Mike Starr Of trackd On Embedding Security in Product Design and Development

This interview was originally published in Authority Magazine in September 2023.

In the face of escalating threats from malicious AI, incorporating cybersecurity best practices into the design and development of products is more crucial than ever, especially for manufacturing companies. How do product security managers incorporate these principles from the ground up? What steps do they take to ensure security is a core facet of their products? As a part of this series, we had the pleasure of interviewing Mike Starr.

Mike Starr, CEO and Founder of trackd, is a cross-functional leader and former NSA engineer with experience building and launching products in new and disruptive markets. He’s built and led teams at Fortinet, OPAQ Networks, IronNet, and the NSA. Mike received his Bachelor’s degree from SUNY Alfred and enjoys nerding out on wine and reading fantasy novels in his free time.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Buffalo, NY, with two younger brothers and my parents. I spent a lot of time playing video games and doing Taekwondo.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

In undergrad, I had the opportunity to participate in the Northeast Collegiate Cyber Defense Competition (NECCDC) with a bunch of classmates. We prepped for weeks, given the material shared with us by the conference staff, and were feeling confident. Then, when the multi-day conference started and we got bombarded with attacks, our plan went out the window, but we learned a ton, and I became obsessed with trying to solve for malicious cyber activity. The complexity, difficulty, and art of carefully designing systems that serve customers but are resilient to bad actors continue to fuel me.

Can you share the most interesting story that happened to you since you began this fascinating career?

Well, the ones that happened during my time at the NSA that I’m not at liberty to discuss, of course, are the most interesting. That said, the most interesting one that I can talk about is probably how I transitioned from government employee to a startup. Early in my NSA career, I was running late for a meeting that didn’t matter at all, but being a new hire I wanted to lay low, and I literally bumped, like slightly crashed, into GEN Keith Alexander, the Director of the NSA at the time, as he was walking through the hallways of one of the OPS buildings. I apologized and expected him to walk away, but instead, he walked with me (and slowly, I might add) until I got to the elevator, while asking me about my job and my time so far at the agency. In the elevator I thought, “surprisingly nice guy, would be interesting to get a drink with.” Not because it wasn’t his reputation, but simply that the Director of the NSA is a busy person, and to completely change the course of his day (even if for less than 2 minutes) made a big impression on me.

Fast forward a few years, GEN Alexander founded IronNet Cybersecurity and I thought, “That’d be an interesting place to work,” and went about my day. Not long after that, a friend of mine introduced me to someone who has since become a great personal friend (and a Director on trackd’s board), Jasson Casey, who was interviewing for a position at IronNet and was asking about the NSA and GEN Alexander. I told this same story and we exchanged contact information. When I followed up with him a few months later asking how he convinces people to adopt Software Defined Networking solutions, he said, “Why don’t you come do that with me at IronNet?”

So that holiday season, I was working at IronNet and had met GEN Alexander a few times, and during our holiday party I got to share that drink with him. Pretty cool.

Are you working on any exciting new projects now? How do you think that will help people?

As a matter of fact, I am! In 2022 I founded trackd, a venture-backed cybersecurity startup revolutionizing vulnerability and patch management by focusing on the fundamental bottleneck for slow patching: fear of the unknown. We’re taking the guesswork out of vulnerability remediation by providing insight into how patches will break systems before they go into production.

We’re the only solution that provides data on how disruptive patches have been on other networks so patching teams have insight into how likely the patch is to break something.

And we’re free, meaning users can find and patch their vulnerabilities with our platform at no charge, now and forever.

How do emerging technologies like AI and machine learning influence the risk to the cybersecurity landscape?

ML and AI are enhancing the efficiency of existing cyber criminals and making it easier for the wanna-be or less-technical hackers to get into the business, but sensationalist predictions of an AI-driven cyber apocalypse are more the figment of the imagination of Hollywood writers than they are objective reality, for now.

Ok, thank you. Let’s now move on to our main topic of Embedding Security in Product Design and Development. Can you share a few reasons why this is so critical in today’s cybersecurity threat environment?

The short answer is it’s the Holy Grail for bad actors.

As the SolarWinds hack illustrated, if cyber criminals can compromise software at its core, then the users of that software distribute it to the bad actors, offering a force multiplication that hackers dream about.

In our trackd solution, for example, our users download an agent to each device on which they’d like to automate vulnerability identification and patching. If our agent were to be compromised, the bad guys would potentially have access to thousands of devices, and they wouldn’t have to do the hard work of compromising those thousands of devices individually. So, when we designed our agent, security concerns literally pre-empted every other design consideration. If that mentality doesn’t permeate the software design/development process, then software companies are risking catastrophic breaches like the one that SolarWinds suffered.

“Security by Design” is a philosophy often mentioned in product development. Can you elaborate on this concept and explain its critical role in today’s manufacturing landscape?

Essentially, this is a philosophy that emphasizes integrating security considerations into every stage of product development, from initial design to ongoing maintenance. The goal is to make security an integral part of the development process rather than an afterthought. As the Industry 4.0 movement (the digitization of manufacturing, if you will) continues to gain steam, the opportunities for exposure to increased cyber risk will only increase. The potential for physical or kinetic damage upon a successful cyber attack makes adopting Security by Design principles all the more important as manufacturing outfits become increasingly connected.

With the rise of IoT and connected devices, what challenges and opportunities do you foresee in ensuring security remains integral throughout the product development lifecycle?

The sheer number of devices operators will need to maintain is already an issue and with the explosion of IoT, it’s only going to get more difficult. More devices, more firmware versions, more connectivity, etc. The most obvious opportunity I can think of is for the manufacturers of IoT devices to differentiate their products and themselves by adhering to security-by-design principles and highlighting them to purchasers.

Rapid prototyping is becoming the norm in product development. How do you maintain robust security standards during these accelerated design and testing phases?

Thankfully, there are many automated software testing and build tools that, if set up, can check for secure coding practices. I don’t know of a modern source code repository that doesn’t have some form of CI/CD pipelining workflow to assist in enforcing this.

Given the complexities of the manufacturing supply chain, how do you ensure that security isn’t compromised, especially when integrating components from third-party vendors?

This is really difficult, but discipline in enforcing security controls regardless of timelines and choosing only to work with vendors that are similarly dedicated to security-by-design principles is how the industry will move forward.

As Industry 4.0 and smart factories gain traction, how are strategies and approaches evolving to embed security in products that align with these futuristic manufacturing trends?

Good question. Most security professionals will tell you that operational technology security represents their gravest concern and triggers more sleepless nights than just about any other area. We at trackd do a number of security conferences as sponsors/exhibitors, and we get the OT security questions constantly. One of the reasons it’s such a challenge is that the concept of security in product design and development is either new or non-existent in many OT manufacturers. If you manufacture injection molding machines and have done so for many decades, only recently have you had to be concerned with internet connectivity and its security ramifications. Not only is the security ethos absent, but the expertise is unlikely to be abundant in those organizations as well. Software companies employ software engineers. Manufacturing equipment companies employ mechanical and electrical engineers. Their training and sensibilities differ. For example, the concept of patching software in the OT space is just emerging. Most OT devices are patched manually (not remotely), if they’re patched at all. This kind of security gap is at once ubiquitous — there are likely billions of such unpatched devices being used today — and terrifying. Encrypting GM’s data for ransom is troubling, but commandeering a factory line with dangerous equipment could immediately and directly jeopardize lives. There is a similar and even more terrifying concern about this in healthcare, an industry replete with connected, unpatched, vulnerable equipment responsible for preserving human life.

The trackd team at an off-site meeting in Austin.

Here is the main question of our interview. What are your “5 Best Practices For Embedding Security in Product Design and Development”?

I think this question assumes too much. The only thing that matters is whether the person responsible for product security is able to convince all stakeholders to care about the risks associated with the absence of secure software development practices or not. If they’re unable to do this then building security components into software will always be driven reactively as a result of an incident.

So rather than talk about the things we do once we have stakeholder buy-in, which is easily Google-able or in this day and age ChatGPT-able, I want to talk about how we convince Marketing, Sales, Engineering, and the CEO to actually care about integrating security into software as it’s being built.

Security is not free. There is operational risk in implementing security controls and practices across the organization, and software development is no exception. In this case, it’s time-to-market. Sales needs a new feature to close a deal, Marketing wants to announce the new version of the software before the quarter kicks off so they can begin a new ad campaign and update the corporate website, Engineering needs to focus on tech debt or the product won’t scale, and the CEO has a board meeting in two weeks at which they need to report the summarized version of all this with a slew of KPIs. So what’s your justification to migrate to a new authentication system, for example?

Just like Product Management, Security needs to understand what makes each organization tick and leverage that to make its case. How will each new security feature allow Sales to close more deals, Marketing to get higher click-through numbers on ads, reduce long-term development burden on Engineering, and allow the CEO to leave the boardroom with their head? This is how we get security-by-design incorporated into organizations and it’s how I’ve run every team I’ve been a part of in my entire career.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂

Keep your devices up-to-date with the latest software. It makes the job of hackers significantly harder and less than 2% of updates are ever rolled back.

How can our readers further follow your work online?

LinkedIn: https://www.linkedin.com/in/starrmc/

Trackd website: https://trackd.com/

Trackd LinkedIn: https://www.linkedin.com/company/trackdsecurity/

This was very inspiring and informative. Thank you so much for the time you spent on this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.