Authority Magazine Interview: John Campbell Of Altum Strategy Group On Embedding Security in Product Design and Development
This interview was conducted by Authority Magazine and posted to their website. The original interview can be found here.
An Interview With David Leichner
In the face of escalating threats from malicious AI, incorporating cybersecurity best practices into the design and development of products is more crucial than ever, especially for manufacturing companies. How do product security managers incorporate these principles from the ground up? What steps do they take to ensure security is a core facet of their products? As a part of this series, we had the pleasure of interviewing John Campbell.
John is a dynamic business leader with 20+ years of experience designing user-focused, flexible solutions that anticipate future business needs.
John has been the architect and product leader on several innovative technology and data platforms and has led the design and implementation of five full-scope data organizations for both public and private companies ranging from small 500-employee businesses to global 15,000-employee organizations. His experience in data, business process, system implementation, and platform design crosses multiple industries including manufacturing, retail, distribution, 3/4/5PL services, and technology.
He holds two Master’s Degrees from Johns Hopkins University in Applied Physics and Applied and Computational Mathematics.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I am originally from Maryland but had the opportunity at the age of 4 to relocate to Asia and study martial arts until I returned home for college at 18. Martial arts taught me the discipline and focus that has propelled me in my professional career in data and innovation.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I’ve always been drawn to data and how it empowers technologies and processes in all aspects of business. Cybersecurity promotes the protection of the integrity of data and the prevention of its misuse, which inspired me to dive deeper into the intersection of data and cybersecurity and help organizations implement and maintain the practices that enable the best possible data posture.
Can you share the most interesting story that happened to you since you began this fascinating career?
Throughout my tenure at Magic Leap, a cutting-edge Augmented Reality (AR) company, I led the development and design for a unique data product platform for mixed reality that needed to factor security and privacy features at the hardware, OS, and application levels simultaneously. This, in particular, was an interesting period of my career as innovation took center stage.
Are you working on any exciting new projects now? How do you think that will help people?
In my free time, I build and operate networks of autonomous drones in support of citrus orchards. Not only does this give me the opportunity to explore my passion and seek breakthroughs in autonomous technologies, but the drone networks also aim to reduce water and chemical usage while increasing food yields.
How do emerging technologies like AI and machine learning influence the risk to the cybersecurity landscape?
With the global costs of cybercrime expected to exceed $10.5 trillion by 2025, business and society at large need to begin investing heavily in cybersecurity, if they haven’t already. AI-enabled ransomware attacks have doubled every year for the past four years, placing an emphasis on the evolution and increased sophistication of these malicious attacks. The number of AI-enabled breaches will undoubtedly continue to grow exponentially, and the attacks themselves will become more and more complex and effective. However, we have already seen tools such as Emotet begin to incorporate machine learning and advanced AI to increase its effectiveness in contextualizing phishing schemes that target banks and financial institutions. While AI and ML are being employed malevolently, the technology is also providing avenues to keep up with the evolving threat and combat breaches.
Ok, thank you. Let’s now move on to our main topic of Embedding Security in Product Design and Development. Can you share a few reasons why this is so critical in today’s cybersecurity threat environment?
The “lone-wolf” hacker is no longer the main threat for most businesses. Today, cyber-hacking is a multibillion-dollar enterprise, complete with institutional hierarchies and R&D budgets. These attackers are using advanced tools, such as artificial intelligence, machine learning, and automation to detect vulnerabilities and increase the potential surface area of attack. Over the next several years, they will be able to expedite — from weeks to days or even hours — the end-to-end attack life cycle, from reconnaissance through exploitation.
“Security by Design” is a philosophy often mentioned in product development. Can you elaborate on this concept and explain its critical role in today’s manufacturing landscape?
Products that are “secure by design” are those that feature the security of the customer as a core business goal, not just a technical feature. “Secure by design” products start with that goal before any development starts and, as such, are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure. Product manufacturers should perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems, and then include protections in product blueprints that account for the evolving cyber threat landscape.
Another term that is important to understand is “secure by default.” These are products that are resilient against prevalent exploitation techniques out of the box, without additional charge to the customer. They protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. “Secure by default” products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls.
Together, these two principles move much of the burden of remaining secure to manufacturers or product developers and reduce the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues.
With the rise of IoT and connected devices, what challenges and opportunities do you foresee in ensuring security remains integral throughout the product development lifecycle?
The proliferation of connected devices, along with the advancement of the complexity in IoT use cases (such as automobiles, healthcare, and smart cities), creates the risk of vulnerabilities that could have catastrophic consequences. The risk profiles of many IoT systems are elevated compared with that of enterprise IT, given the IoT’s control over physical operations. A seamless IoT experience, therefore, requires a foundation of digital trust, functional convergence of the IoT and cybersecurity, and an early-stage integration of cybersecurity in the architecture design and pilot phase.
Traditional approaches to security in the IoT don’t support this secure and seamless experience. IoT buyers often report that there is little multi-layered security embedded in today’s IoT solution designs, leading to vulnerabilities that in turn require regular over-the-air updates and patches, which can’t be reliably implemented. Relative to enterprise IT, solution design in the IoT space lags behind in security assurance, testing, and verification.
Additionally, it’s very challenging to manage IoT cybersecurity because the converged solutions need to be either vertical or use case specific and must include a cross-tech stack layer. Success will hinge on various stakeholders acknowledging the challenges, committing to innovation, and agreeing on industrial standards. And beyond the technical challenges, there is an urgent need for industry talent (with expertise in both the IoT and cybersecurity) which can’t be serviced due to significant labor shortages in this space. This is magnified as embedding IoT skill sets within cybersecurity is still an emerging discipline.
However, the opportunities are also profound if industry can converge the IoT and cybersecurity. By 2030, the IoT suppliers’ market is expected to reach approximately $500 billion in a baseline scenario. In nearly all surveys of executives, a scenario in which cybersecurity concern is completely managed would yield an increased spend on the IoT by an average of 20% to 40%. Moreover, an additional five to ten percentage points of value for IoT suppliers could be unlocked from new and emerging use cases. This implies that the combined total addressable market (TAM) value across industries for IoT suppliers could reach in the range of $625 billion to $750 billion.
Rapid prototyping is becoming the norm in product development. How do you maintain robust security standards during these accelerated design and testing phases?
Cybersecurity is rarely considered among the criteria in the early design phase due primarily to the following:
- Cybersecurity doesn’t directly contribute to revenue.
Customers pay for the features of products, while many customers consider security as a benchmark or a guarantee at best. They may be willing to pay the premium for a higher security service level, but they can hardly quantify their willingness to pay.
On the contrary, there are multiple pricing tools to evaluate most of the product features, such as Conjoint Analysis, Contingent Valuation, and Economic Value to the Customer. So, the value of cybersecurity can be assessed and drive revenue.
- Cybersecurity can potentially delay time to market.
Cybersecurity designs are not free. They require resources, from cloud infrastructure to hands-on expertise. You may also need dedicated training to implement those designs. That being said, your product may need more time to get ready to be launched.
- Designers and managers typically underestimate how severe the consequences of cybersecurity vulnerabilities can be.
More and more, ransomware cases teach us that security vulnerabilities may be worth more than you thought when they are in the hands of bad actors.
Can you imagine Colonial Pipeline, which suffered a cyberattack in 2021 that forced a costly shutdown and eventual state of emergency, spending $5M for cybersecurity on day one of its IT system development? However, they had to pay $5M when they were under attack.
To solve this dilemma, organizations must weave cybersecurity into their product design; it is imperative to make cybersecurity one of the basic design criteria. Does this require deeper knowledge about multiple security considerations? Yes. Will the developing team incur a higher cost or steeper learning curve once they weave cybersecurity into product design? Possibly.
To defer the risk of higher development costs and delays, there are several tactical steps organizations can take, including:
- Utilize a security development environment (for example, Ubuntu’s command-based compliance hardening and vulnerability management).
- Adopt a ‘Security by Design’ framework (NIST SP 800-160, AWS Security by Design Framework, SABSA, COBIT, etc.).
Regardless of the framework, there are 5 underlying components to achieve and maintain security by design.
- Define business goals, timelines, and priorities.
- Enumerate business attributes for the above goals. These may include, for example, customer privacy, data accuracy, customer data ownership and customer satisfaction.
- Identify risks that could affect those attributes. For example, ransomware could affect privacy, or data corruption could affect accuracy and downtime.
- Use security controls and risk mitigation. For example, encrypt data, obtain cyber insurance, conduct availability testing and so on.
- Integrate programs and processes to continuously evaluate and update the framework. For example, conduct data footprint assessments, follow encryption and key management best practices, assess data hygiene periodically, perform third-party onboarding, and assess impact to the risk framework.
Given the complexities of the manufacturing supply chain, how do you ensure that security isn’t compromised, especially when integrating components from third-party vendors?
Manufacturing has had a long history of quality inspections of inputs for form-fit-function checks. QA protocols have to be updated to perform hardware and software inspections which ensure that no tampering has occurred. AI capabilities (such as machine learning and machine vision), along with RPA (robotic process automation) can assist teams in timely, low-cost inspections. Additionally, it’s important to work directly with vendors to understand their embedded security by design protocols. Working closely with them and building partnerships to share best practices and leverage cybersecurity criteria will be critical to success across the entire supply chain. When it comes to selecting a vendor, cybersecurity and data partnerships should be considered essential criteria.
As Industry 4.0 and smart factories gain traction, how are strategies and approaches evolving to embed security in products that align with these futuristic manufacturing trends?
Modern manufacturing methods are very sensitive to timing to allow for just-in-time methods of production. Cybercrime, such as ransomware, is a one-two punch for manufacturing, crippling the ability to create parts by taking down production lines and blinding the organization with respect to incoming materials, expected shipments, status of production, and other critical operational processes of the organization.
Manufacturers also become tempting targets for threat actors because they historically have been vulnerable to cyber-attacks. Often overlooked is the size of their ‘attack surface,’ defined as the total of all potential entry points into their networks, and many are still working with legacy systems that can’t keep up with the pace of today’s threats.
With Industry 4.0, manufacturing has embraced IoT technology. Many of these sensors and automation devices were not designed for security and are not able to be updated or patched. This makes those systems, and the organizations who use them, highly vulnerable. It is incumbent on manufacturers to obtain and maintain the level of IT sophistication necessary to combat an attack, or even recognize that they are being probed/attacked. This is especially timely and important as manufacturing is a relatively unregulated industry, and thus a target with a high cross-section of vulnerabilities.
Here is the main question of our interview. What are your “5 Best Practices for Embedding Security in Product Design and Development”?
1. Implementing zero-trust architecture
The core concept of zero-trust is simple: assume everything is hostile by default. It’s a major departure from the network security model built on the centralized data center and secure network perimeter, a model in use since the 1990s.
In contrast, a zero-trust approach treats all traffic, even if it’s already inside the perimeter, as hostile. For example, workloads are blocked from communicating until they are validated by a set of attributes, such as a fingerprint or identity. Identity-based validation policies result in stronger security that travels with the workload wherever it communicates — in a public cloud, a hybrid environment, a container, or an on-premises network architecture.
Because protection is environment-agnostic, zero-trust secures applications and services even if they communicate across network environments, requiring no architectural changes or policy updates. Zero trust securely connects users, devices, and applications using business policies over any network, enabling safe digital transformation.
Zero trust is about more than just user identity, segmentation, and secure access. It’s a strategy upon which to build a cybersecurity ecosystem. At its core are three tenets: terminating every connection, which enables the architecture to inspect all traffic, including encrypted traffic, in real time before it reaches its destination; protecting data using granular context-based policies, which take into consideration context such as user identity, device, location, type of content, and the application being requested when verifying access requests; and reducing risk by eliminating the attack surface, which eliminates the risk of lateral movement and prevents compromised devices from infecting other resources by connecting users directly to the apps and resources they need instead of networks.
2. Leveraging behavior analytics
Unfortunately, employees often fall victim to targeted cyber-attacks. Analytics solutions can monitor attributes, such as access requests or device health, and establish a baseline to identify anomalous intentional or unintentional user behavior or device activity. These tools can not only enable risk-based authentication and authorization but also orchestrate preventive and incident response measures.
3. Utilizing secure software development
Rather than treating cybersecurity as an afterthought, companies should embed it in the design of software from inception, including the use of a software bill of materials. One important way to create a secure software development life cycle (SSDLC) is to have security and technology risk teams engage with developers throughout each stage of development.
Another way is to ensure that developers learn certain security capabilities best employed by development teams themselves (for instance, threat modeling, code and infrastructure scanning, and static and dynamic testing). Depending on the activity, some security teams can shift to agile product approaches; some can adopt a hybrid approach based on agile-Kanban tickets; and some — especially highly specialized groups, such as penetration testers and security architects — can “flow to work” in alignment with agile sprints and ceremonies.
4. Automation implemented through a risk-based approach
As the level of digitization accelerates, organizations can use automation to handle lower-risk and rote processes, freeing up resources for higher-value activities. Critically, automation decisions should be based on risk assessments and segmentation to ensure that additional vulnerabilities are not inadvertently created. In practice, organizations can apply automated patching, configuration, and software upgrades to low-risk assets but use more direct oversight for higher-risk ones.
5. Use of defensive AI and machine learning for cybersecurity
Much as attackers adopt AI and machine-learning techniques, cybersecurity teams will need to evolve and scale up the same capabilities. Specifically, organizations can use these technologies and outlier patterns to detect and remediate noncompliant systems. Teams can also leverage machine learning to optimize workflows and technology stacks so that resources are freed to focus on cybersecurity and ‘security by design’ protocols.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂
I would love to see federal mandates that declare the “Three Laws of Data”:
- Individuals, and possibly extended to any legal entity, solely own their data, regardless of whether that data has been created by them or that the data describes, defines, or represents them.
- Any entity who wishes to utilize an individual’s data would be required to obtain explicit permission to the data (duration and scope to be set by the data owner) and, as appropriate, provide compensation.
- Organizations — manufacturers, product developers, cloud and telecommunication providers etc. — who store, transmit, or utilize an individual’s data would be 100% responsible for that data and be held liable for any misuse, including any resulting damages.
How can our readers further follow your work online?
Readers can follow me on LinkedIn or contact Altum Strategy Group if they have any specific needs to be addressed.
This was very inspiring and informative. Thank you so much for the time you spent on this interview!
About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
- Date October 6, 2023