As Cybersecurity Awareness Month 2021 draws to a close, it’s important to note that the theme for our final week — “Cybersecurity First: Make Security a Priority” — starts with the companies you partner with for products and solutions for your agency. When you make a purchase, you’re trusting that the company you are buying from takes cybersecurity just as seriously as you do.
However, you may have noticed that every vendor claims that cybersecurity is a top priority for their company. Determining who really walks the walk when it comes to vendor security can be difficult. Here are a few questions you can ask vendors to get an idea of how seriously they really take cybersecurity.
How is your cybersecurity strategy established, implemented and verified?
All three phases of this question are critical. Every company should have a strategy for their approach to cybersecurity, a way to deploy that strategy within their products and services and independent oversight as to whether the strategy is successful.
At Motorola Solutions, our cybersecurity front line is the product managers and development teams that create our solutions, and the deployment, support and service teams in the field. This on-the-ground group builds cybersecurity into the product from the beginning and gets constant feedback about possible improvements or risk mitigations that get incorporated into the next release of the solution. They have a very tactical approach to cybersecurity through the lens of their particular product.
The larger cybersecurity strategy for our products and services, as well as cybersecurity training and development for our employees, comes from our Products and Services Cybersecurity team. (Full disclosure: I have the honor of leading this organization.) Left to their own devices (pun intended), individual product teams might begin to diverge in their approaches to cybersecurity. My team ensures that there is a consistent cybersecurity direction, that information is shared across all impacted teams, and that there’s an escalation path for issues to be addressed and improvements to be adopted.
The verification of our cybersecurity strategy resides with our Chief Financial Officer and the Board of Directors. Independent auditing firms assess our cybersecurity strategy, implementation and results, and then provide those reports to the Board. This ensures objective reporting of our successes and failures, and an accurate view of the progress made and risks to the company. If we are falling short or not following best practices, course corrections quickly follow.
If a vendor tells you that cybersecurity is everyone’s job, that could mean it’s nobody’s job. Make sure there is someone with responsibility to chart the course, and someone else to confirm that the course is being followed. Of the three elements, verification is the easiest to overlook, and arguably the most important.
How is cybersecurity part of your corporate culture?
Again, every vendor — if they want to stay in business — will tell you that cybersecurity is part of their corporate culture. It’s important to push on that basic statement to understand how, exactly, that is being accomplished.
Any company using technology should be training their employees on the basics of cybersecurity for the protection of their own organization. (Motorola Solutions has mandatory annual training courses on cybersecurity, as well as ongoing vigilance training through white hat phishing efforts from our own IT organization.) While that is a starting point for good cyber hygiene, the individuals actually developing products should have a higher level of understanding.
At Motorola Solutions, we’ve had our Cybersecurity Champions program in place since 2018. Now 700 members strong, these are product and field services personnel who take on additional training and then drive cybersecurity into every phase of our product development. For us, this is a key to a greater understanding of the importance of cybersecurity, and critical to adopting it as a must-have, foundational focus for development teams in the same way that quality has been treated for decades.
Building — really building — cybersecurity into your culture takes a tremendous amount of time and effort. When it works, it fundamentally changes the way a company thinks about cybersecurity. The next time your vendor makes this claim, ask some probing questions to see just how deep that commitment goes.
What are the biggest cybersecurity risks to my industry?
The cybersecurity threat landscape is massive, and growing every day. While it’s important to cover all risks at a base level, the most effective way to develop secure products and services is to know where and how a threat actor is likely to target your solution, and then develop it to be particularly prepared for those attacks.
Consequently, vendors need to understand the threat landscape, the likely threat actors, and their preferred methods and strategies. Deep domain expertise is a plus here — a single solution sold to companies across all industries is less likely to be optimized for the specific risks your industry faces.
The Cybersecurity Products and Services organization at Motorola Solutions includes our Threat Intelligence team, a dedicated group that monitors cybercriminal activity against public safety agencies across the globe. By understanding the typical attack types used, knowing the telltale indicators of particular cybercrime organizations, and tracking trends among cyber criminals and nation-state actors on the dark web, our Threat Intelligence team can better anticipate cybercrime trends and alert our product and service developers to how these groups are exploiting public safety software. We are constantly researching what is happening to better protect your mission. We also publish our annual Threat Intelligence Report, which outlines our learnings from this team and provides the public safety industry with valuable insights into cybercrime, so you will know which priorities will make the most difference.
If your vendor doesn’t understand the most prevalent threats against your industry, the odds of them successfully mitigating those threats are greatly diminished. We are supposed to be bringing expertise to your organization, not just collecting a check.
Summary
Making security a priority is a shared responsibility between you and the companies that provide your products and solutions. Vendor security is critical to putting cybersecurity first, and a vendor that takes shortcuts while saying all the right buzzwords can endanger your organization. While no manufacturer is perfect, one that can successfully answer the questions above will put you on the path to greater security overall, and speedier recoveries when bad things happen.