Secure by Design: Why You Shouldn’t Have to Be a Security Expert

Sarah Huard

January 28, 2026

Reading time: 5 minutes

Bob Lord and Lauren Zabierek discuss the principles of Secure by Design

For decades, the cybersecurity industry has framed digital safety as your problem to solve. Create stronger passwords. Enable multi-factor authentication. Monitor for threats. Patch everything. The industry places the burden on users because the threatscape is expansive, and constantly changing.

Secure by Design flips that paradigm. It shifts responsibility from consumers to the companies building new technology.

In a recent episode of What the Hack, Bob Lord and Lauren Zabierek, both formerly of CISA and architects of the Secure by Design movement, explained why this shift needs to happen. Automakers create crumple zones to protect against impact. Food companies are rigorously inspected for safety before their offerings can get in front of a consumer. The same goes for big pharma. 

No one expects consumers to be experts in those fields. So why does cybersecurity work differently?

The Ralph Naders of cybercrime

Bob and Lauren were the public faces of the Cybersecurity and Infrastructure Security Agency (CISA) “Secure by Design” initiative. Bob has now become the industry’s leading skeptic of “hacklore,” or fear-based, outdated cybersecurity advice, and Lauren has 22 years of national security experience.

So of course this episode began with a discussion of car safety and Ralph Nader’s Unsafe at Any Speed, which famously explores the safety of cars in the 1960s. Bob’s point was that the safety problems that plagued cars in the 60s look a lot like the way software works today.

There was a time when the risk of serious bodily injury in a car accident was simply understood and expected. In the 1960s, if you bought a Chevrolet Corvair, it was known to flip over in tight turns. The solution was to buy an optional part in a magazine and bolt it onto the bottom of your car. By today’s standards: not a solution. 

Yet that’s how we treat cybersecurity. We buy software and then bolt on MFA, download security patches, and follow complex guidelines to keep our data safe. Meanwhile, most of those vulnerabilities are known and have been for the past two decades, but they still cause the vast majority of breaches. We’ve been living in the 1960s of the software industry, with no change in sight. 

Who is to blame?

The next logical question is, if these are mostly known vulnerabilities we’re talking about, why haven’t they been solved already? 

Follow the money. In almost every other sector, if a product has a design defect that causes harm, the manufacturer is liable. Software companies, however, enjoy unique liability protections. Their End User License Agreements (EULAs) essentially say there’s no warranty and you can’t sue them if it breaks. 

Manufacturers don’t shoulder the cost of a breach. It’s passed down to users and smaller businesses. Safety over speed-to-market is no contest: Speed wins every time. Meanwhile, security remains voluntary rather than an absolute requirement, and staying safe is the end user’s problem.

Bob pointed to the villains of cybersecurity, who too often get glamorized in the cyber war narrative. Vulnerabilities and attacks get clever names like “zero-day vulnerability,” while solutions like Secure by Design remain largely unknown and ignored.

But there could be a comeback on the horizon. 

What needs to change

The Secure by Design movement isn’t policy yet—it’s a framework, a set of principles CISA has advocated for without enforcement power. But if it ever becomes the standard we hold technology companies to, here’s what would need to change:

  • End Liability Protections for Known Vulnerabilities: Software companies currently hide behind license agreements that absolve them of responsibility when their products fail. If a car manufacturer sold vehicles with known brake defects, they’d face massive liability. The same standard needs to apply to software. Also: Companies should bear the cost of breaches caused by vulnerabilities they knew about and failed to fix.
  • Require Security by Default: Products should be shipped secure out of the box, and not require users to configure settings or bolt on additional tools for security. If a feature creates risk, it shouldn’t be enabled by default. The goal is the elimination of known, preventable vulnerabilities that cause the majority of breaches.
  • Establish Regulatory Standards: Automotive, food, and pharmaceutical industries all operate under mandatory safety standards. Software has largely avoided this level of scrutiny. Secure by Design would mean independent auditing, mandatory disclosure of security practices, and consequences for companies that consistently fail to meet basic standards.
  • Shift Financial Consequences Upstream: Right now, the cost of poor security falls on users and small businesses. Secure by Design would reverse that—making manufacturers absorb the consequences of their design failures rather than passing them downstream to the least equipped to handle them.

This is about a mindset change more than anything else. We need to stop shaming victims for not patching fast enough and start shining a light on the vendors who make the software where these intrusions are currently “inevitable.” It’s time to stop letting the burden of an entire industry’s design failures rest on consumers’ shoulders.

For far too long, software companies have treated safety as an aftermarket problem, forcing users to act as the company’s security detail for mistakes that were avoidable. The industry knows how to build safer software. The tools to eliminate entire classes of vulnerabilities exist. What’s missing is accountability.

The transition to a safer digital world requires holding the manufacturers to the same standards we expect from our cars, our food, and our medicine. It’s time to move the responsibility for staying safe upstream to the technology companies that are best positioned to eliminate risks at the source, instead of downstream to consumers who are not equipped to manage them.
