Cindi Carter is a Field CISO, Americas, with Check Point Software Technologies.
Last week, information about a high severity vulnerability in a well-known industry purveyor’s firewall devices was made public. With a firewall that has been vulnerable to a critical exploit for a full year, as many as 10,000 organizations may have been at risk.
While I don’t have a personal axe to grind with said security vendor in the recent zero-day vulnerability discovery, I’m pondering how this could happen in the first place. I know that we, as an industry, know better, and can do better.
As a CISO, my mission is human safety – to protect the privacy and security of data in the digital and physical realm. This vulnerability may have jeopardized the safety and well-being of countless people.
The CISO perspective: Vulnerabilities and responsibility
When I think about the planning that goes into creating a holistic cyber security strategy, creating resilience against attacks, adapting at a pace that leaves your head spinning at the end of each day, a failure within the security products that CISOs invested in begs the question, “Now what?”
If security vendors are not going to be as diligent as a CISO, where does that leave us?
And yes, CISOs have layered security, which can help you if your firewall fails. Nonetheless, we have to think about security as a matter of quality.
Investing in quality security is imperative. How can you do business with an organization if you can’t fully trust them?
Recommendations: Vulnerability management
As a CISO, if you purchase a product, you need to understand how that product could be vulnerable and how to take that into account within your security framework. What if the product that you’re investing in fails? Do you have redundancies in your system that can continue to protect your organization?
In addition, it’s incumbent upon security vendors to make devices difficult for hackers to disrupt. Beyond that, security vendors need to patch with a certain level of speed. No matter how obscure the vulnerability, or how improbable an attack may seem, it takes only a single threat actor to exploit it.
What this shows
As a CISO, when it comes to your security vendor, or any third party, you have to ask them the tough questions. Are they upholding security with secure design principles in mind? Are they designing with you, as a CISO, in mind?
One of my favorite quotes that pertains to CISOs and vendors alike is, “If you are going to achieve excellence in big things, you develop the habit in little matters. Excellence is not an exception, it is a prevailing attitude.” ~ Colin Powell.
This attitude is embedded in Check Point’s DNA. It epitomizes what Check Point is all about.