Security is a Process, not a Product

July 27, 2017
by guest blogger, Justin Montalbano, Delphi cybersecurity lab technical manager

It all started when I was six or seven years old. Little did I know, modifying a video game in DOS would turn into an exciting and rewarding career in cybersecurity. For me, the best part at the time was hacking the game to get it to do just what I wanted it to do… win!

From that point on I was hooked. And it only continued to grow.

In my teens, I surrounded myself digitally in forums and online chats with others who thought like me – security-oriented hackers and programmers – where we all became conscious of how security was truly impacting every aspect of our lives. And boy, did we want to be a part of it. But… even in our ecosystem, we hardly understood the size of the security family.

College would change all that.

In the fall of 2009, I was off to Davenport University, where I majored in network security and minored in computer networking. It was here I realized the enormity of the security community. The encouragement my professors provided to get involved, attend conferences, build clubs with classmates, and compete in hack-a-thons gave me the opportunity to surround myself with an even larger group of like-minded people. We shared personality traits and high levels of curiosity. We were all curious about how things worked, how we could break them, and how we could secure them.

And then I started my first internship with Delphi in 2011, which would seal my cybersecurity fate. I was working in Delphi’s IT group helping to secure infrastructure. It was an amazing summer, the company and the team with whom I worked were great, and most important… I learned a ton.

In every 100 lines of code there are four bugs.

Before graduating, I also had jobs on the tech side of the medical and manufacturing industries. I worked at a manufacturing plant on the IT help desk, making sure all systems were working properly. In the medical field, as a security operations analyst, I worked on application testing, helping ensure nothing would break. We also did security systems monitoring to help remediate any issues that arose.

But then Delphi called.

In 2014 I returned, but this time as an employee: an IT security analyst. I got to be the ‘bad guy’ on the team. We were called the Red Team, and my job was to think like a malicious person. Cue Mr. Burns, “Exxxxxcellent.” I was to be the guy who understood our organization’s weaknesses and helped our IT team secure the company’s infrastructure. After doing this for about a year and a half, I received an amazing opportunity. Delphi was assembling a cybersecurity task force, which would work with the engineering group to develop security guidelines, processes and tools, and cybersecurity testing procedures for their products. Not only would I have the opportunity to break it, but to help secure it as well, and to watch that technology enter the market. I would be helping secure programs and products that were designed to help save lives.

I had my a-ha moment right there. It was what had been missing in my career. I had always been intentionally “breaking” things and then assisting people with the fix… how to secure it. But I had never been able to “see” that solution put in place. Now I could secure with the knowledge that it was for an important purpose.

Security and safety are a critical part of everything we do; they have always been a part of our DNA. Our role was to help scale the processes across platforms and beyond production. So we dove in and started integrating security guidelines, processes and tools, as well as developing the cybersecurity testing lab to help support the engineering teams.

Looking back, our biggest challenge was getting the organization to appreciate what we do and to understand that security processes, guidelines and testing needed to be ingrained into the product development cycle from the very beginning and through post-production. Education, getting management aligned, and pushing a top-down security approach throughout the organization were key.

We stood up our cybersecurity model based on three pillars:

  • Develop the right process to help secure products and use the right tools to lock down the system.
  • Work with the engineering team to build in this process from the beginning of the product development cycle, helping support them throughout the entire process from prototype to production.
  • Conduct Red Team penetration testing and validation on products to help mitigate vulnerabilities; all for the end goal of ensuring safety through a secure product.

Our team is advocating a security perspective in an industry that is still slowly evolving from traditional thought processes. No one is going to stop trying to break systems, and insecurity in systems will only continue to grow. We realize it’s mission critical to build a security culture within our organization to help influence a secure environment – physically, digitally, and socially. This is particularly important with safety-critical technologies, such as autonomous driving.

Collaboration and a proactive approach, inside Delphi and outside Delphi, are key. That’s why we are present at the DefCON Car Hacking Village. We are passionate about making security a success at Delphi, and the DefCON Car Hacking Village helps give us the tools to stay relevant – from new approaches to new technologies to new talent. Security has been around forever, but from 1992, when the digital security movement really started moving, to today, working together will only make us stronger for the next leg of our cybersecurity journey.

Thank you to the entire Delphi Cybersecurity Team for all the hard work, passion and drive you put towards making Delphi a leader in cybersecurity. Thank you to the associations and events for elevating the importance of security awareness to the world… DefCON, Car Hacking Village, GrrCON, BSides Events, SANS Events, Blackhat and the SAE Cyber Auto Challenge. And finally, thank you to the entire security community that is committed to securing the digital and physical worlds. Security is a process…not a product.