We kick off Cybersecurity Awareness Month with an interview with Deirdre Hanford, CSO at Synopsys, about personal accountability and cyber security.
What is Cybersecurity Awareness Month?
Tell us a bit about your role as chief security officer at Synopsys and some of your general thoughts or goals regarding Cybersecurity Awareness Month.
First, I have a fairly broad portfolio of responsibilities. One critical aspect of that is Synopsys’ internal security. That means protecting not just our own assets but also those of our customers and our partners—all the folks we do business with. So I’m very passionate about that traditional chief security officer view.
But externally, because we at Synopsys fit in the supply chain of our own customers, we have a great opportunity to help customers design more secure products through our portfolio.
To answer your question about Cybersecurity Awareness Month, I always think of October as Breast Cancer Awareness Month—the month where the world goes pink and we think about a very serious health challenge that many women face. Cybersecurity Awareness Month gives us an opportunity to talk about another important topic. We’re super excited to participate in this program, not only externally to tell our story and contribute to the dialogue nationally and internationally, but also to remind our own employees about their role in cybersecurity and physical security.
With this month’s cybersecurity theme of personal responsibility—Own IT, Secure IT, and Protect IT—how might employees of Synopsys and beyond better focus on personal accountability in terms of an organization’s digital infrastructure?
It’s so easy to sit back and say that cybersecurity is the responsibility and the domain of the IT department. IT departments at Synopsys and across the industry, of course, have a critical role in security. However, each of us interacts with the compute infrastructure and the internet, using applications, so we all have a critical role in protecting our own assets, Synopsys’ assets, and the assets of our employees, customers, and partners.
We really want to use Cybersecurity Awareness Month as an opportunity to remind employees: don’t just defer the ownership of security. Every single person in the company is a guardian of security. I was speaking with a peer CSO last month who told me how easy it was to stand outside a company, look like you’re smoking a cigarette, and then sneak in the side door behind someone who has a badge. As an employee, you have to decide at that moment, are you going to be polite and respectful but ask to see that individual’s badge? Or are you just going to be nice and let that stranger in the building? Every single member of an enterprise has a critical role in security.
That calls to mind all the “villages” at DEF CON that include social engineering contests. They’re entertaining and can be funny but also pretty frightening.
Well, the funny thing is that every single IT department on earth has fake phishing campaigns to see how vulnerable their employee base is. Interestingly, our interns are more vulnerable than our employees. I don’t know what that says, but I’m always seeing these emails come through, and I’m thinking, “This must be a phishing campaign because it looks so bogus.” But then you sit there and wonder, “Is this really a sincere overture? Should I even be considering clicking?” As sophisticated as we think we are on social media, we are always at risk of being outfoxed by someone who’s trying to hook us in some way to click and potentially compromise our infrastructure.
Emerging security trends
What security trends—hardware, software, information, physical—have you seen emerge over the past year or so?
I’ll mention two trends. One is the proliferation of the cloud. More and more of our work is happening on the cloud, and this is putting new pressures on our colleagues in IT, and certainly new pressures on our whole supply chain.
How secure is the infrastructure we’ve put in place? Our partners in the cloud do a great job creating a secure environment, but it’s incumbent upon everyone using the cloud to implement their cloud solution in a secure way, leveraging all the security that our cloud partners provide and making sure that application security is also in full force.
Trend number two: In addition to a need for secure software (and we and several other companies have a business in this area), there is an emerging trend to make sure that the underlying hardware is also secure. At Synopsys we have a large business enabling semiconductor design, providing electronic design automation software tools, and chip design building blocks. We’re hearing increasingly from our partners that they want to build not just a super-cool and highly functioning chip, like an IoT device, but they also require a secure IoT device. They want to make sure that not only the software running on that chip is secure but the underlying hardware is secure as well. It’s exciting for me, having spent a lot of my career on the hardware side, to see security emerge in the requirements of the hardware teams.
That would certainly be a welcome trend.
Well, there are a lot of questions about whether people are willing to pay extra for secure hardware. In automotive, there are a whole host of requirements and standards to make safe and reliable chips for that market. But as security and safety start to blend in some critical markets like automotive, we have to start thinking about what needs to happen in both the hardware and software layers to enable security. I think we’re going to see interesting innovation in hardware security over the coming years.
Automakers have been building safety features into their vehicles now for decades, but it would be great to see a trend toward building in not just features but security.
You know, one gentleman at Microsoft, Galen Hunt (distinguished engineer at Microsoft and managing director at Azure Sphere), talks about when he saw this microcontroller device and a wireless radio connection integrated on a single chip. He realized there would be a lot of processors out there enabling smart thermostats and other IoT devices requiring security. So what are we doing as a hardware community to ensure that those are secure solutions? I think there’s going to be more and more happening in this space in terms of more standardization, more design practices, and companies really starting to differentiate their hardware vis-à-vis the security that it offers.
Top security challenges
What do you see as the top security challenges facing organizations now, and what advice do you have on how to resolve or address those challenges?
A big challenge is the supply chain. At Black Hat, I heard someone who is very deep in the supply chain talk about a vulnerability that wasn’t just one or two levels into a supply chain but multiple levels in. We need to really pay attention to the fact that all our products sit in someone else’s supply chain, and we’re all accountable to one another for security up and down that supply chain.
We’re just starting to grasp that complexity. If you think about a mission-critical energy grid, of course you want to make sure that the whole supply chain feeding that system is safe and secure. But how deep are we looking in the supply chains?
Part of addressing that challenge is having better standards. Part of it is having more sophisticated testing. Maybe part of it is doing a tighter job in the contracts up and down the supply chain in terms of really specifying security expectations. We live and work in a global world with a very complex and deep set of supply chains that all have to stack up and provide a measure of security.
Another challenge is the many basic issues we’ve talked about, like letting in someone who’s trying to walk into your building behind you, or simple adherence to coding standards to build more safe and secure software. While we’re intrigued by esoteric and complex vulnerabilities, during Cybersecurity Awareness Month, let’s also remind ourselves of the basics.
Emerging security risks
What risks do you see emerging or trending?
One of our commercial connections had an issue, probably a man-in-the-middle attack, where invoices were getting intercepted and things were getting doctored. When we talk to the folks who help diagnose situations like that, they say this is fairly common. Suddenly your accounts payable office is trying to pay something by wire, and lo and behold, something’s been corrupted in that chain and they’re paying a bad guy rather than paying the supplier. This is a trend, and I think it’s really scary because this is money getting lost between two partners in the supply chain.
There’s more espionage as well. I heard today that a city up in the North Bay is not open for business this morning because it’s been hit by a virus or some other issue. While we’re unsure of the cause, this seems to be more and more the case: Large enterprises can afford sophisticated IT departments and security teams and programs to protect them, but smaller organizations and municipalities are much more vulnerable, which is unfortunate. I would hate to see some wonderful nonprofit that’s trying to do great things in the community be subject to a cyberattack. That just stinks—an organization is just trying to do good in the world and hitting the wrong side of a bad actor.
Do you have any advice on how to prevent or mitigate security threats?
There’s a host of solutions out there in the marketplace, and a number of great companies are looking to help automate detection and mitigation of security threats. We have to count on technology to address security challenges.
But back to the theme of Cybersecurity Awareness Month, which is “Own IT, Secure IT, Protect IT”: people have to use their common sense across their entire business day. Yes, we want to look at great solutions that come from security vendors, we want to deploy those solutions aggressively, we want to continue to challenge the state-of-the-art in this space. But at the end of the day, people need to make smart decisions. They need to be very cognizant of the links they click, double-check before they pay an invoice, and be courteous and careful at the door.
I think most companies, Synopsys included, require you to go through online security awareness classes. Every year a few new risks are sprinkled into those classes, which shows you that every year there’s some new twist. I’m actually thankful that we are refreshing our knowledge and vigilance in this arena on an ongoing basis.
Of course, we’ll rely on technology, but I hope we can continue to rely on ourselves and our colleagues to do the right thing. I love the theme for Cybersecurity Awareness Month because it really brings us back to individual accountability: Own IT, Secure IT, Protect IT.
This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Taylor Armerding. Read the original post at: https://www.synopsys.com/blogs/software-security/what-is-cyber-security-awareness-month/