Authority Magazine Interview: John Campbell Of Altum Strategy Group On Embedding Security in Product Design and Development

In the face of escalating threats from malicious AI, incorporating cybersecurity best practices into the design and development of products is more crucial than ever, especially for manufacturing companies. How do product security managers incorporate these principles from the ground up? What steps do they take to ensure security is a core facet of their products? As a part of this series, we had the pleasure of interviewing John Campbell.

John is a dynamic business leader with 20+ years of experience designing user-focused, flexible solutions that anticipate future business needs.

John has been the architect and product leader on several innovative technology and data platforms and has led the design and implementation of five full-scope data organizations for both public and private companies ranging from small 500 employee businesses to global 15,000 employee organizations. His experience in data, business process, system implementation, and platform design crosses multiple industries including manufacturing, retail, distribution, 3/4/5PL services, and technology.

He holds two Master’s Degrees from Johns Hopkins University in Applied Physics and Applied and Computational Mathematics.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I am originally from Maryland but had the opportunity at the age of 4 to relocate to Asia and study martial arts until I returned home for college at 18. Martial arts taught me the discipline and focus that has propelled me in my professional career in data and innovation.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I’ve always been drawn to data and how it empowers technologies and processes in all aspects of business. Cybersecurity promotes the protection of the integrity of data and the prevention of its misuse, which inspired me to dive deeper into the intersection of data and cybersecurity and help organizations implement and maintain the practices that enable the best possible data posture.

Can you share the most interesting story that happened to you since you began this fascinating career?

Throughout my tenure at Magic Leap, a cutting-edge Augmented Reality (AR) company, I led the development and design for a unique data product platform for mixed reality that needed to factor security and privacy features at the hardware, OS, and application levels simultaneously. This, in particular, was an interesting period of my career as innovation took center stage.

Are you working on any exciting new projects now? How do you think that will help people?

In my free time, I build and operate networks of autonomous drones in support of citrus orchards. Not only does this give me the opportunity to explore my passion and seek breakthroughs in autonomous technologies, but the drone networks also aim to reduce water and chemical usage while increasing food yields.

How do emerging technologies like AI and machine learning influence the risk to the cybersecurity landscape?

With the global costs of cybercrime expected to exceed $10.5 trillion by 2025, business and society at large need to begin investing heavily in cybersecurity, if they haven’t already. AI-enabled ransomware attacks have doubled every year for the past four years, placing an emphasis on the evolution and increased sophistication of these malicious attacks. These number of AI-enabled breaches will undoubtedly continue to grow exponentially, and the attacks themselves will become more and more complex and effective. However, we have already seen tools such as Emotet begin to incorporate machine learning and advanced AI to increase its effectiveness in contextualizing phishing schemes that target banks and financial institutions. While AI and ML is being employed malevolently, the technology is also providing avenues to keep up with the evolving threat and combat breaches.

Ok, thank you. Let’s now move on to our main topic of Embedding Security in Product Design and Development. Can you share a few reasons why this is so critical in today’s cybersecurity threat environment?

The “lone-wolf” hacker is no longer the main threat for most businesses. Today, cyber-hacking is a multibillion-dollar enterprise, complete with institutional hierarchies and R&D budgets. These attackers are using advanced tools, such as artificial intelligence, machine learning, and automation to detect vulnerabilities and increase the potential surface area of attack. Over the next several years, they will be able to expedite — from weeks to days or even hours — the end-to-end attack life cycle, from reconnaissance through exploitation.

“Security by Design” is a philosophy often mentioned in product development. Can you elaborate on this concept and explain its critical role in today’s manufacturing landscape?

Products that are “secure by design” are those that feature the security of the customer as a core business goal, not just a technical feature. “secure by design” products start with that goal before any development starts and, as such, are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure. Product manufacturers should perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems, and then include protections in product blueprints that account for the evolving cyber threat landscape.

Another term that is important to understand is “secure by default.” These are products that are resilient against prevalent exploitation techniques out of the box, without additional charge to the customer. They protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. “Secure by default” products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls.

Together, these two principles move much of the burden of remaining secure to manufacturers or product developers and reduce the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues.

With the rise of IoT and connected devices, what challenges and opportunities do you foresee in ensuring security remains integral throughout the product development lifecycle?

The proliferation of connected devices, along with the advancement of the complexity in IoT use cases (such as automobiles, healthcare, and smart cities), creates the risk of vulnerabilities that could have catastrophic consequences. The risk profiles of many IoT systems are elevated compared with that of enterprise IT, given the IoT’s control over physical operations. A seamless IoT experience, therefore, requires a foundation of digital trust, functional convergence of the IoT and cybersecurity, and an early-stage integration of cybersecurity in the architecture design and pilot phase.

Traditional approaches to security in the IoT don’t support this secure and seamless experience. IoT buyers often report that there is little multi-layered security embedded in today’s IoT solution designs, leading to vulnerabilities that in turn require regular over-the-air updates and patches, which can’t be reliably implemented. Relative to enterprise IT, solution design in the IoT space lags behind in security assurance, testing, and verification.

Additionally, it’s very challenging to manage IoT cybersecurity because the converged solutions need to be either vertical or use case specific and must include a cross-tech stack layer. Success will hinge on various stakeholders acknowledging the challenges, committing to innovation, and agreeing on industrial standards. And beyond the technical challenges, there is an urgent need for industry talent (with expertise in both the IoT and cybersecurity) which can’t be serviced due to significant labor shortages in this space. This is magnified as embedding IoT skill sets within cybersecurity is still an emerging discipline.

However, the opportunities are also profound if industry can converge the IoT and cybersecurity. By 2030, the IoT suppliers’ market is expected to reach approximately $500 billion in a baseline scenario. In nearly all surveys of executives, a scenario in which cybersecurity concern is completely managed would yield an increase spend on the IoT by an average of 20% — 40%. Moreover, an additional five to ten percentage points of value for IoT suppliers could be unlocked from new and emerging use cases. This implies that the combined total addressable market (TAM) value across industries for IoT suppliers could reach in the range of $625 billion to $750 billion.

Rapid prototyping is becoming the norm in product development. How do you maintain robust security standards during these accelerated design and testing phases?

Cybersecurity is rarely considered among the criteria in the early design phase due primarily to the following:

• Cybersecurity doesn’t directly contribute to revenue.

Customers pay for the features of products, while many customers consider security as a benchmark or a guarantee at the best. They may be willing to pay the premium for a higher security service level, but they can hardly quantify their willingness to pay.

On the contrary, there are multiple pricing tools to evaluate most of the product features, such as Conjoint Analysis, Contingent Valuation, and Economic Value to the Customer. So, the value of cybersecurity can be assessed and drive revenue.

• Cybersecurity can potentially delay time to market.

Cybersecurity designs are not free. They require resources, from cloud infrastructure to hands-on expertise. You may also need dedicated training to implement those designs. That being said, your product may need more time to get ready to be launched.

• Designers and managers typically underestimate how severe the consequences of cybersecurity vulnerabilities can be.

More and more, ransomware cases teach us that security vulnerabilities may be worth more than you thought when they are in the hands of bad actors.

Can you imagine Colonial Pipeline, which suffered a cyberattack in 2021 that forced a costly shutdown and eventual state of emergency, spending $5M for cybersecurity on day one of its IT system development? However, they had to pay $5M when they were under attack.

To solve this dilemma organizations must weave cybersecurity into their product design; it is imperative to make cybersecurity one of the basic design criteria. Does this require deeper knowledge about multiple security considerations? Yes. Will the developing team incur a higher cost or steeper learning curve once they weave cybersecurity into product design? Possibly.

To defer the risk of higher development costs and delays, there are several tactical steps organizations can take, including:

• Utilize a security development environment (for example, Ubuntu’s command-based compliance hardening and vulnerability management).
• Adopt a ‘Security by Design’ framework (NIST SP 800–160, AWS Security by Design Framework, SABSA, COBIT, etc.).

Regardless of the framework, there are 5 underlying components to achieve and maintain security by design.

1. Define business goals, timelines, and priorities.
2. Enumerate business attributes for the above goals. These may include, for example, customer privacy, data accuracy, customer data ownership and customer satisfaction.
3. Identify risks that could affect those attributes. For example, ransomware could affect privacy, or data corruption could affect accuracy and downtime.
4. Use security controls and risk mitigation. For example, encrypt data, obtain cyber insurance, conduct availability testing and so on.
5. Integrate programs and processes to continuously evaluate and update the framework. For example, conduct data footprint assessments, follow encryption and key management best practices, assess data hygiene periodically, perform third-party onboarding, and assess impact to the risk framework.

Given the complexities of the manufacturing supply chain, how do you ensure that security isn’t compromised, especially when integrating components from third-party vendors?

Manufacturing has had a long history of quality inspections of inputs for form-fit-function checks. QA protocols have to be updated to perform hardware and software inspections which ensure that no tampering has occurred. AI capabilities (such as machine learning and machine vision), along with RPA (robotic process automation) can assist teams in timely, low-cost inspections. Additionally, it’s important to work directly with vendors to understand their embedded security by design protocols. Working closely with them and building partnerships to share best practices and leverage cybersecurity criteria will be critical to success across the entire supply chain. When it comes to selecting a vendor, cybersecurity and data partnerships should be considered essential criteria.

As Industry 4.0 and smart factories gain traction, how are strategies and approaches evolving to embed security in products that align with these futuristic manufacturing trends?

Modern manufacturing methods are very sensitive to timing to allow for just-in-time methods of production. Cybercrime such as ransomware, is a one-two punch for manufacturing, crippling the ability to create parts by taking down production lines and blinding the organization with respect to incoming materials, expected shipments, status of production, other critical operational processes of the organization.

Manufacturers also become tempting targets for threat actors because they historically have been vulnerable to cyber-attacks. Often overlooked is the size of their ‘attack surface,’ defined as the total of all potential entry points into their networks, and many are still working with legacy systems that can’t keep up with the pace of today’s threats.

With Industry 4.0, manufacturing has embraced IoT technology. Many of these sensors and automation devices were not designed for security and are not able to be updated or patched. This makes those systems, and the organizations who use them, highly vulnerable. It is incumbent on manufacturers to obtain and maintain the level of IT sophistication necessary to combat an attack, or even recognize that they are being probed/attacked. This is especially timely and important as manufacturing is a relatively unregulated industry, and thus a target with a high-cross section of vulnerabilities.