Perspective: Not all Vendors and Products are Created Equal by John N. Stewart


John N. Stewart is Senior Vice President and Chief Security Officer at Cisco Systems, Inc. In his 25-year career, Stewart has been a leader in expanding the definition of security, working with academic think tanks, government, and numerous enterprises. He currently leads the Cisco Global Government Solutions and Corporate Security Programs.

"A dedicated global task force would manage the reception, investigation, repair, and public reporting of security vulnerability information related to the vendor’s products."

We do not just use the Internet, we rely upon it, and as we continue to use it across the globe in ways previously undiscovered, its criticality increases in parallel. The Internet now is as vital to society as electric power. The importance is different–we lived through a two-decade transition from scientific novelty to essential technology–and is noteworthy all unto itself.

Today, talented hacking teams seek new ways to infiltrate national systems, await the moment to disrupt services in critical infrastructures, steal information for known and unknown purposes, and use methods that often adapt as the actions are underway. Governments and businesses increasingly, and correctly, invest from server to cloud in three key technologies—mobility, collaboration, and virtualization—to improve resiliency, increase efficiency, and reduce costs. We increasingly use technology to create value, so much so that it is now the enabler for our communications, business goals, and service delivery. Last is who we are all choosing as providers to design, develop, and even run our core services infrastructures. Given that we align our own goals to those of vendors, scrutinizing their reputation and behavior is an essential part of the selection process. Since not all vendors and their products are created equal, we are in a market transition where trust has a paramount role. Trust is increasingly present in our dialogues, manifesting itself in supply chain security discussions, vendor executives' past connections, software quality and design processes in vendor product development and service deliveries, and public examples where a vendor broke its trust with its customer.

Today, vendor and product selection are based on the ability to fulfill need, price-point, and vendor attributes such as viability. The “trust” market transition introduces three essential criteria: vendor trustworthiness and transparency, product trustworthiness and integrity, and vendor commitment to and understanding of security issues.

Today, it is possible to address the hidden risk in choosing a vendor, and reduce known risk while operating national infrastructures. This ideal—a “trustworthy system”—can be achieved through vendor inspection, delineation between assumed and verifiable trust, and, ultimately, a network security infrastructure more advanced than the one in which we operate today. This article explores each of these elements of a “trustworthy system.”