SolarWinds CEO gives chief security officer authority and air cover to make software security a priority
New leader is also making changes to the software development process to make it harder for attackers to find vulnerabilities.
SolarWinds CEO Sudhakar Ramakrishna is making changes at the board level and in daily operations to change the company’s security mindset. The company launched a Secure by Design initiative in response to the recent cybersecurity attack. This project is designed to build security into the design phase of software development and to make security an ongoing instead of an after-the-fact priority.
During a panel discussion about cybersecurity, Ramakrishna said he used his experience as an engineer and a manager to shape the company’s response to the attack. He created a cybersecurity committee for the board that includes him and two sitting board members. He also said that he has given the company’s chief security officer the power to stop any software release if necessary to address security concerns.
“We’re providing independence, confidence and air cover to build a level of comfort and create a seat at the table,” he said.
He said companies have to raise the profile of security officers to the board level to illustrate the importance of the role to the entire company. “Otherwise it just becomes a cost line item in the P&L,” he said.
Ramakrishna described his plan for changing the company’s security culture during a “Big Breaches” panel discussion with the authors of a new book and several industry security experts.
In a discussion about how to reduce the frequency of these attacks, Jimmy Sanders, head of security for Netflix and a member of the ISSA International Board of Directors, said that the industry needs to adopt a different approach to security, one that requires bad actors to succeed with an attack multiple times to gain access instead of just once.
Ramakrishna said his company is experimenting with an approach like this. The company is testing a design process that uses several parallel build chains simultaneously to create software instead of just one.
“We want to establish software integrity through two or three pipelines to avoid supply chain attacks, and as Jimmy said, to make sure attackers have to be right three different times to succeed,” he said.
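The check behind that idea, as an added Python illustration rather than SolarWinds' own tooling: each independent pipeline builds the same tagged source, the release gate hashes every artifact, and the release is blocked unless all pipelines agree bit-for-bit. The pipeline names, the artifact bytes and the `required` threshold below are constructed for the example and are assumptions, not anything from the panel.

```python
"""Release gate that requires N independent build pipelines to agree.

Added example, not SolarWinds code. Assumes reproducible builds: the same
source revision must produce byte-identical output in every pipeline, so
a single compromised pipeline shows up as a digest mismatch and blocks the
release rather than shipping.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PipelineResult:
    name: str        # e.g. which isolated build environment produced it
    artifact: bytes  # in practice the built package/binary read from disk


def digest(data: bytes) -> str:
    """SHA-256 hex digest of an artifact."""
    return hashlib.sha256(data).hexdigest()


def check_consensus(results: List[PipelineResult],
                    required: int = 3) -> Tuple[bool, Optional[str], List[str]]:
    """Decide whether an artifact may be released.

    Returns (ok, digest, dissenters):
      ok         True only when at least `required` pipelines reported and
                 every one of them produced the same digest.
      digest     the agreed digest on success, otherwise the digest most
                 pipelines produced (for triage only, never for release).
      dissenters names of pipelines whose output differs from that digest;
                 on too few reports, every pipeline is listed.
    Any disagreement blocks release: a 2-of-3 majority is not enough,
    because the point is that an attacker must subvert every pipeline.
    """
    if len(results) < required:
        return False, None, [r.name for r in results]

    by_digest = {}
    for r in results:
        by_digest.setdefault(digest(r.artifact), []).append(r.name)

    if len(by_digest) == 1:
        (agreed,) = by_digest
        return True, agreed, []

    majority = max(by_digest, key=lambda d: len(by_digest[d]))
    dissenters = [name for d, names in by_digest.items()
                  if d != majority for name in names]
    return False, majority, dissenters


# Constructed sample artifacts; real pipelines would hand back file bytes.
CLEAN_BUILD = b"example-service-1.0.0: deterministic build output"
TAMPERED_BUILD = CLEAN_BUILD + b"\x00implant"  # one pipeline was modified


def demo() -> Tuple[bool, bool]:
    """Run the gate on an all-clean set and on a set with one bad pipeline."""
    clean = [PipelineResult(n, CLEAN_BUILD) for n in ("build-a", "build-b", "build-c")]
    mixed = [PipelineResult("build-a", CLEAN_BUILD),
             PipelineResult("build-b", CLEAN_BUILD),
             PipelineResult("build-c", TAMPERED_BUILD)]
    ok_clean, _, _ = check_consensus(clean)
    ok_mixed, _, bad = check_consensus(mixed)
    print("clean set releasable:", ok_clean)
    print("mixed set releasable:", ok_mixed, "dissenters:", bad)
    return ok_clean, ok_mixed


if __name__ == "__main__":
    demo()
```

Two caveats a practitioner would add: the comparison is only meaningful if the pipelines are genuinely independent (separate hosts, credentials, toolchain sources and maintainers), since a shared signing key or build image is a single point an attacker needs to be right about once; and the builds must be reproducible, otherwise timestamps and embedded paths will produce legitimate mismatches and the gate will be bypassed or ignored.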
The conversation also included Royal Hansen, vice president of security for Google; Robert Rodriguez, chairman and founder of SINET; and Gary McGraw, a software security expert and co-founder of the Berryville Institute of Machine Learning. Neil Daswani, a co-director of Stanford Online’s Advanced Cybersecurity Certificate Program and former CISO for Symantec CBU and LifeLock, and Moudy Elbayadi, a senior vice president and chief technology officer at Shutterfly, wrote the new book “Big Breaches: Cybersecurity for Everyone,” and participated in the discussion as well.
Dan Boneh, the applied cryptography group lead for Stanford University and co-director of the computer security lab and Center for Blockchain Research, moderated the conversation.
The panel discussion covered the root causes of breaches, supply chain security, cloud computing and security, and collaboration between the security industry and the federal government. The group discussed the SolarWinds attack as well as what the industry and the U.S. federal government can do to reduce the frequency of these attacks.
The root causes of security breaches
Daswani said he sees two buckets for the root cause of security breaches: managerial and technical. The managerial reasons are:
- Failure to prioritize security
- Failure to invest in adequate solutions
- Failure to successfully execute on existing security initiatives
The technical root causes of security breaches are:
- Phishing
- Malware
- Software vulnerabilities
- Third-party compromise
- Unencrypted data
- Unintentional employee mistakes
Daswani said that when organizations do make the right security investments, that provides an adequate defense. He used the example of Google issuing physical security keys to its employees as a successful security investment.
Elbayadi said the industry should prioritize security equally with convenience when building consumer products.
“Business stakeholders don’t want to add more friction for the consumer to engage with the experience, but the bar should be raised on accepted security practices,” he said.
Sanders said that there also should be consequences for companies that consistently fail to follow industry standards for security, such as always encrypting data.
“You wouldn’t allow a car manufacturer to make cars with consistently faulty brakes, but companies continue to get away with these bad security practices,” he said.
Hansen said that another priority should be hardening the open source software packages that are most widely used across the industry.
“It’s not going to solve every problem but will solve big chunks, and it will teach us tools and methods as well,” he said.
Ramakrishna said the company may never be able to identify “patient zero” in the attack on the company, which involved at least four strains of malware. Investigators have narrowed the likely source to one of three entry points:
- A very targeted spear phishing attack
- A vulnerability in third-party software that was not patched
- Credential compromise of a few specific users
He said the company is going back as far as the end of 2019 to gather evidence.