Can Cisco Deliver On Security Strategy?

RSA CONFERENCE 2012 -- San Francisco, Calif. -- After a flux in leadership late last year, Cisco kicked off its efforts to reboot its security image at RSA on Monday with a press and analyst event that acted as a sort of debutante affair for a new team headed by former RSA and VMWare executive Chris Young. But even as the company released a slate of new products, including a next-generation firewall, some analysts remain skeptical of the networking giant’s vision and execution of security strategy given how the IT landscape has changed.

One person who seems confident in Cisco’s ability to deliver security is Young, who joined the company in November as senior vice president of the Security and Government Group. At the event, Young said the fact that he’s the first senior vice president in that position offers proof of Cisco’s upper level management focus on security in every product it delivers.

“What we've brought to the network to what we've done around voice, video, and data, I believe we can do a lot of that with security as well and can really make it part of the network fabric. That’s a big part of why I’m here,” Young said. “Cisco can uniquely deliver the capabilities that no other company can bring because we’re basically the network, and that’s a unique position for us in the industry.”

He pointed to recent statements by Cisco CEO John Chambers -- who was notably absent in favor of Mobile Congress in Barcelona -- as a testament to the company’s concentration on security. That was a lead in to Young recommitting to the SecureX architecture laid out by his predecessor, Tom Gillis, at last year’s RSA. The gist behind SecureX is that Cisco will leverage its presence at the network level to enforce policy on devices regardless of where they are in the enterprise, who owns the device, or whether there is even a user driving that device.

“Last year Cisco announced SecureX; I wasn’t here so I can’t take credit for it, but it really resonated with me because I think it made perfect sense,” he says. “It leverages everything that we can see from the endpoint to the data center up the stack at the application level, understanding identity, understanding the devices that are connecting to the network, and really being able to bring together what we know about each of these points in the infrastructure and the interactions between and among them, and making more intelligent decisions than we've been able to make to date.”

The centerpiece of the product announcements on Monday was the introduction of next-generation firewall capabilities to its ASA CX firewall appliance, as well as enhancements to its TrustSec policy-management platform and its Identity Services Engine.

“We’re starting to roll out some of the strategic proof points that we’re going to be delivering around this embedded security as part of our network architecture and at the core Cisco go-to-market strategy,” Young said. “You’ll start to see us talk more about security as a part of these core architectures as we build through 2012 and beyond.”

However, the security around bring your own device (BYOD), a piece promised by Gillis last year, was still absent from announcements this week, and some analysts seemed to wonder whether Cisco’s announcements were less a reboot than a rehash of promises that it hasn’t delivered on for several years now

“2008 called and asked for its next-generation firewall back,” says Mike Rothman, analyst with Securosis, who believes Cisco is behind the times with its security strategy. One of Rothman’s complaints is that Cisco has had a hard time actually executing on the repeated security architecture announcements that it has made in recent years.

The even bigger question, according to Chenxi Wang, vice president and principal analyst for security and risk at Forrester Research, is whether the Cisco’s road map of promised improvements even lines up with the direction CIOs are taking IT departments with their as-a-service buying patterns. She pressed leadership on this during the Q&A portion of the event.

“I have a number of CIOs at a number of large organizations and looking at this trend of ultimately in three to five years getting out of the game of managing IT infrastructure altogether,” she says. “So the wired network is going to disappear, devices are going to be very different, servers might disappear, and contact is going to go to the cloud and be hosted in an enclave somewhere. Cisco, in my opinion, for right or wrong has always had a fairly network-centric view of security.”

But according to Young, the cloudy outlook is actually good for Cisco’s enterprise security outlook.

“I believe the trends we're seeing happening in IT, even if you take them to an extreme, at the end of the day, the network is the only thing that's left,” he said in response to Wang. “You don’t control the endpoint any longer, you don't have an infrastructure where there's four walls around it, and, wired or wireless service provider or otherwise, Cisco is in the middle of all of that.”

But Wang was unconvinced.

“So he's right by saying, 'OK, if things move to the cloud and you bring all kinds of devices there's still going to be some form of network available,'” she said after the show. “But what they’re not saying is that today their network technology is all single-user. So it’s controlled by a single, authoritative domain, and it's going to be provisioned for this organization. And what is going to be completely different is if it’s in the cloud, it has to be multitenant. Today the traditional technology they’re working on is not easily transformable for that kind of environment. So some kind of innovation has to happen to support a complete outsourced IT environment.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.