Cisco’s New CISO – Securing the Future One Challenge at a Time

A conversation with Mike Hanley

Cisco’s new chief information security officer (CISO), Mike Hanley, has taken on his latest role amid unique circumstances. Protecting the world’s largest networking and security company, supporting unprecedented numbers of remote workers, and moving many more applications into the cloud is no easy feat, not to mention leading a team of Cisco professionals who themselves are navigating the challenges this calendar year has brought.

A responsibility this monumental requires a leader who is a resilient people person and problem solver. Thankfully, that’s exactly what we’ve gotten with Mike Hanley.

Mike began his security career working on R&D programs for the U.S. government at the CERT Coordination Center. He continued to hone his skills when he joined security startup Duo (now a part of Cisco). Mike originally joined Duo to lead Duo Labs, the company’s security R&D team. Later, he was asked to be the Vice President of Security and build the company’s security team from the ground up before becoming the CISO for Cisco.

As you can probably tell, Mike is not one to back down from a challenge. As security, IT, and the world as a whole continue to change dramatically, his analytical thinking, nimble decision-making, and compassionate leadership will no doubt serve him well in his new position. To top it off, Mike previously worked at an IT help desk, and he has six children, so he’s no stranger to strategic problem-solving.

We are thrilled to have Mike on board. We recently connected with him to discuss his role, the current state of security, and how his work impacts our customers.

Q: What are some of the biggest challenges facing you as Cisco’s CISO?

Mike: We’re living through a once-in-a-century pandemic, which means I’ve been in this job for three months and I haven’t met the vast majority of my team in person yet. I am spending a lot of time thinking about how we can have more than just transactional work conversations, but also really learn what motivates people, the challenges they’re facing, and how we can help them do their best work.

Being present and authentic with your team is critical for persevering during these difficult times. I feel that if I’m honest with my team about my day-to-day experience and the limitations of working from home with a full house, they will know that it is safe for them to be open as well. Besides, I have six kids who periodically run into my Webex meetings, so it would be hard for me to hide that anyway!

Q: What is it like being the CISO for the world’s largest networking and security company? It must come with its own set of benefits, as well as pressures?

Mike: I’m a product guy, so I love being able to work at a company where we have a lot of cool security products. It’s also very beneficial for me to be able to talk to some of our security leaders within Cisco about what they’re building and what they’re hearing from customers, as well as share my thoughts on what’s working for us and what I’m hearing from my peers in other companies.

I like and use all of the tools that we’re building. For example, I have Cisco Meraki gear in my house. We’re using Cisco Umbrella to secure Cisco’s own global DNS infrastructure. We have Cisco Duo protecting every single one of our employees, and we’re building a zero-trust network with these and many other Cisco security technologies.

As far as specific pressures for this role, Cisco is one of the most important companies in the world. Everyone runs on Cisco, whether it’s in the building that they’re in or through somebody else that they rely on. So there’s a real opportunity for us to earn our customers’ trust every day by being excellent in this space, and they deserve our continued attention and focus. I’m always asking myself, “How do we continue to do better tomorrow than we did today or yesterday?”

Q: Along the lines of being even better tomorrow than today, what are some of your goals for your new position?

Mike: For one, I’m really excited to bring some of how we thought about security at Duo into the rest of Cisco. Really taking a design-centric approach to how we solve problems and making security delightful for people to use and experience. Everything that we do involves interacting with people who are just trying to get their jobs done, and it’s easy for security to become complex. Complexity is the enemy of our ability to sustain and operate a safe and secure infrastructure. Simplicity is key.

Additionally, Cisco is undergoing a pretty significant shift in how the company is set up to drive digital transformation for our customers. So for me that means a modernization and reimagination of our internal security program – how we build and secure applications, how we securely operate services, and so on. It’s about rethinking the underlying technologies, processes, and skill sets that allow us to continue serving as an innovative and trustworthy security partner to our customers.

Q: Within Cisco’s security business, we are also working hard to reduce complexity so that it doesn’t impede our customers’ progress. Our efforts have recently resulted in the launch of our integrated Cisco SecureX platform. What are your thoughts on this approach?

Mike: Cisco SecureX is an important part of where the industry needs to go with respect to simplifying how we interact with all the security tools we have. Security buyers often have dozens of different tools from multiple vendors, and generally have to use a fair amount of duct tape to get them to work together. This creates complexity, cost, and overhead. So to be able to take a product portfolio, present it in one location, and show how products actually work together to create a more integrated, seamless experience is frankly where I hope the rest of the industry will follow. It’s great that Cisco is ahead of the game in this space.

Q: I’m glad you mentioned the complexity that results from working with so many vendors. In our latest CISO Benchmark Report, 81% of respondents said they find it challenging to manage a multi-vendor environment. It’s definitely a prominent issue, and one that we’re working to solve. Staying on the topic of Cisco technologies, you mentioned Duo earlier, and how you use it to protect our employees. You also happen to have joined Cisco via the acquisition of Duo, a pioneer in multi-factor authentication (MFA). Could you please explain the importance of MFA as part of a comprehensive security strategy?

Mike: The way people are working, the devices that they’re working from, and the types of applications that they’re consuming are all radically changing at once. Having MFA is not a new thing, but the innovation is in how people experience it. Going all the way back to the 80s, we had tokens with changing passcodes, but the usability factor just wasn’t that high.

There’s no substitute for getting a push notification to your phone, which is a device everyone has and does most of their work on anyway, and it’s how most people experience Duo MFA. It’s very easy to use and goes back to the need for simplicity in security. Overall, passwords are just a really difficult thing for us to rely on as humans. Using MFA gives you an extra layer of protection to confirm that you really are who you say you are in an authentication process.

Q: What challenges do you see on the horizon in the next year or so when it comes to security?

Mike: This year has created some unique challenges as people have tried to provision for remote working all the time and provide that connected experience securely. I think next year will create some different hurdles as we figure out how the pendulum will settle between where we were before and where we are right now. How will we accommodate both those who want to work remotely as well as those who want to go to the office?

Q: Thank you, Mike, for this insight. It’s always great to learn about what goes on behind the scenes to help make Cisco such a leader in the industry. Last question: If you could leave security teams with three quick pieces of advice, what would they be?

Mike: First of all, be kinder than necessary to everybody that you work with. Secondly, complexity is the enemy of security. And lastly, diverse teams and backgrounds can lead you to great and non-traditional results.

When it’s all said and done, we deliver strong, simplified security to our customers when we’re deploying it ourselves. We are on a mission to make our security technology as easy to use as it is effective, and we’re excited to collaborate with Mike on fine-tuning our strategy to better protect our customers around the world.