The software supply chain becomes more transparent

BlackBerry’s vice president of product security discusses what the Biden government’s cybersecurity executive order means for the software industry.

Christine Gadsby is the vice president of product security at Canadian multinational corporation BlackBerry, which specializes in enterprise software and IoT technology.

In that role she is responsible for protecting the company’s software supply chain, which covers a wide range of duties: the security posture of the software itself, how security is built in during the design phase, and advisory communications.

She has been with BlackBerry for over 13 years, prior to which she worked for Microsoft as a senior security organizational development consultant.

‘An attacker has to be right once and the defenders have to be right every time’

What are some of the biggest challenges you face in today’s IT landscape?

One of the most obvious challenges facing many businesses is the absolute explosion of endpoints as businesses are forced to work remotely. Ultimately, what happens is that attackers have a much more convenient and available attack surface to work from, so it’s not just people working from their favorite coffee shop or the library or their home.

Attackers now have suitable times. People work at dinner time, people work at 2pm on Saturdays and that really wasn’t the case before the pandemic where companies could really count on their corporate security strategy to lock up a lot of employees who were behind a lot of great security walls working on a property. If you spread that out, all those endpoints just get everywhere.

So it’s like looking at security through a locked front door, but now there’s no front door. It’s pretty much everywhere.

So I think that’s probably the biggest challenge most businesses face right now. How do we deal with that attack surface spread because it’s just a lot bigger than before.

I’ve heard a lot about ‘security culture’, but how is it really built in? You have to get to a more tactical level and think about: ‘What are the business plans for HR and finance and legal and how do you really create that prevention-first methodology?’

There really isn’t a single window in a front door anymore. An attacker has to be right once and the defenders have to be right every time, and then how do you go into business planning and really promote it as a business function and mindset and culture? And how do you approach that data and use that intelligence to make smarter decisions?

What do you think of digital transformation in your industry?

I’m probably biased here, but I don’t see an industry with more challenges than security, especially for companies that make security software. Digital transformation is extremely important because it is kind of the new normal and there is so much critical data to manage in terms of security.

I think there are some tactical things we focused on that helped. First, that’s just recognizing that everything has to go through a digital transformation when it comes to security, because that AI model where we learn from our own intelligence is really going to force that digital transformation.

So that’s the first thing, but second, we have to recognize that there’s a skills gap. And in the industry, there is a skills gap with digital transformation. I know that’s a common concern that many companies share.

We certainly promote training programs that focus on those key areas of digital skills. On the non-technical side, that’s looking at collaboration tooling and project management, and then on the technical side, to make sure there’s this one, three, five year plan to make sure we can adapt and thrive and that is in every area.

I think the only place I’ll highlight where it’s really critical is vulnerability management. The purpose of all that vulnerability data is to make a signal usable so that you don’t just end up with 18 different dashboards of data.

In a world of digital transformation, that data comes to you with things to take care of, as opposed to so much noise that you don’t even know where to start and therefore miss a critical signal.

What major trends do you see coming down the line?

I’m really excited about some of the work that’s happening in the software supply chain itself. With the Cybersecurity Executive Order released by US President Biden, I’m very excited to see some of those controls put in place.

I’m really excited to see some of the things it’s forcing a hand on, for example things like the software bill of materials in particular. There’s a lot of really great work happening in the industry on how we build a software bill of materials for software in the supply chain. How do we fix its components? How do we look at what’s inside? How do we make that available?

What I’m especially excited about is the industry coming together to work on this. Security is usually a hard nut because you have a lot of companies trying to come up with their own solutions. But with a software bill of materials, we’ve had a lot of great work groups and a lot of great leaders who come up and really bring companies and their minds together.

As a result, it will make the software supply chain more transparent. It forces vendors to patch their software vulnerabilities. It will enable users of software to have transparency, it will enable them to see under the hood what content is actually in the software they consume and place in their environment.
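The "see under the hood" benefit described in the answer above is what a software consumer gets by reading a vendor's SBOM and checking its components against advisories. The following is an added illustration, not code from the interview or from BlackBerry: it parses a constructed CycloneDX-style SBOM (the `bomFormat`, `specVersion`, `components` and `purl` fields are real CycloneDX field names; the package names, versions and advisory identifiers are made up for the example) and reports which listed components fall below a fixed version in a constructed advisory list.

```python
import json

# Constructed minimal CycloneDX-style SBOM. Package names and versions are
# fictitious example data, not a real product's bill of materials.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-parser", "version": "1.4.2",
     "purl": "pkg:npm/example-parser@1.4.2"},
    {"type": "library", "name": "example-tls", "version": "3.0.7",
     "purl": "pkg:generic/example-tls@3.0.7"},
    {"type": "library", "name": "example-logger", "version": "2.17.1",
     "purl": "pkg:maven/org.example/example-logger@2.17.1"}
  ]
}
"""

# Constructed advisory feed: identifiers are placeholders, not real CVEs.
# Each entry says "every version below fixed_in of this package is affected".
ADVISORIES = [
    {"purl_base": "pkg:npm/example-parser", "fixed_in": "1.4.3",
     "id": "ADV-EXAMPLE-0001"},
    {"purl_base": "pkg:maven/org.example/example-logger", "fixed_in": "2.17.1",
     "id": "ADV-EXAMPLE-0002"},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple, e.g. '1.4.2' -> (1, 4, 2)."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """Split a package URL into its versionless base and its version string."""
    base, _, version = purl.rpartition("@")
    return base, version


def load_components(sbom_text):
    """Return (name, purl_base, version) for every component in a CycloneDX JSON SBOM."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for component in sbom.get("components", []):
        base, version = split_purl(component["purl"])
        components.append((component["name"], base, version))
    return components


def match_advisories(components, advisories):
    """Return (name, version, advisory id) for each component below an advisory's fixed version."""
    findings = []
    for name, base, version in components:
        for advisory in advisories:
            if advisory["purl_base"] != base:
                continue
            # A component is affected only when strictly older than the fixed release.
            if parse_version(version) < parse_version(advisory["fixed_in"]):
                findings.append((name, version, advisory["id"]))
    return findings


if __name__ == "__main__":
    for name, version, advisory_id in match_advisories(load_components(SBOM_JSON), ADVISORIES):
        print(f"{name} {version} is affected by {advisory_id}")
```

Only `example-parser` is reported: `example-logger` is listed at exactly the fixed version, so it is not flagged, and `example-tls` has no advisory. Real feeds express affected ranges in richer ways than a single fixed version, but the shape of the check, a versionless package identity joined to advisory data, is the same.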
