Ask Blackberry VP of Product Security Christine Gadsby a question and you’ll get a thorough answer. The 15-year Blackberry veteran has been in management at the company since 2011 and is an encyclopedic resource on all things cyber.
IT Brew caught up with Gadsby in San Francisco at the RSA Conference and got to pick her brain on a number of issues, including how saturation expands the threat surface.
We asked Gadsby how she sees the overall cyberthreat landscape going forward over the next year—specifically, the supply chain. Here’s what she said.
This interview has been edited for length and clarity.
In your expert opinion, where do you see the next six months or the next year going with respect to the overall threat surface?
It is sort of an interesting crystal ball moment. I am seeing the industry start to look at this more like a supply chain—all of it, not just software. But if you look at any company—whatever the company, if you are a software supply-chain company or you make donuts, it doesn’t matter—you have a supply chain of some sort. You make something, it goes to market, and you sell it and [if] you have customers, [then] you have their data.
The supply chain is going to become the target. If I am a hatmaker, what kind of data is valuable to me, and who do I ship it to, and who gets those hats? And then, if I am sending a receipt to somebody in their email, then there’s a person on the other side that becomes part of a supply chain.
Can you explain how the supply chain faces cybersecurity threats?
For Blackberry, it’s obvious from the software we sell to all kinds of customers, we are their supply chain. For software manufacturers, this is a huge different ballgame. Because when we make a product, it goes into someone else’s network that has access to all that stuff, and then they send it out to somebody else. It’s looking at the attack surface as a supply chain problem and not an IT problem.
Because for a very, very, very long time, it was looked at as a network problem. It’s not a network problem. It’s a supply chain problem. A network is built of thousands and thousands of widgets, and any of those widgets could have an attack surface on them and bring it to that network.
I see the trend is going back to the vendor who makes the thing and we see this in the industry and in the world…If we make a widget and we sell it and we profit off of it, we have to make sure that whatever we put into that supply chain is secure, and if we don’t then we need to figure out why, because other people are paying the price for that—you’re paying the price for it, I am, [and] companies are paying for it.
So, I see the shift in that. You can bring in all the fun terms, zero trust, we can look at 5G and smart cities and we can look at operating systems versus network segmentation. We can look at all that kind of stuff. But until we really compartmentalize it and look at it as a supply chain problem, we’re still only going to pick the one thing and then all the other things are gonna be left out.