CyberSecurity SEE

Is CISA’s Secure by Design Pledge Effective?

Various technology companies including Microsoft, Amazon Web Services, IBM, Fortinet, and others have committed to enhancing cybersecurity practices by agreeing to a set of seven objectives outlined by the US Cybersecurity and Infrastructure Security Agency (CISA) at the 2024 RSA Conference.

The initiative, known as the Secure by Design pledge, is not legally binding but aims to encourage companies to prioritize security measures in their products and services. While some may question the enforceability of the pledge, industry experts believe that it sets a standard for cybersecurity practices and may lead to positive changes across various sectors.

Grant Geyer, Chief Product Officer at Claroty, one of the signatories, emphasized the importance of collective agreement on operating at a certain security standard. He stated that the pledge signifies a shift towards a culture of accountability and transparency in cybersecurity.

The Secure by Design pledge focuses on seven key areas of improvement, including multi-factor authentication, default passwords, vulnerability reduction, security patches, vulnerability disclosure policy, CVEs, and evidence of intrusions. Despite lacking regulatory teeth, supporters believe that the pledge sets expectations for cybersecurity practices and encourages companies to make security a priority.

Chris Henderson, Senior Director of Threat Operations at Huntress, highlighted the indirect influence of the pledge in defining industry standards. He pointed out that the pledge could deter companies from profiting solely off security features and instead promote a culture of security-conscious product development.

Furthermore, industry experts like Jonathan Trull, CISO of Qualys, believe that the pledge’s impact will be more economically driven. Trull emphasized that the pledge could influence consumer behavior and incentivize companies to prioritize security features in their products to remain competitive in the market.

Beyond individual vulnerabilities, the Secure by Design pledge draws attention to broader security issues such as vulnerability management as a whole. Organizations often focus on patching individual bugs but fail to address fundamental security flaws that can be exploited at scale. A recent analysis by Claroty’s Team82 revealed that a significant portion of industrial OT and connected medical devices have critical vulnerabilities that are often overlooked.

Grant Geyer of Claroty emphasized the importance of a comprehensive approach to cybersecurity, which goes beyond traditional vulnerability-focused strategies. By broadening the definition of risk to include factors like default passwords and insecure communications, companies can focus their efforts on addressing the most critical security issues effectively.

Overall, the Secure by Design pledge represents a collaborative effort among industry leaders to elevate cybersecurity standards and promote a culture of security-first practices. While the pledge may not have immediate regulatory consequences, its influence on industry norms and consumer expectations could drive positive changes in the cybersecurity landscape.