The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, the National Security Agency, and international allies, has announced its long-awaited guidelines for software companies to build “Secure by Design” principles into their products. As “America’s Cyber Defense Agency,” CISA is tasked with protecting the nation from an ever-evolving array of cyber threats, as well as with identifying, managing, and reducing risks to U.S. infrastructure, both digital and physical. But some industry experts question whether CISA’s lofty goals can be adequately implemented.
The CISA guidelines appear straightforward; they include taking ownership of security outcomes, embracing radical transparency and accountability, and building organizational structure and leadership to ensure success. The agency implores corporate leaders to take a top-down approach to ensure proper risk management is undertaken and sustained.
Although there is broad industry support for Secure by Design, there is no means of compelling companies to back up their promises. Google claims that secure-by-design principles are at the heart of its overall security approach, but others are skeptical of the practicality and affordability of widespread implementation. Tom McNamara, CEO of Hopr, an automated moving target defense (AMTD) company, thinks that threat exposure is inevitable because of the interconnected nature of software systems.