As the threat landscape intensifies, organizations are poised to increase their investments in security solutions. Cybersecurity spending is on track to reach $215B by the end of this year, a 14% increase from 2023. When procuring cybersecurity solutions, businesses have more vendors to choose from than ever, with the Cyber Research Databank estimating that there are more than 3,000 cybersecurity vendors worldwide.

The 2023 US National Cyber Strategy emphasized that cybersecurity should be a shared responsibility between IT manufacturers and consumers, both enterprises and individual end users. The US has led the creation of an international emphasis on a secure by design approach to software development. The US and key international partners see the successful implementation of this approach as a crucial competitive differentiator that can help vendors stand out in an increasingly crowded market.

IT manufacturers who prioritize building security into the DNA of their products and services from day one benefit in a variety of ways, ranging from producing more secure offerings that will require less security patching after delivery to building a solid foundation of trust with prospects, customers and partners. Additionally, a secure by design approach should influence an organization's software development processes and how it communicates with customers. Embracing secure by design principles means being transparent about potential risks, proactively disclosing vulnerabilities and sharing actionable steps to help customers improve their cyber resilience.

A call to our industry: The secure by design pledge

Some technology manufacturers make security a core part of their development processes, while others take a more reactive stance. By adopting a secure by design strategy, vendors can minimize the number and severity of vulnerabilities through sound and secure design practices.

The Cybersecurity and Infrastructure Security Agency (CISA) recently outlined the core principles of adopting a secure by design approach within a vendor's organization. The white paper articulates three goals for vendors: owning customer security outcomes, embracing radical transparency and accountability, and making the advancement of secure by design principles a priority at the highest level of the organization.

To further encourage technology manufacturers to adopt stronger security practices, CISA recently released its Secure By Design pledge, a voluntary commitment for organizations committed to upholding key secure by design development practices for enterprise software. The pledge states seven goals, articulating why each is important in CISA’s view and providing some exemplars of how each goal could be implemented and how success could be measured. Pledge items include encouraging the use of multifactor authentication (MFA) by customers, reducing the use of default passwords, focusing on mitigating the impact of entire vulnerability classes and promoting greater transparency in vulnerability reporting. To date, more than 70 technology manufacturers have taken the pledge.

Demonstrating progress toward this commitment

Like most successful organizational change, enhancing cybersecurity practices and embracing greater transparency will take time and a commitment driven from the top within each implementing company. However, the pledge was designed to enable technology manufacturers working toward making these changes to readily share the progress they're making along their journey. CISA's Secure By Design pledge offers numerous examples of how vendors can demonstrate progress toward these goals. Here are just a few examples:

  • Demonstrating measurable progress toward increased MFA adoption by showcasing a change in customers’ use of MFA across their products, or by making changes to the product itself (enabling MFA by default)
  • Publishing a memory-safe roadmap for different classes of vulnerabilities
  • Sharing aggregate statistics of patch adoption across product lines
  • Publishing or updating a vulnerability disclosure policy
  • Documenting or updating policies relating to log retention

The purpose of the pledge is to complement and build on existing software security best practices, including those developed by CISA and other federal agencies as well as international and industry best practices. There are many steps technology vendors can take today to work toward adopting or enhancing their secure by design posture.

Increasing customer demand for secure by design products

Every vendor should be responsible for security at all stages of the product development lifecycle. Bug-free software is unlikely to be achieved — at least in the short term — and every vendor should practice what CISA calls radical transparency, proactively disclosing security vulnerabilities in their products. As the threat landscape grows more challenging, looking for products from a vendor that has embraced secure by design and can show their progress will be more than a “nice to have” feature when customers are procuring software.

CISA and its US and international partners intend to do their part to ensure that IT is increasingly based on products and services that are secure by design. Implementing the secure by design philosophy within IT products needs to start at the design phase. For individual customers, it needs to drive vendor selection and procurement. Improving our performance as an industry on secure by design and ensuring transparency in the marketplace will enable more security-informed purchases and should drive improvement in our security as a nation.

Read about Fortinet’s long-standing commitment to proactive, responsible radical transparency, most recently as an early signer of the CISA Secure by Design pledge.

Learn more about Fortinet's commitment to product security and integrity, and read this recent blog post on the company’s longstanding commitment to responsible product development and its vulnerability disclosure approach and policies.