Establishing an Organization's Security Culture - Part II

CSO to CSO: Raising Employee Security Awareness



Contents

Introduction
Employee Responsibility
Raising Awareness
Keeping Employees Informed
Leaders Set the Example




Introduction

“Make no mistake. What used to be in the movies is now in the mainstream. Hacking has become an industry that is profitable for some and costly for many. Viruses are no longer annoying—they are destructive and hacking is no longer about playing—it's about stealing.” – John N. Stewart

Everyone is responsible for helping keep Cisco secure. In this article, John N. Stewart, Vice President and Chief Security Officer, Corporate Security Programs Organization, discusses three important security considerations: why it is important to make information security an integral part of the work environment, who Cisco considers to be its “employees,” and how to effectively train employees on company security policies.

Employee Responsibility

Information security is clearly a mainstream issue, and one that employees take very seriously. Because Cisco has an open culture, we empower and trust our employees who, in turn, need to wield this power responsibly.

Employees within Cisco have a vested interest in keeping company information safe, for without it, they have lost the ability to succeed in their jobs. When a laptop is lost or stolen, the information lost is far more costly than the laptop itself.[1] Confidential or sensitive company information, including financial data, source code, patents, and product roadmaps, for example, is considered an information asset. Without access to the necessary information, a person's productivity falls, and if the information falls into the wrong hands, it can be used against customers, the company, or the employees themselves.

People make the biggest difference in information protection, and that responsibility lies with Cisco badged personnel. When Cisco targets employees for security awareness programs, it targets not just full-time employees but also contractors, vendors, consultants, partners, and cafeteria and custodial workers—anyone with physical access to Cisco. Cisco has a global workforce of over 55,000 people to educate on information security practices.

This education comes in a variety of forms. The information security policies are part of the Cisco Code of Business Conduct, which every employee must read and accept annually. This institutes accountability at the employee level and helps ensure information security policies are enforceable, rather than just a policy on paper.

Raising Awareness

Another effective method that raises awareness of security issues is to profile threats on the homepage of the company's internal website. A recent example of this is an article featured last month about “phishing”. In the wake of the publication of this article, the information security team saw a marked increase in employees contacting them about possible phishing e-mails. Other recent articles have focused on the importance of writing NDAs (Nondisclosure Agreements) to protect intellectual property, provided information on worms and virus attacks, and supplied information on spam with instructions on how to handle e-mail attachments from unknown sources. Through these articles, employees are better informed about the kinds of security threats that exist and better equipped to respond appropriately when they find themselves in a situation that might compromise security.

Additionally, to help protect information from being used incorrectly, we have started including security markings in collateral templates, such as: Cisco Public, Cisco Confidential, Cisco Highly Confidential – Controlled Access, and Cisco Restricted – Restricted Access Only.

Keeping Employees Informed

All employees are expected to take annual information security training. This interactive online video training leads the viewer through several situations and asks the viewer what they would do in certain scenarios. Putting the information security policies in a real-world situation enables the employee to apply the policies to their typical work situation. This training covers remote access, wireless, information classification, e-mail, and other information security policies. It acts as a teaching tool, and educates users on what to do, and what not to do in practical situations. The CEO, the Chief Development Officer, and the VP/Chief Security Officer also appear in the training to reinforce executive sponsorship and expectation.

Leaders Set the Example

We look to our leaders to set the example. When awareness programs are launched or security issues arise, our senior leadership is well briefed and passes that message down to their organizations. It is this commitment by our executive leadership that makes security a consistent topic at Cisco.

The key to reaching over 55,000 Cisco workers is to use several communication techniques to bring information security to the forefront. Starting at the top with executive management and moving through the organization to every employee, we use network tools and multimedia to raise security awareness at work and at home to keep us all as safe as possible.

In part one of this article series, Stewart discusses adopting a security-aware culture.

[1] The Burton Group, Michael DiSabato, Senior Analyst.

About John N. Stewart: As the Cisco Systems Chief Security Officer and Vice President of Corporate Security Programs Organization, Stewart provides leadership and direction to multiple corporate security teams, strategically aligning with business units and the IT organization to create leading corporate security practices, policies, and processes.

This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
