Did you know? You can share this story using the social media icons on the left. Please include the hashtag #WeAreCisco. You can also rate and comment on the story below.
Walking the Fine Line
Like many other security architects, Rich West got an early start into the world of IT. Whether it was as a child optimizing memory allocation in order to play computer games or war dialing BBS systems, a teenager building and refurbishing clone computers for spending money, a college engineering student getting into mischief or building networks to play games with others online, Rich told us how his wandering path into security is common among peers, about hard realities learned while drawing his first grown-up paychecks and why he tries to get our employees to click on links they shouldn’t.
What was your first job and what did you learn from it?
I worked during high school in a fast-food restaurant as a cook. I learned more life lessons from that job than anything I’ve ever done. For one, it’s difficult to raise a family doing certain types of jobs for certain wages. It’s not that I didn’t already know it, but it was right in my face that life isn’t very fair and just working hard doesn’t necessarily mean you’re going to live a comfortable life.
Many of my co-workers at the restaurant worked long hours doing manual labor in tough conditions, but they really struggled financially and were trying to raise children on that salary. Any job you can learn in a day probably is not going to be something you have a career in.
What background do you need for Information Security?
The best people in security have played a little bit of offense and a little bit of defense. If you’ve never tried to get into something, you haven’t really thought about what works and what doesn’t work. When I used to play a little offense, I knew there were defensive people out there—but I probably didn’t know their playbook, the tools they had, the skills they had. It also helps to have actually run IT systems.
Almost all of Infosec’s best Security Architects and Investigators have some sort of IT background. They understand how systems are designed and how administrators think. That allows them to know their weaknesses, and thus how to best help defend them. I’m lucky that I spent 9 years working in Cisco’s IT Networking department running our internal network before joining Infosec.
How does your job help Cisco and its customers?
Security can be an accelerator. A business may think security inhibits them, but if you have incidents that knock a production system offline, then the business has clearly been disrupted. If you have to tell customers that you’ve lost their data—if you, as a person inside of Cisco, have to re-image your machine—these incidents will impact the company’s ability to operate and the bottom line. Enabling the business in a secure fashion is Cisco Infosec’s core mission. Ten to 12 years ago, Information Security was kind of viewed as a cult of ‘No.’ I think we’ve worked very hard to become a cult of ‘Yes.’
Give us a highlight of your job.
It’s easy to write a policy, but the fun part of it is partnering with IT or other parts of the business to make that a reality. Taking something we have written down that’s almost aspirational, and turning that into something every single person in this company uses is a definite highlight. Many times when we do our job well, our employees don’t really even notice that they are using a more secure solution. My teammates and I can’t take sole credit for any of these projects.
There are a lot of partnerships, and every system that Cisco’s employees or customers touch—whether it’s endpoints, telephony, collaboration tools, the network, applications—one of my teammates has done something to help secure it. Our goal whenever possible is to use Cisco products and solutions to secure our business. If we can do that, then our customers can as well. Being customer zero for our security products and helping to build them to solve real business problems is very, very cool.
What’s a common misconception about your job?
I’m not sure that many of our employees recognize the balance Infosec strikes between its goal to secure and protect Cisco and customer data while also seeking to protect personal privacy. Someone may look at our Trusted Device Policy and say, “That’s Big Brother watching me, and the company is overstepping its bounds.” The policies that we have are challenged within our organization. If we can’t live with a solution, then it’s not right for the company either.
What might surprise a lot of people is that some of the biggest employee privacy advocates in the company are on the Information Security team. We’re focused on answering the question, “Who will watch the watchers?” There are checks and balances. And we actually do a lot of things that might impede security because we have employee privacy and protecting personal data in mind.
Tell us how you’re helping improve employee’s awareness of security?
Our team does a bit of phishing as part of employee targeted awareness training. The whole point of phishing is to try to get people to stop and think about what they click. We’ve created some phishes that were so good we couldn’t send them because they would’ve potentially caused chaos. But the bad guy doesn’t care about chaos; the bad guy just cares that he phishes successfully and he got you. That’s typically the first step in any successful offensive campaign and some of these phishes are very good.
What do you like best about working at Cisco?
I think the two things that I like the most about Cisco are the fact that I’m surrounded by very intelligent people, and that we’re supported by the company by being given the flexibility to be good at our jobs and our personal lives. Based on my experiences from 17 years at Cisco, it’s a unique culture that I believe starts at the top.
What advice would you give to someone looking to join Cisco?
I’d say, come on down! My advice to anybody is to look for the best possible team with the best talent, because that’s where you’re going to learn the most. I always tell people if you’re the smartest person in the room, you need to leave that room—because you’re not learning anything by staying there. I want to work with the best talent in the industry and believe that we need great minds to tackle the security issues of tomorrow.
Are you ready to explore job opportunities at Cisco?
Connect everything. Innovate everywhere. Benefit everyone.