Data Security Decoded 11.4.25
Ep 38 | 11.4.25

Secure by Design, Secure by Default, Secure by Demand

Transcript

Lauren Zabierek: Security has to be a business decision led by business leaders in the company. It should not be an afterthought. It shouldn't just be left to the security team to sort of try to convince the rest of the company that they should do this. [ Music ]

Caleb Tolin: Hello, and welcome to another episode of "Data Security Decoded". I am your host, Caleb Tolin, and look, it is fall. I am in my monochromatic Costco sweater. I am living my best life. I hope you are, too, this fall. Now, before I get into introducing our guest, if this is your first time joining us, welcome to the show. Make sure you hit that "Subscribe" button so you're notified of new episodes. And if you're already a subscriber, thanks for coming back. We encourage you to leave a rating, drop a comment below. Let us know what you think about the episode and of the show. Now, on to our guest for the hour. Lauren Zabierek is the SVP at the Institute for Security and Technology, a longtime advocate for diversity in cybersecurity through initiatives like New America's ShareTheMicInCyber program. And she's been in national security for years with three stints spanning across defense, military, cyber, and counterterrorism. You name it, she's done it. And she previously led CISA's Secure by Design work and has extensive experience helping organizations strengthen their cyber supply chains and implement security by default and security by demand practices across complex technology ecosystems. You know, I really had a great time talking about the Secure by Design program, vendor security, and how organizations can proactively manage cyber supply chain risks. I've left you waiting long enough. Let's get into it. All right, Lauren, thank you so much for joining us, and welcome to the show. We're starting things off a little bit differently this time and I want to hear something non-cyber-related that you are obsessed with lately. I'll go first. A couple of weeks ago, I was in New York City and I got to see "Oh, Mary!" with Jinkx Monsoon. It's a play on Broadway. Seriously, it was one of the funniest shows I've seen in such a long time. I'm such a theater nerd. I highly recommend it if anybody's checking it out in the city. 
Jinkx isn't in it anymore, but I highly recommend folks go check it out. What are you obsessed with lately?

Lauren Zabierek: Okay, so on a couple of other recent podcasts, I've mentioned my love of U2. I've also mentioned my new love of Cheetos. I'm not going to go into that now. I think otherwise, we're kind of just too tired to be fully obsessed with anything, you know, just being a human right now, a parent of two young kids, et cetera. But I will tell you the things that are bringing me joy, and those are drumming. So I'm a drummer. I'm not a great drummer, but I -- you know, I love doing it. I've just loved it for so long. I'm also taking a dance class, a hip-hop dance class. And I just started a creative writing class. So those things are --

Caleb Tolin: Oh, very cool.

Lauren Zabierek: Yeah. [laughs]

Caleb Tolin: I love that, I love that. I tried to do some dance classes a couple years ago and I fell out of the habit of it, but it is very fun. It's a great way to get some exercise, and just like you said, bring some joy to your life that's -- that you can't find at a keyboard in front of a monitor. [laughs]

Lauren Zabierek: Yes. And the cool thing about this class is it's this hip-hop class. And I saw these women perform at my daughter's dance recital basically. And these women are all, I would say, 40-plus, right, so like my age group, 40s, 50s, and I think even some 60s in there. And when I saw them perform at the recital, I was like, "Yes. I think I found my people. I want to join this class." So now I'm in it and it's a ton of fun.

Caleb Tolin: Oh, I love it, I love it. You're like, "I feel seen. I need to be a part of this." That's --

Lauren Zabierek: Yeah. [laughs]

Caleb Tolin: -- incredible. Awesome, awesome. Well, to get into the meat of the conversation, you've described your story as being dedicated to building a safer, more secure future with your career spanning national security, defense, cyber, and counterterrorism. And a big project that you undertook when you were at CISA was the Secure by Design challenge. Could you provide a little overview of what that initiative was and the key objectives you focused on during your tenure at CISA?

Lauren Zabierek: Yes. So let me start with a story. This summer, I -- we took our family to Seattle. My son is very into volcanoes. He really wanted to go see Mount Rainier. And so we decided to go and check out Seattle as well. And there's this Museum of Flight there. And at the Museum of Flight, they have this aircraft pavilion. And you go in and it's this outdoor thing, and it's just packed with aircraft, like old, decommissioned aircraft. You've got 747s, you've got a real Concorde. I have never seen a Concorde that close before. You've got F -- an F14 and just all of these cool planes. I'm an airplane nerd. My father was both a Navy and an airline pilot, and so I've got that in my blood. My husband is also a bit of an airplane nerd, too. And so you walk through here and, you know, you're just kind of enthralled, or at least I was. But then, you know, it's very easy to sort of get lost in that. But what you might not see is under or sort of surrounding all of the aircraft is this exhibit called the "J. Kenneth Higgins Exhibit on Safety by Design". And what it really showed, you know, the visitors there is that two things. First, flying used to be extremely unsafe. But now it's one of the safest ways to travel. But we didn't get there by accident, right? There was a concerted effort on the part of industry, on the part of government, and of course, you know, the consumers, the customers were also very invested in making flying safer as well. And so over the years, through systematic study of defects, and of incidents, and crashes and, you know, learning how these crashes happened in order to prevent them at scale, that led over time to a much, much safer mode of transportation. And so that really helps us to form a model for how we make other industries safer. So the automobile industry followed a very similar trajectory, so did food and medicine, and there are others. But these examples show us how we can do this with software. 
So at this point, I think we know, software is -- just it underpins our entire economy, our national security, our public safety, our public health, our daily lives, right, our water, our hospitals, our energy. These are all things that are powered by software, and yet, with few exceptions, our software is built insecurely. Now, and that, of course, leads to the ever-growing cyberattacks and cyber incidents that we see. Now, it's not that these software companies are inherently bad, they're simply operating in a market that is completely misaligned. So it's really an economics issue. And so, again, looking toward those examples, we have a path for, we know that that software can be made safer, and so just we really focused on driving adoption with the companies. We looked at really how to provide guidance and then we also created the Secure by Design pledge. And at the time when we launched it in 2024 at RSA, we had 68 software companies sign on, which we thought was incredible. And we worked with the community, the technical community, the software companies to figure out not only would they sign it -- right, it wasn't just a pledge that said, "Yay, I'm going to make more secure software," it was seven concrete actions that these companies committed to work on through the course of the year. And then by the time we left, we had over 300 companies sign on. Now, this pledge, you know, it addressed certain things like eliminating entire classes of vulnerability. It talked about enabling multifactor authentication by default across product lines. It talked about a vulnerability disclosure policy. Those are just a few things. But you can see that they're very concrete, measurable actions that lead to better outcomes. And so that's really what we focused on when we're at CISA. And now that we're at the Institute for Security and Technology, we're really building upon that momentum and the work that we did to continue to drive this mission forward.

Caleb Tolin: Right, right. And Rubrik, the -- you know, the company chartering this podcast, did participate and is participating in the Secure by Design pledge. And to your point, it's an ongoing thing. It's not just a moment in time where you claim you're going to make this pledge at a moment in time and then it's done. There are all of these steps that happen, you know, over the next several months and years to ensure that you are advancing the security of your platform. So it's incredibly important. And I really love the way that you thought about this and how it came from almost this place of this, you know, experience at a museum with, you know, aviation and cars, and being able to see the connection through how we've seen this happen throughout different phases of history is really, really interesting. So something I'd really be interested in hearing your perspective on is can you share an example of a successful implementation of Secure by Design and what lessons other companies could take away from that experience?

Lauren Zabierek: I want to talk about here the Secure by Design principles. So I think there are a lot of different tactics that companies can take in order to implement those principles. But ultimately, they're nontechnical, the principles themselves. So the first one is taking responsibility for your customers' security outcomes. Number two is to embrace radical transparency and accountability. And number three is really leading from the top. So ultimately, what this tells us is that security has to be a business decision led by business leaders in the company. It should not be an afterthought. It shouldn't just be left to the security team to sort of, you know, try to convince the rest of the company that they should do this. It's the company leadership that should say, "This is a priority," and therefore, orient the different resources and priorities around that particular topic. So I think the companies that truly embrace that -- those ideas -- and again, there are different tactics for doing that. And of course, there are ways that we know how to, again, prevent those classes of vulnerability or things that we can do like enabling secure authentication or eliminating default passwords, things like that that are very well-known that the companies actually do. And you know, I want to go back to this idea that this is as much, maybe even more of an economics issue than it is a technical one. So we believe that having more secure software is not a technical impossibility. But the companies right now are acting rationally in a misaligned market. And so Secure by Design I think at its core is about shifting those incentives in order to drive a change in behavior.

Caleb Tolin: Right, right, right. And so shifting away a little bit from the conversation about the vendors and those creating the software themselves, more on the side of the companies procuring that software, when evaluating the vendors and third-party partners that they are aiming to work with, what are some of the most critical security questions that they should be asking to ensure that their cyber supply chain is protected?

Lauren Zabierek: I love that we're focusing on the customers. We often think of them as the victims of insecure software. And so a lot of companies will -- or software companies will say, "Well, we're not getting the demand from our customers to build more security features into the product." And then when we've talked to the customers, they're like, "Well, we do want security, but we don't know how to get it or ask for it." And just taking a step back, again, to the economics issue, software is what economists would refer to as a "credence good". Now, I know this is an esoteric term. But what that means is that it's very hard to assess the quality of a product or a service, both before you consume it and after you consume. So I'll give you an example. Maybe, you know, you've had surgery, right, and you don't know whether, you know, going in, "Is this going to work," and then even after, "Is this going to work long-term?" And I, you know, can say that from experience. I recently had back surgery to repair a fracture. So I think it's held. I think I'm okay, but we're not going to know for, I think, a long time. And so, you know, another example would be car repairs. You don't know the quality of that service, and even if you undergo that service, you still don't quite know, "Hey, did that actually work," and, "Is my car actually fixed?" So the idea that it's a credence good, that we can't assess the quality of software before we buy it, and then after we start using it, is a problem. Right, we don't have the criteria, we don't have the benchmarks in order to fully assess that. Now, what we would like to do is move it from that credence status to maybe an experienced good where you have to sort of buy a good or a service and then you can assess for yourself whether that is something of quality. So that's like meals that we eat or, in your case, a Broadway show. 
You didn't necessarily know going in, but once you've experienced that, you're like, "This is amazing," right? And then, of course, it would be great to move it to a search good where you could fully assess like, you know, you look at a piece of clothing and look at the tag, "Oh, I can see that, you know, the different materials that this is made of." You can feel it. You know that it's good quality. So to that end, what are some questions that we have right now? Well, when we were at CISA, we released a Secure by Demand guide. So we have, you know, our Secure by Design and we sort of rolled Secure by Default underneath that, but we also pushed this idea of Secure by Demand. In this guide, we supplied customers with different questions, and some of those questions are things like, "Does this product support secure authentication? Is it done by default?" We also recommended asking the vendors, you know, "How are you eliminating entire classes of vulnerability?" You know, "Does it use memory-safe languages? How are you eliminating cross-site scripting or SQL injections," things that developers know how to do but often aren't incentivized to do so. Does the -- you know, does the organization provide security audit logs for free? So those are the things that customers can ask that show outcomes and I think progress toward increased security and safety.

Caleb Tolin: Right, absolutely. And getting answers to some of those questions is certainly a way that you can avoid a nightmare scenario. But speaking of nightmare scenarios, my next question for you is not so much very technical, but we are in the scariest month of the year, October, and --

Lauren Zabierek: Is that because it's --

Caleb Tolin: -- I know you've been --

Lauren Zabierek: -- Cybersecurity month? [laughs]

Caleb Tolin: It is also Cybersecurity -- yeah, it is Cybersecurity Awareness Month. It is also Halloween this month. And I know from our conversation prior to our recording you mentioned you have kids and you mentioned this at the top of the episode as well. Do you have a family costume planned, what are you going to be wearing for Halloween, or is it really mostly focused on the kids this year?

Lauren Zabierek: My kids are completely obsessed with Halloween. I don't know where this comes from because it's not like I really push this on them. My husband is the same thing, we're like, "This sort of comes out of nowhere," but it's hilarious to us. And they have set themes for each Halloween. And this goes out for a couple of years. This year is Star Wars Halloween. And so they're going to be Darth Vader and Princess Leia. They've recommended that I be C-3PO. I don't know how I'm going to pull this off. So yeah, I don't quite know yet. Typically, I like to sort of make up different costumes, but because they're so invested in this, I'm like, "I have to find a way." I'll also say, too, for the record, I'm not necessarily a "Star Wars" girl, I'm more of a "Spaceballs" girl. And I'm super excited that the sequel's coming out soon. So maybe they'll let me get away with Dot Matrix. We'll see.

Caleb Tolin: Very nice, very nice. And you know, of all of the characters in "Star Wars" that they picked, C-3PO, at least it's not the most offensive that it could have been.

Lauren Zabierek: Yeah, true.

Caleb Tolin: I would imagine if I were in that scenario, someone sang like, "Oh, you should be Jabba the Hutt," "No, no, that's not on the table. [laughter] It's not on the table for me." But --

Lauren Zabierek: Not going to happen.

Caleb Tolin: -- that's incredible. Yeah, it's incredible. Awesome. Well, I want to shift gears a little bit and talk about another incredible program that you helped found and that is the ShareTheMicInCyber Fellowship at New America, which is a think tank in DC. We've had some incredible alumni from this -- from the program on this podcast, including Pavlina Pavlova, Gabrielle Hibbert, Michael Razeeq. If -- you know, for the listeners who may have not already heard those episodes, go check them out. They're all really interesting. These folks have done some really impactful research that it's just very fascinating to listen to and it's very valuable. So jumping back into the question at hand, though, can you give me a rundown of the goal of what this initiative was originally founded for, and then I'd love to hear more about some of the real-world impact that these fellows have created after leaving the program.

Lauren Zabierek: Well first, I just want to thank you for having the fellows on to talk about their research. It's so great to see them out there and talking about this, and I just really appreciate you giving them the platform to do that. ShareTheMicInCyber was created in 2020. And that was at a time, right, we created it to continue to meet the moment. And at that moment in time, the need was visibility and amplification of the voices of black cyber professionals who were working in this industry, doing really important work, but often weren't getting recognized for that. And so the way that we decided to amplify the voices and to create that visibility was to hold eventually five different social media campaigns on both Twitter and LinkedIn. Back then it was Twitter. And my cofounder Camille Stewart Gloster -- you know, I just love this story because we essentially met, I would say, serendipitously. I saw -- I had this thought -- when I saw the original Share the Mic Now campaign, I thought, "Ooh, this could really be interesting and useful in cyber," and then I saw her post on Twitter something very similar. So I slid into her DMs. Five years later, you know, we're still going strong. We're very good friends, and it's just been such an amazing ride with her, and then of course with Katelyn Ringrose as well. So after a couple of years and five different campaigns where -- and I think at the height, one of those campaigns generated over 100 million Twitter impressions, which is pretty incredible -- we then shifted to, "Okay, what's the next need of the moment?" And so as Camille was going into the White House into this policy role and, you know, we were looking at this landscape and thinking, "Okay, where do we need to sort of orient the community now? Where is the most need?" And we thought cyber policy would really be benefited by more diverse voices. Our thesis has always been diversity is essential to cybersecurity. 
So for the last three years, we've held this fellowship at New America. And you're right, we've had -- we've supported over 21 different fellows over the last couple of years. They've done, you know, cutting-edge research that has demystified the connections between cybersecurity and vulnerabilities and human harm. And I think that's where our value has really shown itself and, you know, we've looked at the different economic and technical and psychological and social harms that, you know, and shown really how innovation and safety should go hand in hand. And so you mentioned a couple of our fellows at the top of this question. You know, they're looking at things like the gendered impacts of cyberattacks and cyber incidents. And you know, on that, it's just like when critical infrastructure services are simply not available, they've been disrupted, what are the actual implications and the harms on, you know, especially women looking at an AI bill of materials, so like a nutrition label. And this was before, you know, that conversation really started to gain traction. Michael Razeeq did a legal framework for states who are examining -- starting or continuing their civilian Cyber Corps, so again, these areas that typically were underexplored. So the fellows, they came in with their ideas and we worked with them to support them and to hone those ideas to get their research out and then to be able to talk about it. And we're just so proud of not only their work in especially to further these kinds of policy issues and develop recommendations, but to go out and talk to the media, to industry, to policymakers and the executive and congressional branches, to talk about these ideas and really shed light on these particular issues. 
And so yeah, we're just -- we're excited about all the work that we've done and I'll just sort of preview for now because I don't know exactly when this is coming out, but we will have an announcement soon on, I guess, the next evolution of ShareTheMicInCyber.

Caleb Tolin: Incredible. Well, I'm excited to see that come to fruition. And thank you for kind of giving a little bit of a preview of what some of the research was that came out of this program. Because like I mentioned, we had these folks on the podcast and they got to talk about each of those things a little bit more in depth. So people, go back and listen to them. They're great. Read their papers, go follow them on LinkedIn. See the incredible work that they're doing because they're out there advocating for some very important things. And I really appreciate you taking the time and putting in all the effort to help build a platform for these folks through their ShareTheMicInCyber program. But Lauren, thank you for joining us for the podcast. This has been an incredible conversation. Where can our listeners find you and learn more about the incredible work that you're doing?

Lauren Zabierek: I really appreciate that. So I myself -- I'm on LinkedIn, laurenz1010. You can find me at the Institute for Security and Technology. So if you go to securityandintechnology.org, you can start to see the work that we're putting out. We just put a paper out this past week on a blueprint for the next 25 years of the CVE program and how it should be reformed. You can also go to New America and check out the work that the fellows from the ShareTheMicInCyber Fellowship did, and then also a quick shout-out to Bridget Chan, who literally took this idea that we had and made it come to life. So I just want to give her a shout-out. And then also you can check out sharethemicincyber.com. And also, I think we still have merch, right, you can see here I've got my ShareTheMicInCyber mug. [laughs]

Caleb Tolin: I love it, I love it. And yes, plus one to that shout-out to Bridget. She's great. She's been wonderful to work with and she's done some really incredible work with this, too. So Lauren, again, thank you so much for joining, and until next time.

Lauren Zabierek: Thank you, Caleb. [ Music ]