Cisco chief security officer John N. Stewart on regulation, automation, and what happens when the Internet of Things bites back.
FORTUNE — There are a million jobs in the computer security industry that executives like John Stewart can’t fill, even as company after company falls victim to a major breach. You know the names: Heartland Payments Systems, Target, even the arts and crafts chain Michael’s.
The hits keep coming, sending corporate boards scurrying to reinforce their companies’ defenses. Which means the pressure is on people like Stewart, Cisco’s (CSCO) chief security officer, to find the best people in a field of study that has only existed for a handful of years. “You make a lot of bets in a hurry,” he says.
During a recent visit to Fortune’s New York offices, Stewart explained why cyber-threats have taken over the news cycle and why the computer security industry is playing catch-up to transition from a tools-focused mindset to one focused on efficacy and the end result. “The whole industry has to change,” he says. “We are tech-obsessed.”
It’s the latest in an occasional series we’re calling “Five Minutes on the Future.” (You can read previous editions with Thrillist Media Group CEO Ben Lerer and AVG CEO Gary Kovacs here.) Here’s what Stewart had to say.
It might sound a little passé, but every company — no matter which one is reading Fortune — is now an IT company. And every company, whether they want to be in it or out of it, has some aspect of security inside to protect themselves.
That’s what every executive has to take to heart, for a couple of reasons. The boardroom — either by self-choice or through what I believe is going to be inspection, regulation, and law, here in the U.S. or outside of the U.S. — is being essentially asked to inspect the computer security protections of their business, whatever businesses that they’re in. They’re going to have to ask some very simple questions, and I think they’re going to largely roll out as: What are the entire set of controls we have in place? How well have they been tested? When’s the last time they were tested? Did we have any violations during that test? Do we have a reporting process if we’ve had a breach? And — and this is the one I usually don’t put on the list of they will ask this, but they should — is there anything else I should know? And I think that really is going to happen to the executive teams of every single major business that exists.
Part of the reason is, as publicly traded companies, you can already see the SEC getting engaged at a much stronger level. They just held hearings a couple of weeks ago talking about what the role of cybersecurity in the board room is going to be like. The FCC is doing exactly the same thing in a different context. And that’s just here in the U.S. So when I lean back and ask, what is the future of security? Part of it is that board rooms have to get engaged.
That will cause an interesting set of downstream effects. The CEOs or presidents of businesses will be asked some tough questions. Those tough questions will then go to the staffs. The staffs will then build up the mature program and be able to respond. All of this will mature the largely tech-savvy, tech-addicted security industry. That’s part one.
Part two? We, in the next few years, had best design security in finally. God knows we’ve talked about this forever. But when you start bringing on three times as many people-less devices on the Internet than people-with devices — which is statistically true in some portions of Europe; it’s starting to happen here in the Americas — then the idea that a human being is going to be there to help [when something goes wrong] is not true.
You’re going to have IPTV cameras here in New York. You’re going to have sensor grids that are for earthquake detection in California. You’re going to have crop-growing water detection systems in Brazil, where they’re going through a very large drought. All of that is computing systems that are Internet-connected and have no person involved. So if you’ve designed in a lack of security, you’re going to have botnets on, say, forests that have IP sensors on them to detect global warming. And I’m not sure what computer emergency response team you call if a forest is attacking your Internet. That’s part of that future.
So that’s the second part: We have to do something different today, or we’re going to get more of the same. And that’s also part of the reason we put out our Grand Security Challenge around the Internet of Things: What security innovation would be necessary?
And then there’s the third part. I’m a little nervous about this, but part of the future of security is, unfortunately and in my opinion, that there’s going to be more accidents. I don’t know if that’s how human beings largely learn; I know that my parents told me not to do a lot of things, and I still did a lot of things anyway, and I learned painfully many times because of it. But it scares me because I see loss of life as a potential here.
There are modernization plants happening in the Middle East where they’re bringing on huge computing platforms as part of natural gas and petrochemical yields, and these brand-new designs are running on all the common operating systems you and I use. If not done correctly and something happens, that will be a computing problem that manifests itself in somebody getting hurt. The Internet going down at the wrong moment? I mean that tongue-in-cheek — I really mean the network you’re on going down at the wrong moment. That can be loss of life if you’re in a hospital, or in the military, or doing something as simple as air traffic control. You name it.
And so part of the security industry in the future, to me, is not exactly good news. I think there are going to be more accidents, and I don’t know that we’re going to be able to avoid all of them. But we best learn very quickly each and every time so that we contain them from being virally problematic.
Oh, and the last one: It’s going to be profitable. I also say that tongue-in-cheek, but the math suggests that the [IT security] industry’s got growth in it, and I think that’s good news for some and maybe not-so-good news for others. But it’s definitely part of what I believe our industry’s going to be like in the future.