I recently participated in a panel with a group of women who are on the front lines of security at Intel – each with their own unique cross-industry background and niche area of security expertise. These talented security professionals help analyze, research and mitigate today’s top cyberthreats.
We came together to discuss the challenges facing the security industry in the coming year and beyond, and the discussion could not have been more important or timely. Over the past year, we have witnessed an expanded attack surface for adversaries to capitalize on, thanks to technology advancements, a growing supply chain, the shift toward remote or hybrid work and more.
Maggie Jauregui, offensive security researcher, Katie Noble, director of Intel’s Product Security Incident Response Team and Bug Bounty, Amit Elazari, director of Global Cybersecurity Policy, and I discussed how this evolving attack surface will touch all areas of security in 2022 – from hardware to supply chain to policy regulations. In addition to sharing potential security implications in the coming year, we all shared the challenges we face as women in cybersecurity and how we can and should work together to support each other in this industry.
Overall, my biggest takeaway from my peers was that it will take ecosystem collaboration to move the security industry forward, whether that collaboration happens through established programs like bug bounties, among government policymakers or in partnerships to create an inclusive workplace environment.
Establishing Visibility Will Be a Priority for Bolstering Firmware
To many, firmware is a “dream entry point for threat actors.” Jauregui touched on how firmware is a great target because it is where bad actors can “hide out and persist,” gaining significant power over the physical properties of a platform. The good news is there are accessible, intuitive ways to improve firmware defenses. The first step is asset awareness and understanding your organization’s overall security infrastructure. This visibility is a critical component of addressing firmware security in the coming year and becomes even more important as attacks against the firmware and hardware of devices continue to rise.
To bolster critical visibility, it is essential to continually update and design products with security in mind. Jauregui suggested businesses should think about this notion the same way a car is made: A car is not ready to be sold the moment it is designed, and even a year later it might not be ready to hit the lot. Updates and adjustments are needed throughout the process.
It is also critical that we create a forum and foster industrywide collaboration. Mitigating threats starts with spreading awareness of the vulnerabilities and attacks we are seeing. This includes partnering with security researchers from a variety of backgrounds to help explain threats and their complexities.
Prioritizing Proactive versus Reactive Security Awareness
Along with this need for greater visibility and industry collaboration comes the need to shift toward proactive security measures. Many organizations today rely on reactive responses to threats. In the coming years, businesses will need to increasingly partner with researchers in developing coordinated vulnerability disclosure and bug bounty programs to stay ahead of threats. Noble sees this as an opportunity to encourage more information-sharing within the industry, which is critical for proactive measures. Simply put, “If you see something, say something.”
We already see a trend of proactive measures moving beyond the cybersecurity field. The U.S. government and regulators globally are focused on the importance of coordinated vulnerability disclosure programs and practices. Elazari believes this demonstrates the importance of security on a grander scale, as well as an increased emphasis on vulnerability remediation.
Implementing bug bounties and vulnerability management programs will continue to bleed into other industries as well. We now see such programs across verticals, whether in the banking or airline industry, or in election security. Even the Department of Defense has started to prioritize researcher collaboration. Not only does this create a shift and drive toward a security-first mindset, but it also opens more doors for researchers and security professionals across the board. This provides the foundation for a more holistic culture where policymakers, researchers, hackers and other entities are eager to collaborate.
Women in Cybersecurity: Recognizing Mentorship versus Sponsorship
It’s difficult to discuss a holistic approach to security and fostering a welcoming culture without touching on inclusion. The Aspen Institute found that only 24 percent of cybersecurity workers self-identify as women. It is more important now than ever that we create a platform for women in the field rather than compete against one another. As Jauregui put it, “If one of us wins, that's a win for all of us.”
While mentorship is impactful, it’s not just about women lifting other women up. Mentors can (and should) come from all backgrounds and include men as well. That said, we need to encourage an intentional shift toward prioritizing sponsorship in the workplace. While mentors support, teach and guide, sponsors go a step further – advocating for a person when they are not there. This idea of vouching for someone who “isn’t in the room” is an essential part of strengthening and encouraging inclusion. This shift from mentorship to sponsorship can empower the next generation of cyber professionals, inspiring younger generations starting out in this line of work and preparing them to be confident, empowered leaders in security.
The security industry is no different from other fields in its ability to benefit from creating an inclusive environment that brings together people of different backgrounds and unique perspectives. It is what ultimately will fuel and advance the technology space moving forward.
Perhaps Noble put it best: “Technology is agnostic. Technology doesn't care about who you are, where you live, what your ethnicity is, what your orientation is – it doesn't care. It's by its nature inclusive, and I think it's really important that we honor that.”
Suzy Greenberg is vice president in the Intel Product Assurance and Security Group at Intel Corporation.