informa

Cybersecurity In-Depth

8 min read
article

Edge Chat With Cisco Secure CTO TK Keanini on Achieving Better Security Outcomes

Now is the time for organizations to rethink their security strategies with a platform- and architecture-based approach in mind. Keanini explains.

Enterprise security IT teams are dealing with interoperability issues that make it difficult for different security technologies from multiple vendors to work together. In the latest Edge Chat, TK Keanini, CTO of Cisco Secure, talks about how platform outcomes can drive security. (The transcript of the conversation is below.)

Terry Sweeney: Welcome to this series of Dark Reading Fast Chats. Terry Sweeney here, contributing editor to Dark Reading. I am joined now by TK Keanini, chief technology officer of Cisco Secure. TK, glad you could join us today.

Keanini: Thanks for having me.

Sweeney: Our topic is achieving better security outcomes with an open platform. It feels like a great place to start would be defining what we mean when we're talking about an open platform where security's concerned.

Keanini: Probably the best way to approach that definition is through outcomes. Products deliver outcomes. Turns out that platforms deliver outcomes also. I would say that the main difference between the two is that a product, when it delivers a successful outcome to a customer, it's unique. It's valued for its uniqueness. The contrast to that is a platform outcome [and] actually is more valuable when it's common across the particular products. And it is a very customer-centric request actually to have more platform outcomes because they're the ones having to deal with the interoperability issues.

Sweeney: OK, thanks for that. That's helpful. With that in mind, why should organizations rethink their security strategy with this platform- and architecture-based approach in mind?

Keanini: I visited a lot of trade shows back when we used to do trade shows in person.

Sweeney: Right.

Keanini: I had a customer describe it to me that they're here looking for transportation and they're getting sold a bunch of car parts. So it's again, it's a very customer-centric thing to ask why. Why don't they have a multivendor architecture? And the problems they're trying to solve really are for the things that are more valuable. Let's just take them one by one, like, for instance, a good example is single sign-on. I mean, a great example of a platform outcome. It is absolutely more valuable when it's common across all of your products, Cisco or otherwise. And so there's a number of those platform outcomes that I think really come to the surface when you're trying to build a security program end to end for your enterprise.

Sweeney: You alluded to this a few minutes ago, but let's dig a little deeper and describe how platform and architecture outcomes are different than individual product outcomes. You were talking about car parts versus, I don't know, being picked up in a Tesla. Maybe that's a twisted analogy, but fill in for us if you would.

Keanini: Yeah. Sure. And again, single sign-on sort of the poster child here because it really describes experience. I, as an end user, would like to experience a single sign-on for maybe a dozen products. Right. Now the complexity might be pushed back away from the user, but the experience is what matters. So you could almost seek the same type of platform outcome for licensing. I want to buy a plethora of products the same way. I want my telemetry to have a particular type of platform outcome. You can kind of go down the list, but again, in the end, a platform outcome is defined by a feature that is, in fact, more valuable when it is common across multivendor products than when it is unique. And that, I think, just raises, we should be considering our platform outcomes with the same rigor and the same metrics even as our product outcomes.

Sweeney: So that naturally leads to a pain point that we hear from security professionals regularly about their admins having to define security policies for each and every point solution that you have in place. How far away are we from being able to define policies just once and have it just replicate down the line?

Keanini: It's back to that sort of adage: Simple problem, simple solution. Complex problem, probably a complex solution. Hopefully simple, but for some let me just say that, for some, they have been able to solve this particular unified policy problem completely using maybe one or two products, not so hard. So for some, they've already reached the promised land there. For others, larger organizations, it's been a real battle and it's been kind of slow-going. You and I have probably been in the business to have seen single sign-on, that journey.

Sweeney: Yes.

Keanini: And now it's at a place where it's pretty used worldwide globally. We'll probably see the same thing in terms of standards. The necessary standards for multivendor interoperability, for trust, for all those things to happen at a global scale, they're here. Now it's a part of getting it implemented, making a few mistakes, correcting them, going through a few revisions. But I think we're really close to actually having the same level of interoperability with policy that we do with authentication.

Sweeney: TK, what do you tell clients or prospective customers when they ask about how they should evaluate a security platform?

Keanini: Yeah. One, I would say that a lot of customers over time, it's been my experience, they almost apologize for being unique, and I think they should stand proud for being unique, and their security program should be as facilitating to their needs up and above anything else that's happening globally. What's right for your business is really the target. And then the question becomes, what are the product outcomes that my business needs? And then more importantly, what are the platform outcomes my business needs? Some of the platform outcomes, frankly, will reduce complexity, they'll lower administrative costs, they're lower operational costs. You're actually in some cases going to the vendor for the outcome, not the means to the outcome and all of those things matter. And so I said, basically, make it your own program and maybe a nice little chart where you have your columns with all your products and your rows are some of the platform outcomes that are important to you. Again, one of them being single sign-on, licensing, policy is probably going to be a fast follow, but there are several that are going to be important to the business.

Sweeney: It sounds like you're encouraging customers to build in that open platform requirement as part of their evaluation.

Keanini: I think so. I think, again, particularly for the larger organizations, they've been dealing with this multivendor interoperability problem longer than most. And they've figured out ways to sort of leave it up to one vendor to do X, the other vendor to do Y, get a minimal amount of sort of interoperability. I think also vendors are stepping up delivering more platform outcomes, at least the ones that have more of a platform to deliver. And then it's a matter of finding interoperability within those platforms. Most of them are very, very rich in terms of integration surface and automation capabilities.

Sweeney: In the few minutes we have left, I'm wondering if you can address, in your own words, what simplified security looks like to you?

Keanini: So, yes, I have three tenants that I sort of returned to all the time. One is that the outcome not only be facilitating an expert, but also be facilitating the nonexpert. Bringing security to the business, to the nonsecurity, they may be technical, but they're not a security person. They help them do the right thing, help them along their secure journey. The second thing is that for all of these outcomes with simplicity and intuitiveness, think of it at the system level as well as the product level. So this is why I sort of introduced this language of product outcomes and platform outcomes and having them both be first class.

So simplicity for a product doesn't necessarily mean simplicity for the system, right? I don't want to be doing this thing over and over again in a simple way. And then the last thing I would say is, recognizing that while we talk about simplicity and the end user, recognizing that security is very, very asymmetrical. We are trying to facilitate our users and our business in a very intuitive and simple way while simultaneously making it exponentially harder for the adversary. OK. I have to say that.

Sweeney: Good point.

Keanini: We cannot lose focus to the fact that what is easy for us must remain exponentially harder for them.

Sweeney: TK, great stuff, really interesting new perspectives on open platforms and dealing with complexity and even fostering interoperability in security. Thanks for joining us for this Edge Fast Chat today.

Keanini: Cool. Thanks.

Sweeney: We've been talking with TK Keanini, CTO of Cisco. This has been Terry Sweeney for Dark Reading. Thanks for joining us today. And we'll see you next time.