• United States



UK Editor

Should CISOs stop using Russian security and tech products?

Mar 10, 20225 mins
CSO and CISORisk Management

Using Russian-made security and tech products presents a moral dilemma and real risks for organizations.

shutterstock 2112953282 ukraine russian flags
Credit: Svetlana Turchenick / Shutterstock

The Ukraine-Russia conflict has raised the question of whether organizations should stop using Russian-made security and tech products and the risks of continuing to do so in the current situation. CSO spoke with security leaders, researchers, and analysts about this significant issue and the implications for CISOs, businesses, and the wider sector.

Ending use of Russian security and tech products

“From a moral standpoint, CISOs should absolutely stop using Russian-made security and technology products. However, from a security-related standpoint, it’s much murkier,” says Shawn Smith, researcher and director of infrastructure at nVisium. “There is always conflict in the world, and while you should always evaluate backups in situations like this, the products created by Russians aren’t any less secure now than they were a month ago.”

Dominic Grunden, CISO of UnionDigital Bank, strongly supports stopping use of Russian-made products and services. “From a moral and humanity perspective, imagine this: Your company would pay the Russian company providing the security and tech product who in return pays taxes in Russia, which directly supports the government and military that is invading the Ukraine and resulting in loss of lives,” he tells CSO. Grunden also cites the global economic sanctions being imposed against Russia as another issue, as CISOs need to be sure they are not breaking laws in the countries the company is operating in.

For Peter Lowe, principal security researcher at DNSFilter, the biggest reason why CISOs should switch away from Russian-made security products as soon as possible is because of the growing number of companies withdrawing from Russia right now – including major internet backbones cutting off access. “There is a very real risk that any tech product using servers based in Russia might simply disappear, which could be catastrophic depending on the type of service,” he says.

In contrast, Cyware threat intel specialist Neal Dennis says that businesses should not rush into removing Russian-made products as a blanket approach, but they should be highly skeptical of how far-reaching they are. “Russia has a sordid past of tech companies potentially being used for various efforts,” he tells CSO.

Risks of using Russian security and tech products

With regard to the risks of continuing to use Russian-made products, there are important factors to consider, Grunden says. “Using Russian made security and tech products can potentially allow Russia to access our companies, customers, and data, and potentially use it for malicious purpose. Under current Russian legislation, company and customer data is not protected and Russia has laws on national security and cybersecurity which provide the Russian government a legal basis to compel technology companies operating in Russia to cooperate with Russian security services.” The real threat is for Russia to exploit discovered vulnerabilities within organizations or access them through a backdoor, Grunden warns.

In Smith’s opinion, heightened scrutiny around “anything-and-everything” Russian is creating another problem for CISOs. “While the platforms developed by Russians aren’t any less secure now than they were a few months ago, many vulnerabilities are being found due to increased probing. The biggest security risk is if a vulnerability is found in your software, it may be very slow to get patched due to the current conflict. It may be safer in the long run to evaluate and switch now than wait and be forced into a situation where you need to switch with very little runway.”

Implications of stopping use of Russian-made products

While he believes businesses should halt their use of Russian-made products and services, Grunden concedes that doing so will not be without implications for CISOs and companies. “Forcing an organization to immediately discontinue a Russian-made product or service could impact the organization’s ability to identify, protect, detect, respond and recover from cyberthreats and security incidents,” he says. It will incur immediate cost and effort to replace the security or tech product/service for the entire organization, and this could be quite detrimental given the current security workforce shortage and burnout concerns, he adds.

Terminating a contract between two companies may result in legalities that would affect the organization’s credit rating while limiting an organization’s ability to obtain and use the best products or services available are also issues to take into account, Grunden says. “I believe the recent Russian invasion of the Ukraine has seen a widespread adoption of large companies such as Apple, Microsoft, Google, Amazon, SAP, etc. who are halting doing business to and from Russia which has immediately impacted the security product and service market,” he continues.

Lowe agrees: “There are lots of valuable tech services and products provided by Russian companies, so initially there is going to be a drop in available services covering the region, government interventions as well as peoples’ lessened desires to purchase Russian tech. Threat intelligence for Russia is also going to suffer.”

This could prompt more companies to take independent research more seriously and look to effectively include OSINT and open-source research into their capabilities for generating self-guided intel instead of solely relying on big data providers, says Dennis.

However, Smith doesn’t predict significant, long-term ripple effects on the wider industry. “Given how large the security space is, I don’t think there will be any large change in the security product marketplace. Some professionals will migrate off Russian products, others won’t, and some smaller businesses might close shop or migrate to other countries. In the end, it’s going to be pretty close to business as usual for the greater security market.”

UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.

More from this author