In an enlightening CUBE Conversation, we delved into the intricate world of cybersecurity with two experts: Suzanne Spalding, former Under Secretary for Cyber and Infrastructure at the Department of Homeland Security (DHS), and Carl Windsor, Senior Vice President of Product Technology and Solutions at Fortinet. It was a fascinating conversation for two main reasons: first, we talked about the role of government and commercial vendor partnership in this fight, and second, we discussed the impact on vendors’ time to market, roadmap planning, and release planning. We shed light on the current state and future trajectory of transparency in cybersecurity, a domain increasingly significant in our interconnected digital world.
The conversation highlighted the rapid evolution of the threat landscape and the pressing need for a paradigm shift in how cybersecurity is approached. The concept of “fighting in the light,” as coined by Spalding, underlines the strategic necessity of operating in an environment where transparency is not just a virtue but a tactical advantage and goes beyond sharing threat intelligence. This approach starkly contrasts with traditional secretive methods, particularly prevalent in authoritarian regimes.
Why End-User Organizations Should Care
In an era where cybersecurity threats are no longer confined to the shadows but are increasingly overt and sophisticated, run by adversaries organized like corporations themselves, end-user organizations must prioritize vendor transparency and collective defense strategies. The discussion underscored the crucial role of radical transparency in building trust and confidence in cybersecurity solutions. It’s not just about vendors developing secure products; it’s about how these products and their vulnerabilities are communicated to users, partners, and even competitors.
End-user organizations need to be cognizant of the cybersecurity practices of their vendors. They should be evaluating vendors not just on the basis of their products’ features but also on their approach to handling and disclosing vulnerabilities. This shift towards a more open and collaborative approach to cybersecurity is not just a matter of ethical responsibility but a strategic necessity to fortify defenses against increasingly coordinated and networked adversaries.
Fight in the Light
One of the most striking takeaways was the concept of “training to fight in the light,” which advocates for preparedness in a transparent world where secrecy is becoming increasingly difficult to maintain. Coined by Suzanne Spalding some years back, this approach fundamentally redefines traditional cybersecurity tactics. It pivots from the age-old practice of operating in secrecy to embracing transparency as a tactical advantage. In a world where the concealment of data and vulnerabilities is increasingly untenable, “fighting in the light” emphasizes the strength of openness. This strategy involves preparing organizations to operate effectively under the assumption that information and exploits will inevitably become public. And that is not limited to zero-days; it applies to every vulnerability, misconfiguration, and breach an organization would rather keep quiet.
It encourages proactive sharing of threat intelligence, vulnerabilities, and security breaches, fostering a culture of collective defense. By adapting to this transparent environment, organizations can outmaneuver adversaries who rely on secrecy and misinformation. This paradigm shift not only enhances an organization’s resilience against cyber threats but also builds trust with stakeholders, reinforcing the belief that facing challenges in the open is a sign of strength, not weakness. In essence, learning to fight in the light is about transforming transparency from a perceived liability into a strategic asset in the ever-evolving battleground of cybersecurity.
Public Private Partnership
Another key takeaway was the role of governments in shaping cybersecurity norms. Governments, wielding regulatory power and vast resources, are crucial in shaping the cybersecurity landscape. Their involvement often extends beyond mere oversight, evolving into a collaborative partnership with private entities, with threat intelligence sharing a key example. This synergy is crucial for establishing and enforcing cybersecurity norms, standards, and best practices. By providing guidelines, such as those outlined by agencies like the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S., governments can influence private enterprises to adopt more robust and transparent cybersecurity measures.
This includes encouraging the disclosure of vulnerabilities and breaches, which in turn fosters a culture of openness and continuous improvement. My first activity every morning is reading the CISA vulnerability announcements. This is an example of how government agencies serve as a bridge, facilitating information sharing between disparate private entities, thus enabling a more unified defense against cyber threats. Such collaboration is especially vital in countering sophisticated state-sponsored cyber activities. The government’s role in incentivizing and sometimes mandating certain cybersecurity practices while balancing the need for private sector innovation and agility is a delicate yet essential component in the broader quest to fortify digital infrastructures against an ever-expanding threat landscape.
Secure by Design
Lastly, the conversation illuminated the importance of the secure-by-design principle in product development. This is near and dear to my heart as a product person. Carl delved into this principle, underscoring the importance of considering security right from the conceptual stage of product development rather than as a retrospective add-on. Secure by design, or being secure from the start, encompasses a comprehensive strategy where security considerations are integrated into every phase of the development process. It involves identifying and protecting high-value assets, assuming potential breaches, and developing robust mitigation strategies. This proactive stance in cybersecurity is not just about fortifying defenses but also about simplifying the user’s role in maintaining security. The discussion pointed out the shift from the traditional model of handing customers a hardening guide (change the default password, disable the insecure protocol, restrict the management interface) towards delivering products that ship with those settings already hardened, so that they are secure out of the box.
Our ANGLE
Organizations must require their vendors to be “Secure by Design” and verify that they are “fighting in the light.” These are two key considerations that show you are working with an organization that is committed not only to revenue, but to being part of the solution for the entire threat landscape. Questions that organizations should be asking include “What is your rate of vulnerability disclosures over the past year?” and “What is your Secure by Design philosophy?” In addition to judging vendors by their actions, organizations need to be applying these principles themselves. We have talked about “shift left” for quite some time now in the application development space, and it still needs to be more widely adopted as the “secure from the start” principle. AI and co-pilots could be significant tools to provide leverage, especially in creating automated QA tests for security vulnerabilities at the unit test level. Organizations need to hold themselves just as accountable as they hold their vendors. All of this should be part of a plan for learning to fight in the light. The SEC requires incident disclosures from public companies, but the practice is critical for public and private organizations alike.
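To make the two product-side ideas above concrete, the “secure out of the box” shift described under Secure by Design and the unit-level security tests called for in this section, here is an added example in Python. It is illustrative code written for this article, not code from Fortinet or from any product discussed in the conversation; the `ManagementConfig` class, its settings, and the finding names are all hypothetical. The configuration object defaults to the hardened values a hardening guide would otherwise tell the customer to apply, refuses to start if weakened without an explicit opt-in, and a set of small named checks fails the build if a later change quietly weakens a default.

```python
"""Added example: a secure-by-default service configuration with unit-level
security tests that fail if a developer weakens a default.
All names here are hypothetical; this is not vendor or product code."""
import secrets
from dataclasses import dataclass, field

# Credentials a hardening guide used to tell customers to change; a secure-by-design
# product never ships them. Constructed list for this example.
WELL_KNOWN_DEFAULT_PASSWORDS = frozenset({"admin", "password", "changeme", "default", "12345678"})
LOOPBACK_ADDRESSES = frozenset({"127.0.0.1", "::1", "localhost"})


class InsecureConfiguration(ValueError):
    """Raised when a configuration would run weaker than the secure baseline."""


@dataclass(frozen=True)
class ManagementConfig:
    """Settings for a product's management interface (hypothetical). Every default is the
    hardened value, so a fresh install needs no hardening guide; weakening anything is an
    explicit opt-in rather than something the operator must remember to turn off."""
    listen_address: str = "127.0.0.1"          # reachable only locally out of the box
    tls_enabled: bool = True
    min_tls_version: str = "1.2"
    session_timeout_minutes: int = 15
    # Per-install random secret instead of a factory password shared by every unit.
    admin_password: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    expose_externally: bool = False             # must be set True deliberately to bind beyond loopback

    def findings(self) -> list[str]:
        """Return the ways this configuration falls below the baseline (empty means secure)."""
        found = []
        if not self.tls_enabled:
            found.append("tls_disabled")
        elif self.min_tls_version not in ("1.2", "1.3"):
            found.append("weak_tls_version")
        if self.listen_address not in LOOPBACK_ADDRESSES and not self.expose_externally:
            found.append("management_exposed_without_opt_in")
        if self.admin_password.lower() in WELL_KNOWN_DEFAULT_PASSWORDS or len(self.admin_password) < 12:
            found.append("weak_or_default_admin_password")
        if self.session_timeout_minutes <= 0 or self.session_timeout_minutes > 60:
            found.append("session_timeout_out_of_range")
        return found

    def validate(self) -> "ManagementConfig":
        """Refuse to start with a weakened configuration rather than hope the operator hardens it."""
        problems = self.findings()
        if problems:
            raise InsecureConfiguration(", ".join(problems))
        return self


def security_unit_tests() -> dict[str, bool]:
    """Unit-level security checks of the kind the article calls for: each entry is a named
    regression test that fails if a future change weakens the secure defaults."""
    results = {}

    # 1. Out of the box, with nothing configured, the product must pass validation.
    results["fresh_install_is_secure"] = ManagementConfig().findings() == []

    # 2. Two installs must never share the same generated admin password.
    results["admin_password_unique_per_install"] = (
        ManagementConfig().admin_password != ManagementConfig().admin_password
    )

    # 3. The "hardening guide era" configuration must be rejected, with every weakness named.
    legacy = ManagementConfig(listen_address="0.0.0.0", tls_enabled=False, admin_password="admin")
    results["legacy_defaults_rejected"] = set(legacy.findings()) == {
        "tls_disabled", "management_exposed_without_opt_in", "weak_or_default_admin_password",
    }

    # 4. Exposing the interface is allowed only as an explicit opt-in; TLS stays on regardless.
    exposed = ManagementConfig(listen_address="0.0.0.0", expose_externally=True)
    results["explicit_exposure_allowed"] = exposed.findings() == []
    results["exposure_without_optin_fails"] = (
        ManagementConfig(listen_address="0.0.0.0").findings() == ["management_exposed_without_opt_in"]
    )

    # 5. validate() must raise rather than silently run a weakened configuration.
    try:
        legacy.validate()
        results["validate_raises_on_insecure"] = False
    except InsecureConfiguration:
        results["validate_raises_on_insecure"] = True

    return results


if __name__ == "__main__":
    for name, passed in security_unit_tests().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

The point of the design is that the customer-facing hardening steps have become developer-facing test cases: the vendor, not the buyer, carries the burden of proving the product is secure in its shipped state, and a reviewer can see from the test names exactly which defaults are guaranteed. When evaluating a vendor’s Secure by Design claim, asking whether checks like these exist in their build pipeline is a more useful question than asking for the hardening guide.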