1
00:00:00,041 --> 00:00:02,419
Hello, everybody, my
name is Ashley Wyant.
2
00:00:02,419 --> 00:00:06,047
I’m the director and global head
of the security governance,
3
00:00:06,047 --> 00:00:08,466
risk, compliance, and
customer trust team
4
00:00:08,466 --> 00:00:09,426
here at Ciena.
5
00:00:09,426 --> 00:00:11,219
I'm joined today by
our chief information
6
00:00:11,219 --> 00:00:13,763
security officer, Ryan
Hammer, and we're going to
7
00:00:13,763 --> 00:00:15,807
talk to you a little bit
about our security program.
8
00:00:15,807 --> 00:00:19,728
So Ryan, we have received
a lot of investment in
9
00:00:19,728 --> 00:00:21,980
our security program
over the years and really
10
00:00:21,980 --> 00:00:23,732
grown it out quite a bit.
11
00:00:23,732 --> 00:00:25,650
How have you spent time to
12
00:00:25,650 --> 00:00:29,904
build that security
program and prioritize our
13
00:00:29,904 --> 00:00:32,782
program and align it back
to the business objectives?
14
00:00:32,782 --> 00:00:34,951
We've received tremendous
support from our executive
15
00:00:34,951 --> 00:00:37,245
leadership team. I think
they really understand the
16
00:00:37,245 --> 00:00:41,374
value of a robust security
program, not only to protect
17
00:00:41,374 --> 00:00:44,377
the company, but also to
really build bridges of
18
00:00:44,377 --> 00:00:45,378
trust with our customers.
19
00:00:45,378 --> 00:00:47,505
The way I think about it is
20
00:00:47,505 --> 00:00:50,425
really across kind of four
areas of strategic focus.
21
00:00:50,425 --> 00:00:53,428
The first I refer to as
confidently compliant,
22
00:00:53,428 --> 00:00:57,015
understanding what the
authoritative requirements are.
23
00:00:57,015 --> 00:00:59,642
Regulatory requirements,
it could be customer
24
00:00:59,642 --> 00:01:03,146
contractual or perhaps even
just customer expectations.
25
00:01:03,146 --> 00:01:05,106
And then there's a lot
of industry standard
26
00:01:05,106 --> 00:01:08,193
practices that help us
really anchor our program
27
00:01:08,193 --> 00:01:11,488
in what I would refer
to as commercially
28
00:01:11,488 --> 00:01:12,822
reasonable, right?
29
00:01:12,822 --> 00:01:14,908
The second area
of focus for us is
30
00:01:14,908 --> 00:01:17,869
around well-defended and
resilient operations.
31
00:01:17,869 --> 00:01:20,413
This is the part of the
job that never ends.
32
00:01:20,413 --> 00:01:24,626
And we spent a lot of
time seeking to anticipate
33
00:01:24,626 --> 00:01:27,462
the nature and the methods
34
00:01:27,462 --> 00:01:29,881
of how we're likely
to be attacked.
35
00:01:29,881 --> 00:01:32,300
The third area of
focus for us is around
36
00:01:32,300 --> 00:01:34,052
the security
of our products.
37
00:01:34,052 --> 00:01:36,012
We have great peers
and colleagues
38
00:01:36,012 --> 00:01:37,555
in PLM and R&D
who do amazing
39
00:01:37,555 --> 00:01:42,310
work, and we help them
understand the requirements.
40
00:01:42,310 --> 00:01:45,105
And then the fourth area of
focus for us is, I'd say,
41
00:01:45,105 --> 00:01:46,314
kind of the hardest.
42
00:01:46,314 --> 00:01:49,734
It's about a security and
risk-conscious culture.
43
00:01:49,734 --> 00:01:52,612
General awareness, it's
the phishing campaigns
44
00:01:52,612 --> 00:01:54,989
we do that everybody loves.
45
00:01:54,989 --> 00:01:56,449
It’s the training that we do.
46
00:01:56,449 --> 00:01:59,869
But it's also some of
our kind of outreach.
47
00:01:59,869 --> 00:02:02,163
We have folks who
are representing the security
48
00:02:02,163 --> 00:02:05,208
program embedded in various
parts of the business.
49
00:02:05,208 --> 00:02:08,419
We call these BISOs or business
information security officers.
50
00:02:08,419 --> 00:02:12,632
So I think it's a construct
that has really worked fairly well.
51
00:02:12,632 --> 00:02:14,759
And it helps us ensure
that we really stay aligned
52
00:02:14,759 --> 00:02:16,970
to what the business
is wanting us to do.
53
00:02:16,970 --> 00:02:21,641
Security requires you
to be constantly selling
54
00:02:21,641 --> 00:02:26,229
the value proposition, ensuring
that we're transparent.
55
00:02:26,229 --> 00:02:28,606
I wanted to ensure that
we could distill what
56
00:02:28,606 --> 00:02:31,901
we're doing into a
set of outcomes
57
00:02:31,901 --> 00:02:33,570
that resonated with
the business.
58
00:02:33,570 --> 00:02:37,031
I want to go back
to that first pillar,
59
00:02:37,031 --> 00:02:38,366
‘Confidently Compliant’.
60
00:02:38,366 --> 00:02:41,578
I'd love to dig into how
we use that to build
61
00:02:41,578 --> 00:02:43,246
trust with our customers.
62
00:02:43,246 --> 00:02:47,584
There's a lot out there
as far as regulatory
63
00:02:47,584 --> 00:02:50,795
requirements, and we
know that our customers
64
00:02:50,795 --> 00:02:54,174
continue to put more
and more and higher and
65
00:02:54,174 --> 00:02:56,926
higher expectations on
all of their vendors.
66
00:02:56,926 --> 00:03:00,054
So we wanted a framework,
67
00:03:00,054 --> 00:03:04,100
almost a ‘Rosetta Stone’,
that allowed us to
68
00:03:04,100 --> 00:03:08,605
correlate, standardize,
deduplicate, and normalize
69
00:03:08,605 --> 00:03:10,023
those requirements.
70
00:03:10,023 --> 00:03:12,317
The most important
time to have good trust
71
00:03:12,317 --> 00:03:15,862
and transparency with your
customers is exactly that
72
00:03:15,862 --> 00:03:18,656
when an incident might
occur, which kind of brings
73
00:03:18,656 --> 00:03:22,368
into one of our other, you
know, focus areas, which
74
00:03:22,368 --> 00:03:25,330
is well-defended and
resilient operations.
75
00:03:25,330 --> 00:03:29,417
The way we think about
it in general is almost cyclical.
76
00:03:29,417 --> 00:03:33,004
Predict, prevent, detect, respond,
recover, and improve.
77
00:03:33,004 --> 00:03:38,051
And we spend a lot of time
seeking to anticipate the
78
00:03:38,051 --> 00:03:40,178
nature and the methods
79
00:03:40,178 --> 00:03:42,388
of how we're likely
to be attacked.
80
00:03:42,388 --> 00:03:44,933
That amount of practice
and effort that we put
81
00:03:44,933 --> 00:03:47,560
into it, as I said,
really pays off.
82
00:03:47,560 --> 00:03:51,189
Another thing that I think is really
interesting that we do on the
83
00:03:51,189 --> 00:03:55,485
more user behavior side is
our security awareness program
84
00:03:55,485 --> 00:03:58,404
tries to make it fun,
which I think is important.
85
00:03:58,404 --> 00:04:01,741
Are you inferring security
awareness isn’t normally fun?
86
00:04:01,741 --> 00:04:04,577
I'm not inferring
anything, I'm just saying
87
00:04:04,577 --> 00:04:06,621
that I have seen security
awareness programs that
88
00:04:06,621 --> 00:04:09,457
lead more with a stick
instead of a carrot.
89
00:04:09,457 --> 00:04:13,962
And I don't think that's
super effective in my experience.
90
00:04:13,962 --> 00:04:16,881
For security training
and awareness to
91
00:04:16,881 --> 00:04:18,800
really resonate, it has
to be aligned with the
92
00:04:18,800 --> 00:04:22,762
culture, and I think that
there's a lot of really good
93
00:04:22,762 --> 00:04:23,930
work we've done
in that area.
94
00:04:23,930 --> 00:04:25,515
Well, I think in closing,
95
00:04:25,515 --> 00:04:28,726
we've talked a lot about
our key focus areas.
96
00:04:28,726 --> 00:04:31,521
And as we mentioned
before, they're always
97
00:04:31,521 --> 00:04:35,233
evolving, but it's exciting
that we're keeping focus on
98
00:04:35,233 --> 00:04:38,278
what our security program
is and how it aligns to
99
00:04:38,278 --> 00:04:40,697
what the business is
doing, especially now.
100
00:04:40,697 --> 00:04:44,242
Obviously, there's a lot of
growth and a lot of new
101
00:04:44,242 --> 00:04:47,453
and exciting things coming out
on the technology side.
102
00:04:47,453 --> 00:04:51,499
We want to ensure that
we can leverage that
103
00:04:51,499 --> 00:04:54,919
to provide innovative
and exciting products
104
00:04:54,919 --> 00:04:57,005
and solutions for
our customers,
105
00:04:57,005 --> 00:04:59,048
but we need to do it in a
risk-managed manner.
106
00:04:59,048 --> 00:05:01,050
Ryan, I think it's
really important what
107
00:05:01,050 --> 00:05:02,969
we've just talked
about, so thank you
108
00:05:02,969 --> 00:05:05,179
and thank everybody
who's listening.