Edna Conway is the Chief Security Officer of the Global Value Chain at Cisco, where she drives comprehensive security architecture throughout the IT and networking giant’s third-party ecosystem.

Conway has been recognized as a leader in the field of Information and Communication Technology and has received a number of prestigious awards including a Fed 100 Award, CSO of the Year Award at RSA, multiple Stevie Awards, multiple Golden Bridge Awards and Women of M2M Award.

She has testified before the U.S. Presidential Commission on Enhancing National Cybersecurity, Defense Science Board and Federal Energy Regulatory Commission. Conway has also served on public and private company advisory boards where she provides her input and expertise.

(The interview below has been lightly edited for clarity.)

International Business Times: What are some of the greatest challenges for organizations trying to secure supply chains?

Edna Conway: Digital transformation is expanding the scope of the third-party ecosystem upon which we rely for all aspects of business and daily life. Understanding what your value chain consists of is the first key step. My definition is: “The value chain is the end-to-end life cycle for a solution, whether that solution is tangible, digital or a service, including its supply chain.”

There are three key challenges to securing a global value chain. Of course, my answers are provided through the lens of an Information and Communication Technology (ICT) solution provider.

First, identifying for all members of the ecosystem the key threats you are targeting. Here are the three primary areas of concern I propose: Manipulation, espionage and disruption.

Second, translating those threats into practical exposures. For ICT Original Equipment Manufacturers, those exposures are tainted solutions, counterfeit solutions, misuse of intellectual property (IP) and information security breach of third parties leading to disclosure of your IP or confidential information.

Third, developing a program to address the security impact of the proliferation of digital transformation undertaken by your value chain members, your own enterprise and each of you together. For example, as IoT devices are deployed on manufacturing floors, the integrity of the data gathered and relied upon is ripe for a security breach.

Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27.

IBT: How can organizations work to ensure their partners and clients also engage in the best security practices?

Conway: The answer lies in a comprehensive security strategy implemented under a security architecture that drives the right security in the right place at the right time. This approach will encourage collaboration and minimize complexity.

To do this across the value chain, I suggest five steps.

First, identifying the key players in your third-party ecosystem and understanding what those third parties deliver to you.

Second, developing a flexible security architecture that can be shared with and deployed across the variety of third parties in your ecosystem. A security architecture for the value chain must set forth the key areas that must be addressed—we call those domains.

Domains for consideration include security governance, asset management, security incident management, security in manufacturing and operations, security in service management, information protection, third-tier partner security, physical and environmental security, security in logistics and storage and personnel security.

In addition, the security architecture for the value chain should be flexible enough to identify which requirements and security end states apply to which type of product or service.

Third, assessing whether those third parties are operating within the tolerance levels set by your security architecture. Fourth, being alert to new security risks that the ecosystem may present as digitization increases, and fifth, actively participating in international security standards and industry guidelines to assure business alignment.

IBT: What current or growing trend in cyber threats should organizations be preparing for?

Conway: I think there are four key risks we must be aware of across the value chain: The ever-growing use of open source software; the impact of increasing reliance on the integrity of third-party cloud platforms; deploying far too many security solutions without a single, integrated architecture; and the risk of addressing cyber in isolation, without a comprehensive approach to physical, logical operations, and information security.