BlackBerry VP: The software supply chain is becoming more transparent


25 Mar 2022

Christine Gadsby. Image: Blackberry

BlackBerry’s vice-president of product security discusses what the Biden administration’s executive order on cybersecurity means for the software industry.

Christine Gadsby is the vice-president of product security at Canadian multinational BlackBerry, which specialises in enterprise software and IoT technology.

This means she’s responsible for ensuring that the company’s software supply chain is protected. This includes a broad scope of responsibilities such as the security posture of software, how security is built in at the design phase, as well as advisory communications.

Future Human

She has been with BlackBerry for more than 13 years and before that she worked for Microsoft as a senior security organisational development consultant.

‘An attacker needs to be right once and the defenders need to be right every time’
– CHRISTINE GADSBY

What are some of the biggest challenges you’re facing in the current IT landscape?

One of the most obvious challenges that lots of companies are facing is the absolute explosion of endpoints as companies are forced to work remotely. What ends up happening is attackers have a much more convenient and available attack surface to work from, so it’s not only that people are working from their favourite coffee shop or the library or their home.

Attackers now have convenient times. People are working at dinner time, people are working on Saturday at 2pm and that really wasn’t the case before the pandemic, where companies could really count on their corporate security strategy to lock down a lot of workers who were behind lots of great security walls doing work on a premises. When you disperse that, all of those endpoints just become everywhere.

So, it’s kind of like looking at security through a locked front door, but now there’s no front door any more. It’s kind of just everywhere.

So I think that’s probably the biggest challenge that most companies are facing right now. How do we deal with that attack surface spread because it’s just a lot bigger than it was before.

I’ve heard a lot about the ‘security culture’, but how is that really built in? You have to get more down at the tactical level and think about, ‘What are the business plans for HR and finance and legal and how do you really create that prevention-first methodology?’

There’s really no more single pane of glass in a front door. An attacker needs to be right once and the defenders need to be right every time, and so how do you go into the business planning and really drive that as a business function and a mentality and a culture? And then how are you taking that data and using that intelligence to make smarter decisions?

What are your thoughts on digital transformation within your industry?

I’m probably biased here but I don’t see a more challenged industry than security, especially for companies that are creating security software. Digital transformation is extremely important because it’s kind of the new normal and there’s so much critical data to manage in security.

I think there’s some tactical things that we’ve focused on that have helped. Firstly, that’s just acknowledging that everything has to have a digital transformation when it relates to security because that AI model where we’re learning from our own intelligence is really going to force that digital transformation.

So that’s the first thing, but secondly we have to acknowledge there’s a skill gap there. And in the industry, there’s a skill gap with digital transformation. I know that’s a general concern that a lot of companies share.

We’re definitely promoting training programmes that are focusing on those top digital skills areas. On the non-technical side, that’s looking at collaboration tooling and project management, and then on the technical side, to ensure that there’s this one-, three-, five-year plan to make sure that we can adapt and thrive and that’s in every area.

I think the one place that I’ll highlight where it’s really critical is in vulnerability management. The goal with all of that vulnerability data is to make a signal actionable so that you’re not just getting 18 different dashboards of data.

In a digital transformation world, that data comes to you with things sorted out that need to be action as opposed to so much noise that you don’t even know where to start and therefore you’re missing a critical signal.

What big trends do you see coming down the line?

I’m very excited about some of the work that’s happening in the software supply chain itself. The cybersecurity executive order that US president Biden released, I’m very excited to see some of those controls go into place.

I’m really excited to see some of the things it’s forcing the hand on, for example, things like the software bill of materials in particular. There’s a lot of really great industry work happening in how do we pull together a software bill of materials for software in the supply chain? How do we attest to its components? How do we look at what’s in it? How do we make that available?

What I’m mostly excited about is seeing the industry come together to work on this. Typically security’s a tough nut because you have many companies off trying to do their own solutioning. But with a software bill of materials, we’ve had a lot of great working groups and a lot of great leaders step up and really pull together companies and their thoughts.

The outcome of that is it’s going to make the software supply chain more transparent. It’ll force vendors to patch their software vulnerabilities. It will allow consumers of software to have transparency, it will allow them to get a look under the hood at what contents are actually in the software they’re consuming and putting into their environment.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.