Built in: From myth to reality


Many hypothesize that IT solutions with security “built in” are as rare as the mythological unicorn. I propose quashing such a hypothesis and making security “built in” a reality. What could enable that goal to be achieved?

A critical first step is truly appreciating the power of the IT value chain. It is, after all, the complete IT lifecycle. Its fundamental parts span the first spark of a creative idea through its development, fulfillment, delivery, use and ultimate demise. 

The value chain lives both within and beyond our own enterprises. To effectively make security “built in,” we must embed security into the very foundation of that value chain. How might we rally the creativity and commitment of our value chain partners to join the cause of ensuring that security is built in?

Security practitioners should create a map of their respective value chains. Only after we understand the “who, what and where” of our enterprises' value chains can we take the next step: putting in place a flexible and adaptable architecture to begin the journey of making security “built in.” Is your map complete? Do you know what organization in your enterprise owns the relationship with your distribution channel?  

Once you have a map, establish what threats should be part of the mindset of your value chain members. Manipulation, disruption and espionage in the IT value chain is an essential place to start.  

Next, establish foundational requirements that can be applied across the product lifecycle, from design to decommission. The key driving those requirements is collaborative partnerships with your value chain partners. After all, our goal should be to enhance integrity with security “built in,” regardless of the functional area of the company or external partner handling any aspect of that lifecycle.

Such a flexible and adaptable architecture for your value chain might include the following essential areas in which to “build in” security:

Security governance: a governance and information security program; security policies, standard operating procedures; and security risk management.

Security in manufacturing and operations: tracking and accountability; security in inventory management; security in handling proprietary items; and scrap management. 

Asset management: identification and classification; media protection and disposal; and records management.

Security incident management: incident identification and reporting; and incident response.

Security service management: security in business continuity planning and business continuity plan testing.

Security in logistics: warehousing and storage; shipping and receiving; and packaging security. 

Physical and environmental security: physical access control and monitoring; perimeter security; highly secure areas; security during equipment maintenance; and power and lighting. 

Personnel security: security training and awareness; contracts and enforcement; and termination or change of employment.

Information/data protection: data classification and handling; cryptographic controls; backup, retention, and disposal; information access controls; network security; information system logging and monitoring; information exchange; and information infrastructure security (including cloud and SaaS). 

Security engineering and architecture: secure design and development lifecycle; product security baselines; and configuration and change management.

Third-tier partner security: methods to drive your security goals throughout your multi-tiered value chain.

Real-world solutions and truly frank conversations around such an architecture can and will get us to the pinnacle of realizing security being “built in.” 

Edna Conway is chief security officer at Cisco Systems.
Edna Conway

Edna Conway is the CEO of EMC Advisors, a firm that provides board and advisory services to enterprises and governments globally on technology, security, risk management and supply chain resilience. She most recently served as Microsoft’s VP and the Chief Security & Risk Officer for its Cloud Infrastructure program. Edna is responsible for the security and resilience of the cloud infrastructure upon which Microsoft’s Intelligent Cloud business operates. Previously, Conway served as the Chief Security Officer for Cisco’s Global Value Chain. Edna also was a partner in an international private legal practice and served as the Assistant Attorney General for the State of New Hampshire.

Conway is an advisor to numerous capital investment organizations, has served on over a dozen boards and is an inductee into Fortune’s Most Powerful Women. She also serves on the NYU Tandon School of Engineering Cyber Fellows Advisory Council, as a guest lecturer for the Carnegie Mellon University CISO Program and is a Senior Non-resident Fellow at the Carnegie Endowment for International Peace program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.