In some very exciting news today, CISA announced their Secure by Design Pledge. The Secure by Design Pledge is a voluntary commitment that was signed by 68 software companies, committing to design their products from the ground up in a more secure way. I’ve linked the full pledge information above, but in a nutshell, the pledge aims to meet seven goals:
- Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturers’ products.
- Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products.
- Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturers’ products.
- Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.
- Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP).
- Within one year of signing the pledge, demonstrate transparency in vulnerability reporting.
- Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturers’ products.
These seven goals represent a massive growth in overall product design maturity and are all desperately needed and missing in many product designs today.
My Thoughts
I was extremely excited to see this news drop. Each of these seven goals, if achieved, would represent an impactful step towards improving the health of the overall software marketplace. Simple steps like increasing adoption of MFA, eliminating default passwords, reducing and being transparent about vulnerabilities, and launching a VDP can go a long way in protecting the masses.
This pledge perfectly represents the goals of Jen Easterly and her agency, secure by default has long been a conversation coming out of them. While this pledge is voluntary in nature, it’s amazing to see so many companies jumping on board and committing to these crucial steps towards better cybersecurity for everyone.
What this Means for MSPs
A question I’ve long asked myself is, once things are “secure by design,” what is the impact on the MSP? Honestly, I think the impact is positive. In today’s landscape, we have to convince our customers to adopt additional security controls. For example, the process of rolling out MFA can be pretty painstaking purely from the standpoint of convincing the humans to embrace it.
A secure by default environment means that MFA is already turned on. The conversation of are you sure you want to remove default security measures is a very different one. You no longer have to start from the standpoint of we need to increase security. It puts a very different lens on the conversation. In fact, I think MSP’s need to leverage this news to drive that transformation ahead of time!
So, long story short. This is something to celebrate. Something that is woefully long overdue and that – in my opinion – sets the stage for more secure by default initiatives to come. Embrace it, show it to your customers, and talk to them about the increasing standards for cybersecurity!
