Cisco CPO: Privacy Is Not About Secrecy or Compliance

Michelle Dennedy sat down with Dark Reading at the recent Cisco Live event to set the record straight about privacy, regulation, encryption, and more.

Cisco chief privacy officer Michelle Dennedy has been active in privacy policy and law for years. She is the founder of the iDennedy Project, a public service organization that focuses on the privacy issues of children, the elderly, and other vulnerable populations. She is also co-founder and editor in chief of TheIdentityProject.com, an advocacy site focused on the issues surrounding child ID theft.

Before joining Cisco in 2015, Dennedy was vice president for security and privacy solutions at Oracle. Before that, she was chief data governance officer in the cloud computing division and chief privacy officer at Sun before it was acquired by Oracle.

At the just-concluded Cisco Live, in Orlando, Fla., Dennedy sat down with Dark Reading for an interview that ranged from the role privacy plays at the network hardware company to the way GDPR is having an impact on privacy, security, and the networking business. What follows is an edited version of our conversation.

Dark Reading: Tell us about the role of chief privacy officer at Cisco. Is your primary focus on Cisco's activities or Cisco's products?
Dennedy: Half of my role is making sure we are telling our story appropriately. There are a lot of countries that are still grappling with the way privacy laws are written, so I work with them to kind of geek out on how things actually work.

Other parts of my team are working on research. There's not enough research done yet on the financial modeling. How do we know when we're adding the right kinds of protections for privacy? How does that impact the business?

I have an economist and a financial MBA lawyer, a well-overeducated dude who comes up with metrics for me. I use the metrics to run our business better. I think we measured security by the pound until a couple of years ago. Now it just got so big that people couldn't comprehend a billion-person loss.

The other piece is privacy engineering, which is both public and private. I actually just stepped down as chair of IEEE 7002, where we ticked off a privacy engineering IEEE standards body section within the ethics engineering section. We're working on that as a standard to say, "How do you build an environment that is ethical and has privacy engineering?"

That's the external. The internal is training my own scrum masters in an agile environment. We train them on how to look at privacy functionality as a specification or requirement. In all, it's kind of an inside-outside, leftward-sideways, upside-down role.

Dark Reading: You talked about metrics for privacy. Are you saying there's more to privacy than simply walking down a regulatory checklist?
Dennedy: Absolutely, particularly for a company like Cisco. We have a tremendous responsibility, an ethical responsibility. A grand majority of the world's traffic, at some point, hits, touches, or is impacted by Cisco technology. We have the opportunity to make the world a safer place.

If I were to say, "I'm going to look at this fragmented, 125 privacy-jurisdiction world and try to hit compliance region by region just to get out of [regulatory trouble]," I would fail. So instead I say, "What is the outcome?"

The outcome is, how do you tell a story about a person with integrity and respect? That's what privacy is. It's not about secrecy. It's not about compliance. It's about telling human stories with respect.

How do I build that to delight our customers? That's the challenge. That's the race I'm in.

Dark Reading: For many people, data safety belongs under the security umbrella. How much do you work with security teams to try and relieve some of the tension between privacy and security?
Dennedy: I think when I first got into this in the 2000 aughts, it was "versus." I think nowadays we've gotten much closer. I'll put it in my own myopic way: I own the content inside the pipe. And [the CISO] looks for fit in the architecture of the pipe. The architecture may look beautiful, and it might be secure, and it may have been designed to be drip-free. But if you're putting the wrong content through, it doesn't work.

The way that this works really well is, you look at data as an asset. And just like any other kind of asset in your portfolio, you ask, "Where is the highest risk of loss?"

Where you find holes, and where you find weaknesses and vulnerabilities, that's where you prioritize security. That doesn't mean the rest is unsecured, but by having this yin and yang of content and architecture together, it's a much, much stronger network fabric.

Dark Reading: One of the most visible points where security and privacy are in tension is encryption. Privacy advocates want everything encrypted, while security advocates point out correctly that criminal traffic can hide in encryption as easily as legitimate confidential information. What do you think is the proper role of encryption in privacy?
Dennedy: Privacy advocates who want everything encrypted are not experts. They talk a lot, and they have lovely martinis, and I salute them all day long. But encryption is one of a panoply of protective measures, and if you are hiding away something just to hide it away, you're back in compliance land. Not everything needs to be encrypted to be private. Sometimes it starts much earlier in the process.

There's a terrific Ph.D. who I work with. His name is Dave McGrew, and he was the founder of the ETA [Encrypted Traffic Analytics] beast.

His idea was that encryption has a pattern like anything else. So when you see an encrypted flow of data, abnormally timed and sized encryption packets that are flowing through a network in an unexpected way create lumps.

You know what the pattern should look like, and you can imagine and intuit what you think that lump is. Now you have a much smaller subset to inspect. By doing that, we reach much more widely into the network to make sure that we're respecting everybody's security and privacy.

I think when you really look at the purpose and the objective of security tools, and the purpose and the objective of respectful storytelling, you get those things together, and there's so much more innovation that we can do instead of just saying, "Your encryption is pretty."

Dark Reading: Is there anything else you'd like to add that I haven't asked about?
Dennedy: We live in a multimodal, multiproblem-set world, and we try to solve all these multimodal problems with one set of players. If you set the lawyers free — and I'm a lawyer by training — they're going to come up with legalistic arguments. If you set the technologist free, it's the same story.

As advanced as we've become, with these new laws they're trying to keep up with technology, while technologists are finding different ways of being. I think we need more problem-solvers. I think we need a diverse mindset to come up with some solutions.

It's going to be a fun world, but that's what we're looking at.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...