Brad Reese speaks out
Rumor Cisco product development engineers penalized for reporting security issues

"A process was instituted at Cisco enabling any product development engineer to report security issues to John Stewart's team and Stewart's team has the ability to force the product VPs to prioritize and fix the issues. The whistle blowers receive no incentive and their identity is not protected. All the squealers were heavily penalized in terms of bonuses, project choices, and advancement opportunities. Many were forced to depart the company."

Hummelstown, PA: Tue, 1/7/14 - 11:59pm
 

Update 1/12/2014:

Fortunately for Cisco's customers and perhaps as a "direct result" of the following blog story, Cisco has now launched a "new tool" that will allow Cisco's product development engineers to anonymously report security vulnerabilities to Cisco PSIRT.

However, unfortunately for Cisco's customers, Cisco's product Vice Presidents continue to appear to have a "hardcore ingrained culture of retaliation" that seeks to penalize ANY Cisco product development engineer who dares to report a security issue with ANY Cisco product.

I mean, even with the new anonymous Cisco security issue reporting tool, Cisco's product development engineers will be risking their professional careers at Cisco by anonymously reporting Cisco product security issues.

How so?

Well, even when Cisco product security issues are reported anonymously, it's obvious to Cisco's product Vice Presidents that such a report will have come from a Cisco product development engineer of that specific Cisco product component team, because who else at Cisco would be looking at the particular code?

Will Cisco's product Vice Presidents now penalize entire Cisco product development engineer teams because a "security issue" was anonymously reported by a member of that team?

In other words, even with the new "anonymous" Cisco product security issue reporting tool, Cisco's product development engineers won't dare to report security issues because of potential retaliation by Cisco's product Vice Presidents against their engineering teams.


 


The Cisco Threat Response, Intelligence, and Development (TRIAD) organization has a key strategy to execute its mission:

"Collaborating with Cisco product, services, and solutions groups to strengthen security features, functions, and attributes of Cisco offerings."

Well, according to the following 2 Cisco security bombshell comments, the above key strategy for Cisco TRIAD to execute its mission appears to be TOTAL BUNK:

Cisco security bombshell comment #1

Cisco attempts to take security considerations seriously but its flawed organizational and incentive structure works against itself. John Stewart's team of security advocates all have good intentions, but they aren't product people and have very little impact on real product security. They are simply unskilled bureaucrats and process monkeys with limited influence with the Cisco product teams.

Most of Cisco's products have a bazillion security flaws that are well known to the product development engineers. These risks are of little concern to the product development VPs.

Their incentive structure is based around units sold and new revenue from features added. They pay little attention to their engineers' concerns regarding security flaws. The VPs' bonuses don't get increased by correcting latent security flaws yet to be discovered by the market. Any focus on these security issues costs resources that could be focused on greater VP incentive opportunities.

A process was instituted at Cisco enabling any product development engineer to report security issues to John Stewart's team and Stewart's team has the ability to force the product VPs to prioritize and fix the issues. The whistle blowers receive no incentive and their identity is not protected. As you can imagine, the initial conscientious engineers who squealed about security issues to Stewart's security advocates were not viewed favorably by their VPs who were forced to redirect resources to address the flaws. All the squealers were heavily penalized in terms of bonuses, project choices, and advancement opportunities. Many were forced to depart the company.

This program still exists in theory, but it no longer has any participants. As a result, Cisco has to reactively scramble to address each security flaw already known to its engineers when it is discovered by the market.


 

The first Cisco security bombshell comment above was then confirmed by the following comment:
 

Cisco security bombshell comment #2

You are preaching to the choir. I can speak from experience - it's not about doing what's right and getting things done in the best interest of the business, it's about pleasing your VP and covering up their incompetence. It's also all about who presents the prettiest PowerPoints that wow everyone, but get nothing done.

Nice to have a policy like this, but it's a useless effort when retaliation takes place. Like I said, I can speak from experience. And trust me, it's not just limited to this security effort you talk about.

This has been a lingering symptom for a long time, and now it is really rearing its ugly head, especially in light of the October layoff, where I can tell you many colleagues of mine were undeservingly cut simply because their VP did not like them and used this layoff as an excuse to get rid of many good people while maintaining those who contribute to incompetence, and all because the good people cut would not serve the individual best interests of these VPs. This is truly sad. And frankly scary. Anyone wonder why my resume is out there? At least those in the October layoff got severance.

 

I mean, the above 2 comments appear to call into question the "accuracy of the comment" made by John Stewart earlier today with regard to the Cisco/NSA backdoor crisis:
 

John Stewart Comment
 

Finally, the above 2 Cisco security bombshell comments call into question the "effectiveness" of Cisco's highly touted:


 

I've reached out to Cisco's crisis/issue and corporate reputation management PR guru, Nigel Glennie, for an official Cisco response:

Email: nglennie@cisco.com

Direct Telephone: 408-527-7541

So far, zilch/nada; perhaps Cisco's customers can get a response.
 

Related stories:

Top secret document contradicts Cisco's denial of NSA spy cooperation

Top Secret National Security Agency (NSA) JETPLOW firmware persistence implant (backdoor) for Cisco firewalls

Cisco spy issue could affect the war on global terrorism
 


©2014 Alliance Networking LLC