Cybersecurity To Protect From Malicious AI: Lenovo’s Doug Fisher On How To Develop An Effective Product Security Strategy

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
Aug 24, 2023

Cyber threats are evolving, with malicious AI posing a significant risk to the digital infrastructure of organizations. How can Chief Product Security Officers (CPSOs) effectively protect their products and their organizations against these AI-driven cyber threats? What should be their primary areas of focus when developing a product security strategy to ensure the security and integrity of their organization’s products? This series will delve into the role of CPSOs in crafting robust product security strategies to safeguard against malicious AI. We will explore their challenges, successes, and insights into how to maintain the integrity and security of their products in this rapidly changing cyber landscape. As a part of this series, I had the pleasure of interviewing Doug Fisher.

Doug Fisher is the Senior Vice President and Chief Security Officer of Lenovo, assuming the role in 2020. As Chief Security Officer, he has worldwide responsibility and oversight for the integrity of Lenovo’s enterprise infrastructure, supply chain, products, services and solutions, and data protection.

Fisher is a proven leader, recognized for his enterprise software expertise, with deep relationships across the technology industry. Before assuming his current role, he was Chief Operating Officer for Lenovo’s Data Center Group. He was responsible for all DCG business segments and driving greater alignment across product management, operations, solutions, and product marketing.

He is currently on the Board of Directors of SecureAuth, Chairman of the Board of the Joint Development Foundation and member of the Oregon State University Dean’s Leadership Council in the College of Engineering. Previously, he was the Chairman of the Linux Foundation and on the board of BlueData, and Wind River Systems.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I began my career at age 17 in the U.S. Navy. Across decades, I have led at top technology companies, steering strategies and leading complex, global organizations. Most recently, Lenovo’s CEO appointed me as Chief Security Officer, where I lead our global security organization and fortify our strong security culture.

The CEO also elevated the CSO role to our executive committee, with dotted-line reporting to the Board of Directors, underscoring our commitment to security. In this capacity, I receive a tremendous amount of support, allowing me to take decisive actions needed to ensure security is prioritized, driving change throughout the organization.

Can you share the most interesting story that happened to you since you began this fascinating career?

Fostering our robust security culture has been an intriguing voyage. Within our organization, the concept of security permeates our thoughts as effortlessly as considering the financial implications of a project or outlining strategies for an upcoming product launch. Just as meticulous attention is paid to quality at every operational juncture, a similar level of consideration must be directed towards security. From a product security perspective, this entails seamlessly integrating security measures into each new product’s foundation and carrying that throughout the lifecycle of that product. In essence, security maintains a constant presence in everyone’s consciousness, from development teams to the senior executives driving that development.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

  • Embrace hands-on engagement. Actively participating in vital day-to-day tasks holds immense significance. For instance, I personally reach out via email to employees who haven’t completed their annual security and privacy training.
  • Prioritize communication. To activate genuine transformation, the Chief Security Officer (CSO) must excel in communication and serve as a security advocate. With a direct reporting line to our CEO and a responsibility to the audit committee of the board, I’m empowered to lead. This prominent position allows me to engage in meaningful dialogues, educate the board, and drive positive transformation from the highest level.
  • Shape through cultural influence. I firmly believe in the potency of shaping culture. Robust security should be an all-encompassing endeavor. Every facet of the organization should enthusiastically adopt the security culture and serve as security ambassadors for the entire company. By educating all employees about their role in bolstering security and illustrating the benefits of a fortified security stance, the company ensures that robust security becomes a shared objective.

Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect From AI-Powered Cyberattacks” and why?

  1. Elevate AI-Infused Design Security: Employ third-party AI tools during product design and architectural phases, utilizing secure APIs or similar avenues. This strategy allows for the comprehension of patterns and markers these tools generate across diverse products and applications. In mirroring the approaches of potential threat actors, this method assists in uncovering vulnerabilities in commonly adopted dataflows and software structures. This approach should be likened to a nuanced security review similar to threat modeling.
     Taking the analogy of ten high school students employing the same AI tool to craft papers on matriarch dynamics in Romeo and Juliet, variations in questions and linguistic differences may cause minor deviations in output. However, the underlying concept remains — discerning these commonalities empowers developers to architect products beyond the scope that threat actors are likely to explore. Simultaneously, it encourages heightened innovation and ingenuity in both code and design.
  2. Integrate Ecosystem-Wide Insights into AI-Aided Development: In the realm of AI-assisted product development, many creations fall under the umbrella of connected products or the Internet of Things (IoT). These tools often model products in isolation, overlooking the entire workflow involving first- and third-party components. Developers must contribute insights based on the operations and architectures of established connected devices and software within the ecosystem. This collaborative approach enables behavioral threat modeling, allowing for the identification of potential vulnerabilities arising from the intricate interplay of multiple components within a system.
  3. Uncover Open-Source Implications in AI-Generated Outputs: Investigate the usage of open-source software within the output of AI-generated architecture. This practice offers dual benefits — bolstering vulnerability management in the long run while also exposing any legal concerns such as copy-left manipulation of open-source code.
  4. Leverage Linguistic Diversity in AI-Driven Threat Modeling: Extend AI’s utility as a threat-modeling tool by executing the same input queries across multiple iterations, each in distinct spoken or written languages corresponding to the product’s target regions (or regions where the product is developed). This methodology extracts the potential loss of salient points during translation, enabling the identification of vulnerabilities caused by inconsistencies introduced through language variations.
  5. Instill Comprehensive Security Training Across the Board: Prioritize universal completion of comprehensive security training for all personnel. Recognize that a single employee falling prey to a phishing link can jeopardize security. To mitigate such risks, ensure that rigorous security training becomes an imperative and mandatory element for every participant in the process. As demonstrated, our approach entails training virtually 100% of our company’s workforce, including contractors.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
