
How Proactive Responsible Radical Transparency Benefits Customers

Jun, 05, 2024 Hi-network.com

Fortinet is committed to collaborating with esteemed cybersecurity authorities to advance critical industry discussions. One of those vital conversations occurred at our RSA Conference (RSAC) 2024 panel, "No More Secrets in Cybersecurity: Implementing 'Radical Transparency.'" The discussion focused on the importance of embracing responsible radical transparency, which promotes proactive and robust security standards in product development. Aligned with that discussion, Fortinet was also one of the first cybersecurity companies to sign the Secure by Design pledge at RSAC. The pledge, developed by the Cybersecurity and Infrastructure Security Agency (CISA), encourages technology manufacturers to design products with greater built-in security. Below is a recap of the RSAC panel and of why organizations should demand responsible radical transparency from all their vendors.

Increased Transparency Benefits the Entire Industry

During the event, Fortinet hosted an in-depth discussion about the need for responsible radical transparency across the cybersecurity industry. The panel session featured several leading industry voices, including:

  • Dr. Carl Windsor, Senior Vice President of Product Technology and Solutions, Fortinet
  • Michael Daniel, President and Chief Executive Officer, Cyber Threat Alliance
  • Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA
  • Suzanne Spaulding, Former Undersecretary, U.S. Department of Homeland Security

From making more informed purchasing decisions to putting out a call to the industry for stronger transparency best practices, the panelists discussed how responsible radical transparency helps everyone, including each organization that relies on security technology to safeguard their business.

Transparency powers purchasing decisions

Responsible radical transparency benefits customers in numerous ways, beginning with evaluating and purchasing security technologies.

"Customers of technology products are largely unable to discriminate based on security because they lack the data to do so," explained Goldstein. "The idea behind radical transparency is for every technology provider to be extremely open with their customers about the safety and security of their products [...] so that customers can make an educated and informed risk decision." Enabling customers to make buying decisions based on security, he contended, creates a virtuous cycle and a "market incentive for better security."

Regular disclosure of vulnerabilities fosters trust

In a recent blog post published by the Cyber Threat Alliance, RSAC session panelist Daniel discussed the importance of vendors creating and implementing a robust internal vulnerability discovery process. "We want vendors to have [a robust process] so that vulnerabilities are found and fixed as soon as possible, preferably before anyone exploits them. Since an honest analysis will inevitably reveal vulnerabilities, a company looking for vulnerabilities will find more vulnerabilities than a company that isn't looking. We do not want to penalize companies that conduct such robust searches; in fact, we ought to reward them because it will make the entire ecosystem safer in the long run," he wrote.

Spaulding advised caution when evaluating vendors that don't regularly disclose vulnerabilities. "It's not because they're not finding vulnerabilities," she said. "We see a lot of companies bury fixes in their next round of updates and combine those with new features," Spaulding continued. "So you get this update, and you'd never know that what's in there is a patch for a vulnerability that was found weeks ago."

"We understand that there are vulnerabilities in all software products and all hardware products," said Daniel. "No one has discovered a way to write bug-free software yet." He urged cybersecurity vendors to embrace humility and work together toward implementing secure-by-design principles and embracing responsible radical transparency.

A call for transparency and accountability

While cybersecurity vendors must implement clear and robust secure-by-design practices, any organization that relies on security technology has a leading role to play when it comes to furthering a culture of responsible radical transparency.

"If you are a technology consumer, [you need to] create that demand signal for every single provider and vendor," urged Goldstein. "Ask them questions: Have you signed the Secure by Design pledge? How do you communicate transparently about what you're doing? Create the expectation that security is a right, not a privilege."

Furthering Our Commitment through CISA's Secure by Design Pledge

As the cyberthreat landscape intensifies and adversaries exploit vulnerabilities at an unprecedented pace, it is more vital than ever that technology vendors embrace responsible radical transparency proactively.

Fortinet has long prioritized the safety of our customers. We are committed to secure product development processes and to proactive, responsible vulnerability disclosure policies. We have aligned our standards with international and industry best practices, and we believe that proactive, responsible radical transparency in cybersecurity improves outcomes for our customers and for society.

Building on this long-standing commitment, Fortinet was proud to voluntarily sign the Secure by Design pledge. The pledge outlines seven goals, including responsible vulnerability disclosure policies, which are already a critical and long-standing part of Fortinet's product security development practices.

As Daniel recently shared in a CTA blog, "Over and over, across multiple sectors, we have learned that transparency improves outcomes for consumers and society. The cybersecurity industry is no different. In our sector, transparency includes searching for, mitigating, and disclosing vulnerabilities in an open, responsible manner. Fortinet has already taken steps to embrace such responsible transparency, creating a clear set of principles for handling vulnerability communication and analysis. The company's leadership in this area is a strong example of how cybersecurity vendors should be communicating with customers and the broader public."

Learn more about Fortinet's commitment to product security and integrity, and read this recent blog post on the company's long-standing commitment to responsible product development and its vulnerability disclosure approach and policies.
