This year at RSA, CISA launched its “Secure By Design” program – a voluntary program in which participants pledge to improve the security measures in their products (and to use their influence to improve security across our industry).
Though criticized by some as 'toothless'(1), I find it hard to be critical of any endeavor which highlights the need for good cybersecurity efforts. If it saves one person from being hacked, or saves one company from a devastating ransomware attack, it’s a worthwhile effort. I am proud that Reveald was one of the first companies to sign up.
The introduction by CISA contains the following text which I think is worth repeating:
As a nation, we have allowed a system where the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations and away from the producers of the technology and those developing the products that increasingly run our digital lives. Americans need a new model to address the gaps in cybersecurity—a model where consumers can trust the safety and integrity of the technology that they use every day.
CISA, May 2024
It's true that software providers rely on end users to apply patches, to set strong passwords, to configure our systems properly, and I think it’s only right that all software vendors are encouraged to help our customers where we can.
I started my career very early on designing software solutions, and even then customers considered 'upgrades' a dirty word. It took me a couple of cycles to understand that updating an estate of devices was hard, risky, and to be avoided, and from then on I tried to build seamless upgrades into every product I led.
Today, we are in a completely different world – many of the products we rely on upgrade themselves invisibly – even my digital notebook occasionally delights me with a message “Update available, please restart”. Consumer devices like wifi routers now have unique admin passwords, and two-factor authentication is ubiquitous.
All these features help raise the barrier to commodity cyberattacks, and make it just that little bit harder for a cybercriminal to extort us.
I long for the day when criminals have to work hard to win, and this pledge, 'toothless'(1) though it might be, helps move us one small step in that direction.
The 7 pledge goals to be achieved within 12 months:
Cybersecurity leader with vast contributions to the industry including multiple patents, leadership within startups and Fortune 500 companies, and over a dozen successful M&A transactions. Excelling in product, innovation, user experience, and development leadership while fostering collaborative teams. Simon's mission: Stop cybercriminals from getting rich.