Secure by design: A blueprint for the future of cybersecurity

The shield of transparency has emerged as an invaluable asset in the world of cybersecurity, especially as digital connections and cyber threats continue to increase significantly.

Organizations must work collaboratively to promote transparency, reduce the costs of secrecy and collectively defend against the evolving threat landscape. By adopting “secure-by-design” principles and leveraging automation, organizations can stay ahead of the curve in an environment where cybersecurity challenges continue to grow in complexity and frequency, according to Suzanne Spaulding (pictured, left), former Undersecretary for cyber and infrastructure at the Department of Homeland Security.

“It’s really imperative that government create an environment in which companies are strongly encouraged and rewarded for getting this out,” she said. “I think [the Cybersecurity & Infrastructure Security Agency] is doing a great job with that. If you look at their guidance on Secure By Design, one of their key principles is radical transparency.”

Spaulding and Carl Windsor (right), senior vice president of product technology and solutions at Fortinet Inc., spoke with Rob Strechay, industry analyst  with theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the pivotal role of transparency, secure-by-design principles and the evolving landscape of cybersecurity. (* Disclosure below.)

Balancing security and transparency

There is a delicate balance between product security and transparency. As a major player in the cybersecurity industry, Fortinet recognizes the duty of care it owes to its customers, according to Windsor Promptly disclosing vulnerabilities and providing organizations with the information needed to make informed risk-based decisions is of paramount importance.

Fortinet’s commitment to transparency extends to working with third-party responsible disclosure organizations, ensuring that vulnerabilities are disclosed openly. This approach enables organizations to assess risks and make timely upgrades to secure their systems, Windsor added.

“This is another reason why that radical transparency is important,” he said. “You’ve got to give the customers the level of information they need to be able to make those decisions. Give them the information as early as possible, as rapidly as possible so they can make those risk-based decisions on whether to upgrade.”

Government entities should play a significant role in promoting transparency, according to Spaulding. Government agencies play a pivotal role in incentivizing companies to disclose vulnerabilities and reducing the stigma associated with such disclosures. CISA is one example of a government agency actively encouraging radical transparency. CISA’s guidance on Secure By Design underscores the importance of openness and quick acknowledgment of breaches and vulnerabilities.

“This radical transparency is going to look ugly at first, but that is a good thing, and it really has to be done that way,” Spaulding said. “Government needs to lead by example. Government needs to display that same radical transparency, be very transparent and quick about acknowledging breaches and vulnerabilities that they find.”

Secure-by-design principles

Secure-by-design principles emphasize integrating security considerations from the outset of product development. By thinking about security, threat models and potential vulnerabilities from the project’s inception, organizations can build inherently secure products. Secure by design aims to shift the responsibility for secure configuration away from organizations, ensuring that products are secure “out of the box.” This proactive approach is crucial in an era where the pace of change and the frequency of patches and disclosures have become daunting, Windsor pointed out.

“Build products that are simple for the customers to use and then have a hardening guide to make them more and more secure over time,” he said. “Build security into the product from the start. It’s a whole paradigm shift for the way that we operate in the cybersecurity space.”

Using automation in mitigating risks is also important. As the rate of change in the cybersecurity ecosystem accelerates, organizations must find ways to keep up, including automatic upgrading and virtual patching technologies. While these technologies don’t eliminate the need for upgrades, they offer breathing space and additional layers of defense for organizations striving to maintain security in an ever-changing environment, according to Windsor.

“The pace of change has got to continue,” he said. “I think the difficulty for our customers is how they manage that pace of change so we can create patches and continue to fix issues. What we need to do is to give them the tools that they need to make the decision of whether they need to upgrade and how quickly they need to upgrade and then put other mitigations in place. It doesn’t get away from the need to upgrade, but it might give some breathing space to allow them to get through that upgrade process.”

Here’s theCUBE’s complete video interview with Suzanne Spaulding and Carl Windsor:

(* Disclosure: Fortinet Inc. sponsored this segment of theCUBE. Neither Fortinet nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE