UPDATED 16:49 EST / MAY 10 2024

Jim Richberg, head of cyber policy at Fortinet Inc. and Suzanne Spaulding, former Undersecretary at the Department of Homeland Security and Fortinet team member discuss the new Security by Design pledge with theCUBE at RSA Conference 2024 SECURITY

New ‘Secure by Design’ pledge could transform the cybersecurity industry

The technology industry has previously been characterized by a lack of transparency around security. The new Secure by Design pledge, overseen by the Cybersecurity and Infrastructure Security Agency, could be set to change that.

“It’s a non-regulatory solution that allows you to say ‘I can drive progress,’” said Jim Richberg (pictured right), head of cyber policy and global field chief information security officer of Fortinet Inc. “We have been bemoaning users failing to do things. This is the part of the national strategy of stop blaming the victims, move more of the responsibility to the manufacturers.”

Richberg and Suzanne Spaulding (left), former Undersecretary at the Department of Homeland Security and Fortinet team member, spoke with theCUBE Research’s Dave Vellante and Zeus Kerravala, principal analyst at ZK Research, at the RSA Conference, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the details of the new pledge and how cybersecurity has evolved over the last decade. (* Disclosure below.)

Jim Richberg (far right) and Suzanne Spaulding (one from the right) talk about the need for more transparency in the security industry in a conversation with theCUBE at RSAC.

A pledge to better protect customers

Creating a standard for transparency in the tech and manufacturing industries has been difficult because companies rarely want to hand their competitors an advantage by admitting vulnerabilities. Spaulding and Richberg argue that such transparency is nonetheless a necessity.

“It’s really important to disclose that information, both to protect your customers so that they can take action on that quickly, but also again, to enhance the marketplace and enhance all of our understanding,” said Spaulding. “The reality is until we figure out how to have 100% safe code writing … everyone is going to have vulnerabilities. And that’s where we are today. Everyone has vulnerabilities.”

Generative artificial intelligence only makes the landscape more complex, and more dangerous, since it offers attackers new methods to threaten business infrastructure. By addressing vulnerabilities from the outset, as outlined in the pledge, companies will better protect themselves and their customers.

“It’s not only the right thing to do, it’s more efficient to do the process securely from the inside,” Richberg said. “We’re addressing vulnerabilities that have been around for a long time. It’s a way of saying relying on individual customers and small businesses to do these things is just not rational.”

Shifting the industry to a “secure-to-market” mindset

The Secure by Design pledge gives companies a standard for robust cybersecurity and transparency, but it is not obligatory. However, CISA will now be able to report which companies are abiding by the pledge.

“You’re supposed to report, publicly, how you’ve done on implementation. And the pledge has got straightforward goals,” said Richberg, explaining that there is a flexible expansion section for companies to fill out their security strategy. “[It’s] not telling any company that signed the pledge, ‘you have to do it this way.’”

Knowing which companies are being rigorous and transparent about their cybersecurity will also allow customers to make more informed decisions. Spaulding talks about changing the culture around cybersecurity so that instead of a “first-to-market” mindset, companies have a “secure-to-market” one.

“We don’t have to live with this level of insecurity in our network system, we don’t have to take that as a given,” she said. “We can in fact strive to create code more safely, to create development operation processes that are more secure. There are players who are meeting that standard who can set best practices.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE Research’s coverage of the RSA Conference:

https://www.youtube.com/watch?v=2Mo7TKn9tso

(* Disclosure: Fortinet Inc. sponsored this segment of theCUBE. Neither Fortinet nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
