Rob: Welcome, everyone, to this CUBE Conversation discussing the state of transparency in cybersecurity. I'm your analyst and host, Rob Strechay. I'm joined today by Suzanne Spaulding, former Under Secretary for Cyber and Infrastructure at the Department of Homeland Security, and Carl Windsor, Senior Vice President of Product Technology and Solutions at Fortinet. Welcome, both of you.

Suzanne and Carl: Hello. Hey, Rob.

Rob: I'm excited for this because I think this is one of those really big moments in cyber that is about how we are going to achieve better resilience within our products and how we are going to get together. Here at theCUBE Research, we've been discussing how the threat landscape has been evolving and changing very rapidly over the past few years, to put it mildly. Today, I think this is going to be a great discussion where we dive deeper into the importance of transparency in network and cyber security, and specifically examine how vendors can build trust and confidence into their products and solutions, so that people can have more confidence going forward that they're approaching cyber in a way that helps everyone, in a bigger-tent type of atmosphere. So let's get into it with Suzanne. With your background at the Department of Homeland Security, you had a pretty unique viewpoint into this. Let's dive into that a little bit and get your view on the need for secure data and IP being balanced with the need for, well, no more secrets, what some will call fighting into the light, or fighting in the light. What's your view on that? And how do people, and vendors, balance that out?

Suzanne: Yeah, thank you, Rob. Great to be here to chat with you. So I do think it's important to put this conversation in that broader context. I sort of coined this phrase; I talk about it as training to fight in the light. And I've been talking about this since 2010 or even earlier.
And the notion is really pretty basic. If you trained to fight in the dark, you could meet your adversary at night, or you could turn off the lights, and you'd have the advantage. I think we need to recognize that a transparent world is coming at us full steam ahead, one in which the lights are being turned on all over the place. And whoever can figure out how to operate most effectively in a transparent world is going to have the advantage, right? That's the notion of training to fight in the light. It is the idea that transparency is a great strength. It's a great strength of democracies in contrast with authoritarian and totalitarian regimes. Democracies are used to the imperatives for transparency, whereas dictators need dark corners in which to hide secrets from their public. So we have an advantage, and we should lean into that advantage. Part of that is also recognizing, coming to grips with, the reality that that is the world that's coming at us. And it is partly because it is just increasingly difficult to keep secrets; the shelf life of secrets is vanishingly short, as we are all aware. But the costs of trying to keep information secret also keep growing: both the direct costs, the amount of money that's being spent on cybersecurity, and the indirect costs. And we'll talk about that today. The costs in terms of benefits that are lost by holding information close instead of sharing that information. In the national security and homeland security world, we got schooled on that after 9/11 particularly, when we recognized that we needed to share that information with all of our defenders in order to increase our security. And we see that in cybersecurity. It is absolutely the case that we need to be sharing that information with all of our network defenders. We need that radical transparency because our adversaries are networked and they are sharing information.
We need to share information that can help all of us do a better job in cybersecurity. It's absolutely imperative.

Rob: Yeah, I think that is key. We're seeing that not only nation states but these bad actors are more or less incorporating as corporations, very well organized, with hierarchies, able to act as small companies, almost like vendors on the other side of the fence here. But I think people may not really understand what transparency means in this context. You've been an advocate for the importance of this in cybersecurity throughout your career. What does transparency look like in cyber, and from a cyber vendor's perspective?

Suzanne: Yeah, so it's on both sides. One aspect of that is you've got to assume, as I say, really take on board, the difficulty of keeping information secret. And therefore you've got to identify and minimize the amount of information that you really need to protect, as opposed to trying to protect everything equally. That's inherent in the NIST Cybersecurity Framework, which starts with Identify: identify your truly high-value assets, and then you can really focus your efforts on protecting that kind of information. It also means that in your planning you have to assume that you're going to have a breach, right? And you've got to figure out all the ways in which you're going to mitigate the consequences of that disruption, of that breach. Those are two ways in which understanding this radical world of transparency that we are in is important for cybersecurity. And then, as I said, on the flip side, making sure that you are sharing everything you possibly can, leaning forward, that we are all sharing information about breaches, about vulnerabilities, about what we know about threat information, so that we can have the kind of collective defense which is really our only hope against an incredibly dynamic and evolving environment.
Rob: Yeah, I think that is true. It becomes more dynamic, it seems, every day, and especially with AI. Now we're getting clean malware versus really badly worded malware and things of that nature, which was a little bit easier to track, but now you're seeing it coming out of the LLMs. But let's bring Carl in on this, because I want to get a vendor's perspective on what's going on. From a Fortinet perspective, how do you see that dynamic relationship between product security and the importance of transparency? You have intellectual property, you have trade secrets and things of that nature, but how do you strike the balance?

Carl: Yeah, so Fortinet, last year, shipped 50% of all the worldwide firewalls. So we have a duty of care to our customers. We know that. So we have to really balance security with transparency: how can we secure our products, but at the same time get as much information out into the wild, exactly as Suzanne said. Her point about fighting in the light is really important to us. And we have a saying, which is, sunlight is the greatest disinfectant. So we will look at our products. We will look for vulnerabilities. We will work with our outside partners who are doing responsible disclosure. And the key thing is to secure the products, to look for the issues that may lie there, to fix them rapidly, but then to get as much information out to the customer as possible, so they know; give them the information that they need to assess the risk. And then, most importantly, to upgrade when they need to. If we don't give them that transparency, that radical transparency that Suzanne talked about, they can't make those risk decisions of when to upgrade and how quickly to upgrade. So that is why we've embraced working with the third-party responsible disclosure organizations, people who are providing us with information, and then getting the vulnerabilities we discover out into the wild.
Last year, 83% of all the vulnerabilities that we published were ones we discovered ourselves. And we're not hiding things. Things that other vendors may have published as being a crash or a bug, we make sure that if there's any risk, we give our customers the information that they need to make that risk-based decision.

Rob: That's great. And to that point, my morning reading is CISA's email, where every vulnerability that's come out the night before has been published. It's always fascinating to see. As a community, it seems like certain organizations are doing a better job, so it's great to hear how Fortinet is leaning into that. But Suzanne, let's bring you back in and continue on that thought. What do you think is the best path forward here? And is more government, I guess you could say, more involvement from government entities, really the right path forward, or something that should be done?

Suzanne: Well, let me start by saying, I think government can play an important role here by encouraging the kind of behavior that Carl has just described, which is for companies to be quick to get out information about their own vulnerabilities, and government can help reduce the stigma attached to that, right? Because among everyone who's developing products, nobody is coding perfectly. So everyone has vulnerabilities. And the only real difference is, are you being told about them as a customer? Are you getting the information that you need to address and mitigate those vulnerabilities? And it's really imperative, I think, that government create an environment in which companies are strongly encouraged and rewarded for getting this out. And I think CISA is doing a great job with that. If you look at their guidance on Secure by Design, one of their key principles is what they call radical transparency.
And one of the things that they explicitly note in there is that when you first start implementing that, it is going to look ugly. I remember this from when I was the Under Secretary at DHS: when we did it across government through our Continuous Diagnostics and Monitoring program, we began to get much greater insights into what was happening on our government networks. It was pretty ugly at first, but it was better to get that information, get it out, and share it widely in order to be able to improve things. And it was a sign of progress, frankly, that we saw these higher numbers of concerning incidents. That is what we've got to help the broader ecosystem understand: this radical transparency is going to look ugly at first, but that is a good thing. And it really has to be done that way. And then government needs to lead by example. Government needs to display that same radical transparency, be very transparent and quick about acknowledging the breaches and vulnerabilities that they face.

Rob: Yeah, no, I do like the work that CISA has done. And the White House had its foot in this year with the National Cybersecurity Strategy, which picked up on CISA and the secure by design and secure by default aspects. Having been a product person myself and built software over the years, I look at that as critical to achieving your customers' trust as well: that transparency. I think that's a total key here, that transparency is a key foundation to both elements, secure by design and secure by default. Can you share your insights into what is meant by, or how you're going to meet, those goals for cybersecurity, and how it's going to be met from an industry perspective?

Carl: Well, from our point of view, secure by design is something that we've had in place for a long while.
So it's about thinking about security before you even write a line of code, right from the start, where you think about how you're going to design the system, what methodology you're going to use, the threat model: what do you expect the threats to be on your product? That's something that we've been doing for a long while at Fortinet. I think what the whole secure by design, secure by default idea or concept is, is really to shift the balance away from customers and end users needing to understand what can sometimes be a complex system and be able to configure it and use it in the right ways. As the experts, the vendors ourselves need to be able to build the product from the ground up in a secure manner and configured securely by default. One of the things we've always done as vendors historically is create hardening guides: build products that are simple for the customers to use, and then have a hardening guide to make them more secure over time. We've got to move away from that and take the onus off the customer for that initial secure configuration. So build security into the product from the start, and then have a loosening guide instead. It's to change the way of thinking so that everything comes out of the box secure, and maybe they have to disable some of the features or settings to make it less secure but easier for them to use. It's a whole paradigm shift for the way that we operate in the cybersecurity space, I think. And one that is definitely going to be a big benefit for a long time to come.

Rob: Yeah, I would agree. In a very distant past life, when I actually managed firewalls, it was the concept of shutting the ports off and letting somebody complain about the port not being open. But that was the poor man's view of it back in the day, when we were just getting started with firewalls.
But, Carl, do you expect the rate of change to be challenged with this? The pace of patches and disclosures, changes in code across the ecosystem, really is pretty frenetic, especially where you're finding things. Do you expect that to change from an industry perspective or from a Fortinet perspective?

Carl: So I think the pace of change has got to continue. I think the difficulty for our customers is how they manage that pace of change. We can create patches and continue to fix issues, but as we speak to our customers, they are finding the pace a little bit frenetic. We can't get away from that. So really what we need to do is give them the tools that they need: one, to make the decision of whether they need to upgrade and how quickly they need to upgrade, and then to put other mitigations in place. So things like, can we help them with automatic upgrading to get them to the next release as rapidly as possible? Can we help them with other tools like virtual patching technologies? It doesn't get away from the need to upgrade, but it might give some breathing space to allow them to get through that upgrade process. But this is another reason why that radical transparency is important: you've got to give the customers the level of information they need to be able to make those decisions. So give them the information as early as possible, as rapidly as possible, so they can make those risk-based decisions on whether to upgrade. So yes, I think the pace has got to continue. It's okay to say, oh, I'm not going to patch for this release, or I don't have time to patch, but threat actors are going to abuse that gap between the updates.
So the more we can do to keep up the pace of fixing problems, then give the customers the information they need to make the risk-based decision, and then provide other tooling in between to try and mitigate those risks, things like the virtual patching I mentioned, the better. It is absolutely critical to the customers.

Rob: Yeah, we like to say that Patch Tuesday has turned into Hack Wednesday. How do you really stay out of that loop? This has been fantastic. We've been talking to our customers and recommending radical transparency, and actually rating the organizations you work with on that radical transparency, because that's one of the things you want to see, that they're participating in it. So I want to thank you both, Suzanne and Carl, for coming on board here. This has been a ton of fun and flew by, but I really appreciate you sharing some of the insights into that and what others can look for when they're evaluating vendors.

Suzanne and Carl: Thank you, thanks for the time. Thanks, Rob.

Rob: And thank you for watching this CUBE Conversation. I'm your analyst and host, Rob Strechay. You're watching theCUBE, your leader in enterprise technology news and analysis. See you soon.