The Secure by Design Pledge: What is it, and how does it benefit Lenovo’s customers?

Doug Fisher, Lenovo chief security and chief AI officer

Lenovo’s SVP and Chief Security and AI Officer, Doug Fisher, walks us through the key points of one of CISA’s key initiatives.

What is the Secure by Design pledge, and why did Lenovo get involved?

Last year, Lenovo signed the Secure by Design pledge, an initiative by the US Cybersecurity and Infrastructure Security Agency (CISA). This landmark project aims to bring the industry together to ensure customers have access to the most secure technology possible.

This voluntary initiative aligns with Lenovo’s longstanding commitment to security. As Chief Security Officer, my mission is to ensure Lenovo remains our customers’ most secure and trusted technology partner. We are committed to continuously improving our security practices, meeting or exceeding industry best practices, as demonstrated by being one of the first leading global technology powerhouses to sign the pledge. The Secure by Design initiative complements our existing security programs, and collaborating with such an important organization as CISA demonstrates the importance of security.

We’re committed to continually improving our security practices to meet or exceed industry best practices, so it was important for us to be one of the initial signatories of this initiative and foster greater advocacy within the technology ecosystem.

What are the goals of the Secure by Design pledge?

At its core, the pledge asks vendors to commit to seven key goals within a year of signing the pledge:

  1. Increase the use of multi-factor authentication across products.
  2. Reduce the use of default passwords.
  3. Increase access to security patches across the product lifespan.
  4. Reduce the number of security problems known to be exploited by threat actors.
  5. Publish a vulnerability disclosure policy that authorizes testing by members of the public in good faith without risk of legal action.
  6. Commit to reporting vulnerabilities within industry registration sites.
  7. Demonstrate improvement in how customers can detect and collect proof of cybersecurity attacks on a company’s products.

Can you speak more about your current security programs?

At Lenovo, our security pillars cover our entire security ecosystem: our internal infrastructure, products and services, supply chain, and physical security. Our strong security culture underpins all of this.

Our products and services have security integrated into them from the design phase onward. They are manufactured and shipped with the highest levels of security to eliminate the potential risk of tampering, and security support is provided throughout the product’s lifecycle. Our customers include Fortune 500 companies, governments, and public sector organizations, and we take our role in keeping them secure incredibly seriously.

Our existing security program and practices are very robust, and many meet or exceed CISA’s goals. Lenovo’s culture of continuous improvement compels us to stay ahead of malicious threat actors, and participating in the Secure by Design pledge will support these efforts.

How does this initiative benefit Lenovo’s customers?

While CISA’s Secure by Design pledge focuses on enterprise software and service products, its principles prioritize security as a core business requirement rather than merely technical features. Alongside Lenovo, companies like Cisco, Google, IBM, and Microsoft were among the original signatories. While this is a US government-led initiative, outputs will benefit all of Lenovo’s customers worldwide.

Today’s technology industry is an ecosystem of many players; CISA’s pledge brings us all together to share best practices and learn from each other. It allows us to implement changes in the development of our products and reaffirms Lenovo’s commitment to being our customers’ most trusted technology supplier.

Evolving threat landscapes, including emerging technologies like AI, make it easier and quicker for malicious actors to deploy attacks across enterprises. By uniting the industry, we can proactively thwart these efforts and enhance overall security.

What actions are you taking as part of the Secure by Design pledge?

We have identified Secure by Design champions across all of our businesses to determine what products across our entire portfolio are in scope and which already meet the pledge commitments.

What progress has Lenovo made so far?

We are already meeting CISA’s Secure by Design pledge intent in many areas but strive for continuous improvement.

We have already exceeded the pledge commitments within our Vulnerability Disclosure Policy. We regularly publish security advisories to communicate vulnerabilities in Lenovo products transparently and appropriate mitigation steps to our customers. We work closely with security researchers who identify potential threats in good faith and have introduced Bug Bounty programs across some of our product brands, for example, Motorola.

What’s next?

As one of the first signatories to the CISA pledge, Lenovo is dedicated to a successful partnership with CISA to improve product security and better serve and protect our customers. Over the coming months, we will share more about our progress.

We remain committed to the work of CISA, its mission to protect critical infrastructure and cybersecurity in the US, and have deepened our relationships with the agency by participating in its Joint Cyber Defense Collaboration Initiative to help combat cyber threats. Collaboration between government and industry is essential and we are eager to contribute to this initiative and build additional relationships across CISA and the federal government to bolster the collective defense of cyberspace.
