Fasten your seat belts: A new cybersecurity plan is set to make a change

April 2, 2024

Pieter Danhieux, Co-Founder and CEO, Secure Code Warrior, discusses the need for leadership when it comes to cybersecurity and why the Cybersecurity and Infrastructure Security Agency (CISA) could be the answer.

Amid the digital chaos, we need skilled teams to prevent potential security crises from spiralling out of control.

Security professionals face an overwhelming workload, juggling more tasks than ever before.

The need for leadership

But we need more than small teams working hard to keep everything secure.

We also need leadership. In this regard, the CISA has been a beacon of hope: It has made a remarkable impact, far exceeding the achievements of most government agencies despite its relatively short existence.

CISA’s achievements to date are vital to counter the exponential growth of cyber threats, with attackers increasingly adept at breaching and exploiting systems.

Under these circumstances, the agency takes a crucial leadership role in the fight against threat actors, tracking trends and advising on best practices for the cybersecurity industry at large.

But CISA can’t afford to rest on its laurels. And it hasn’t.

Cybersecurity strategy

Until now, CISA hadn’t released a comprehensive strategy, making the CISA 2024-2026 Cybersecurity Strategic Plan a pivotal moment.

The guidelines offer a well-defined direction for cybersecurity efforts over the coming years.

Many threat actors find success by exploiting older software vulnerabilities.

Jonathon Ellison, Director of Resilience and Future Technology for the National Cyber Security Centre, says that in order to bolster resilience, organisations must be encouraged to apply all security updates promptly and call on software vendors to ensure security is at the core of their product design.

CISA’s plan doubles down on this and explicitly sets out the responsibility of software and technology creators to ensure the security of their own products.

This doesn’t imply that vulnerabilities will disappear entirely — human error will always be a factor.

However, by putting software security at the heart of every organisation’s strategy, these errors can be significantly reduced.

This is not a mere proposal; it’s a plan with far-reaching implications.

CISA is firmly committed to influencing all cybersecurity-related decisions an organisation makes.

An act of authority—or an opportunity

Regulations

Organisations may feel apprehensive at the idea of additional regulations—there are, after all, multiple regulations in place already when it comes to cybersecurity.

Here in the UK, we have a comprehensive framework designed to protect the nation’s digital infrastructure and safeguard its citizens’ data, including NIS, GDPR and more.

That said, CISA’s plan shouldn’t be viewed with resentment—simply, a smarter approach is required.

Ultimately, CISA’s measures work in an organisation’s best interest by safeguarding its software.

When teams prioritise secure software development and ensure its resilience before deployment, businesses eliminate opportunities for attackers and enhance overall security, benefiting everyone.

Only the attackers are left empty-handed if the code that makes up the majority of software is designed as securely as possible – before heading over to a production environment.

Even outside the US, organisations should not only accept the CISA guidance, but place developers at the heart of their security operations.

The agency is creating an opportunity to do more than just the bare minimum to remain compliant, through internal restructuring that refocuses on secure development.

However, this is a marathon, not a sprint – developers can’t comply without the support of the entire organisation, especially their upper management and security leaders.

Essential training

In order for developers to gain the confidence to be the front line of defence, they’ll need to receive essential security training to shift their mentality to become more security conscious.

Guiding developers to understand vulnerabilities, how to write secure code and how to recognise problems long before they get to a production environment will be the key to organisations ultimately taking responsibility for shipping code.

Fostering this culture of security is something that many businesses desire, but may need a nudge to fully adopt.

Many developers are ready for this change: Our survey of professional developers around the world found that the vast majority were very keen on developing more secure code and doing so as part of an improved security culture within their organisations.

There is pressure for change from above (and from within), meaning it is now in the hands of senior leaders to lead this change.

The CISA plan should be seen as a north star, guiding us on a path to a safer future.
