search menu icon-carat-right cmu-wordmark

Global Value Chain – An Expanded View of the ICT Supply Chain

July 2016 Podcast
Presenter Edna M. Conway (Cisco Systems, Inc.), John Haller Interviewer Lisa R. Young

In this podcast, Edna Conway and John Haller discuss the global value chain for organizations and critical infrastructures and how this expanded view can be used to improve ICT supply chain management, including risks to the supply chain.



Organizations “are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the organizations’ decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services.”

In this podcast, Edna Conway, Chief Security Officer, Global Value Chain and Cisco, and John Haller, a member of the CERT Cyber Assurance team, discuss the global value chain for organizations and critical infrastructures and how this expanded view can be used to improve ICT supply chain management, including risks to the supply chain.

About the Speaker

Edna M. Conway (Cisco Systems, Inc.)

Edna Conway is the Chief Security Officer for Cisco in its Global Value Chain. She develops and oversees the deployment of Cisco’s strategy to assess, monitor, and continuously improve the security of its global value chain. Cisco's Value Chain Security Program spans its Supply Chain Operations, Engineering, Worldwide Partner and Services organizations.  In addition, she drives Cisco’s cyber and security protection plan throughout its third party ecosystem. Conway serves or has served on the company’s Cybersecurity Board, Risk and Resiliency Operating Committee and Global Compliance Governance Committee. Conway also serves or has served as a leader in various international security and supply chain standards, public-private partnerships and industry consortia (e.g., ISO, iNEMI, IPC, The Open Group Trusted Technology Forum and The Common Criteria). Her work has been featured in a variety of publications, analyst reports, and case studies, including some referenced at Conway’s discussions on key issues can be found on her Blog. Her recent industry recognition includes being named 2016 Chief Security Officer of the Year by Info Security Products Guide at RSA and being named a 2016 Woman of M2M by Connected World Magazine.

Conway holds an AB from Columbia University, a law degree from the University of Virginia and additional credentials from MIT and Stanford, Carnegie Mellon and New York Universities.

John Haller

John Haller is a member of the technical staff on the Cybersecurity Assurance team within the CERT® Division at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. As a member of this team, Haller performs research on critical infrastructure protection, focusing on methods, tools and techniques for managing external dependency and third party risk. Prior to joining CERT in 2010, Haller was analyzing cybercrime attacks on the financial industry in collaboration with a U.S. law enforcement agency. Haller, a U.S. Army veteran, received his Juris Doctor (cum laude) and Master in Public and Internationaal Affairs from the University of Pittsburgh and is also a Certified Information Systems Security Professional (CISSP).

Lisa R. Young

Lisa Young, Senior Member of the Technical Staff at the Software Engineering Institute at Carnegie Mellon University, has 20+ years of experience in the information technology and telecommunications industry. She holds the designation of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and is experienced in IT governance, information audit and security, and risk management. Ms. Young teaches the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) risk-based security assessment methodology at the Software Engineering Institute. Her current line of research provides guidelines for improving the way organizations manage the processes of security, IT Operations, business continuity, compliance, and audit to support the organization's mission and critical success factors.