Microsoft has been very public about how they changed the company to make security a priority. What's the story at Cisco? How did the security program get built?
We were probably in the same space. Many companies, including our own, started with building stuff first that solved communications problems and then thinking about the safety of communications afterwards.
About five years ago, we were fighting the company, my team. Mostly in the information security business. We were the "no" organization, the ivory tower. That's a dangerous place to be because my take is we ought to be a consultative fulfilment arm, not an adjudicator.
So we changed a lot of it and we started injecting things, like "You're going to have expertise in your team. We're not going to be even in the middle, so that way you can invest the expertise for what you need and we're not holding you up or bringing you into a slower position."
So did you do something like adopt a secure development lifecycles or change the way you built products?
We're not mature in this. We're in the awkward teenage phase. We're testing at the end of the development process and we're figuring out from that data how do you go backwards into the definition process. Now some definition happens anyway. So for example there are some baseline requirements of every product we built. However, I still say there's a lot to be learned. When you think you've got it right and you build it and you test it, the learnings from the test should benefit the next thing you build.
We haven't adopted a secure development lifecycle like Microsoft yet. We haven't nailed up equally on all product lines in a very consistent methodical measurable way, and that's why I say we're in that awkward teenage phase.