here to stay, so we see a lot of enterprises investing in hybrid work environments and secure remote solutions right now.

BP: I’m looking at a study that Arthur Goldstuck’s World Wide Worx and I’m actually going read exactly what it says: “Corporations being over budget on cybersecurity spend may look like a positive sign, but it also raises the likelihood that the budgets were too low to begin with.”

I find that interesting because apparently at least half of South African large businesses are over budget and cybersecurity spend. I think it’s an interesting sort of perspective. And I’m wondering, from a Cisco perspective, is that something that you guys have found as well?

CS: I think it’s a combination of both. When we look at the pre-pandemic phase, everything was kind of centralised, there was a centralised security model, centralised internet access, etc, from a lot of the enterprises and businesses within Africa. During the pandemic, we saw everything move out closer to the user and we saw the adoption of cloud services, pretty much being accelerated quite extensively. That drove an entire new cybersecurity framework, software and everything else moved closer to the user. So when we started looking at the cloud drive, there was a big migration and requirements for cloud security services. We also saw the adoption of secure access services edge where security and workloads had to move closer to the user now, and I think that we a lot of investment went. I think that drove the low to high-budget expansion that you saw, because it wasn’t security as normal anymore and legacy network-based perimeter-based security couldn’t apply anymore. We needed to have security into the workload visibility, and actionable insights to remediate. You also saw the number of attacks and the evolution of the attacks happening during that phase, to the point that it actually became a prominent business. I think also an area of underspend was in the IT OT space, where security from an IT OT environment was very dedicated and focused around those. Those were targeted environments from an attack surface point of view, and suddenly, IT OT, and enterprise, what we call the carpeted space, all have to be treated equally and form part of the same zero-trust framework so that the same policies and security mechanisms could be applied across all of those. I think that’s where a lot of spend went into. Just looking forward to 2023 we see quite a lot more spend going into the IoT space, OT, and IT space, from a security, expansion, and inclusion into zero trust, obviously, because of the targeted approach to AI into those areas. So that’s really where I think a lot of underspend was happening. It wasn’t a true focus area. And during the pandemic, all of the attack surface increased around those spaces. And the migration to cloud is really an adaption to SASE is where that’s been tremendously increased.

Read next: Trend Micro looks to close the cybersecurity skills gap