In this engaging conversation, Lauren Zabierek, Senior Vice President for the Future of Digital Security at the Institute for Security and Technology and former CISA leader, explores the transformative frameworks of Secure by Design and Secure by Demand. She emphasizes the need for security to be a top business priority, not just a tech issue. Lauren reveals how over 300 companies opted for enhanced security measures and shares crucial questions customers should ask vendors. Plus, she discusses her initiative, #ShareTheMicInCyber, aimed at diversifying the cybersecurity landscape.
26:22
ANECDOTE
Museum Visit Framed The Approach
Lauren describes visiting a flight museum and seeing a safety-by-design exhibit that contrasted past dangerous flight with modern safety.
That experience framed her view that repeatable safety improvements can translate to software.
INSIGHT
Software Safety Has Historical Models
The way safety improved in aviation and automobiles shows a repeatable path for software security: industry, government, and customers aligning their incentives.
Lauren Zabierek argues software can be made safer by shifting market incentives, not just technical fixes.
ADVICE
Commit To Concrete Security Actions
Commit to concrete, measurable security actions like removing whole vulnerability classes and enabling MFA by default.
Use pledges and multi-month roadmaps to make progress visible and accountable.
Welcome to Data Security Decoded. Join host Caleb Tolin in conversation with Lauren Zabierek, Senior Vice President for the Future of Digital Security at the Institute for Security and Technology. A former CISA leader and long-time national security professional, Lauren unpacks the principles of Secure by Design, Secure by Default, and Secure by Demand and how these frameworks are reshaping the software supply chain.
What You'll Learn:
Why security must be a business decision led by executives rather than a technical afterthought
How Secure by Design principles inspired more than 300 companies to eliminate entire classes of vulnerabilities
The economic incentives that drive insecure software and what must change to realign the market
How customers can evaluate vendors and ask the right questions to ensure secure authentication and transparent practices
The role of Secure by Demand in helping buyers assess software safety before and after adoption
Why initiatives like #ShareTheMicInCyber are essential for expanding diversity and innovation across cybersecurity policy
The conversation offers a practical roadmap for executives, CISOs, and technology leaders to integrate secure development practices into business strategy, turning software security from a compliance checkbox into a competitive advantage.
Episode Highlights:
[08:46] Inside CISA’s Secure by Design Pledge
[09:41] The Three Pillars: Secure by Design, Default, and Demand
[11:59] Why Security Is an Economic Issue, Not Just Technical
[15:41] How Customers Can Drive Change Through Secure by Demand
[18:23] The Story and Impact of #ShareTheMicInCyber
Quotes:
"Security has to be a business decision led by business leaders in the company. It should not be an afterthought. It shouldn't just be left to the security team to sort of try to convince the rest of the company that they should do this. It's the company leadership that should say, this is a priority and therefore orient the different resources and priorities around that particular topic."
"Having more secure software is not a technical impossibility. The companies right now are acting rationally in a misaligned market. Secure by Design, at its core, is about shifting those incentives in order to drive a change in behavior."
"Software is what economists would refer to as a credence good. It's very hard to assess the quality of a product or a service both before you consume it and after you consume it. We don't have the criteria or benchmarks to fully assess that, and that’s a problem."
"We looked at really how to provide guidance, and then we also created the Secure by Design pledge. And at the time when we launched it in 2024 at RSA, we had 68 software companies sign on… And then by the time we left, we had over 300 companies sign on. Now this pledge, you know, it addressed certain things like eliminating entire classes of vulnerability. It talked about enabling multifactor authentication by default across product lines. It talked about a vulnerability disclosure policy. Those are just a few things, but you can see that they're very concrete, measurable actions that lead to better outcomes."