Q&A with Cisco Systems security executive Edna Conway
After a legal career in New Hampshire that included serving as assistant attorney general, Edna Conway has spent the past 18 years at Cisco Systems, rising through the ranks to chief security officer for the networking giant’s global value chain.
Conway oversees Cisco’s strategy to assess, monitor and improve the security and resiliency of all its products and services. In her role, she has been active in determining how companies and third-party members can securely design, manufacture, deliver and sustain information technology products and services.
An expert and international speaker on third-party risk and security, Conway was honored earlier this year by the NH High Tech Council’s Tech Women/Tech Girls initiative as its 2018 Tech Professional of the Year.
On June 2, at the Pinkerton Academy’s Stockbridge Theatre in Derry, Conway will speak about the future prospects and challenges of the interconnected world at TEDxAmoskeagMillyard. For more information, visit tedxamoskeagmillyard.com.
Q. This year, the theme at TEDx is “It’s complicated,” which is what comes to mind when I think of cybersecurity. What are you going to talk about?
A. We live in a digital world, and we all have the opportunity to thrive in it, not just technology professionals. We already live in a world where things are talking to, listening to and observing all of us. There is data suggesting that the number of connected devices is going to approach 200 billion by 2020. We can view that negatively or positively. I for one am excited by the possibilities.
This digital revolution has the prospect of bringing more efficiencies and less mundane work, and more time to ponder and enjoy – isn’t that an innovative thought? But each of these devices could also be a pathway for others to control our data and us. It is this challenge that we must address. Built-in cybersecurity is part of the equation, but we also need to weigh the benefits and risks of every device we own.
Q. How can individuals manage our cybersecurity?
A. I try to remind people to make prudent choices – use your humanity and common sense, and do what we do in the corporate world every day: apply a risk-based approach. We teach our children to look both ways when they cross the street. How hard would it be to teach them to embed cybersecurity in their decision-making as they navigate the digital world?
Q. How do companies develop their relationship with consumers, especially when there are concerns about how the company will use consumer data?
A. I think that thriving in this digital world requires us as consumers to be cognizant of how we’re using devices and services. On the flip side, enterprises making the devices need to be transparent and trustworthy. I believe the currency of the digital economy is the same currency we had around the fire pit in the cave—was the person going to club the wooly mammoth or club you? It’s trust. And it is data that fuels that trust, while tools like AI and distributed ledger technology ensure the integrity of the data.
Q. Especially when third-party companies are involved, how does an enterprise ensure its customers’ protection?
A. It’s not just about the data; we must take a more holistic approach. People think cybersecurity is simply about vulnerabilities in software, and that is a real risk. But what are the true risks? I worry about things like espionage – somebody watching – and that doesn’t necessarily have to be an enterprise. It could be an individual or a nation-state. I also worry about what I call manipulation. Is someone controlling my device, or even a small part of it? And the last thing I worry about is disruption.
To take a holistic approach to security we need to think about not just information security but also security technology, operational security and behavioral security.
Q. Tell me the connection between law and cybersecurity in your career paths.
A. I would love to tell you there was a grand plan. Understanding technology is something we all need to do. There’s a generation now that’s grown up with hand-held devices; they are part of life for them, like the wired telephone was for an earlier generation.
Understanding policy and practices is part of legal training; it is a way of thinking. It makes you look at the whole soccer field, rather than just where the ball is. So it was helpful to start in law and move into security. I was very happy being an attorney and being an assistant attorney general in New Hampshire. I went into private practice, and when you go into private practice in New Hampshire, you have to take a comprehensive approach because we’re a small state. I prosecuted homicide cases as an assistant attorney general as my first job out of law school. Not many of my current peers in security had the opportunity to launch their careers in such a high-stakes context.
Q. How did the opportunity arise to work with Cisco?
A. Joining Cisco’s legal team was an opportunity to grow and learn from inside an enterprise that embraces innovation. I just asked one question, which was, “Do I have to move?” Fortunately, Cisco is more concerned with competence and ability than geographical location. With my Cisco solutions in place I have command central right here in Merrimack, New Hampshire.
Q. Having served as assistant attorney general, what perspective did that give you of the state? Why did you choose to stay here?
A. With no disrespect to the wonderful opportunities in my life, I would say the best job I ever had was the one where I said, “I represent the people of New Hampshire.” This is an extraordinary state. We are highly educated; we are independent thinkers. We’re changing the world along with many, many folks in other places in the U.S. and outside the U.S.
Look what we’re doing right here in Manchester. Consider, for example, Dean [Kamen]’s innovation and what he has accomplished. There are innovators and companies across the state making significant impact in technology. There is just something very special about New Hampshire. And I am proud to call it home.