Jason R... Weiss’ Post


I help DevSecOps teams with software supply chain provenance. Former DOD Chief Software Officer. Veteran. Entrepreneur. Author.

Secure by Design/Default must start with the shareholder in today's biz climate, a climate driven by Friedman's capitalistic views from the 1970s. I would contend that this is the most salient conversation missing from the revised CISA document released. It's why geeks and techies alone cannot effect change here, no matter how many CISA stars give high-profile keynote addresses at global tech conferences. Let's dig deeper. The C-Suite and the Board have fiduciary obligations to the shareholders, not to non-binding guidance from the Cybersecurity and Infrastructure Security Agency and its global partners. All of this government material can continue to "urge" and "strongly encourage" industry to offer software security "out of the box without added charge" all it wants, but in the end, the shareholders of the companies still have the louder voice and the only vote that matters. Today, shareholders will choose profits over secure by design, especially institutional investors from Wall Street. CISA's own words: "The authoring organizations acknowledge that taking ownership of the security outcomes for customers and ensuring this level of customer security may increase development costs." Now, look at the layoffs in the cybersecurity sector driven by... cost cutting!! In just Q3/2023: Rapid7 laid off ~18% of its workforce; HackerOne cut ~12%; Secureworks cut 15%, with an SEC filing stating the cuts were needed to "deliver profitable growth." TechCrunch calls it a "tech wide reckoning," tracking over 240k tech jobs lost in just 2023, and it follows what they call a common script: macroeconomic env, cost-cutting plans, and restructuring. Consider the poor recruiter over at Taskrabbit who has had over 3,375 applicants for a VP of Product position - that is an astounding number of applications (hope they have a strong ATS in place!). Too many staff, not enough profit, people worrying about jobs, not secure by design.
For the government to acknowledge their recommendation m̴a̴y̴ will raise the costs of creating software while ignoring the state of tech companies makes CISA appear tone deaf to economic realities. Either the Federal government should "simply" fix the economy so that the cost of secure by design becomes OBE, or recognize that "urging" executives to spend more money on secure software practices is going to fall flat at a time when all tech C-suites are tightening their belts and cutting costs. A few suggestions: Ensuring Security Framework guidance exists for Suppliers, Customers, and Developers. What about one for Wall Street and Investors? Could Jen Easterly better leverage her Wall Street background and walk Sand Hill Road to convince VCs/PEs/Institutional Investors to demand a security experience as part of an investment? CISA must stop pitching Secure by Design to big tech and sell shareholders, and that's a far different narrative than that found in this document. What are your ideas? #cybersecurity #compliance #software #ciso

  • Snapshot of a Taskrabbit job posting on LinkedIn showing 3,375 applicants.
Joe Weiss PE CISM CRISC ISA Fellow

Managing Partner at Applied Control Solutions, LLC Managing Director ISA99 ICS Cyber Security Pioneer, Keynote Speaker Process Automation Hall of Fame

6mo

Security is where safety was in the process industries 50 years ago. It took incidents like the Texas City refinery explosion to make safety an issue in the Boardroom, the regulators, and industry. Now safety is an integral part of control system design and operation. Hopefully, it doesn't take another 50 years for cyber security to be an accepted part of design and operation.

Nick Miller

AWS Marketplace — US Federal Government, Healthcare & Non-Profit Team Lead at Amazon Web Services (AWS)

7mo

Encouraged to see all the alignment. Agree market economics will drive the path forward on adoption. If CISA can get all the authorizing orgs to agree to a common security standard and international reciprocity — including getting DoD to adopt FedRAMP and scrap CC SRG — CISA will have done what is needed to push “secure by design.” Absent standardization across the international gov accrediting orgs, the commercial market represents much larger and lower-cost customers to acquire for industry. While the gov looks like a large market, because it lacks a standardized approach to security, its purchasing power is greatly diminished. Maybe this latest draft is the non-linear thinking we need to both increase security and decrease the cost of sales into govs? 🤔

Alexander Stein

IT Cybersecurity Specialist

7mo

A product executive understands relatable product concerns and hopefully business financials, on top of their individual conversation. How is secure by design, divorced from their income and employer success, going to be an incentivized focus for them? If they don't need to focus on it, how can we expect them to understand a discipline far afield from their longstanding focuses?

Sarah Fluchs

I engineer & communicate well-dosed OT cybersecurity. | CTO @admeritia | Co-Convenor @ISA/IEC 62443-3-2 | Co-Author of Top 20 Secure PLC Coding Practices

6mo

Vendors won't integrate features no one pays for. They won't feel "urged" by anyone to include features but by their customers (or mandatory government regulation). The problem I see is that the conversation is too black and white. Either security "has been built in" or not. I know companies who have "secure versions" of e.g. programming devices and "normal" ones. Difference? The price tag. Most customers go for the normal one. But there is a huge grey area. Customers will never be willing to pay for "all the features". They pay for the ones that really matter to them. To find out which these are, there is no way around sitting together, vendor and client, finding out how the product will be used, what the most important security goals for the customer are, and how they can be achieved with the least amount of security by design features possible. For that to work, both parties have a responsibility. Vendors need to stop saying "no one will pay for this anyway" and start being transparent about security feature options and their price tag. And customers need to stop throwing around unrealistic security wishlists ("give me SL 4!") and start being transparent about what security goals matter to them.

Clint Huffaker

Thought leader. Advisor. Global Cyber Practice Manager - Application and API Security at World Wide Technology

7mo

We will continue to see a lack of investment in Secure By Design principles until accountability is forced upon manufacturers or OEMs to “stop passing the buck” as Jen Easterly says. If organizations can’t depend on manufacturers and vendors to produce secure code, why should they invest in secure coding themselves? Similarly, if we can’t hold manufacturers accountable for selling insecure products will we ever be able to govern secure coding practices? I believe publicly traded companies and federal agencies should have to disclose all of the security solutions in place during a breach. Not publicly, but reported into a database so consumers can pull reports and see who’s who in the zoo of security vendors in the market today. This could help organizations make more informed investments and put the pressure on vendors to develop safer hardware and software.

Matt T

Federal Senior Intelligence Coordinator

6mo

I think this is why the Cybersecurity Strategy called for Congress to make changes increasing liability exposure for software that's insecure by design. I know that's contentious in and of itself, and I'm not weighing in on the merits there, but it was a recognition that there need to be aligned incentives beyond just pressure to 'do the right thing.'

Ben Tolen

Cyber Security Operations | Cyber Security Advisor | Information Technology Executive | vCISO | AI Media Generation | Founder and CEO

7mo
John Scott

SVP: Proactive Intelligence, Exiger & Ion Channel

7mo

When liability, lawyers and money get involved this will get fixed, or when folks actually hold folks accountable - this is what is missing; there is no market dynamic right now.
