Recent Updates to the Secure-by-Design, Secure-by-Default Standards

November 1, 2023, Hi-network.com

In today's rapidly evolving world of cybersecurity, given the growing number of threats and adversaries and the cybersecurity skills shortage, organizations need to work with vendors who are taking ownership of security management by removing the burden of operating a secure infrastructure. This starts with developing and deploying solutions built on secure-by-design, secure-by-default principles.

This month, the Cybersecurity & Infrastructure Security Agency (CISA) and 17 U.S. and international partners published an update to the joint Secure by Design product, "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software." According to CISA, this updated guidance "expands on three core principles: Take Ownership of Customer Security Outcomes, Embrace Radical Transparency and Accountability, and Lead From the Top."

To make this happen, the foundation of any Secure Product Development Lifecycle (SDLC) must include secure-by-design and secure-by-default principles. At Fortinet, this concept is applied at the earliest stages of development and is part of our SDLC policy and the associated 10 Fortinet principles. We believe this should be the case for all security vendors.

Secure by Design

Secure by design is a fundamental approach to cybersecurity that ensures security is not applied as an afterthought but instead is an integral part of the development process. Security must be embedded in the very DNA of every product, application, and service. When something is secure by design, it's constructed with the awareness that security should be a natural function of the solution, not something that needs to be added later.

Why Is Secure by Design so Critical for Cybersecurity Vendors?

By adopting a secure-by-design strategy, cybersecurity vendors ensure that their solutions are inherently robust, minimizing vulnerabilities from the outset and reducing the need for patches and updates. When security is inherent in the design process and techniques such as threat modeling are employed before a line of code is written, the risks of breaches, vulnerabilities, and costly security incidents are significantly reduced.

Such secure design practices can help vendors build and, importantly, maintain trust with their customers, something essential in an industry where trust can be lost faster than it can be built.

Secure by Default

Secure by default takes the idea of secure by design a step further. When a customer deploys a cybersecurity solution, it should already be configured with the most secure settings set as the default. IT teams can then consciously choose to relax specific security settings rather than having to enable them. This is the opposite approach of most traditional solutions, which have been based on making systems easy to deploy and then requiring the customer to work out how to harden the solution, often leaving critical systems unprotected.

The Benefits of Secure by Default for Cybersecurity Vendors

Secure by default flips the table, making it so the user doesn't need to be a cybersecurity expert to ensure their protection. Instead, making security the default configuration means organizations are protected from the get-go, without configuring complex settings. This minimizes the potential for human error while improving protection and speeding up deployment.

By implementing security best practices at the start, secure by default delivers more user-friendly security, ensuring that organizations are well-protected out of the box, thereby improving customer satisfaction.

A New Approach Is Required When Implementing Secure by Design and Secure by Default

With this new paradigm in place, configuring a cybersecurity solution may require starting with a default secure implementation and then making adjustments for individual users needing to operate within the expanding attack surface.

Overall, these investments are worthwhile for vendors and customers, as they prevent configuration issues that can lead to breaches while helping maintain customer trust and the secure-by-design and secure-by-default protections.

Conclusion

Fortinet has been on a journey toward implementing these objectives for several years. It is timely and reassuring that CISA, NSA, the UK NCSC, Canada's CCCS, Australia's ASD/ACSC, and several other organizations have taken the crucial step of proactively recommending that all vendors adopt a secure-by-design, secure-by-default methodology as an integral part of their product and services development life cycle. These new standards will guide vendors in contributing to a safer digital environment for all.

If you or your organization want to buy secure products, ask your vendors how their products meet these new secure-by-design, secure-by-default principles. A vendor adopting these crucial standards will help ensure your investments remain secure despite today's rapidly changing threat landscape.
