Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Cisco CPO: Privacy Is Not About Secrecy or Compliance

Michelle Dennedy sat down with Dark Reading at the recent Cisco Live event to set the record straight about privacy, regulation, encryption, and more.

Cisco chief privacy officer Michelle Dennedy has been active in privacy policy and law for years. She is the founder of the iDennedy Project, a public service organization that focuses on the privacy issues of children, the elderly, and other vulnerable populations. She is also co-founder and editor in chief of TheIdentityProject.com, an advocacy site focused on the issues surrounding child ID theft.

Before joining Cisco in 2015, Dennedy was vice president for security and privacy solutions at Oracle. Prior, she was chief data governance officer in the cloud computing division and chief privacy officer at Sun before it was acquired by Oracle.

At the just-concluded Cisco Live, in Orlando, Fla., Dennedy sat down with Dark Reading for an interview that ranged from the role privacy plays at the network hardware company to the way GDPR is having an impact on privacy, security, and the networking business. What follows is an edited version of our conversation.

Dark Reading: Tell us about the role of chief privacy officer at Cisco. Is your primary focus on Cisco's activities or Cisco's products?
Dennedy: Half of my role is making sure we are telling our story appropriately. There are a lot of countries that are still grappling with the way privacy laws are written, so I work with them to kind of geek out on how things actually work.

Other parts of my team are working on research. There's not enough research done yet on the financial modeling. How do we know when we're adding the right kinds of protections for privacy? How does that impact the business?

I have an economist and a financial MBA lawyer, a well-overeducated dude who comes up with metrics for me. I use the metrics to run our business better. I think we measured security by the pound until a couple of years ago. Now it just got so big that people couldn't comprehend a billion-person loss.

The other piece is privacy engineering, which is both public and private. I actually just stepped down as chair of IEEE 7002, where we ticked off a privacy engineering IEEE standards body section within the ethics engineering section. We're working on that as a standard to say, "How do you build an environment that is ethical and has privacy engineering?"

That's the external. The internal is training my own scrum masters in an agile environment. We train them on how to look at privacy functionality as a specification or requirement. In all, it's kind of an inside-outside, leftward-sideways, upside-down role.

Dark Reading: You talked about metrics for privacy. Are you saying there's more to privacy than simply walking down a regulatory checklist?
Dennedy: Absolutely, particularly for a company like Cisco. We have a tremendous responsibility, an ethical responsibility. A grand majority of the world's traffic, at some point, hits, touches, or is impacted by Cisco technology. We have the opportunity to make the world a safer place.

If I were to say, "I'm going to look at this fragmented, 125 privacy-jurisdiction world and try to hit compliance region by region just to get out of [regulatory trouble]," I would fail. So instead I say, "What is the outcome?"

The outcome is, how do you tell a story about a person with integrity and respect? That's what privacy is. It's not about secrecy. It's not about compliance. It's about telling human stories with respect.

How do I build that to delight our customers? That's the challenge. That's the race I'm in.

Dark Reading: For many people, data safety belongs under the security umbrella. How much do you work with security teams to try and relieve some of the tension between privacy and security?
Dennedy: I think when I first got into this in the 2000 aughts, it was "versus." I think nowadays we've gotten much closer. I'll put it in my own myopic way: I own the content inside the pipe. And [the CISO] looks for fit in the architecture of the pipe. The architecture may look beautiful, and it might be secure, and it may have been designed to be drip-free. But if you're putting the wrong content through, it doesn't work.

The way that this works really well is, you look at data as an asset. And just like any other kind of asset in your portfolio, you ask, "Where is the highest risk of loss?"

Where you find holes, and where you find weaknesses and vulnerabilities, that's where you prioritize security. That doesn't mean the rest is unsecured, but by having this yin and yang of content and architecture together, it's a much, much stronger network fabric."

Dark Reading: One of the most visible points where security and privacy are in tension is encryption. Privacy advocates want everything encrypted, while security advocates point out correctly that criminal traffic can hide in encryption as easily as legitimate confidential information. What do you think is the proper role of encryption in privacy?
Dennedy: Privacy advocates that want everything encrypted are not experts. They talk a lot, and they have lovely martinis, and I salute them all day long. But encryption is one of a panoply of protective measures, and if you are hiding away something just to hide it away, you're back in compliance land. Not everything needs to be encrypted to be private. Sometimes it starts much earlier in the process.

There's a terrific Ph.D. who I work with. His name is Dave McGrew, and he was the founder of the ETA [Encrypted Traffic Analysis] beast.

His idea was that encryption has a pattern like anything else. So when you see an encrypted flow of data, abnormally timed and sized encryption packets that are flowing through a network in an unexpected way create lumps.

You know what the pattern should look like, and you can imagine and intuit what you think that lump is. Now you have a much smaller subset to inspect. By doing that, we reach much more widely into the network to make sure that we're respecting everybody's security and privacy.

I think when you really look at the purpose and the objective of security tools, and the purpose and the objective of respectful storytelling, you get those things together, and there's so much more innovation that we can do instead of just saying, "Your encryption is pretty."

Dark Reading: Is there anything else you'd like to add that I haven't asked about?
Dennedy: We live in a multimodal, multiproblem-set world, and we try to solve all these multimodal problems with one set of players. If you set the lawyers free — and I'm a lawyer by training — they're going to come up with legalistic arguments. If you set the technologist free, it's the same story.

As advanced as we've become, with these new laws they're trying to keep up with technology, while technologists are finding different ways of being. I think we need more problem-solvers. I think we need a diverse mindset to come up with some solutions.

It's going be a fun world, but that's what we're looking at.

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...