Rumor: Cisco product development engineers penalized for reporting security issues
"A process was instituted at Cisco enabling any product development engineer to report security issues to John Stewart's team and Stewart's team has the ability to force the product VPs to prioritize and fix the issues. The whistle blowers receive no incentive and their identity is not protected. All the squealers were heavily penalized in terms of bonuses, project choices, and advancement opportunities. Many were forced to depart the company."
Fortunately for Cisco's customers, and perhaps as a "direct result" of the following blog story, Cisco has now launched a "new tool" that will allow Cisco's product development engineers to anonymously report security vulnerabilities to Cisco PSIRT.
However, unfortunately for Cisco's customers, Cisco's product Vice Presidents continue to appear to have a "hardcore ingrained culture of retaliation" that seeks to penalize ANY Cisco product development engineer who dares to report a security issue with ANY Cisco product.
I mean, even with the new anonymous Cisco security issue reporting tool, Cisco's product development engineers will be risking their professional careers at Cisco by anonymously reporting Cisco product security issues.
How so?
Well, even when a Cisco product security issue is reported anonymously, it will be obvious to Cisco's product Vice Presidents that the report came from a Cisco product development engineer on that specific product component team, because who else at Cisco would be looking at that particular code?
Will Cisco's product Vice Presidents now penalize entire Cisco product development engineer teams because a "security issue" was anonymously reported by a member of that team?
In other words, even with the new "anonymous" Cisco product security issue reporting tool, Cisco's product development engineers won't dare to report security issues because of potential retaliation by Cisco's product Vice Presidents against their engineering teams.
The Cisco Threat Response, Intelligence, and Development (TRIAD) organization has a key strategy to execute its mission:
"Collaborating with Cisco product, services, and solutions groups to strengthen security features, functions, and attributes of Cisco offerings."
Well, according to the following 2 Cisco security bombshell comments, the above key strategy for Cisco TRIAD to execute its mission appears to be TOTAL BUNK:
Cisco attempts to take security considerations seriously but its flawed organizational and incentive structure works against itself. John Stewart's team of security advocates all have good intentions, but they aren't product people and have very little impact on real product security. They are simply unskilled bureaucrats and process monkeys with limited influence with the Cisco product teams.
Most Cisco products have a bazillion security flaws that are well known to the product development engineers. These risks are of little concern to the product development VPs.
Their incentive structure is based around units sold and new revenue from features added. They pay little attention to their engineers' concerns regarding security flaws. The VPs' bonuses don't get increased by correcting latent security flaws yet to be discovered by the market. Any focus on these security issues costs resources that could be focused on greater VP incentive opportunities.
A process was instituted at Cisco enabling any product development engineer to report security issues to John Stewart's team and Stewart's team has the ability to force the product VPs to prioritize and fix the issues. The whistle blowers receive no incentive and their identity is not protected. As you can imagine, the initial conscientious engineers who squealed about security issues to Stewart's security advocates were not viewed favorably by their VPs who were forced to redirect resources to address the flaws. All the squealers were heavily penalized in terms of bonuses, project choices, and advancement opportunities. Many were forced to depart the company.
This program still exists in theory, but it no longer has any participants. As a result, Cisco has to reactively scramble to address each security flaw already known to its engineers when it is discovered by the market.
The first Cisco security bombshell comment above was then confirmed by the following comment:
You are preaching to the choir. I can speak from experience: it's not about doing what's right and getting things done in the best interest of the business, it's about pleasing your VP and covering up their incompetence. It's also all about who presents the prettiest PowerPoints that wow everyone but get nothing done.
Nice to have a policy like this, but it's a useless effort when retaliation takes place. Like I said, I can speak from experience. And trust me, it's not just limited to this security effort you talk about.
This has been a lingering symptom for a long time, and now it is really rearing its ugly head, especially in light of the October layoff, where I can tell you many colleagues of mine were undeservingly cut simply because their VP did not like them and used this layoff as an excuse to get rid of many good people while maintaining those who contribute to incompetence, and all because the good people cut would not serve the individual best interests of these VPs. This is truly sad. And frankly scary. Anyone wonder why my resume is out there? At least those in the October layoff got severance.
I mean, the above 2 comments appear to call into question the "accuracy of the comment" made by John Stewart earlier today with regard to the Cisco/NSA backdoor crisis:
Finally, the above 2 Cisco security bombshell comments call into question the "effectiveness" of Cisco's highly touted: