Secure by Design, Secure by Default, Secure by Demand

Welcome to Data Security Decoded. Join host Caleb Tolin in conversation with Lauren Zabierek, Senior Vice President for the Future of Digital Security at the Institute for Security and Technology. A former CISA leader and long-time national security professional, Lauren unpacks the principles of Secure by Design, Secure by Default, and Secure by Demand and how these frameworks are reshaping the software supply chain.

What You'll Learn:

• Why security must be a business decision led by executives rather than a technical afterthought

• How Secure by Design principles inspired more than 300 companies to eliminate entire classes of vulnerabilities

• The economic incentives that drive insecure software and what must change to realign the market

• How customers can evaluate vendors and ask the right questions to ensure secure authentication and transparent practices

• The role of Secure by Demand in helping buyers assess software safety before and after adoption

• Why initiatives like #ShareTheMicInCyber are essential for expanding diversity and innovation across cybersecurity policy

The conversation offers a practical roadmap for executives, CISOs, and technology leaders to integrate secure development practices into business strategy, turning software security from a compliance checkbox into a competitive advantage.

Episode Highlights:

[08:46] Inside CISA’s Secure by Design Pledge

[09:41] The Three Pillars: Secure by Design, Default, and Demand

[11:59] Why Security Is an Economic Issue, Not Just Technical

[15:41] How Customers Can Drive Change Through Secure by Demand

[18:23] The Story and Impact of #ShareTheMicInCyber

Quotes:

• "Security has to be a business decision led by business leaders in the company. It should not be an afterthought. It shouldn't just be left to the security team to sort of try to convince the rest of the company that they should do this. It's the company leadership that should say, this is a priority and therefore orient the different resources and priorities around that particular topic."

• "Having more secure software is not a technical impossibility. The companies right now are acting rationally in a misaligned market. Secure by Design, at its core, is about shifting those incentives in order to drive a change in behavior."

• "Software is what economists would refer to as a credence good. It's very hard to assess the quality of a product or a service both before you consume it and after you consume it. We don't have the criteria or benchmarks to fully assess that, and that’s a problem."
  

• "We looked at really how to provide guidance, and then we also created the Secure by Design pledge. And at the time when we launched it in 2024 at RSA, we had 68 software companies sign on… And then by the time we left, we had over 300 companies sign on. Now this pledge, you know, it addressed certain things like eliminating entire classes of vulnerability. It talked about enabling multifactor authentication by default across product lines. It talked about a vulnerability disclosure policy. Those are just a few things, but you can see that they're very concrete, measurable actions that lead to better outcomes."

  
  

  Episode Resources

• Caleb Tolin on LinkedIn

• Lauren Zabierek on LinkedIn

• Institute for Security and Technology (IST)

• Secure by Demand Guide from CISA