
The Signs of a Secure Software Supply Chain
A
You're listening to the Cyberwire network, powered by N2K. Security has to be a business decision led by business leaders in the company. It should not be an afterthought. It shouldn't just be left to the security team to sort of try to convince the rest of the company that they should do this.
B
Hello and welcome to another episode of Data Security Decoded. I am your host, Caleb Tolan. And look, it is fall. I am in my monochromatic Costco sweater. I am living my best life. I hope you are too, this fall. Now, before I get into introducing our guest, if this is your first time joining us, welcome to the show. Make sure you hit that subscribe button so you're notified of new episodes. And if you're already a subscriber, thanks for coming back. We encourage you to leave a rating. Drop a comment below. Let us know what you think about the episode and of the show. Now onto our guest for the hour. Lauren Zabrack is the SVP at the Institute for Security and Technology, a longtime advocate for diversity in cybersecurity through initiatives like New America's Share the Mic in Cyber program. And she's been in national security for years with three stints spanning across defense, military, cyber, and counterterrorism. You name it, she's done it. And she previously led CISA's Secure by Design work and has extensive experience helping organizations strengthen their cyber supply chains and implement Secure by Default and Secure by Demand practices across complex technology ecosystems. You know, I really had a great time talking about the Secure by Design program, vendor security and how organizations can proactively manage cyber supply chain risks. I've left Hila waiting long enough. Let's get into it. All right, Lauren, thank you so much for joining us and welcome to the show. We're starting things off a little bit differently this time and I want to hear something non-cyber-related that you are obsessed with lately. I'll go first. A couple of weeks ago I was in New York City and I got to see Oh, Mary! with Jinkx Monsoon. It's a play on Broadway. Seriously, it was one of the funniest shows I've seen in such a long time. I'm such a theater nerd. I highly recommend it. 
If anybody's checking it out in the city, Jinx isn't in it anymore, but I highly recommend folks go check it out. What are you obsessed with lately?
A
Okay, so on a couple of other recent podcasts, I've mentioned my love of U2. I've also mentioned my new love of Cheetos. I'm not going to go in that now, I think. Otherwise, I'm kind of just too tired to be fully obsessed with anything. You know, just being a human right now, a parent of two young kids, et cetera. But I will tell you the things that are bringing me joy, and those are drumming. So I'm a drummer. I'm not a great drummer, but I, you know, I love doing it. I've just loved it for, for so long. I'm also taking a dance class, a hip hop dance class, and I just started a creative writing class. So those things.
B
Oh, very cool.
A
Yeah, I love that.
B
I love that. I tried to do some dance classes a couple years ago, and I fell out of the habit of it, but it is very fun. It's a great way to get some exercise and just like you said, bring some joy to your life. That's. That you can't find at a keyboard in front of a monitor.
A
Yes. And the cool thing about this class, it's this hip hop class class. And I saw these women perform at my daughter's dance recital, basically. And these women are all, I would say, 40 plus. Right. So like my age group, 40s, 50s, and I think even some 60s in there. And when I saw them perform at the recital, I was like, yes, I think I found my people. I want to join this class. So now I'm in it, and it's a ton of fun.
B
Oh, I love it. I love it. You're like, I feel seen. I need to be a part of this. That's. That's incredible. Awesome. Awesome. Well, to get into the media conversation, you've described your story as being dedicated to building a safer, more secure future with your career spanning national security, defense, cyber and counterterrorism. And a big project that you undertook when you were at CISA was the Secure by Design challenge. Could you provide a little overview of what that initiative was and the key objectives you focused on during your tenure at CISA?
A
Yes. So let me start with a story. This summer, I. We took our family to Seattle. My son is very into volcanoes. He really wanted to go see Mount Rainier. And so we, we decided to go and, and check out Seattle as well. And, and there's this Museum of Flight there. And at the Museum of Flight, they have this aircraft pavilion. And you go in and it's, it's this outdoor thing, and it's just packed with aircraft, like old decommissioned aircraft. You've got 747s. You've got a real Concorde. I've never seen a Concorde that close before. You've got an F-14 and just all of these cool planes. I'm an airplane nerd. My father was both a Navy and an airline pilot, and so I've got that in, in my blood. My husband is also a bit of an airplane nerd too. And so you walk through here and you know, you're just kind of enthralled, or at least I was. But then, you know, it's, it's very easy to sort of get lost in that. But what you might not see is under or sort of surrounding all the aircraft is this exhibit called the J. Kenneth Higgins exhibit on Safety by Design. And what it really showed, you know, the visitors there is that two things. First, flying used to be extremely unsafe, but now it's one of the safest ways to travel. But we didn't get there by accident, right? There was a concerted effort on the part of industry, on the part of government. And of course, you know, the consumers, the customers were also very invested in making flying safer as well. And so over the years, through systematic study of defects and of incidents and crashes, and you know, learning how these crashes happened in order to prevent them at scale, that led over time to a much, much safer mode of transportation. And so that really helps us to form a model for how we make other industries safer. So the automobile industry followed a very similar trajectory. So did food and medicine, and there are others. But these examples show us how we can do this with software. 
So at this point, I think we know software is just, it underpins our entire economy, our national security, our public safety, our public health, our daily lives, right? Our water, our hospitals, our energy. These are all things that are powered by software. And yet with few exceptions, our software is built insecurely now. And that of course leads to the ever growing cyber attacks and cyber incidents that we see now. It's not that these software companies are inherently bad. They're simply operating in a market that is completely misaligned. So it's really an economics issue. And so again, looking toward those examples, we have a path forward. We know that software can be made safer. And so just we really focused on driving adoption with the companies. We looked at really how to provide guidance. And then we also created the Secure by Design pledge. And at the time when we launched it in 2024 at RSA, we had 68 software companies sign on, which we thought was incredible. And we worked with the community, the technical community, the software companies to figure out not only would they sign it. Right. It wasn't just a pledge that said, yay, I'm going to make more secure software. It was seven concrete actions that these companies committed to work on through the course of the year. And then by the time we left, we had over 300 companies sign on. Now, this pledge, you know, it addressed certain things like eliminating entire classes of vulnerability. It talked about enabling multi-factor authentication by default across product lines. It talked about a vulnerability disclosure policy. Those are just a few things, but you can see that they're very concrete, measurable actions that lead to better outcomes. And so that's really what we focused on when we were at CISA. And now that we're at the Institute for Security and Technology, we're really building upon that momentum and the work that we did to continue to drive this mission forward.
B
Right, right. And Rubrik, the, you know, the company chartering this podcast did participate and is participating in the Secure by Design pledge. And to your point, it's, it's an ongoing thing. It's not just a moment in time where you claim you're going to make this, this pledge at a moment in time and then it's done. There's all of these steps that happen, you know, over the next several months and years to ensure that you are advancing the security of your platform. So it's incredibly important and I really love the way that you thought about this and, and how it came from almost this place of this, you know, experience at a museum with, with, you know, aviation and cars and being able to see the connection through how we've seen this happen throughout different phases of history is really, really interesting. So something I'd really be interested in hearing your perspective on is can you share an example of a successful implementation of secure by design and what lessons other companies could take away from that experience?
A
I want to talk about here the Secure by Design principles. So I think there's a lot of different tactics that companies can take in order to implement those principles, but ultimately they're non-technical, the principles themselves. So the first one is taking responsibility for your customers' security outcomes. Number two is to embrace radical transparency and accountability. And number three is really leading from the top. So ultimately what this tells us is that security has to be a business decision led by business leaders in the company. It should not be an afterthought. It shouldn't just be left to the security team to sort of, you know, try to convince the rest of the company that they should do this. It's the company leadership that should say, this is a priority and therefore orient the different resources and priorities around that particular topic. So I think the companies that truly embrace that, those ideas and again, there are different tactics for doing that and of course there are ways that we know how to again prevent those classes of vulnerability or things that we can do like enabling secure authentication or eliminating default passwords, things like that that are very well known that companies actually do. And you know, I want to go back to this idea that this is as much and maybe even more of an economics issue than it is a technical one. So we believe that having more secure software is not a technical impossibility, but the, the companies right now are acting rationally in a misaligned market. And so Secure by Design, I think, at its core is about shifting those incentives in order to drive a change in behavior.
B
Right, right, right. And so shifting away a little bit from the conversation about the vendors and those creating the software themselves more on the side of the companies procuring that software. When evaluating the vendors and third party partners that they're aiming to work with, what are some of the most critical security questions that they should be asking to ensure that their cyber supply chain is protected?
A
I love that we're focusing on the customers. We often think of them as the victims of insecure software. And so a lot of companies will, or software companies will say, well, we're not getting the demand from our customers to build more security features into the product. And then when we've talked to the customers, they're like, well, we do want security, but we don't know how to get it or ask for it. And just taking a step back again to the economics issue, software is what economists would refer to as a credence good. Now I know this is an esoteric term, but what that means is that it's very hard to assess the quality of a product or a service both before you consume it and after you consume it. So I'll give you an example. Maybe you know, you've had surgery, right? And you don't know whether, you know going in, is this going to work? And then even after, is this going to work long term? And I can say that from experience, I recently had back surgery to repair a fracture. So I think it's held, I think I'm okay, but we're not going to know for I think a long time. And so another example would be car repairs. You don't know the quality of that service. And even if you, you undergo that service, you still don't quite know, hey, did that actually work and is my car actually fixed? So the idea that it's a credence good that we can't assess the quality of software before we buy it and then after we start using it is a problem. Right? We don't have the criteria, we don't have the benchmarks in order to fully assess that. Now what we would like to do is move it from that credence status to maybe an experience good where you have to sort of buy a good or a service and then you can assess for yourself whether that is something of quality. So that's like meals that we eat or in your case, a Broadway show you didn't necessarily know going in. But once you've experienced that, you're like, this is amazing, right? 
And then of course it would be great to move it to a search good where you can fully assess, like you look at a piece of clothing and look at the tag. Oh, I can see that, you know, the different materials that this is made of, you can feel it, you know that it's good quality. So to that end, what are some questions that we have right now? Well, when we were at CISA, we released a Secure by Demand guide. So we have, you know, our Secure by Design and we sort of rolled Secure by Default underneath that. But we also pushed this idea of Secure by Demand in this guide. We supplied customers with different questions and some of those questions are things like, does this product support secure authentication? Is it done by default? We also recommended asking the vendors, you know, how are you eliminating entire classes of vulnerability? You know, does it use memory-safe languages? How are you eliminating cross-site scripting or SQL injections? Things that developers know how to do but often aren't incentivized to do. So does the, you know, does the organization provide security audit logs for free? So those are the things that customers can ask that show outcomes and I think progress toward increased security and safety, right?
B
Absolutely. And getting answers to some of those questions are, are certainly a way that you can avoid a nightmare scenario. But speaking of nightmare scenarios, my next question for you is not so much very technical, but we are in the scariest month of the year, October.
A
And is that because it's Cyber Security Month?
B
It is also cybersecurity. Yeah, it is Cybersecurity awareness month. It is also Halloween this month. And I know from our conversation prior to our recording, you mentioned you have kids and you mentioned this at the top of the episode as well. Do you have a family costume planned? What, what are you going to be wearing for Halloween? Or is it really mostly focused on the kids this year.
A
My kids are completely obsessed with Halloween. I don't know where this comes from because it's. It's not like I. I really push this on and my husband, same thing. We're like this. This sort of comes out of nowhere, but it's hilarious to us. And they have set themes for each Halloween, and this goes out for a couple of years. This year is Star Wars Halloween, and so they're going to be Darth Vader and Princess Leia. They've recommended that I be C-3PO. I don't know how I'm going to pull this off. So, yeah, I don't quite know yet. Typically, I like to sort of make up different costumes, but because they're so invested in this, I'm like, I have to find a way. I'll also say, too, for the record, I'm not necessarily a Star Wars girl. I'm more of a Spaceballs girl. And I'm super excited that the sequel is coming out soon, so maybe they'll let me get away with Dot Matrix. We'll see.
B
Very nice. Very nice. And you know, of all of the characters in Star Wars that they picked C-3PO, at least it's not the most offensive that it could have been, I would imagine, if I were in that scenario. Someone saying, like, oh, you should be Jabba the Hutt. No, no, that's not on the table. It's not on the table for me.
A
Not gonna happen.
B
That's incredible. Yeah, it's incredible. Awesome. Well, I want to shift gears a little bit and talk about another incredible program that you helped found, and that is the Share the Mic in Cyber Fellowship at New America, which is a think tank in DC. We've had some incredible alumni from this. From the program on this podcast, including Pavlina Pavlova, Gabrielle Hibbert, Michael Razik. If, you know, for the listeners who. Who may have not already heard those episodes, go check them out. They're all really interesting. These folks have done some really impactful research that it's just very fascinating to listen to and is very valuable. So jumping back into the question at hand, though, can you give me a rundown of the goal of what this initiative was originally founded for? And then I'd love to hear more about some of the real-world impact that these fellows have. Have created after leaving the program.
A
Well, first, I just want to thank you for having the fellows on to talk about their research. It. It's so great to see them out there and talking about this and I just really appreciate you giving them the platform to do that. Share the Mic in Cyber was created in 2020, and that was at a time, right? We created it to continue to meet the moment. And at that moment in time, the need was visibility and amplification of the voices of black cyber professionals who were working in this industry, doing really important work, but often weren't getting recognized for that. And so the way that we decided to amplify the voices and to create that visibility was to hold eventually five different social media campaigns on both Twitter and LinkedIn. Back then it was Twitter and my co founder, Camille Stewart Gloucester. I just love this story because we essentially met, I would say serendipitously. I saw, I had this thought when I, when I saw the original Share the Mic now campaign, I thought, ooh, this could really be interesting and useful in cyber. And then I saw her post on Twitter something very similar. So I slid into her DMs. Five years later, you know, we're still growing strong, we're very good friends, and it's just been such an amazing ride with her. And then of course with Caitlin Ring Rose as well. So after a couple of years and five different campaigns where, and I think at the height, one of those campaigns generated over 100 million Twitter impressions, which is pretty incredible. We then shifted to, okay, what's the next need of the moment? And so as Camille was going into the White House, into this policy role, and we were looking at this landscape and thinking, okay, where do we need to sort of orient the community now? Where is the most need? And we thought cyber policy would really be benefited by more diverse voices. Our thesis has always been diversity is essential to cybersecurity. 
So for the last three years, we've held this fellowship at New America, and you're right, we've had, we've supported over 21 different fellows over the last couple of years. They've done, you know, cutting edge research that has demystified the connections between cybersecurity and vulnerabilities and human harm. And I think that's where our value has really shown itself. And we've looked at the different economic and technical and psychological and social harms and shown really how innovation and safety should go hand in hand. And so you mentioned a couple of our fellows at the, at the top of this question. You know, they're looking at things like the gendered impacts of cyber attacks and cyber incidents. And, you know, on that, it's just like when, when critical infrastructure services are simply not available. They've been disrupted. What are the actual implications and the harms on, you know, especially women? Looking at an AI bill of materials like a nutrition label. And this was before, you know, that really, that conversation really started to gain traction. Michael Razik did a legal framework for states who are examining, starting or continuing their civilian cyber corps. So again, these, these areas that typically were under-explored. And so the fellows, they came in with their ideas and we worked with them to support them and to hone those ideas, to get their research out and then to be able to talk about it. And we're just so proud of not only their work and especially to further these kinds of policy issues and develop recommendations, but to go out and talk to the media, to industry, to policymakers and the executive and congressional branches to talk about these ideas and really shed light on these particular issues. And so, yeah, we're just, we're excited about all the work that we've done. 
And I'll just sort of preview for now because I don't know exactly when this is coming out, but we will have an announcement, announcement soon on, I guess the next evolution of Share the Mic in Cyber.
B
Incredible. Well, I'm excited to see that come to fruition. And thank you for kind of giving a little bit of a preview of what some of the research was that came out of this program. Because like I mentioned, we had these folks on the podcast and they got to talk about each of those things a little bit more in depth. So people go back and listen to them. They're great. Read their papers, go follow them on LinkedIn, see the incredible work that they're doing because they're out there advocating for some very important things. And I really appreciate you taking the time and putting in all the effort to help build a platform for these folks through the Share the Mic in Cyber program. But Lauren, thank you for joining us for the podcast. This has been an incredible conversation. Where can our listeners find you and learn more about the incredible work that you're doing?
A
I really appreciate that. So I myself, I'm on LinkedIn. Lauren Z. 1010, you can find me at the Institute for Security and Technology. So if you go to securityandtechnology.org you can start to see the work that we're putting out. We just put a paper out this past week on a blueprint for the next 25 years of the CVE program and how it should be reformed. You can also go to New America and check out the work that the fellows from the Share the Mic in Cyber Fellowship did. And also a quick shout out to Bridget Chan, who literally took this idea that we had and made it come to life. So I just want to give her a shout out. And then also you can check out sharethemikencyber.com and also, I think, I think we still have merch, but you can see here, I've got my Share the Mic in Cyber mug.
B
I love it. I love it. And yes, plus one to that, shout out to Bridget. She's great. She's been wonderful to work with and she's done some really incredible work with this, too. So, Lauren, again, thank you so much for joining. And until next time, thank you. Caleb, Sam.
Date: November 4, 2025
Host: Caleb Tolan (Rubrik)
Guest: Lauren Zabrack (SVP, Institute for Security and Technology; former CISA Secure by Design lead)
This episode of Data Security Decoded explores the foundational cybersecurity concepts of Secure by Design, Secure by Default, and Secure by Demand. Caleb Tolan welcomes Lauren Zabrack—renowned national security and cybersecurity leader—to discuss how organizations and software suppliers can proactively build and demand security throughout the supply chain. The conversation highlights practical strategies, success stories, and actionable advice for vendors and customers alike, along with the importance of leadership and diversity in shaping the future of cybersecurity policy and practice.
"I'm a drummer. I'm not a great drummer, but I love doing it." (02:14 - Lauren)
"Flying used to be extremely unsafe, but now it's one of the safest ways to travel. But we didn't get there by accident..." (04:13 - Lauren)
"We worked with the community ... it wasn't just a pledge that said, yay, I'm going to make more secure software. It was seven concrete actions that these companies committed to work on through the course of the year." (08:13 - Lauren)
"Security has to be a business decision led by business leaders in the company... It shouldn't just be left to the security team to sort of try to convince the rest of the company that they should do this." (10:17 - Lauren)
"Having more secure software is not a technical impossibility, but the companies right now are acting rational in a misaligned market..." (11:12 - Lauren)
"Software is what economists would refer to as a credence good... you can't assess the quality of a product or service both before you consume it and after you consume it." (12:38 - Lauren)
"Those are the things that customers can ask that show outcomes and, I think, progress toward increased security and safety." (15:42 - Lauren)
"I have to find a way. I'll also say, too, for the record, I'm not necessarily a Star Wars girl. I'm more of a Spaceballs girl." (16:50 - Lauren)
"The need was visibility and amplification of the voices of black cyber professionals who were working in this industry, doing really important work, but often weren't getting recognized for that." (18:45 - Lauren)
"Innovation and safety should go hand in hand." (21:53 - Lauren)
"We just put a paper out this past week on a blueprint for the next 25 years of the CVE program and how it should be reformed." (23:52 - Lauren)
"Quick shout out to Bridget Chan who literally took this idea that we had and made it come to life." (24:20 - Lauren)
"Security has to be a business decision led by business leaders in the company. It should not be an afterthought." (00:02–Lauren, echoed at 10:17)
"It wasn't just a pledge that said, yay, I'm going to make more secure software. It was seven concrete actions..." (08:13–Lauren)
"You don't know the quality of that service... even after we start using it is a problem." (12:38–Lauren)
"Diversity is essential to cybersecurity." (21:53–Lauren)
"Just being a human right now, a parent of two young kids, et cetera... drumming, hip hop dance, creative writing—those bring me joy." (02:14–Lauren)
The conversation was deeply practical yet approachable, combining industry insight with real-world anecdotes and a strong focus on actionable strategies. Lauren’s experience in government and her advocacy for diversity added a forward-thinking and inclusive dimension to the dialogue. The episode offers not only a crash course on Secure by Design for both vendors and customers, but also a look at the cultural underpinnings necessary to advance resilience and equity in cybersecurity.
For more practical advice, strategies, and voices driving the future of data security, listen to the full episode or explore the referenced initiatives and research.