At the RSA Conference 2024 held in San Francisco, the concept of “secure by design” took center stage, echoing throughout the corridors of the cybersecurity world. The idea that software should be developed with security at the forefront has been embraced by industry leaders and organizations alike, emphasizing the importance of incorporating security measures from the very beginning of the development process.
One of the most notable examples of a company embracing the “secure by design” principle is Microsoft, with its expansion of the Secure Future Initiative (SFI). Following a series of high-profile breaches, Microsoft announced an enhanced focus on security, prioritizing it above all other considerations. This commitment was articulated in a blog post by Microsoft Security executive vice president Charlie Bell, outlining three key principles: secure by design, secure by default, and secure operations.
The expansion of generative AI technology has also played a significant role in driving the conversation around secure design. With the rapid adoption of AI, organizations are increasingly at risk of data breaches, model poisoning, and misconfigurations that could lead to cyber attacks. As a result, both public and private sector entities are emphasizing the need to integrate security measures into AI projects from the ground up.
A study conducted by IBM and Amazon Web Services revealed that while C-suite executives recognize the importance of secure AI, only a fraction have implemented security measures in their AI projects. IBM has responded by publishing a framework dedicated to securing generative AI development, underscoring the necessity of integrating security practices from the outset.
Ryan Dougherty, program director for emerging security technology at IBM Security, stressed the importance of embedding security into AI projects from the start. He highlighted the need to learn from past experiences in cloud security and ensure that security is a top priority throughout the development process.
Dr. Sarah Bird, chief product officer of responsible AI at Microsoft, echoed the sentiment that implementing security gradually and focusing on specific, targeted AI models is key to ensuring secure design. By integrating security into AI projects at a measured pace, organizations can mitigate risks and enhance overall cybersecurity measures.
The Cybersecurity and Infrastructure Security Agency (CISA) has also joined the chorus of voices advocating for secure by design principles. By launching the Secure by Design pledge, CISA has called on software makers to prioritize security in their development processes and publicly document their progress. Companies like Ivanti have embraced the pledge, recognizing the importance of integrating security into every stage of product development.
CISA Executive Director Brandon Wales emphasized the need to shift away from reactionary approaches to cybersecurity and towards a proactive, secure by design mindset. By changing the industry culture and making security a foundational element of technology development, Wales believes that long-term security outcomes can be achieved.
As the cybersecurity industry continues to evolve and face new challenges, the emphasis on secure by design principles has never been more crucial. By integrating security practices from the outset, organizations can build a strong foundation for cybersecurity and mitigate risks in an increasingly complex digital landscape.