Secure by Design is just the start, CISA official says


Incorporating a Secure by Design framework is just the start to engineering a threat-resilient digital environment, per officials helming the initiative at the Cybersecurity and Infrastructure Security Agency. 

Speaking during the Critical Effect cybersecurity conference in Washington, D.C., Kirk Lawrence, CISA’s program manager for its Secure by Design initiative, said that implementing its principles is akin to “locking the front door” when securing a house: a first step.

“It doesn’t mean that your place can’t get broken into, that someone can’t come steal your stuff, but they [have] to work a little harder now to have a different set of skills,” Lawrence said. “Secure by Design is not the end of risk. It’s the start of resilience.”

He specified that threat detection and national coordination efforts are weak spots in the Secure by Design architecture, but it remains “a good first step” in creating a cybersafe ecosystem. 

Lawrence also previewed CISA’s ongoing effort to articulate the business benefits of Secure by Design. The core aim of this effort is to give a technology project owner talking points on Secure by Design for communicating its value to the C-level executives in their organization and winning their support.

“One of the key principles that we’ve advocated since the beginning is that it’s not going to happen unless you have executive buy-in, which is one of the very first steps to having effective Secure by Design,” Lawrence said. 

Regarding a deliverable timeline, he estimated that a business case for Secure by Design will be ready within the coming six months. 

Lawrence’s comments follow the departure of two former leaders of the Secure by Design initiative, Bob Lord and Lauren Zabierek, in mid-April. President Donald Trump has also issued a new executive order that changes cybersecurity policies outlined in two previous executive orders issued under the Biden administration. 

Updated cyber provisions notably include an August 1, 2025 deadline for the director of the National Institute of Standards and Technology to establish a consortium within the National Cybersecurity Center of Excellence to develop secure software development guidance based on the Secure Software Development Framework.

That framework, published by NIST in 2022, notably calls for organizations to adopt Secure by Design principles. 

“Addressing security requirements and risks during software design (secure by design) is key for improving software security and also helps improve development efficiency,” the document reads. 
