Operations

6/19/2018
10:50 AM
50%
50%

Cisco CPO: Privacy Is Not About Secrecy or Compliance

Michelle Dennedy sat down with Dark Reading at the recent Cisco Live event to set the record straight about privacy, regulation, encryption, and more.

Cisco chief privacy officer Michelle Dennedy has been active in privacy policy and law for years. She is the founder of the iDennedy Project, a public service organization that focuses on the privacy issues of children, the elderly, and other vulnerable populations. She is also co-founder and editor in chief of TheIdentityProject.com, an advocacy site focused on the issues surrounding child ID theft.

Before joining Cisco in 2015, Dennedy was vice president for security and privacy solutions at Oracle. Prior, she was chief data governance officer in the cloud computing division and chief privacy officer at Sun before it was acquired by Oracle.

At the just-concluded Cisco Live, in Orlando, Fla., Dennedy sat down with Dark Reading for an interview that ranged from the role privacy plays at the network hardware company to the way GDPR is having an impact on privacy, security, and the networking business. What follows is an edited version of our conversation.

Dark Reading: Tell us about the role of chief privacy officer at Cisco. Is your primary focus on Cisco's activities or Cisco's products?
Dennedy: Half of my role is making sure we are telling our story appropriately. There are a lot of countries that are still grappling with the way privacy laws are written, so I work with them to kind of geek out on how things actually work.

Other parts of my team are working on research. There's not enough research done yet on the financial modeling. How do we know when we're adding the right kinds of protections for privacy? How does that impact the business?

I have an economist and a financial MBA lawyer, a well-overeducated dude who comes up with metrics for me. I use the metrics to run our business better. I think we measured security by the pound until a couple of years ago. Now it just got so big that people couldn't comprehend a billion-person loss.

The other piece is privacy engineering, which is both public and private. I actually just stepped down as chair of IEEE 7002, where we ticked off a privacy engineering IEEE standards body section within the ethics engineering section. We're working on that as a standard to say, "How do you build an environment that is ethical and has privacy engineering?"

That's the external. The internal is training my own scrum masters in an agile environment. We train them on how to look at privacy functionality as a specification or requirement. In all, it's kind of an inside-outside, leftward-sideways, upside-down role.

Dark Reading: You talked about metrics for privacy. Are you saying there's more to privacy than simply walking down a regulatory checklist?
Dennedy: Absolutely, particularly for a company like Cisco. We have a tremendous responsibility, an ethical responsibility. A grand majority of the world's traffic, at some point, hits, touches, or is impacted by Cisco technology. We have the opportunity to make the world a safer place.

If I were to say, "I'm going to look at this fragmented, 125 privacy-jurisdiction world and try to hit compliance region by region just to get out of [regulatory trouble]," I would fail. So instead I say, "What is the outcome?"

The outcome is, how do you tell a story about a person with integrity and respect? That's what privacy is. It's not about secrecy. It's not about compliance. It's about telling human stories with respect.

How do I build that to delight our customers? That's the challenge. That's the race I'm in.

Dark Reading: For many people, data safety belongs under the security umbrella. How much do you work with security teams to try and relieve some of the tension between privacy and security?
Dennedy: I think when I first got into this in the 2000 aughts, it was "versus." I think nowadays we've gotten much closer. I'll put it in my own myopic way: I own the content inside the pipe. And [the CISO] looks for fit in the architecture of the pipe. The architecture may look beautiful, and it might be secure, and it may have been designed to be drip-free. But if you're putting the wrong content through, it doesn't work.

The way that this works really well is, you look at data as an asset. And just like any other kind of asset in your portfolio, you ask, "Where is the highest risk of loss?"

Where you find holes, and where you find weaknesses and vulnerabilities, that's where you prioritize security. That doesn't mean the rest is unsecured, but by having this yin and yang of content and architecture together, it's a much, much stronger network fabric."

Dark Reading: One of the most visible points where security and privacy are in tension is encryption. Privacy advocates want everything encrypted, while security advocates point out correctly that criminal traffic can hide in encryption as easily as legitimate confidential information. What do you think is the proper role of encryption in privacy?
Dennedy: Privacy advocates that want everything encrypted are not experts. They talk a lot, and they have lovely martinis, and I salute them all day long. But encryption is one of a panoply of protective measures, and if you are hiding away something just to hide it away, you're back in compliance land. Not everything needs to be encrypted to be private. Sometimes it starts much earlier in the process.

There's a terrific Ph.D. who I work with. His name is Dave McGrew, and he was the founder of the ETA [Encrypted Traffic Analysis] beast.

His idea was that encryption has a pattern like anything else. So when you see an encrypted flow of data, abnormally timed and sized encryption packets that are flowing through a network in an unexpected way create lumps.

You know what the pattern should look like, and you can imagine and intuit what you think that lump is. Now you have a much smaller subset to inspect. By doing that, we reach much more widely into the network to make sure that we're respecting everybody's security and privacy.

I think when you really look at the purpose and the objective of security tools, and the purpose and the objective of respectful storytelling, you get those things together, and there's so much more innovation that we can do instead of just saying, "Your encryption is pretty."

Dark Reading: Is there anything else you'd like to add that I haven't asked about?
Dennedy: We live in a multimodal, multiproblem-set world, and we try to solve all these multimodal problems with one set of players. If you set the lawyers free — and I'm a lawyer by training — they're going to come up with legalistic arguments. If you set the technologist free, it's the same story.

As advanced as we've become, with these new laws they're trying to keep up with technology, while technologists are finding different ways of being. I think we need more problem-solvers. I think we need a diverse mindset to come up with some solutions.

It's going be a fun world, but that's what we're looking at.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
To Click or Not to Click: The Answer Is Easy
Kowsik Guruswamy, Chief Technology Officer at Menlo Security,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19301
PUBLISHED: 2018-11-15
tp4a TELEPORT 3.1.0 allows XSS via the login page because a crafted username is mishandled when an administrator later views the system log.
CVE-2018-5407
PUBLISHED: 2018-11-15
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
CVE-2018-14934
PUBLISHED: 2018-11-15
The Bluetooth subsystem on Polycom Trio devices with software before 5.5.4 has Incorrect Access Control. An attacker can connect without authentication and subsequently record audio from the device microphone.
CVE-2018-14935
PUBLISHED: 2018-11-15
The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS.
CVE-2018-16619
PUBLISHED: 2018-11-15
Sonatype Nexus Repository Manager before 3.14 allows XSS.