
Cisco CPO: Privacy Is Not About Secrecy or Compliance

Michelle Dennedy sat down with Dark Reading at the recent Cisco Live event to set the record straight about privacy, regulation, encryption, and more.

Cisco chief privacy officer Michelle Dennedy has been active in privacy policy and law for years. She is the founder of the iDennedy Project, a public service organization that focuses on the privacy issues of children, the elderly, and other vulnerable populations. She is also co-founder and editor in chief of TheIdentityProject.com, an advocacy site focused on the issues surrounding child ID theft.

Before joining Cisco in 2015, Dennedy was vice president for security and privacy solutions at Oracle. Prior, she was chief data governance officer in the cloud computing division and chief privacy officer at Sun before it was acquired by Oracle.

At the just-concluded Cisco Live, in Orlando, Fla., Dennedy sat down with Dark Reading for an interview that ranged from the role privacy plays at the network hardware company to the way GDPR is having an impact on privacy, security, and the networking business. What follows is an edited version of our conversation.

Dark Reading: Tell us about the role of chief privacy officer at Cisco. Is your primary focus on Cisco's activities or Cisco's products?
Dennedy: Half of my role is making sure we are telling our story appropriately. There are a lot of countries that are still grappling with the way privacy laws are written, so I work with them to kind of geek out on how things actually work.

Other parts of my team are working on research. There's not enough research done yet on the financial modeling. How do we know when we're adding the right kinds of protections for privacy? How does that impact the business?

I have an economist and a financial MBA lawyer, a well-overeducated dude who comes up with metrics for me. I use the metrics to run our business better. I think we measured security by the pound until a couple of years ago. Now it just got so big that people couldn't comprehend a billion-person loss.

The other piece is privacy engineering, which is both public and private. I actually just stepped down as chair of IEEE 7002, where we ticked off a privacy engineering IEEE standards body section within the ethics engineering section. We're working on that as a standard to say, "How do you build an environment that is ethical and has privacy engineering?"

That's the external. The internal is training my own scrum masters in an agile environment. We train them on how to look at privacy functionality as a specification or requirement. In all, it's kind of an inside-outside, leftward-sideways, upside-down role.

Dark Reading: You talked about metrics for privacy. Are you saying there's more to privacy than simply walking down a regulatory checklist?
Dennedy: Absolutely, particularly for a company like Cisco. We have a tremendous responsibility, an ethical responsibility. A grand majority of the world's traffic, at some point, hits, touches, or is impacted by Cisco technology. We have the opportunity to make the world a safer place.

If I were to say, "I'm going to look at this fragmented, 125 privacy-jurisdiction world and try to hit compliance region by region just to get out of [regulatory trouble]," I would fail. So instead I say, "What is the outcome?"

The outcome is, how do you tell a story about a person with integrity and respect? That's what privacy is. It's not about secrecy. It's not about compliance. It's about telling human stories with respect.

How do I build that to delight our customers? That's the challenge. That's the race I'm in.

Dark Reading: For many people, data safety belongs under the security umbrella. How much do you work with security teams to try and relieve some of the tension between privacy and security?
Dennedy: I think when I first got into this in the 2000 aughts, it was "versus." I think nowadays we've gotten much closer. I'll put it in my own myopic way: I own the content inside the pipe. And [the CISO] looks for fit in the architecture of the pipe. The architecture may look beautiful, and it might be secure, and it may have been designed to be drip-free. But if you're putting the wrong content through, it doesn't work.

The way that this works really well is, you look at data as an asset. And just like any other kind of asset in your portfolio, you ask, "Where is the highest risk of loss?"

Where you find holes, and where you find weaknesses and vulnerabilities, that's where you prioritize security. That doesn't mean the rest is unsecured, but by having this yin and yang of content and architecture together, it's a much, much stronger network fabric.

Dark Reading: One of the most visible points where security and privacy are in tension is encryption. Privacy advocates want everything encrypted, while security advocates point out correctly that criminal traffic can hide in encryption as easily as legitimate confidential information. What do you think is the proper role of encryption in privacy?
Dennedy: Privacy advocates that want everything encrypted are not experts. They talk a lot, and they have lovely martinis, and I salute them all day long. But encryption is one of a panoply of protective measures, and if you are hiding away something just to hide it away, you're back in compliance land. Not everything needs to be encrypted to be private. Sometimes it starts much earlier in the process.

There's a terrific Ph.D. who I work with. His name is Dave McGrew, and he was the founder of the ETA [Encrypted Traffic Analysis] beast.

His idea was that encryption has a pattern like anything else. So when you see an encrypted flow of data, abnormally timed and sized encryption packets that are flowing through a network in an unexpected way create lumps.

You know what the pattern should look like, and you can imagine and intuit what you think that lump is. Now you have a much smaller subset to inspect. By doing that, we reach much more widely into the network to make sure that we're respecting everybody's security and privacy.

I think when you really look at the purpose and the objective of security tools, and the purpose and the objective of respectful storytelling, you get those things together, and there's so much more innovation that we can do instead of just saying, "Your encryption is pretty."
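As an added illustration of the pattern-based approach Dennedy describes above (this is not Cisco's ETA implementation or McGrew's code), the script below summarises constructed flow records by packet size and timing only, never by payload, builds a baseline from flows assumed to be normal, and flags the flow whose profile stands out as a "lump" to inspect:

```python
"""Toy illustration of encrypted-traffic analysis from flow metadata.

Added example, not Cisco's ETA or Dave McGrew's code. It only looks at
packet sizes and inter-arrival times, never at payloads, and flags flows
whose timing/size profile departs from a baseline built from flows that
are assumed normal. All flow records below are constructed sample data.
"""
import statistics

# Constructed sample flows: id -> (packet sizes in bytes, inter-arrival gaps in seconds)
FLOWS = {
    "web-1": ([517, 1460, 1460, 1200, 300, 1460, 900], [0.01, 0.02, 0.01, 0.03, 0.02, 0.01]),
    "web-2": ([520, 1460, 1300, 1460, 400, 1100, 1460], [0.02, 0.01, 0.02, 0.02, 0.03, 0.01]),
    "web-3": ([510, 1400, 1460, 1460, 350, 1460, 1000], [0.01, 0.01, 0.02, 0.02, 0.01, 0.02]),
    # Beacon-like flow: small, uniform packets on a fixed 60-second cadence.
    "beacon": ([96, 96, 96, 96, 96, 96, 96], [60.0, 60.0, 60.0, 60.0, 60.0, 60.0]),
}


def flow_features(sizes, gaps):
    """Summarise a flow as (mean size, size spread, mean gap, gap spread)."""
    return (statistics.mean(sizes), statistics.pstdev(sizes),
            statistics.mean(gaps), statistics.pstdev(gaps))


def build_baseline(flow_ids):
    """Per-feature mean and stdev across the flows assumed to be normal."""
    vectors = [flow_features(*FLOWS[f]) for f in flow_ids]
    columns = list(zip(*vectors))
    # A zero spread would divide by zero; fall back to 1.0 in that case.
    return [(statistics.mean(c), statistics.pstdev(c) or 1.0) for c in columns]


def anomaly_score(sizes, gaps, baseline):
    """Largest absolute z-score of the flow's features against the baseline."""
    feats = flow_features(sizes, gaps)
    return max(abs(f - m) / s for f, (m, s) in zip(feats, baseline))


def find_lumps(threshold=3.0, known_good=("web-1", "web-2", "web-3")):
    """Return the ids of flows whose profile departs from the baseline."""
    baseline = build_baseline(known_good)
    return sorted(f for f, (sizes, gaps) in FLOWS.items()
                  if anomaly_score(sizes, gaps, baseline) > threshold)


if __name__ == "__main__":
    print("flows to inspect:", find_lumps())  # → ['beacon']
```

The flagged flow is only a candidate for closer inspection; the point is that the subset to examine shrinks without decrypting anything.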

Dark Reading: Is there anything else you'd like to add that I haven't asked about?
Dennedy: We live in a multimodal, multiproblem-set world, and we try to solve all these multimodal problems with one set of players. If you set the lawyers free — and I'm a lawyer by training — they're going to come up with legalistic arguments. If you set the technologist free, it's the same story.

As advanced as we've become, with these new laws they're trying to keep up with technology, while technologists are finding different ways of being. I think we need more problem-solvers. I think we need a diverse mindset to come up with some solutions.

It's going to be a fun world, but that's what we're looking at.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...
