In recent years, we've witnessed cybercriminals enhance their operations and introduce more sophisticated tactics in efforts to compromise organizations around the globe. All we need to do is look at recent news headlines to know that attackers' efforts to expand and infiltrate corporate networks have been and continue to be prevalent. From research showing that nearly a third of APT groups were active in 1H 2023 due to the continued growth of ransomware, every organization, regardless of size or industry, is now a target.

No single organization can combat cybercrime alone, even with the most effective technologies and skilled security professionals in place. Greater collaboration and transparency across public and private sector organizations are required to fight cybercrime effectively, and every business has a role to play.

During our recent Fortinet Security Summit, Hugh Carroll, Head of Government Affairs at Fortinet, sat down with Suzanne Spaulding, Fortinet Strategic Advisory Council (FSAC) member and former Undersecretary for the National Protection and Programs Directorate (NPPD) for the Department of Homeland Security, and Dr. Carl Windsor, Senior Vice President of Products and Solutions at Fortinet, to discuss the importance of transparency in protecting our networks and data. Below are highlights from their conversation.

Greater Transparency Drives Better Security

When an organization is under attack, there's a strong chance that other organizations in the same industry or geographic region are experiencing, or will experience, the same type of attack. This is why increasing our collective sharing of threat intelligence and vulnerabilities enables what Spaulding calls "fighting in the light," which is vital to protecting enterprises and thwarting potential breaches. As disparate organizations uncover new threat intelligence or vulnerability insights, they should consider how greater transparency will make everyone more secure. "There are so many adversaries [attempting to steal] information," she noted. "Whoever can figure out how to operate in a transparent world most effectively is going to have the advantage."

Windsor echoed Spaulding's thoughts, noting, "Sunlight is the greatest disinfectant." When organizations get in the habit of sharing critical insights as quickly as possible, security professionals have a better opportunity to effectively protect against a new threat or vulnerability. "That gets us one step ahead of the adversaries," Windsor concluded.

The Need to Normalize Transparency

Spaulding and Carroll agreed that the security community must normalize transparency and information sharing for organizations to collectively advance their fight against adversaries. "Everyone is getting attacked every day. We need to eliminate the stigma associated with that," Spaulding urged. "And the same thing has to happen now with respect to vulnerability disclosures."

A recent Forbes article about vulnerabilities and citing Fortinet's Global Threat Landscape report reinforced this point, emphasizing, "If a cybersecurity company claims to have zero vulnerabilities, that should be a red flag. If you see a vendor that claims no vulnerabilities, that's almost certainly because of a lack of disclosure, not a lack of issues." This ultimately can pose a significant cyber risk for customers.

U.S. government agencies like CISA, NSA, and the FBI collaborate to make critical information available to security practitioners. Spaulding stressed the importance of vendors being more forthcoming about vulnerabilities in their products. "All software is going to have vulnerabilities. So the real question is, how soon are you [as the customer] going to find out about those vulnerabilities so that you can take the appropriate mitigation measures?" she asked.

When asked about what considerations customers should weigh regarding best practice mitigation measures to incorporate into their review of cybersecurity solutions, Windsor recommended that security leaders look at an organization's website and review its published vulnerabilities to quickly ascertain whether transparency is in its DNA. "[If you look at our website, you'll see] advisories that we publish. We put them out regardless of whether we discover those vulnerabilities internally or not. Some vendors don't publish all their vulnerabilities, which is problematic because then users and customers don't know they need to upgrade or patch their devices."

Embracing "Shift-Left" Security

In addition to calling for greater transparency and information sharing, Spaulding and Windsor discussed the need for vendors to increasingly take a shift-left approach to security.

Windsor spoke about Fortinet's approach to enhancing its secure product development life cycle, making the organization's technologies secure by design and secure by default. "The goal of what we're trying to achieve is to shift security left to get to the point where we're not having vulnerabilities come out into production code." Windsor added, "We're also doing things like threat modeling to design vulnerabilities out of the product in the first step."

More Insights from the Third Annual Fortinet Security Summit

Fortinet recently hosted more than 500 executives, experts, and thought leaders at the Silverado Resort in Napa, California, for its third annual security summit to discuss the most pressing issues in cybersecurity. Learn more about the Fortinet Security Summit and read additional insights from the event.