By Editorial Team
Cybersecurity is a topic that continues to grow in importance for both the general population and those who work in the tech industry. While news headlines about security breaches affecting various companies are now almost a daily occurrence, many still don’t understand the responsibility that every one of us has to keep our own personal and workplace networks secure. This October, Synopsys will celebrate the 17th annual Cybersecurity Awareness Month by continuing to educate our own workforce about security best practices.
Although cybersecurity can be a scary topic for some, it doesn’t have to be when organizations and employees are prepared. This month, we will be driving a company-wide best-practices initiative to discuss security topics such as multi-factor authentication, endpoint protection management, securing devices at home, identifying and reporting suspicious activities, and much more. Beyond the importance of individual accountability, we recognize that cybersecurity has become an influential business driver and differentiator in an industry that relies on microelectronics and software.
We caught up with Synopsys Chief Security Officer (CSO) Deirdre Hanford to discuss how we’re driving home the need for standardized cybersecurity practices for both individual employees and the teams directly working with customers on leading technologies.
Q: You’ve had a wide variety of positions and experience at Synopsys. Please tell us about your latest opportunity as CSO.
A: When Synopsys co-CEO Dr. Chi-Foon Chan decided to establish a Chief Security Officer position, he understood the critical aspect of information security, but also realized that security was very much a business topic. For that reason, he wanted a stakeholder who understood technology and also appreciated the impact that security has on the business. A CSO is a champion for Synopsys’ assets and opportunities in the market as well as a champion for the customer. Fast forward to today, I’m responsible for not only protecting our assets, but also looking for ways that we can strengthen the industry overall with security capabilities and solutions from Synopsys.
Q: What are the biggest security threats that have come up this year as many continue to work remotely in response to COVID-19?
A: One key concern is employees falling victim to phishing content that can be delivered either via email or potentially through social media platforms. Any time an employee clicks on a phishing link, it provides an entry point for malicious actors to get into our network and cause harm. Educating our workforce about being smart, not clicking on links that look suspicious, and reporting what they think might be a phishing campaign is very important.
Q: One of the key messages this year at Synopsys is “Be a Human Firewall.” What does this concept mean to you personally?
A: Many think it’s only the security and information technology teams’ role to protect our company and customer data. In reality, each and every one of us has a role in ensuring security. As this month goes on, I challenge each person working for Synopsys to be proactive in their personal and collective cybersecurity practices as they work remotely, whether they have just started or been a part of our team for years.
For example, one proactive employee in our accounting department fended off a bad actor. Someone contacted our accounting department claiming to be an employee who was looking to change his contact information. Our accounting employee prevented what could have been an identity theft incident by taking proper measures to double-check the request with the actual employee. That’s the kind of diligence and critical thinking skills that we encourage everyone in our organization to develop and practice to be “a human firewall.”
Another actionable way that development teams are exhibiting this concept is by employing Security Champions, software developers who provide the first level of defense when it comes to providing application security guidance to their teams.
Q: How important are Security Champions for Synopsys across the organization?
A: Synopsys isn’t composed of just one R&D team. There are multiple teams at the cutting edge of emerging technologies and concepts around the globe, and our Software Integrity Group (SIG) has particularly advanced security practices. In fact, SIG has been recognized as a Leader in the Gartner Magic Quadrant for Application Security Testing for four consecutive years. That’s why we’re always looking to them to provide learning opportunities to teach other groups in the organization. The SIG team is made up of best-in-class experts who support our strategy and industry-leading products. SIG is dedicated to building tools and services to help developers around the world. These tools can be integrated into development teams’ existing processes, enabling them to code securely from the beginning of the software development life cycle. We also employ Security Champions throughout our technical teams who advocate for security practices as the first level of defense. This is a concept we encourage our customers to employ and certainly a practice that we live by as well.
That’s especially true any time we acquire a company. The SIG team provides rigorous support when onboarding companies to make sure their software development practices address security and meet our standards.
Q: The latest version of the Building Security In Maturity Model (BSIMM) recently came out in September. How has the BSIMM evolved over the years?
A: The BSIMM is a tool that helps organizations plan, execute, measure, and improve their own software security initiatives (SSIs) based on software security practices observed across 130 firms in diverse industries such as healthcare and insurance. As you mentioned, Synopsys recently released the 11th annual BSIMM study, and it’s extraordinary that every year they find some new element about developing software that moves the security goalpost forward. We know that, just like Synopsys, organizations in every industry are challenging themselves to better their security practices and policies. Not only does the BSIMM provide valuable information for security professionals, it also brings together the great minds in this area on an annual basis at multiple regional conferences.
This year, the study showed a number of new findings. One of the most popular topics of conversation was that the “shift left” concept has evolved from simply performing security testing earlier in the development cycle to performing security activities as soon as the artifacts to be reviewed are available. Additionally, the study included the FinTech vertical for the first time this year due to the number of firms in the data pool. Download the full-length report for more details.
Q: How is Synopsys helping other organizations enhance their security practices?
A: There is a lot of discussion now around implementing a more rigorous software pipeline that has security baked into the development operations (DevSecOps). Our SIG consulting organization does a great job helping people chart that journey. You can’t adopt an agile, security-first model by snapping your fingers. The consulting arm of SIG helps companies figure out how to get on that path based on their specific needs.
In addition, we’re seeing the industry shift to value secure hardware in addition to secure software. Back in June, the Defense Advanced Research Projects Agency (DARPA) selected Synopsys as a Prime Contractor for the Automatic Implementation of Secure Silicon (AISS) program. That’s just one example of how Synopsys is bringing security to the forefront of the chipset design process that has been previously hyper-focused on performance and cost objectives.
Q: What is the first place you would recommend that someone go who wants to educate themselves on the best cybersecurity practices?
A: I’ve personally been doing a lot of industry networking, trying to get to know other CSOs who have similar roles to understand how they’re approaching their job. For instance, Synopsys is looking more and more to the cloud. We want to benchmark our peers and understand how they’re attacking the problem of securing the cloud. Security is a team sport; it shouldn’t feel like a competition. I’d be more than happy to talk about security with our industry peers because I feel like we can rise up to that challenge and help each other. At the end of the day, we’re fighting against the same bad actors and have the same shared purpose.