A panel at the RSAC 2024 event discusses the importance of reporting and transparency in the cybersecurity industry. They stress the need for organizations to disclose breaches and vulnerabilities to protect consumers and improve the marketplace. The panel references the Secure by Design pledge released by CISA, which encourages vendors to disclose vulnerabilities. Transparency and information sharing are seen as crucial in combating cybersecurity threats. The panel also discusses the challenges of standardizing disclosures and fostering collaboration among industry players. Manufacturers taking responsibility for security and securing critical infrastructure are highlighted. The panelists believe initiatives like Secure by Design can drive progress and make the marketplace more secure. Addressing vulnerabilities and sharing information is emphasized to stay ahead of adversaries. Best practices and guidelines are necessary as technology advances and reliance on network systems grows. The convergence of physical and digital worlds has changed the notion of physical security, with new vulnerabilities created by drones and remotely controlled systems. A national cyber strategy and initiatives like Secure by Design aim to promote transparency in cybersecurity. By embracing transparency, corporations can make informed decisions and effectively address vulnerabilities. Small and medium-sized businesses are also supported in their cybersecurity efforts. The goal is for initiatives like Secure by Design to reduce bad practices and encourage transparency. The ultimate goal is a more secure and resilient cybersecurity ecosystem. All stakeholders, including vendors, must prioritize customer needs and work together for the benefit of all.
Suzanne Spaulding
Former Undersecretary, Department of Homeland Security
Jim Richberg
Head of Cyber Policy, Global Field CISO, Fortinet
Dave Vellante
Co-Founder & Co-CEO, SiliconANGLE Media, Inc.
HOST
Dave Vellante
>> Hi everybody. Welcome back to the special CUBE presentation here at RSAC 2024. We're inside of Moscone West, this is day four. And we're going to talk about a very important topic that really is starting to take shape in the industry and as it relates to public policy, because not all organizations share the same sort of standards on reporting and transparency when it comes to breaches, and so we sometimes don't hear about it until way after the fact and we read about it in the news, other companies actually disclose upfront. So there really aren't any great standards to go by, so that creates confusion in the marketplace. I'm Dave Vellante, along with my co-host, Zeus Kerravala of ZK Research, and we're really excited to have Jim Richberg here.
He is the head of cyber policy and the global field CISO at Fortinet, and Suzanne Spaulding, who is the Former Undersecretary Department of Homeland Security, and she's part of the Fortinet Advisory Council. Folks, welcome to theCUBE, welcome to this panel. Thanks so much for taking some time with us.
Jim Richberg
>> .
Suzanne Spaulding
>> Thank you, great to be here.
Dave Vellante
>> You guys just came off another panel called No More Secrets. Suzanne, this is something that you coined in 2010, so pretty prescient. I'd like you to start, each of you, Suzanne, you can start, introduce yourself, tell us a little bit about your background, and why you're so passionate about this topic.
Suzanne Spaulding
>> Yeah. Well, Dave, first of all, great to be here, looking forward to the conversation. So I wrote this blog in 2010 called No More Secrets, trying to raise awareness that the shelf life of secrets was vanishingly short, and the idea that you could somehow have a monopoly on information, including the discovery of a vulnerability, for any length of time, and that others weren't going to discover that information, or that you could keep information secret for any length of time, was really increasingly a myth, and that we needed to learn how to operate in that environment. So the idea is, we all know that if you train to fight in the dark, you could meet your adversary at night, or you could turn off the light, and you'd have the advantage, think about the daredevil. But what we have is a transparent world that's coming at us full steam ahead, where lights are being turned on all over the world, and the darkness that allows you to keep secrets is vanishing, it's going away. So we need to train to fight in the light, and whoever can learn to operate with a level of radical transparency is going to have the advantage in the world that's coming at us.
Dave Vellante
>> Great, thank you for that. So Jim, I think radical transparency is something that is near and dear to your heart. Tell us about your background, and what's your premise on this topic?
Jim Richberg
>> So Dave, I came to Fortinet after a full career in the federal government. Suzanne and I were long-time colleagues on cybersecurity, I was doing it before we called it cybersecurity. And from my perspective, the biggest problem in cybersecurity is not people, process, or technology, it was metrics. It's the fact that we lack bad data. Is the incidence of ransomware, X, 2X, or 3X? We're really guessing, we're throwing darts at a dartboard. The same thing applies on defense. What is the prevalence of a given class of vulnerability? Is it getting better or worse over time? So radical transparency is a way of saying, we're going to have to enable people to make informed decisions as consumers, and frankly, as policy issues. And this week, CISA released the Secure by Design Pledge that 68 vendors signed, I was one of the leads from the IT sector in negotiating, collaborating with CISA to evolve that pledge. And several of the items are about vulnerability, but one says, "You really should be disclosing the vulnerabilities that you discover." The baseline is if it's critical or high or someone's exploiting it, but we'd like to see you go further. So this is all, Dave, about saying, "Look, the market works best when information flows." And in cybersecurity, we've had too much opacity about issues like vulnerability.
Dave Vellante
>> We have history on disclosure. I go back decades to the Tylenol situation, and it became a PR case study. But it really hasn't trickled into the technology industry generally, and the cybersecurity industry specifically, and that's really what you guys are trying to create some standards around, isn't it?
Suzanne Spaulding
>> Yeah, and it's really important, because when I was undersecretary at the Department of Homeland Security, and I had the great honor of leading the men and women who worry about strengthening the security and resilience of our critical infrastructure that we depend upon every single day, all day, every day, and I would go around and talk to companies about the importance of disclosure, and of course, this was before we had the mandated incident disclosure that finally came, and they would say, "Look, we can't disclose, because our competitors aren't disclosing, and therefore we look like we're the only ones this is happening to and it puts us at a competitive disadvantage, and our competitors are going to use this against us." And so, we evolved, to the point where we said, "There's not enough market incentive to disclose breaches, we have to require that, and because we need that information to get better, we all need to be sharing information and increasing our understanding so that we can all progress."
Vulnerability disclosure is much the same. It's really important to disclose that information, both to protect your customers so that they can take action on it quickly, but also, again, to enhance the marketplace, and enhance all of our understanding. The worry is that people will say, "Oh, you're disclosing an awful lot of vulnerabilities, you must be insecure." And the reality is, until we figure out how to have 100% safe code writing and 100% secure products and services, everyone is going to have vulnerabilities, and that's where we are today. Everyone has vulnerabilities, and what distinguishes them is, are you hearing about the vulnerability from your vendor, or are they burying it a few weeks down the road in a general update with lots of new features, et cetera? That's the difference.
Zeus Kerravala
>> I don't actually think we'll ever get to a world where we have zero.
Suzanne Spaulding
>> No, no. No and-
Zeus Kerravala
>> And the hard part for buyers on this is it is confusing. And I think the media in some ways treats companies that report vulnerabilities unfairly because they take these things and they blow them up. And there's a lot of factors from a buyer's standpoint, and what you have to look at is, how broad is the product line? How deep do you go? How many versions back are you supporting? And then so a company like Fortinet, Cisco, Palo Alto, you're going to have more than a point product company just by the very nature of what you do. And so you can look at it as a bad thing. I recently wrote a Forbes post where I talked about it and I said, it's a good thing to report vulnerabilities because customers do need to know. And to your point, it's about transparency. And so you can't fix what you don't know. And it is a fact of life, and the most important thing is you need to do what's right for the customer. And I think the steps you've taken with Secure by Design is the right thing for the customer.
Jim Richberg
>> Put yourself in the customer's shoes, flaws exist, someone's going to find them, who would you rather find them, the manufacturer or a third-party researcher who tells the manufacturer and gives them time to fix it, or an adversary? That's the worst case, is you only find out after the bad thing has happened. So the reality is in an imperfect world where people try to do better, but perfection is not, .
Zeus Kerravala
>> And that is one thing to look at too, a piece of advice is, what percent of the vulnerabilities are actually discovered by the company? Because if it's a high percentage externally, that means the vendors aren't actually looking for them. But it's an imperfect science today though.
Dave Vellante
>> And there's so many examples in the physical world, I think about automobile manufacturers and recalls, but it still hasn't translated over into the digital world. But this is a bipartisan issue. I mean, people hopefully aren't disagreeing on this, but I think sometimes the industry, as you say, they're very nervous, they sometimes think the government is finger-wagging. So how do you address that perception that immediately gets the industry to be defensive? I mean, obviously this initiative is designed to do so. I wonder if you could talk about that a little bit .
Suzanne Spaulding
>> Yeah, you're absolutely right. I mean, this is the road that CISA navigates, that we had to navigate. You need the trust and cooperation of industry in order to be able to make advances here. And the Secure by Design pledge I think is just a terrific example of how you can navigate that challenge. This was arrived at in consultation, full consultation with the private sector on what is reasonable, what is doable, what should our expectations be? I think they pushed, CISA pushed hard to make that as robust as possible, but it's still voluntary, but companies have signed up by name. It gives a standard that technology analysts, for example, can write about, "This product has signed the pledge, has provided transparency. Here's how their processes meet the pledge and are secure." So I think providing that level of transparency is a way of making the marketplace work and not having yet to resort to regulation and mandates.
Jim Richberg
>> And to build on that point, when we were collaborating on building this, we said, "Don't tell us what to do and how to do it, let's agree on common goals." Leave it to each company to figure out, because to your point, different companies, different sizes, different foci in the market, we'll each figure out how to do it and how to measure. That was the other important point. You're not just signing a one-and-done pledge. You're supposed to report how you have done publicly on implementation. And the pledge has got straightforward goals and then there's typically an expansion, what does this mean? Why is this important? Some examples of implementation. And some examples of how you might report on it, but I'll underscore their examples. They're not telling any company that signed the pledge, you have to do it this way.
Suzanne Spaulding
>> That's also an important way of making sure that it is relevant for a longer period of time as the dynamics of the threat and response .
Dave Vellante
>> This is super important because frankly, the technology industry has been very poor at self-regulation. And so because you're now fighting in the light and you have standards that analysts can actually evaluate objectively organizations on, that creates a peer... It's like a locker room in football where the veterans are teaching the rookies and there's a culture that permeates, and that really is what you're trying to affect. It won't happen overnight, but over a course of years do both.
Zeus Kerravala
>> Well, and I think the standardization is huge too, because if you're a startup and you're coming to market, you may take some shortcuts and not do secure passwords or there's a lot of things if you follow the standards, Secure by Design isn't just a tagline, it actually is, you're building security into the design and hopefully for other vendors that maybe didn't follow those best practices, their level of just quality of product goes up because they do follow best practices set forth by companies that have been doing it a long time.
Jim Richberg
>> Well, we felt that in creating this pledge, we needed it to have immediate impact. So yes, we'll focus on things like mitigate persistent classes of vulnerability like SQL injection, but if the failure to change passwords from install, the failure to use MFA, the failure to apply security patches are over and over again implicated as the top causes of a breach, you got to hit those head on. You have to say, "These are unacceptable." And those are pretty binary. It's like, "Reduce this, eliminate that." So we said, "Do those," and then go for some of the more, not aspirational, but some of the things that may be a little longer to take effect.
Suzanne Spaulding
>> Yeah, and this is, to your point as well, this is what CISA means and the administration, the National Cyber Director, when they talk about shaping the ecosystem. It is, how can we drive that culture where it isn't first to market, but it is secure to market? And that's really what we see, what they're hoping to do here.
Dave Vellante
>> And it will transcend, it should transcend, I think it will the administration, and it will carry through. Because there's a roadmap here, to your point, Jim. CISA pushed, I like that, the industry maybe pushed back a little bit and said, "We really can't succeed." They said, "Okay, but then here's a timeline." So there is a roadmap here, correct?
Jim Richberg
>> Yeah, so this is 12 months, and frankly, there's nothing that says if you've succeeded, and for instance at Fortinet, some of these, we've already... Some of us came into this process knowing this is not only doable, we're doing it. This is the right thing to do. It's good for our company, it's good for our customers. So we're not coming up with these totally aspirational things. So we knew this was realistic, but this is also envisioned as a serial process. We tried not to boil the ocean and say, "We will solve all of cybersecurity with this pledge." We said, "Let's pick a number of goals." We wanted to have an on-ramp for especially small companies to say, "Well, okay, after 12 months, I can look and see what have some people done that have succeeded?" Or even better, what sounded like a good idea, but someone tried it and it didn't work. Because if I'm a small business and I'm interested in the pledge, I probably don't have the resources to try twice. I need to succeed the first time. So Dave, to your point, not one and done, it will transcend administrations. The company's signed up to do something regardless. So I think this is going to have legs.
Zeus Kerravala
>> Did that then help the argument that smaller companies might have of you're adding a lot of extra costs and a lot of extra time to our development process versus somebody like a Fortinet. But now if you lay it out for them, then there's not a lot of trial and error, so hopefully... Yeah.
Jim Richberg
>> And you can make the argument that isn't it better to do it right the first time rather than fix problems after something's released? That's what we recognize at Fortinet, that it's not only the right thing to do, it's actually more efficient to do the process securely from the inside. And then we're addressing vulnerabilities that have been around for a long time. This is simply a way of saying relying on individual customers and small businesses to do these things is just not rational.
Suzanne Spaulding
>> And then by providing that transparency, allowing customers to see who is following most closely the framework for Secure by Design, who is maybe lagging behind, et cetera, they can make informed decisions about their risk appetite. Not everyone has the same risk profile, and so there should be a place for a diverse set of players in the market.
Dave Vellante
>> And there's a little gamification here too, because we know the technology industry, companies who are doing well will market this. It'll start getting into RFPs-
Zeus Kerravala
>> Yes, that's the big test.
Dave Vellante
>> And that again, is this sort of self-adjudicating mechanism. Will solutions providers, you mentioned earlier, Jim, there's a lack of metrics, will solution providers change the way in which they develop or provide products to maybe address that or to support this initiative?
Jim Richberg
>> I think you will find this getting put into RFPs because people said this is voluntary, but if this becomes the expected standard of performance, then why would I not put that in, to the point we've been making, if some products in the marketplace meet it and some don't, then yeah, I'm going to go ahead and say this. So it's a non-regulatory solution that allows you to say, "I can drive progress."
And a lot of these things we look at and go, "We have been bemoaning these users failing to do things," this is part of the national strategy of saying, stop blaming the victims, move more of the responsibility to the manufacturers. Just like we changed automotive safety from the '50s and '60s of saying, "All right, you died in an accident, it was solely the motorist's fault," to a whole lot of things were done from designing safer roads and teaching driver's ed in school. What moved the needle more than anything else was saying, "Manufacturers, you're responsible for designing safe vehicles," starting with seat belts and cars that wouldn't tip over at 25 miles an hour to where we are now with the plethora of automation. It's not to absolve the driver of responsibility, but it's to say it's a partnership not, "Good luck, put this all together. Maybe it'll run, maybe it'll be secure. That's your problem."
Dave Vellante
>> Well, the transparency piece, however though, it does extend beyond the solutions' provider, so carrying through the example of a driver, if a driver's texting, okay, that's the driver's fault, but if the driver happens to be a large multinational corporation that left the S3 bucket open, it's not the fault of the cloud provider, for example, that disclosure, that transparency should transcend just the technology community, should it not? And what can be done to broaden the adoption of these standards?
Suzanne Spaulding
>> Well, part of that will be captured in the incident reporting requirement. That is a regulatory mandate, particularly for those critical goods and services that we really depend upon. So the requirement that that end user disclose when they've had a cyber incident and the kind of detail that they have to disclose about that should get at some of that, providing us with more information about what tools are effective, which are not, what are the kinds of things that end users need to pay particular attention to doing.
Zeus Kerravala
>> One of the topics that comes up here every year, and I never see a lot of movement in is the request for vendors to be able to share more information between them. And there's a little bit done on the threat intel side, but for the most part we're still talking about closed walls. And are you hopeful that this initiative actually will stimulate more of that?
Jim Richberg
>> Well, it certainly will on the vulnerability side because it not only says disclose the vulnerabilities but make a disclosure of the common weakness enumeration and the common platform enumeration. Don't just say, "I had this," I had this and it fit in this class, and here's the taxonomy that is machine shareable. We were on a panel earlier today and CISA said, "We have this National Vulnerabilities Database. We wanted to look at the population by category of vulnerability. The data was so bad that we couldn't, because most of the reports we had were so incomplete beyond the here was the CVE, we couldn't even make judgments." So yes, to your point, we start saying, "Are we doing better at mitigating this memory class or this traversal?" If you don't have the data, you don't know what's working and what's not working.
Dave Vellante
>> In your view, is the industry doing a good enough job of sharing information? I mean, go back 10 years, at times there were attempts to monetize some of that threat intelligence, and I think that has changed. But I'm wondering from your perspective where we are today in regards to the collaboration across industry of things like threat intelligence.
Suzanne Spaulding
>> Well, Fortinet of course was one of the founders of the Cyber Threat Alliance, and I remember actually, I think it was in the context of an RSA meeting, Michael Daniel and I sitting down with the heads of a couple of the founders of CTA, and they were describing this idea they had. They were going to take what had been proprietary, closely held information, which was their threat intelligence, and they were actually going to pool it for the common good, and they were instead going to compete on what they could do with that threat information. And I remember thinking what a breakthrough that was and how brilliant that was. And CTA has been very successful I think in sort of expanding that model.
Zeus Kerravala
>> There have been other attempts to do that, and I think CTA has been the first one that's actually stuck around more than a couple years.
Suzanne Spaulding
>> Yeah. Yeah.
Jim Richberg
>> Yeah, yeah.
Suzanne Spaulding
>> There's a long way to go, but they've made great progress on that. And that's what we need to do, our adversaries are really good at sharing information and acting as a network and we need to do the same.
Zeus Kerravala
>> But I think your question, the answer's no. I think there's small pockets of it, but for the most part it's not really an industry best practice to share outside of basic threat intel with your competitors.
Dave Vellante
>> Because it's such a competitive industry, but-
Zeus Kerravala
>> The thing is, I've always said, if you do what's best for the customer, everyone wins, and I think this industry sometimes forgets that.
Dave Vellante
>> point, the adversary is exceedingly capable. The industry's got to .
Zeus Kerravala
>> And they've got no problem sharing info.
Jim Richberg
>> Getting away from saying I found something that is in fact an exploitable vulnerability, but I'm going to sweep it under the carpet, I'm going to just put it in the next upgrade cycle. There are companies that will look at the features and say, "I don't need this update because it's not worth the hassle." Don't hide security problems. The reality is everybody has them, and we all live in glass houses, so we need to resist the temptation to say, "Look at what happened to them," because it's them this week, it'll be you next week.
Zeus Kerravala
>> Well, also the consequences of the breaches is so much bigger today than it was even a few years ago. You think of just the interconnection of everything in the world, your HVAC system gets breached and so your point-of-sale system winds up... That wasn't a case a decade ago. And so I think just the overall stakes and implications are so much greater today.
Suzanne Spaulding
>> Not to mention the geopolitical context in which we find ourselves. We used to take some comfort in that those adversaries with the greatest capabilities had less intent than say, Iran, North Korea that showed intent to disrupt, but less capability. Now we have Russia with great incentive to cause-
Zeus Kerravala
>> And capabilities....
Suzanne Spaulding
>> and capabilities. And China, which is clearly demonstrating their intent to be disruptive.
Dave Vellante
>> I remember years ago I was interviewing Dr. Robert Gates, former Defense Secretary, and we were having this... It was quite some time ago, probably 2016. And we were talking just about that issue. And I said, "Yeah, but doesn't the United States have the best... Can't we attack?" And he said, "You know what? We've got the most to lose, so we have to be very careful. And that brings up a really important point around critical infrastructure. And I think this AI wave has really shined a light, to continue that metaphor, on the exposure to critical infrastructure. And this is why initiatives like this I think are so important because I think on a scale to one to 10 in terms of how vulnerable we are, we're closer to a one than we are a 10 as it relates to critical infrastructure.
Jim Richberg
>> And I think Suzanne and I are both pretty passionate about this one. It's a very heterogeneous environment. You've got, take even the power sector. Yes, you've got large, well-resourced electrical companies and you've got small rural electrical co-ops where they don't have full-time cyber people. It needs to be plug and play. They are horribly vulnerable and they're on the same grid as the big guys. So it is an uneven vulnerability. It's asymmetric compared to our opponents. And we have 16, we have some that we consider more critical than others, but frankly from my perspective, if you take away power, the power sector, the other 15 and all of society have a bad day as soon as the batteries run out.
Zeus Kerravala
>> I think to your point of critical infrastructure too, there's a lot of old technology out there that's deemed critical that I think with some standards in place, you can actually then make an educated decision on whether to refresh or upgrade or not because if it's not at least adhering to the basic levels of Secure by Design, then that would at least expose that that's a weakness in the infrastructure.
Dave Vellante
>> It used to be air-gapped and we didn't have to worry about it, and now it's like everything's .
Jim Richberg
>> And to build on that point, we've already heard from some in critical infrastructure in the operational technology community that they would like to... Secure by Design is about product. But when you put it in an operational technology environment, they say, "We would like to have secure by deployment principles. Because I may have really smart field engineers who know how to run a power plant or do wastewater treatment, they don't know cybersecurity. So give me best practices, give me the equivalent seven things I should do when I'm deploying my infrastructure to make them more secure.
Suzanne Spaulding
>> Yeah, and as we upgrade all of this old technology, the electric grid, that goes back to the '70s, and as we are getting more and more smart, we are getting more and more network dependent even as we do that. And if we don't build this in a way that is resilient, we are going to be in big trouble. When Russia took down the power in Ukraine in 2015, you remember that they attacked several power plants and over a quarter of a million customers lost power. They got that back on, not because the cyber ninjas got the bad guys out of the network, but because they had guys who knew where the breakers were that had been flipped by the remote access and they got in trucks, they drove out to where the , and they physically put those back in place. We need to be thinking about analog resilience, physical redundancy, all the different ways in which we can operate in a degraded fashion, plan on, do everything you can to keep the bad guys from getting in, then assume they've gotten in, now how are you going to operate?
Dave Vellante
>> This is so true because the physical and digital worlds are definitely coming together. It used to be physical security was this thing. Yeah, we'll just put a lot of gates up in front of the data center and until now, today you could have a drone inside of, and the -
Suzanne Spaulding
>> And the gates are all remotely controlled.
Dave Vellante
>> Yeah, totally.
Zeus Kerravala
>> I mean, you look at coming into the Moscone Center, they have the Evolv X-ray systems. I mean, just think of how much data's coming off of those on everything you carry.
Dave Vellante
>> Well think about how many conferences don't, actually. I mean, I go to a lot of conferences, it's still a minority that actually have metal detectors that you walk through when you come in.
Zeus Kerravala
>> But the amount of data they collected off of there.
Suzanne Spaulding
>> These are connected, right?
Dave Vellante
>> Absolutely. What did it take to get this off the ground? What was the anatomy of this initiative? I mean, when you started to talk about this... We're at a point we said, "Wow, this is never going to be able to get done." And how did you get it done?
Jim Richberg
>> We had a new national cyber strategy that came out last year, and it was largely predicated on the idea that we've had a market failure in cybersecurity. It's been optional for companies to do, and they pay a literal price for doing it, and others, a free ride. This whole transparency idea, people in the marketplace, they want to make informed decisions, they got to get the information to flow. So really, I think it really got kickstarted by the National Strategy that then led in very short order to CISA, starting with its partners domestically and internationally to come up with Secure by Design, which included radical transparency, embrace radical transparency within corporations on IT, heresy, but we've got to start doing it.
Suzanne Spaulding
>> Yeah. Eric Goldstein was on our panel this morning, he talked about the importance of being able to visualize, to envision a better future that we don't have to live with this level of insecurity in our network system. We don't have to take that as a given, that we can in fact strive to write code more safely to create the development operations processes that are more secure. There are players who are meeting that standard who can set best practices and create and shape that ecosystem.
Zeus Kerravala
>> And then even how your customers respond, because even that's very inconsistent company to company. So even when you report your CVEs, not all companies understand what to do with them or what's affected.
Suzanne Spaulding
>> Yeah.
Jim Richberg
>> Yeah.
Suzanne Spaulding
>> They're increasing every year, the increasing size of RSA is testament to how many innovative and creative people there are out there trying to think about how to help companies of all sizes solve these challenges and an increasing focus, I'm glad to see on small and medium-sized businesses and how to help them.
Dave Vellante
>> Well, I think too, the other thing that do, you brought it up at the beginning about media, we're media, so I don't want to media, but I have seen a number of reactions to what were really benign hacks, but the media overblows it, but the company was afraid to disclose it, botched the PR, stock price dropped 10, 20% for something that was really not that big of a deal. So I think this type of transparency, people will get used to it and say, "Okay, this is okay. This is not a bad company. They're coming clean and they're doing the right thing." So I really applaud the efforts that you guys are making here.
Zeus Kerravala
>> As a customer, I'd like to know.
Dave Vellante
>> Absolutely.
Zeus Kerravala
>> And I'd like to know immediately, don't hide the ball.
Dave Vellante
>> I'd like each of you to maybe make a final statement on where you'd like to see this go, what you hope the outcome will be, and then we can wrap.
Jim Richberg
>> So even if we look at, on Secure by Design, the number of companies, if you collectively look at our market share by segment, and overall, if these companies do the things in the pledge, I think a year from now, CISA will be able to say it's made a difference. I mean, some of us have actually challenged CISA to say, you're going to have to be not the scorekeeper, we're not asking them to evaluate what companies say they're doing, but at least collate it, put it in one place so that we as an industry, we as consumers can look at it and say, what worked and what didn't work. And then we can take those lessons learned and say, okay, pledge version 1.0, or if we knocked most of this off the list as an industry, 2.0. But we set this out to be, to set the bar high enough that if we do this it will make a difference and it'll challenge even the big players. But also not to set it so high that if I'm a small company, I look at this and say, "No, that's not going to happen in this budget cycle." So I think being able to look a year back and say, "Yeah, what we did has reduced the prevalence of these bad practices, more companies have signed onto it. We're seeing this transparency in the marketplace, now let's take this to the next step."
Suzanne Spaulding
>> Yeah. Yeah, absolutely. And we've talked about the business case for this, the competitive advantage, how we're going to create these market pressures. But I also think it's really important for companies increasingly to take some responsibility for their actions and the impact that it has on their community, on their nation, and on the world, and if you will, to do the right thing to be responsible. And particularly, as I say to my friends in the critical infrastructure industries, CEOs, you do not want to be the company who allows China to put a gun to our head and deter us from taking actions that are in our national interest because you have left a vulnerability open or you have not done the things that you could do to make it harder for them and now you're being held at risk. So I think there's a sense of both personal responsibility and a vested interest here.
Zeus Kerravala
>> I look at everything through the customer's eyes, and companies are spending more money than ever on cyber, they're falling behind and what's frustrating is the lack of transparency. And I think this industry, for whatever reason, has pushed off standardization and openness. And I think if you look historically at any industry, transparency and openness creates a rising tide in which everybody wins. And I think we're so scared here to admit we're weak, and where we made a mistake or where something was wrong, that I think vendors have made bad decisions in the past. And I think this is one where I implore the vendor industry, be open, be transparent, and do what's best for the customer, because that's ultimately going to create winners for everybody. And that should be the ultimate goal for this entire show is to make sure that the customer can do what they need to do.
Dave Vellante
>> I mean, I'll add that I think cyber awareness is everybody's responsibility. We know that human error is the vast majority of the cause of cyber breach-
Jim Richberg
>> It's huge....
Dave Vellante
>> and transparency now puts that responsibility in more hands. And now we can apply good peer pressure to organizations and each other. So guys, thank you so much, Jim, Suzanne, Zeus for participating in this panel. Fantastic initiative and great job. Really appreciate it.
Zeus Kerravala
>> Congratulations.
Jim Richberg
>> Thank you, it's been great talking with you.
Dave Vellante
>> Okay, and thank you for watching. Keep it right there. We're live from RSAC 2024. We're here in Moscone. Stop by and see us if you're still at the show. You're watching theCUBE.
>> Hi everybody. Welcome back to the special CUBE presentation here at RSAC 2024. We're inside of Moscone West, this is day four. And we're going to talk about a very important topic that really is starting to take shape in the industry and as it relates to public policy, because not all organizations share the same sort of standards on reporting and transparency when it comes to breaches, and so we sometimes don't hear about it until way after the fact and we read about it in the news, other companies actually disclose upfront. So there really aren't any great standards to go by, so that creates confusion in the marketplace. I'm Dave Vellante, along with my co-host, Zeus Kerravala of ZK Research, and we're really excited to have Jim Richberg here.
Dave Vellante
>> He is the head of cyber policy and the global field CISO at Fortinet, and Suzanne Spaulding, who is the former Undersecretary at the Department of Homeland Security, and she's part of the Fortinet Advisory Council. Folks, welcome to theCUBE, welcome to this panel. Thanks so much for taking some time with us.
Jim Richberg
>> ...
Suzanne Spaulding
>> Thank you, great to be here.
Dave Vellante
>> You guys just came off another panel called No More Secrets. Suzanne, this is something that you coined in 2010, so pretty prescient. I'd like you to start, each of you, Suzanne, you can start, introduce yourself, tell us a little bit about your background, and why you're so passionate about this topic.
Suzanne Spaulding
>> Yeah. Well, Dave, first of all, great to be here, looking forward to the conversation. So I wrote this blog in 2010 called No More Secrets, trying to raise awareness that the shelf life of secrets was vanishingly short, and the idea that you could somehow have a monopoly on information, including the discovery of a vulnerability, for any length of time, and that others weren't going to discover that information, or that you could keep information secret for any length of time, was really increasingly a myth, and that we needed to learn how to operate in that environment. So the idea is, we all know that if you train to fight in the dark, you could meet your adversary at night, or you could turn off the light, and you'd have the advantage, think about the daredevil. But what we have is a transparent world that's coming at us full steam ahead, where lights are being turned on all over the world, and the darkness that allows you to keep secrets is vanishing, it's going away. So we need to train to fight in the light, and whoever can learn to operate with a level of radical transparency is going to have the advantage in the world that's coming at us.
Dave Vellante
>> Great, thank you for that. So Jim, I think radical transparency is something that is near and dear to your heart. Tell us about your background, and what's your premise on this topic?
Jim Richberg
>> So Dave, I came to Fortinet after a full career in the federal government. Suzanne and I were long-time colleagues on cybersecurity, I was doing it before we called it cybersecurity. And from my perspective, the biggest problem in cybersecurity is not people, process, or technology, it was metrics. It's the fact that we lack bad data. Is the incidence of ransomware, X, 2X, or 3X? We're really guessing, we're throwing darts at a dartboard. The same thing applies on defense. What is the prevalence of a given class of vulnerability? Is it getting better or worse over time? So radical transparency is a way of saying, we're going to have to enable people to make informed decisions as consumers, and frankly, as policy issues. And this week, CISA released the Secure by Design Pledge that 68 vendors signed, I was one of the leads from the IT sector in negotiating, collaborating with CISA to evolve that pledge. And several of the items are about vulnerability, but one says, "You really should be disclosing the vulnerabilities that you discover." The baseline is if it's critical or high or someone's exploiting it, but we'd like to see you go further. So this is all, Dave, about saying, "Look, the market works best when information flows." And in cybersecurity, we've had too much opacity about issues like vulnerability.
Dave Vellante
>> We have history on disclosure. I go back decades to the Tylenol situation, and it became a PR case study. But it really hasn't trickled into the technology industry generally, and the cybersecurity industry specifically, and that's really what you guys are trying to create some standards around, isn't it?
Suzanne Spaulding
>> Yeah, and it's really important, because when I was undersecretary at the Department of Homeland Security, and I had the great honor of leading the men and women who worry about strengthening the security and resilience of our critical infrastructure that we depend upon every single day, all day, every day, and I would go around and talk to companies about the importance of disclosure, and of course, this was before we had the mandated incident disclosure that finally came, and they would say, "Look, we can't disclose, because our competitors aren't disclosing, and therefore we look like we're the only ones this is happening to and it puts us at a competitive disadvantage, and our competitors are going to use this against us." And so, we evolved, to the point where we said, "There's not enough market incentive to disclose breaches, we have to require that, and because we need that information to get better, we all need to be sharing information and increasing our understanding so that we can all progress."
Vulnerability disclosure is much the same. It's really important to disclose that information, both to protect your customers so that they can take action on it quickly, but also, again, to enhance the marketplace, and enhance all of our understanding. The worry is that people will say, "Oh, you're disclosing an awful lot of vulnerabilities, you must be insecure." And the reality is, until we figure out how to have 100% safe code writing and 100% secure products and services, everyone is going to have vulnerabilities, and that's where we are today. Everyone has vulnerabilities, and what distinguishes them is, are you hearing about the vulnerability from your vendor, or are they burying it a few weeks down the road in a general update with lots of new features, et cetera? That's the difference.
Zeus Kerravala
>> I don't actually think we'll ever get to a world where we have zero.
Suzanne Spaulding
>> No, no. No and-
Zeus Kerravala
>> And the hard part for buyers on this is it is confusing. And I think the media in some ways treats companies that report vulnerabilities unfairly because they take these things and they blow them up. And there's a lot of factors from a buyer's standpoint, and what you have to look at is, how broad is the product line? How deep do you go? How many versions back are you supporting? And then so a company like Fortinet, Cisco, Palo Alto, you're going to have more than a point product company just by the very nature of what you do. And so you can look at it as a bad thing. I recently wrote a Forbes post where I talked about it and I said, it's a good thing to report vulnerabilities because customers do need to know. And to your point, it's about transparency. And so you can't fix what you don't know. And it is a fact of life, and the most important thing is you need to do what's right for the customer. And I think the steps you've taken with Secure by Design is the right thing for the customer.
Jim Richberg
>> Put yourself in the customer's shoes, flaws exist, someone's going to find them, who would you rather find them, the manufacturer or a third-party researcher who tells the manufacturer and gives them time to fix it, or an adversary? That's the worst case, is you only find out after the bad thing has happened. So the reality is in an imperfect world where people try to do better, but perfection is not...
Zeus Kerravala
>> And that is one thing to look at too, a piece of advice is, what percent of the vulnerabilities are actually discovered by the company? Because if it's a high percentage externally, that means the vendors aren't actually looking for them. But it's an imperfect science today though.
Dave Vellante
>> And there's so many examples in the physical world, I think about automobile manufacturers and recalls, but it still hasn't translated over into the digital world. But this is a bipartisan issue. I mean, people hopefully aren't disagreeing on this, but I think sometimes the industry, as you say, they're very nervous, they sometimes think the government is finger-wagging. So how do you address that perception that immediately gets the industry to be defensive? I mean, obviously this initiative is designed to do so. I wonder if you could talk about that a little bit...
Suzanne Spaulding
>> Yeah, you're absolutely right. I mean, this is the road that CISA navigates, that we had to navigate. You need the trust and cooperation of industry in order to be able to make advances here. And the Secure by Design pledge I think is just a terrific example of how you can navigate that challenge. This was arrived at in consultation, full consultation with the private sector on what is reasonable, what is doable, what should our expectations be? I think they pushed, CISA pushed hard to make that as robust as possible, but it's still voluntary, but companies have signed up by name. It gives a standard that technology analysts, for example, can write about, "This product has signed the pledge, has provided transparency. Here's how their processes meet the pledge and are secure." So I think providing that level of transparency is a way of making the marketplace work and not having yet to resort to regulation and mandates.
Jim Richberg
>> And to build on that point, when we were collaborating on building this, we said, "Don't tell us what to do and how to do it, let's agree on common goals." Leave it to each company to figure out, because to your point, different companies, different sizes, different foci in the market, we'll each figure out how to do it and how to measure. That was the other important point. You're not just signing a one-and-done pledge. You're supposed to report how you have done publicly on implementation. And the pledge has got straightforward goals and then there's typically an expansion, what does this mean? Why is this important? Some examples of implementation. And some examples of how you might report on it, but I'll underscore their examples. They're not telling any company that signed the pledge, you have to do it this way.
Suzanne Spaulding
>> That's also an important way of making sure that it is relevant for a longer period of time as the dynamics of the threat and response...
Dave Vellante
>> This is super important because frankly, the technology industry has been very poor at self-regulation. And so because you're now fighting in the light and you have standards that analysts can actually evaluate objectively organizations on, that creates a peer... It's like a locker room in football where the veterans are teaching the rookies and there's a culture that permeates, and that really is what you're trying to affect. It won't happen overnight, but over a course of years do both.
Zeus Kerravala
>> Well, and I think the standardization is huge too, because if you're a startup and you're coming to market, you may take some shortcuts and not do secure passwords or there's a lot of things if you follow the standards, Secure by Design isn't just a tagline, it actually is, you're building security into the design and hopefully for other vendors that maybe didn't follow those best practices, their level of just quality of product goes up because they do follow best practices set forth by companies that have been doing it a long time.
Jim Richberg
>> Well, we felt that in creating this pledge, we needed it to have immediate impact. So yes, we'll focus on things like mitigate persistent classes of vulnerability like SQL injection, but if the failure to change passwords from install, the failure to use MFA, the failure to apply security patches are over and over again implicated as the top causes of a breach, you got to hit those head on. You have to say, "These are unacceptable." And those are pretty binary. It's like, "Reduce this, eliminate that." So we said, "Do those," and then go for some of the more, not aspirational, but some of the things that may be a little longer to take effect.
Suzanne Spaulding
>> Yeah, and this is, to your point as well, this is what CISA means and the administration, the National Cyber Director, when they talk about shaping the ecosystem. It is, how can we drive that culture where it isn't first to market, but it is secure to market? And that's really what we see, what they're hoping to do here.
Dave Vellante
>> And it will transcend, it should transcend, I think it will the administration, and it will carry through. Because there's a roadmap here, to your point, Jim. CISA pushed, I like that, the industry maybe pushed back a little bit and said, "We really can't succeed." They said, "Okay, but then here's a timeline." So there is a roadmap here, correct?
Jim Richberg
>> Yeah, so this is 12 months, and frankly, there's nothing that says if you've succeeded, and for instance at Fortinet, some of these, we've already... Some of us came into this process knowing this is not only doable, we're doing it. This is the right thing to do. It's good for our company, it's good for our customers. So we're not coming up with these totally aspirational things. So we knew this was realistic, but this is also envisioned as a serial process. We tried not to boil the ocean and say, "We will solve all of cybersecurity with this pledge." We said, "Let's pick a number of goals." We wanted to have an on-ramp for especially small companies to say, "Well, okay, after 12 months, I can look and see what have some people done that have succeeded?" Or even better, what sounded like a good idea, but someone tried it and it didn't work. Because if I'm a small business and I'm interested in the pledge, I probably don't have the resources to try twice. I need to succeed the first time. So Dave, to your point, not one and done, it will transcend administrations. The company's signed up to do something regardless. So I think this is going to have legs.
Zeus Kerravala
>> Did that then help the argument that smaller companies might have of you're adding a lot of extra costs and a lot of extra time to our development process versus somebody like a Fortinet. But now if you lay it out for them, then there's not a lot of trial and error, so hopefully... Yeah.
Jim Richberg
>> And you can make the argument that isn't it better to do it right the first time rather than fix problems after something's released? That's what we recognize at Fortinet, that it's not only the right thing to do, it's actually more efficient to do the process securely from the inside. And then we're addressing vulnerabilities that have been around for a long time. This is simply a way of saying relying on individual customers and small businesses to do these things is just not rational.
Suzanne Spaulding
>> And then by providing that transparency, allowing customers to see who is following most closely the framework for Secure by Design, who is maybe lagging behind, et cetera, they can make informed decisions about their risk appetite. Not everyone has the same risk profile, and so there should be a place for a diverse set of players in the market.
Dave Vellante
>> And there's a little gamification here too, because we know the technology industry, companies who are doing well will market this. It'll start getting into RFPs-
Zeus Kerravala
>> Yes, that's the big test.
Dave Vellante
>> And that again, is this sort of self-adjudicating mechanism. Will solutions providers, you mentioned earlier, Jim, there's a lack of metrics, will solution providers change the way in which they develop or provide products to maybe address that or to support this initiative?
Jim Richberg
>> I think you will find this getting put into RFPs because people said this is voluntary, but if this becomes the expected standard of performance, then why would I not put that in, to the point we've been making, if some products in the marketplace meet it and some don't, then yeah, I'm going to go ahead and say this. So it's a non-regulatory solution that allows you to say, "I can drive progress."
And a lot of these things we look at and go, "We have been bemoaning these users failing to do things," this is part of the national strategy of saying, stop blaming the victims, move more of the responsibility to the manufacturers. Just like we changed automotive safety from the '50s and '60s of saying, "All right, you died in an accident, it was solely the motorist's fault," to a whole lot of things were done from designing safer roads and teaching driver's ed in school. What moved the needle more than anything else was saying, "Manufacturers, you're responsible for designing safe vehicles," starting with seat belts and cars that wouldn't tip over at 25 miles an hour to where we are now with the plethora of automation. It's not to absolve the driver of responsibility, but it's to say it's a partnership not, "Good luck, put this all together. Maybe it'll run, maybe it'll be secure. That's your problem."
Dave Vellante
>> Well, the transparency piece, however though, it does extend beyond the solutions provider, so carrying through the example of a driver, if a driver's texting, okay, that's the driver's fault, but if the driver happens to be a large multinational corporation that left the S3 bucket open, it's not the fault of the cloud provider, for example, that disclosure, that transparency should transcend just the technology community, should it not? And what can be done to broaden the adoption of these standards?
Suzanne Spaulding
>> Well, part of that will be captured in the incident reporting requirement. That is a regulatory mandate, particularly for those critical goods and services that we really depend upon. So the requirement that that end user disclose when they've had a cyber incident and the kind of detail that they have to disclose about that should get at some of that, providing us with more information about what tools are effective, which are not, what are the kinds of things that end users need to pay particular attention to doing.
Zeus Kerravala
>> One of the topics that comes up here every year, and I never see a lot of movement in is the request for vendors to be able to share more information between them. And there's a little bit done on the threat intel side, but for the most part we're still talking about closed walls. And are you hopeful that this initiative actually will stimulate more of that?
Jim Richberg
>> Well, it certainly will on the vulnerability side because it not only says disclose the vulnerabilities but make a disclosure of the common weakness enumeration and the common platform enumeration. Don't just say, "I had this," I had this and it fit in this class, and here's the taxonomy that is machine shareable. We were on a panel earlier today and CISA said, "We have this National Vulnerability Database. We wanted to look at the population by category of vulnerability. The data was so bad that we couldn't, because most of the reports we had were so incomplete beyond the here was the CVE, we couldn't even make judgments." So yes, to your point, we start saying, "Are we doing better at mitigating this memory class or this traversal?" If you don't have the data, you don't know what's working and what's not working.
Dave Vellante
>> In your view, is the industry doing a good enough job of sharing information? I mean, go back 10 years, at times there were attempts to monetize some of that threat intelligence, and I think that has changed. But I'm wondering from your perspective where we are today in regards to the collaboration across industry of things like threat intelligence.
Suzanne Spaulding
>> Well, Fortinet of course was one of the founders of the Cyber Threat Alliance, and I remember actually, I think it was in the context of an RSA meeting, Michael Daniel and I sitting down with the heads of a couple of the founders of CTA, and they were describing this idea they had. They were going to take what had been proprietary, closely held information, which was their threat intelligence, and they were actually going to pool it for the common good, and they were instead going to compete on what they could do with that threat information. And I remember thinking what a breakthrough that was and how brilliant that was. And CTA has been very successful I think in sort of expanding that model.
Zeus Kerravala
>> There have been other attempts to do that, and I think CTA has been the first one that's actually stuck around more than a couple years.
Suzanne Spaulding
>> Yeah. Yeah.
Jim Richberg
>> Yeah, yeah.
Suzanne Spaulding
>> There's a long way to go, but they've made great progress on that. And that's what we need to do, our adversaries are really good at sharing information and acting as a network and we need to do the same.
Zeus Kerravala
>> But I think your question, the answer's no. I think there's small pockets of it, but for the most part it's not really an industry best practice to share outside of basic threat intel with your competitors.
Dave Vellante
>> Because it's such a competitive industry, but-
Zeus Kerravala
>> The thing is, I've always said, if you do what's best for the customer, everyone wins, and I think this industry sometimes forgets that.
Dave Vellante
>> ...point, the adversary is exceedingly capable. The industry's got to...
Zeus Kerravala
>> And they've got no problem sharing info.
Jim Richberg
>> Getting away from saying I found something that is in fact an exploitable vulnerability, but I'm going to sweep it under the carpet, I'm going to just put it in the next upgrade cycle. There are companies that will look at the features and say, "I don't need this update because it's not worth the hassle." Don't hide security problems. The reality is everybody has them, and we all live in glass houses, so we need to resist the temptation to say, "Look at what happened to them," because it's them this week, it'll be you next week.
Zeus Kerravala
>> Well, also the consequences of the breaches are so much bigger today than they were even a few years ago. You think of just the interconnection of everything in the world, your HVAC system gets breached and so your point-of-sale system winds up... That wasn't a case a decade ago. And so I think just the overall stakes and implications are so much greater today.
Suzanne Spaulding
>> Not to mention the geopolitical context in which we find ourselves. We used to take some comfort in that those adversaries with the greatest capabilities had less intent than say, Iran, North Korea that showed intent to disrupt, but less capability. Now we have Russia with great incentive to cause-
Zeus Kerravala
>> And capabilities....
Suzanne Spaulding
>> and capabilities. And China, which is clearly demonstrating their intent to be disruptive.
Dave Vellante
>> I remember years ago I was interviewing Dr. Robert Gates, former Defense Secretary, and we were having this... It was quite some time ago, probably 2016. And we were talking just about that issue. And I said, "Yeah, but doesn't the United States have the best... Can't we attack?" And he said, "You know what? We've got the most to lose, so we have to be very careful." And that brings up a really important point around critical infrastructure. And I think this AI wave has really shined a light, to continue that metaphor, on the exposure to critical infrastructure. And this is why initiatives like this I think are so important because I think on a scale of one to 10 in terms of how vulnerable we are, we're closer to a one than we are a 10 as it relates to critical infrastructure.
Jim Richberg
>> And I think Suzanne and I are both pretty passionate about this one. It's a very heterogeneous environment. You've got, take even the power sector. Yes, you've got large, well-resourced electrical companies and you've got small rural electrical co-ops where they don't have full-time cyber people. It needs to be plug and play. They are horribly vulnerable and they're on the same grid as the big guys. So it is an uneven vulnerability. It's asymmetric compared to our opponents. And we have 16, we have some that we consider more critical than others, but frankly from my perspective, if you take away power, the power sector, the other 15 and all of society have a bad day as soon as the batteries run out.
Zeus Kerravala
>> I think to your point of critical infrastructure too, there's a lot of old technology out there that's deemed critical that I think with some standards in place, you can actually then make an educated decision on whether to refresh or upgrade or not because if it's not at least adhering to the basic levels of Secure by Design, then that would at least expose that that's a weakness in the infrastructure.
Dave Vellante
>> It used to be air-gapped and we didn't have to worry about it, and now it's like everything's .
Jim Richberg
>> And to build on that point, we've already heard from some in critical infrastructure in the operational technology community that they would like to... Secure by Design is about product. But when you put it in an operational technology environment, they say, "We would like to have secure by deployment principles. Because I may have really smart field engineers who know how to run a power plant or do wastewater treatment, they don't know cybersecurity. So give me best practices, give me the equivalent seven things I should do when I'm deploying my infrastructure to make them more secure.
Suzanne Spaulding
>> Yeah, and as we upgrade all of this old technology, the electric grid, that goes back to the '70s, and as we are getting more and more smart, we are getting more and more network dependent even as we do that. And if we don't build this in a way that is resilient, we are going to be in big trouble. When Russia took down the power in Ukraine in 2015, you remember that they attacked several power plants and over a quarter of a million customers lost power. They got that back on, not because the cyber ninjas got the bad guys out of the network, but because they had guys who knew where the breakers were that had been flipped by the remote access and they got in trucks, they drove out to where the , and they physically put those back in place. We need to be thinking about analog resilience, physical redundancy, all the different ways in which we can operate in a degraded fashion, plan on, do everything you can to keep the bad guys from getting in, then assume they've gotten in, now how are you going to operate?
Dave Vellante
>> This is so true because the physical and digital worlds are definitely coming together. It used to be physical security was this thing. Yeah, we'll just put a lot of gates up in front of the data center and until now, today you could have a drone inside of, and the -
Suzanne Spaulding
>> And the gates are all remotely controlled.
Dave Vellante
>> Yeah, totally.
Zeus Kerravala
>> I mean, you look at coming into the Moscone Center, they have the Evolv X-ray systems. I mean, just think of how much data's coming off of those on everything you carry.
Dave Vellante
>> Well think about how many conferences don't, actually. I mean, I go to a lot of conferences, it's still a minority that actually have metal detectors that you walk through when you come in.
Zeus Kerravala
>> But the amount of data they collected off of there.
Suzanne Spaulding
>> These are connected, right?
Dave Vellante
>> Absolutely. What did it take to get this off the ground? What was the anatomy of this initiative? I mean, when you started to talk about this... We're at a point we said, "Wow, this is never going to be able to get done." And how did you get it done?
Jim Richberg
>> We had a new national cyber strategy that came out last year, and it was largely predicated on the idea that we've had a market failure in cybersecurity. It's been optional for companies to do, and they pay a literal price for doing it, and others, a free ride. This whole transparency idea, people in the marketplace, they want to make informed decisions, they got to get the information to flow. So really, I think it really got kickstarted by the National Strategy that then led in very short order to CISA, starting with its partners domestically and internationally to come up with Secure by Design, which included radical transparency, embrace radical transparency within corporations on IT, heresy, but we've got to start doing it.
Suzanne Spaulding
>> Yeah. Eric Goldstein was on our panel this morning, he talked about the importance of being able to visualize, to envision a better future that we don't have to live with this level of insecurity in our network system. We don't have to take that as a given, that we can in fact strive to write code more safely to create the development operations processes that are more secure. There are players who are meeting that standard who can set best practices and create and shape that ecosystem.
Zeus Kerravala
>> And then even how your customers respond, because even that's very inconsistent company to company. So even when you report your CVEs, not all companies understand what to do with them or what's affected.
Suzanne Spaulding
>> Yeah.
Jim Richberg
>> Yeah.
Suzanne Spaulding
>> They're increasing every year, the increasing size of RSA is testament to how many innovative and creative people there are out there trying to think about how to help companies of all sizes solve these challenges and an increasing focus, I'm glad to see on small and medium-sized businesses and how to help them.
Dave Vellante
>> Well, I think too, the other thing that do, you brought it up at the beginning about media, we're media, so I don't want to media, but I have seen a number of reactions to what were really benign hacks, but the media overblows it, but the company was afraid to disclose it, botched the PR, stock price dropped 10, 20% for something that was really not that big of a deal. So I think this type of transparency, people will get used to it and say, "Okay, this is okay. This is not a bad company. They're coming clean and they're doing the right thing." So I really applaud the efforts that you guys are making here.
Zeus Kerravala
>> As a customer, I'd like to know.
Dave Vellante
>> Absolutely.
Zeus Kerravala
>> And I'd like to know immediately, don't hide the ball.
Dave Vellante
>> I'd like each of you to maybe make a final statement on where you'd like to see this go, what you hope the outcome will be, and then we can wrap.
Jim Richberg
>> So even if we look at, on Secure by Design, the number of companies, if you collectively look at our market share by segment, and overall, if these companies do the things in the pledge, I think a year from now, CISA will be able to say it's made a difference. I mean, some of us have actually challenged CISA to say, you're going to have to be not the scorekeeper, we're not asking them to evaluate what companies say they're doing, but at least collate it, put it in one place so that we as an industry, we as consumers can look at it and say, what worked and what didn't work. And then we can take those lessons learned and say, okay, pledge version 1.0, or if we knocked most of this off the list as an industry, 2.0. But we set this out to be, to set the bar high enough that if we do this it will make a difference and it'll challenge even the big players. But also not to set it so high that if I'm a small company, I look at this and say, "No, that's not going to happen in this budget cycle." So I think being able to look a year back and say, "Yeah, what we did has reduced the prevalence of these bad practices, more companies have signed onto it. We're seeing this transparency in the marketplace, now let's take this to the next step."
Suzanne Spaulding
>> Yeah. Yeah, absolutely. And we've talked about the business case for this, the competitive advantage, how we're going to create these market pressures. But I also think it's really important for companies increasingly to take some responsibility for their actions and the impact that it has on their community, on their nation, and on the world, and if you will, to do the right thing to be responsible. And particularly, as I say to my friends in the critical infrastructure industries, CEOs, you do not want to be the company who allows China to put a gun to our head and deter us from taking actions that are in our national interest because you have left a vulnerability open or you have not done the things that you could do to make it harder for them and now you're being held at risk. So I think there's a sense of both personal responsibility and a vested interest here.
Zeus Kerravala
>> I look at everything through the customer's eyes, and companies are spending more money than ever on cyber, they're falling behind and what's frustrating is the lack of transparency. And I think this industry, for whatever reason, has pushed off standardization and openness. And I think if you look historically at any industry, transparency and openness creates a rising tide in which everybody wins. And I think we're so scared here to admit we're weak, and where we made a mistake or where something was wrong, that I think vendors have made bad decisions in the past. And I think this is one where I implore the vendor industry, be open, be transparent, and do what's best for the customer, because that's ultimately going to create winners for everybody. And that should be the ultimate goal for this entire show is to make sure that the customer can do what they need to do.
Dave Vellante
>> I mean, I'll add that I think cyber awareness is everybody's responsibility. We know that human error is the vast majority of the cause of cyber breach-
Jim Richberg
>> It's huge....
Dave Vellante
>> and transparency now puts that responsibility in more hands. And now we can apply good peer pressure to organizations and each other. So guys, thank you so much, Jim, Suzanne, Zeus for participating in this panel. Fantastic initiative and great job. Really appreciate it.
Zeus Kerravala
>> Congratulations.
Jim Richberg
>> Thank you, it's been great talking with you.
Dave Vellante
>> Okay, and thank you for watching. Keep it right there. We're live from RSAC 2024. We're here in Moscone. Stop by and see us if you're still at the show. You're watching theCUBE.