Building security in: An interview with Igor Bergman
An executive who feels very strongly about this topic is Igor Bergman, VP Software and Cloud, Advanced Innovation Center at Lenovo. Igor joined us for an exclusive interview, to share his thoughts on the importance of cybersecurity, and how to bake security practices in at every level of the organization.
What’s been keeping you up at night when it comes to security and the current threat landscape?
Honestly, the sheer scope of the threat landscape can be quite daunting. When you’re building solutions for emerging technologies, there are potential risks in all aspects of the product – from the components and firmware that go into devices, many of which come from third-party suppliers, to applications that might run on a user’s PCs, tablets and phones, to the cloud backend they all communicate with. All of these are targets for attackers, and therefore present potential security risks to customers and their data. Any breach has the potential to impact Lenovo’s reputation.
Creating leading products in emerging technologies will mean nothing if our customers can’t trust them.
How do you think security has been impacted by the COVID-19 pandemic, and what steps can organizations take to protect themselves, and their customers?
There’s no question that the number of cyberattacks increased during the pandemic. You may have heard about video conferences being infiltrated because the correct security controls weren’t in place. There have also been breaches reported where remote employees were targeted because the employee’s PC or remote access was not properly secured.
Phishing is also an ongoing, growing problem. Employees are working from home at all hours on networks or PCs that might not be properly secured, making phishing an even bigger problem during the pandemic.

To protect themselves, companies need to ensure that the security principles they apply for in-office working are also applied for remote employees. Enabling multi-factor authentication is an important step for protecting against phishing attacks. In fact, Lenovo is a founding member of the FIDO Alliance, an industry group dedicated to reducing an over-reliance on passwords on the internet. By enabling multi-factor authentication, businesses gain an increased level of trust that people accessing their systems and networks really are who they claim to be.
As a leader in technology, what are your thoughts on how teams can build security into software from the outset?
Training is key to building security into software from the start, and not just for security professionals. Everyone involved in product development should receive security training to ensure they understand why it is important and how it can be integrated into all phases of the development process.
Starting with design, we do things like threat modelling, and then integrate more security best practices through development and release. Once security becomes part of the development teams’ culture, it benefits everyone. The product team has fewer security issues to deal with, the security team has more confidence that the development team is doing the right things, and customers are more confident in our solutions.

A big part of being successful with an end-to-end approach to security is integrating automation into the process. Everyone is trying to do more with less, and automating security scanning tools for basic testing reduces the time that the team spends doing manual scans.
Budgeting time and resources for security at the onset of any project will be key. By doing this, you can help to avoid surprises late in the development process or, even worse, once the product is already in the hands of customers.
What are some of the most common pitfalls you see when it comes to cybersecurity, and how do you recommend addressing these?
Relying on a single or very limited set of tools. For example, having a firewall enabled does not automatically secure your Cloud service. Also, assuming hosting a solution on AWS or Azure automatically makes it secure is a common pitfall. We’ve seen news of so many data breaches occurring simply because businesses did not properly configure or secure the data stored in the Cloud.
“Defense in depth,” or multi-layered security, is important. For Cloud security, processes and controls should cover many different aspects; pen testing, code reviews, and configuration and vulnerability management, to name a few, are all important parts of a complete security program.
What security mistakes have you learned from during your role at Lenovo?
While we have implemented security into all stages of our development processes and continue to evolve and improve, it’s no longer enough to say to customers “trust us.” Customers are much more security-aware than ever before and are asking very pointed, detailed questions about our security practices and controls. By working together, we stay on top of the latest threats and continuously strengthen our security program.
In recent conversations, we’ve discussed security for voice-activated devices. Can you share some of your observations/learnings in this space? What do the creators of these types of emerging technologies need to be aware of?
Privacy is a key consideration when dealing with the capture and processing of voice input. We want to make sure we’re capturing voice input at the appropriate time -- when users expect it -- and ensure any processing of the voice input in the Cloud is done securely.
Again, we need to make sure customers can trust our solutions and with the many wide-ranging privacy regulations in place around the world, it is important to make sure we’re handling customer data securely.
Hear more from Igor in this podcast episode on Pragmatism in practice.
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.