CISA Encourages Organizations to Adopt a ‘Secure by Demand’ Strategy

One of the US Cybersecurity and Infrastructure Security Agency’s (CISA) flagship initiatives is Secure by Design, launched in 2023. Now, the agency is imploring software customers to take the approach of Secure by Demand.

This was the message delivered by CISA director Jen Easterly during her main-stage talk at Black Hat USA.

“You have to have both the supply side and demand side. The truth is that organizations that procure and deploy software, which is virtually all organizations, can play a leading role in advancing secure by demand,” Easterly said.

“Companies and leaders should be using their purchasing power and voting with their procurement dollars,” she said.

CISA recently launched its Secure by Demand Guide, which lays out questions and resources that organizations buying software can use to better understand a software manufacturer’s approach to cybersecurity and ensure that the manufacturer makes secure by design a core consideration.

The guidance highlights how organizations can integrate product security into various stages of the procurement lifecycle.

“We need to demand more. We need to demand more of technology vendors, to ensure we’re advancing the secure by design revolution,” she said.

In May, a Secure by Design pledge was announced, encouraging software manufacturers to commit to making progress across a range of secure by design principles.

Easterly said that company leaders should be asking if their software suppliers have signed the pledge.

She said the number of signatories is growing, with almost 200 organizations having now made the commitment.

The secure by design movement is gaining momentum, she said, pointing to increasing use of multifactor authentication (MFA), decreasing use of default passwords, and the reduction or complete elimination of whole classes of vulnerabilities among those who have committed to the pledge.

CISA is working with those committed to the pledge to track progress and report transparently in order to demonstrate how the agency is driving down risk in the technology ecosystem.