How Ivanti CEO Jeff Abbott sees Secure by Design

CEO Jeff Abbott talks about the changes on the way at Ivanti—but the company’s “not necessarily slowing down.”
Francis Scialabba

After a rocky start to 2024, the IT and security company Ivanti made its New Year’s resolution in April.

Following a discovery in January of vulnerabilities in Ivanti’s Connect Secure virtual private network (VPN) and Ivanti Policy Secure network access control (NAC) products—weaknesses that ultimately led to CISA emergency directives telling customers to disconnect and patch before returning the devices to service—Jeff Abbott, CEO of Ivanti, wrote an open letter to customers declaring a “new era” emphasizing “secure by design” principles.

The secure by design methodology, in short, puts protection burdens and accountability on the manufacturer instead of the customer.

“We have already begun applying learnings from recent incidents to make immediate improvements to our own engineering and security practices,” Abbott said in the letter.

Abbott spoke with IT Brew in April about immediate changes—and what they mean for the company’s product developers.

The conversation below has been edited for length and clarity.

Do you have a favorite example of an “immediate improvement” you’ve made to engineering and security practices?

A day-in-the-life example is penetration testing. We had been using a kind of nomadic model where pen testers would move from product to product…And what we’re moving to is additional security and pen-testing resources so that we can have dedicated teams that truly stay with each of the products long-term. It’s the difference between, “I’m a pen-tester that’s responsible for a portfolio of 70 products,” and “I’m a dedicated team of pen testers moving down to five products.”

Does that involve hiring more people?

Oh, yes. 100%.

Whose job changes the most when there’s a “Secure by Design” emphasis?

I think the organization whose motion changes the most is engineering. As an industry, we’ve been all consumed by trying to maintain strategic competitive advantages, in terms of features and functions, and the value that the product delivers, and the business outcomes it creates. And secure by design says, ‘Look, you need to change the balance of focus, and shift it more towards security earlier and earlier in the process’…Here’s the bottom line: Every time we learn new techniques from these threat actors in these nation-state attacks, we’re going to make sure that part of the immediate engineering commitment to the customer and roadmap is to fix that. And to get ahead of that, or to stay in front of that, so that it is a continuous loop of security hardening.

How do you encourage engineering teams that might suddenly have to change their day-to-day responsibilities?

Traditionally, software companies have gamified and celebrated on-time features, functions, low bug counts…So, what I mean by gamify is, now we’re going to do the same thing for security. We’re going to celebrate the engineers and the teams that have eliminated X number of weaknesses, that have overcome X number of persistent security threats. So that they know that this is on my radar, on the board’s radar, it is as much to be celebrated as the commercial side of software development.

How much does this effort involve slowing down?

Well, I wouldn’t say we’re necessarily slowing down a tremendous amount. We just released a big new product today at our annual event.

How can you be fast and secure by design? It feels like the two goals are almost at odds.

The product roadmaps are going to shift—not slow down, but shift. There won’t be as much a feature/function [balance] in certain products for the foreseeable future as there will be a balance of feature, function, and security hardening.
