Blog September 6, 2024

CISA’s Secure By Design: A Year Later

by Steve Cobb

In April this year, the CISA Secure By Design initiative turned one. The initiative calls for the public and private sectors to work together to challenge and encourage software manufacturers to adopt principles that ensure their software is designed, developed, and shipped as securely as possible. The pledge lists seven goals; companies that sign it commit to making measurable progress towards those goals and to reporting that progress transparently.

A recent review of the Pledge Signers shows that 199 companies have committed to the pledge. When SecurityScorecard signed earlier this year, there were far fewer signers than there are today. While that growth is a positive sign, it is disheartening that, given the vast number of software manufacturers, only 199 companies have agreed to participate in the initiative.

Regardless, we applaud the dedication and intentional focus that CISA has displayed in launching this initiative and getting some of the largest companies in the world to sign their pledge. We all believe that improving one’s cybersecurity program is an ongoing process and can’t occur in a vacuum. We especially appreciate the opportunity to collaborate with other vendors facing the same challenges and to be held accountable by industry peers to do everything possible to produce safe and secure products for our customers.

In addition to the seven goals in the pledge, SecurityScorecard considers supply chain risk management and privileged access management to be two further areas that deserve considerable focus. SecurityScorecard data shows that:

  • 99% of Global 2000 companies are directly connected to a supply chain breach.
  • Supply chain incidents cost 17x more to remediate and manage than first-party breaches. 
  • The estimated total losses from Global 2000 breaches ranged between $20 billion and $80 billion over 15 months.

Those of us in the software manufacturing industry are all too familiar with these statistics, because many of those breaches affected our peers. And while those breaches may have originated as a supply chain risk, more likely than not the attacker abused credentials to escalate privileges, move laterally across the environment, or establish a foothold. Software manufacturers must address these two areas with the same rigor as the seven goals presented by CISA.

In the coming months, we will publish more blogs that address our approach to each of the seven goals that make up the CISA Secure By Design pledge and two others that we consider critical. We look forward to our colleagues challenging us on our approach and the opportunity to help others. At SecurityScorecard, we want to get better and are fully aware that doing that as a community can offer benefits to the industry that are difficult to achieve in isolation.

In closing, SecurityScorecard celebrates the first anniversary of CISA’s Secure By Design initiative, and we encourage more of our industry peers to sign the pledge and join us in providing safer and more secure offerings to our customers.