Cisco: Digital sovereignty in a fast-paced, complex regulatory environment

  • Digital sovereignty is about achieving digital autonomy across the entire end-to-end ecosystem and infrastructure.
  • Governments and organizations are demanding protections on data transferred outside their national borders, which means there are more data localization requirements around the world.
  • Tech Wire Asia spoke to Cisco’s SVP and chief security and trust officer Brad Arkin on digital sovereignty and data privacy, as well as the role of security in these areas.

In a post-GDPR world, more governments and organizations outside of the European Union have focused on digital sovereignty — with far more data localization requirements being set in place over the last few years. Privacy has become table stakes for business today. In fact, according to the Cisco 2022 Data Privacy Benchmark Study, 90% of organizations say their customers would not buy from them if they did not adequately protect customer data

Complementing these findings, in a separate annual global review of consumers’ perceptions and behaviors on data privacy, Cisco found that this year’s survey showed consumers’ top priority is for organizations to be more transparent on how their personal data is used. This year, 81% of respondents on the 2022 Consumer Privacy Survey agreed that the way an organization treats personal data is indicative of how it views and respects its customers, highlighting critical need for transparency.

This is the highest percentage since Cisco began tracking it in 2019 — and it is more apparent that ever-evolving technologies simply make it more difficult for consumers to trust companies with their data. Brad Arkin, the chief security and trust officer at Cisco, shared how data privacy and digital sovereignty are becoming a challenge for businesses as they navigate the complex and evolving regulatory environment.

The interview below has been edited for length and clarity.

What are some key digital sovereignty trends as well as the challenges associated with it?

It feels like we are heading towards a more fragmented global technical environment as each country is coming up with their own security and compliance requirements. How do big multinationals confront those fragmented territories? Over the past few years we’ve seen an increasing number of countries, different industries, and sectors pushing for specific requirements — that data needs to be stored locally, and potentially have constraints around who can operate the services. Fragmentation is happening and sometimes it’s different for each industry vertical. That too is creating a lot more work for tech companies that want to provide services to customers around the world.

So how does Cisco overcome the variety of bureaucracy in place, considering your presence worldwide?

The biggest thing that we’ve come up with is called the Cloud Control Framework (CCF). For example, when Germany, Spain or Japan set their own standards, even though they have different names they’re all similar in what they’re asking of us. 

The issue is meeting those fast-evolving requirements for security certifications and standards across the globe, which is becoming increasingly important, and extremely challenging and resource- and time-intensive for cloud-based software providers.

That is when the Cisco CCF fits perfectly. Essentially, the CCF is a comprehensive set of international and national security compliance and certification requirements, aggregated in one framework. It empowers teams to make sure cloud products and services meet security and privacy requirements, using a simplified rationalized compliance and risk management strategy that saves significant resources. 

For Cisco, the CCF is the foundational method for us to accelerate certification achievements across our cloud offerings and establish a strong security baseline. It is the result of years of standards research to certify SaaS products for multiple standards for repeatable practices and efficiencies. The CCF offers a structured “build-once-use-many” approach for achieving the broadest range of international, national, and regional certifications.

Since it has been so useful for us, we’ve made the Cloud Control Framework an open-source resource. Now, anybody can download it and use it to figure out what might work for their environment. Because it’s open-source, our customers can download and study it too. 

Since we are discussing compliance, Australia recently had a huge privacy overhaul because of the series of data breaches that was ongoing. Has that in any way impacted Cisco’s operation there?

The big thing in Australia that drives the work we’re doing around compliance attainment is IRAP — the Information Security Registered Assessors Program, governed and administered by the Australian Cyber Security Centre (ACSC). It is basically an escalating series of standards, so  if it’s a commercial application, or a classified government application, there’s a ladder of more or less controls.

IRAP is just one example of what we have put into our Cloud Control Framework. Each of our engineering teams, when looking at the opportunity to do business in Australia, work out the incremental work needed to achieve IRAP compliance. If the business case is there, and it makes sense, we bring in the auditors and get verification that we comply with IRAP. After this process, we are allowed to sell into that environment. 

So that’s at the top of my mind when I think about Australia and so far it hasn’t been a big change. We understand this compliance motion since we do it with other countries and this is just another way we need to ensure details are correct. That’s also when we use things like Cloud Control Framework to make it as efficient as possible. 

What about the way data is being approached and regulated in APAC? 

A lot of changes to the regulatory environment are being considered in APAC. Vietnam is thinking through a lot of changes in the way that they look at service delivery, but it isn’t something that has come into force yet. The advice that I give to policymakers is to really think about what primary outcomes they’re driving for, and work backwards from there.

Lastly, is data sovereignty a barrier to cloud adoption?

It is a growing barrier to adoption because of the cost of complying with increasing requirements. When considering which countries are valuable to business, incremental data sovereingty requirements drive up costs, which may tip the balance on whether it is economical to expand into a region. 

Our goal is to serve our customers, we want to solve problems. We’re always looking to lower costs wherever we can. Things like Cloud Control Framework is one way to do that, but when you have things like an individual data center for every country, it’s less efficient than doing one regionally to serve multiple countries. That’s something which may tip the business case balance, where it ends up not being worthwhile.