Here’s why it’s important to take CISA’s ‘Secure by Design Pledge’ seriously

ANALYSIS: The Cybersecurity and Infrastructure Agency’s (CISA) Secure by Design Pledge shows a lot of promise. CISA’s recommendations for the future are a reflection of the current state of affairs – one in which vulnerabilities run rampant, and organizations struggle to gain visibility into their risk and exposures.

Legacy devices and systems are particularly vulnerable. These older technologies often lack modern security features, making them a prime target for cyberattacks. For example, research reveals that older Windows server OS versions (2012 and earlier) are 77% more likely to experience attack attempts compared to newer Windows Server versions.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Amid such a vulnerable threat landscape – global attack attempts more than doubled in 2023 – there’s an urgent need for organizations to focus on the "boring basics" of cybersecurity to effectively mitigate risks.

A heavy weight on vulnerabilities

The CISA Secure by Design Pledge has seven goals that enterprise software vendors are voluntarily working toward. These include implementing multi-factor authentication (MFA), reducing default passwords, reducing entire classes of vulnerabilities, increasing the installation of security patches, improving vulnerability disclosure policies, publishing CVEs, and offering evidence of intrusions.

More than half of the goals in CISA’s Secure by Design Pledge are focused on mitigating and remediating vulnerabilities. More than 29,000 vulnerabilities were published in 2023. However, more than 80% of exploits are published before CVEs are released, and organizations are only patching 61% of weaponized vulnerabilities.  

Vulnerability disclosure and patch management are a shared responsibility. Vendors can certainly improve their vulnerability disclosure and patch management processes, but ultimately it’s incumbent on security operations to deploy them promptly. Teams need to focus on the fundamentals: the ability to prioritize and operationalize remediation.

Take a holistic approach to prioritization and remediation

Managing risk and exposure presents a multifaceted challenge and visibility stands as an important part of this process. It’s a foundation upon which organizations can identify and mitigate their cyber asset risks, remediate security findings and vulnerabilities, and protect the entire attack surface. That’s why so many common security frameworks like ISO 27001 and CMMC begin with a complete asset inventory. However, visibility alone does not solve the problem.

Organizations must manage the entire lifecycle of threats, prioritizing the vulnerabilities that are most likely to get exploited and negatively impact their business. Unfortunately, organizations relying on the Common Vulnerability Scoring System (CVSS) to remediate their vulnerabilities may waste their time considering that CVSS does not function as a measure of risk.

Instead, organizations need to leverage advanced technologies including AI threat intelligence to find and consolidate security findings, prioritize response, establish ownership, and collaborate with developers and operations stakeholders to remediate and reduce risk.

By implementing these comprehensive measures, organizations can streamline their risk assessment and remediation efforts, reduce the volume of security alerts, and improve their mean-time-to-remediation (MTTR).

Back to the basics

Organizations should deploy tools and technologies that offer a complete view of their network infrastructure that let them detect and respond to threats in real-time. This includes the following:

CISA’s Secure by Design Pledge offers a visionary roadmap for the future of cybersecurity, reinforcing the importance of security operations teams addressing the pervasive vulnerabilities that matter most. By leveraging the principles of the pledge—such as proactive vulnerability management—organizations can fortify their defenses against escalating cyber threats. Ultimately, the success of the Secure by Design Pledge initiative hinges on a fundamental commitment to the "boring basics" of cybersecurity so that all systems, old and new, are resilient against potential attacks.

Nadir Izrael, co-founder and CTO, Armis

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.