...knowledge that an attacking team has. In an attempt to disrupt electronic commerce, we will get an attack near the end of our quarter. That's a different style then we've seen in the past. We certainly face a lot of the more common ones, or the more frequently talked about ones, be it spam, be it the viruses and worms, but we have mitigated to a great degree the risks associated with those.
How do you measure if you have been successful in your job as a security professional at Cisco?
That nobody knows we're there and they are feeling safe.
Microsoft is releasing a new operating system later this year, Windows Vista. Microsoft likes to tout all the security enhancements in Vista, do you care about things like that? Do you look at that and think: "This is going to help me in terms of my security exposure?"
Not at an operating system by operating system level. Any new technology is one that will have positives in its ability to protect itself and it will have new threats. That's not a Microsoft problem, it is every operating system developed.
When you're protecting your own network, what kind of products do you like to use, what sort of technologies do you use?
We use behavioural technology. The first and best defence we use on computers at Cisco is the Cisco Security Agent. And by behavioural, what it is really doing is saying an operating system is running this way normally, but everything else is questionable. It might be OK, but you have to pose a question to find out whether it really is or isn't. [It is] single-handedly the most important technology we have deployed for protecting our computers in the past couple of years. We still use antivirus, we still use anti-spyware, those are key elements. We use all three of Symantec, Trend [Micro] and McAfee.
You mentioned you use Cisco products also to protect your own network. What do you do if you have a problem with a Cisco product and does that ever occur?
It absolutely occurs. But being a part of engineering, as my team is, and we're part of IT as well, we get to work with engineering very closely. If there is ever a unique need on a product or there is a whole product we have not even invented yet that would be best suited to protect an enterprise, being so collaborative with my engineering team means that we can see the problem from both sides. They can use us as the practicing arm of what they are developing. I am a customer and I'd like to say that I am in a class of good tough customers.
Would you say that in terms of security at Cisco you are also accountable for security and totally responsible?
I think everybody at Cisco is accountable for security at Cisco. What I am uniquely accountable for, as is my team, is education and awareness and the use of technology to help best protect our company. What I'd rather never say is that a security team is responsible for security at a company, namely my security team is responsible for security at Cisco. That means that 99 percent of the company somehow isn't. That's the inverse of what I am looking for. I'd rather be helpful to the business, towards it understanding that we're all responsible.
Do your users seem to understand that as well, or do they say: 'John is responsible for everything, I can go connect my laptop to a rogue wireless access point, he's going to take care of it anyway. I can go download spyware or Kazaa onto my PC, John is going to take care of it, it is not really my deal?'
With this many people, there will always be cases where a person did not realise that they could not do something. From John Chambers as our chief executive on down, we all realise that security is part of our responsibility.
Is there any technology you won't use because of security reasons? I know of companies that won't use wireless networking, let mobile devices such as Palm Treo smartphones onto their networks, or let somebody connect an iPod to their work computer because of possible security issues.
We put security software on the Treos and allow them to be deployed. Most people want the Treos not only for contact information, they also want to use other application like email. We say they are allowed to use it with email, if they install security software. It is part of making security part of the generic process. We know that you want to do something productive, here is how you do it safely.
