Shiva Persaud is the director of security engineering for Cisco. His team is responsible for the Cisco Secure Development Lifecycle (CSDL), a set of practices based on a "secure-by-design" philosophy developed to ensure that security and compliance are top-of-mind in every step of a solution's lifecycle. This blog is the third in a series focused on M&A cybersecurity, following Jason Button's post on Demonstrating Trust and Transparency in Mergers and Acquisitions.
One of the most important considerations when Cisco acquires a company is ensuring that the security posture of the acquisition's solutions and infrastructure meets the enterprise's security standards. That is a tall proposition and certainly doesn't happen overnight. In fact, at Cisco, it only comes about as a result of the efforts of a multitude of people working hard behind the scenes.
"The consistent message is that no matter where a product is in its security journey, from inception to end-of-life activities, there's still a lot of work that can happen to bring about a better security outcome," says Persaud.
While Persaud and his team work within Cisco on all the company's products and solutions, they also play a critical role in maintaining security standards in Cisco's mergers and acquisitions (M&A) work.
Identifying Risks Takes the Mindset of a Hacker
Simply put, Persaud's team is tasked with identifying the security risks posed by an acquisition's technology and helping teams mitigate those risks.
"It starts with a risk assessment where we ask ourselves what an attacker would do to compromise this particular technology," says Persaud. "What are the industry best practices for securing this type of technology? What do our customers expect this technology to provide from a security perspective? And once we have those risks enumerated, we prioritize them to figure out which is the most important to address first."
To anticipate where a hacker might find vulnerabilities and the actions they might take, the CSDL team must put themselves in that attack mindset. Fortunately for Persaud, his interest in computer security started as early as middle school. "It just kind of grew from there," he says. "For many people I've worked with and hired over the years, it's a similar situation."
That lifelong interest and experience work to the team's advantage. They take a risk-based approach to security, in which they identify all the issues that need to be fixed and then rate them based on the likelihood of occurrence and the seriousness of the outcomes of an attack. Those ratings inform their decisions on which issues to fix first.
"We come up with ways to go mitigate those risks and co-author a plan called the Security Readiness Plan, or SRP," Persaud says. "Then we partner with teams to take that plan and execute it over time."
Not One-and-Done: Ensuring Security Is a Continual Priority
In alignment with CSDL's continuous approach to security throughout a solution's lifecycle, Persaud says that "security is a journey, so the workflow to complete the secure development lifecycle never ends."
While initial onboarding of an acquired company—including completion of the initial risk assessment and the SRP—typically ends within a few months of the acquisition, Persaud adds, "The work continues as the technology is integrated into a larger tech stack or as it's modified and sold as a standalone offering to our customers." As the solution or technology evolves and begins to include new features and functionalities, the CSDL work continues to make sure those features are secure as well.
That work can have its obstacles. Persaud says that one of the main challenges his team deals with is cutting through the flurry of activity and bids for the acquisition's attention that come pouring in from all sides. It's a hectic time for both Cisco and the acquisition, with many important tasks at the top of everyone's to-do lists. "Not just in the security realm," says Persaud, "but in many other areas, too. So being able to get the acquisition to focus on security in a meaningful way in the context of everything else that's happening is a major challenge."
Another challenge is dealing with acquisitions that might not have much security expertise on their original team. That means they're not able to give Persaud's team much help in identifying where security risks lie and how serious they are—so Cisco's engineers have much more investigative work to do.
3 Ways to Make Security Easier in M&A
When asked what advice he would give to organizations that want to maintain a good security posture when acquiring another company, Persaud names three key factors.
Top-down support for and commitment to security
To succeed in M&A security, it's critical that the organization's board of directors, CEO, and all subsequent levels of management support and be committed to meeting a high level of security standards and outcomes. The remaining management of the acquisition also needs to be on board with the security commitment, and both organizations should make sure that all employees recognize that commitment and support. If management support is not there, the work ultimately won't get done. It can be difficult and time-consuming, and without companywide recognition of its key importance, it won't get prioritized, and it will get lost in the myriad of other things that all the teams have to do.
Align to industry standards and best practices
The issue of security can get really complicated, very quickly. Persaud says it's good to find industry standards and best practices that already exist and are available to everyone, "so you're not reinventing the wheel—or more concerning, reinventing the wheel poorly."
Where to look for these industry standards will vary, depending on the technology stack that needs to be secured. "If you are interested in securing a web application," says Persaud, "then starting with the OWASP Top Ten list is a good place to start. If you are selling a cloud offer or cloud service, then look at the Cloud Security Alliance's Cloud Controls Matrix (CCM) or the Cisco Cloud Controls Framework."
One way to think about it, Persaud says, is that there are a number of security frameworks certain customers will need a company to adhere to before they'll use its solutions. Think frameworks like FedRAMP, SOC-2, Common Criteria, or FIPS.
"You can align your product security work to those frameworks as a baseline and then build on top of them to make technology more resilient." It's a great place to start.
Decide on very focused outcomes that facilitate improvement over time
It's essential that an organization be very clear on what it wants to accomplish when it comes to ensuring the security of an acquisition's solutions and infrastructure. This will help it avoid "trying to boil the whole ocean," says Persaud.
Persaud and his team talk about working up to security fitness the way a runner would start with a 5K and work up to an Ironman competition. "You take progressive steps towards improving," he says. "You're very explicit about what milestones of improvement you'll encounter on your journey of good security."
3 Ways Cisco Can Help
Persaud says Cisco is uniquely positioned to help organizations maintain security standards when acquiring other companies. He points to three critical differentiators.
Companywide commitment to security
"The level of visibility and support that we have for security at Cisco begins with our board of directors and our CEO, and then throughout the organization," says Persaud. "This is a very special and unique situation that allows us to do a lot of impactful work from a security perspective."
Cisco has long been adamant about security that's built in from the ground up and not bolted on as an afterthought. It's the reason the CSDL exists, as well as the Cisco Security & Trust Organization and the many, many teams that work every day to infuse security and privacy awareness into every product, service, and solution—including the technology and infrastructure of newly acquired companies.
Robust set of building blocks to enable secure outcomes
Once Persaud's team has identified and assessed the security risks of an acquisition, his and other teams go about helping the acquisition address and mitigate those risks. Cisco provides a set of common building blocks or tools that teams can use to improve the security posture of an acquisition.
"We have secure libraries that teams can integrate into their code base to help them do certain things securely, so that the individual teams don't have to implement that security functionality from scratch," says Persaud. "And Cisco produces certain pieces of hardware that can be leveraged across our product lines, such as secure boot and secure storage."
"Cisco's operations stack also has various services acquisitions can use," says Persaud. "An example of this comes from our Security Vulnerability and Incident Command team (SVIC). They provide logging capabilities that cloud offers at Cisco can leverage to do centralized logging, and then monitor those logs. SVIC also offers a security vulnerability scanning service so individual teams don't have to do it independently."
Another critical building block is Persaud's team and their expertise. They act as a valuable resource that teams can consult when they want to build a new feature securely or improve the security of an existing feature.
Strong security community intent on providing solutions
Persaud concludes, "Cisco has an extremely strong and active security community where teams can ask questions, gain insights, give guidance, troubleshoot issues, share ideas and experience, and discuss emerging security topics. The community is committed to helping others instead of competing against each other. Members have the mindset of enriching the overall approach to security at Cisco and learning from any source they can to make things continually better."
Related Blogs
Managing Cybersecurity Risk in M&A
Demonstrating Trust and Transparency in Mergers and Acquisitions