At InfoSec World 2025, cybersecurity legend Dr. Ron Ross delivered a message both urgent and transformative: after half a century of progress, the industry has reached a crossroads.Full InfoSecWord 2025 coverage:
As a NIST Fellow and one of the principal architects behind the Risk Management Framework and Systems Security Engineering Guidelines, Ross has shaped much of the foundation upon which modern cybersecurity stands. Yet, as he explained in his session Igniting Change, that foundation itself is showing cracks.“We’ve spent decades doing great work above the waterline — building frameworks, controls, and organizational programs,” Ross said. “But the next generation of security must focus below the waterline — on the hardware, software, and firmware that make up the systems we depend on.”From pacemakers to power plants, the trustworthiness of these core components now defines not just cyber resilience, but the safety and stability of society itself.
Building trust where it begins
Ross described today’s cybersecurity posture as dangerously reliant on “black boxes” — complex technologies whose inner workings remain opaque to users and even to the CISOs responsible for securing them. “You don’t really know what’s happening inside your smartphone, tablet, or laptop,” he noted. “That’s where adversaries exploit complexity. The greater the innovation, the greater the attack surface.”To counter this, Ross urged a return to secure-by-design principles, rooted in trustworthy engineering. He emphasized practices such as memory-safe programming, least privilege, and reduced attack surfaces as nonnegotiable for technology vendors.“Every weakness that slips through development becomes a vulnerability customers must manage later,” he warned. “Industry has to do more on their end to help CISOs sleep better at night.”Ross pointed to the growing interest in Software Bills of Materials (SBOMs) as a positive step toward transparency — but one that barely scratches the surface. He envisions a future where technology products come with clear, standardized “cyber nutrition labels,” outlining how they were built and tested, similar to the safety evolution seen in automobiles.“We wouldn’t accept a car without brakes,” Ross said. “Yet we’re fielding software and systems every day without guardrails.”
The human imperative: Empowering people and diversity
For Ross, the technical challenge of trustworthiness is inseparable from the human one. He used his platform to champion diversity and inclusion as essential ingredients for progress.Reflecting on his time at NIST, he highlighted women leaders who played pivotal roles in advancing national security standards and celebrated his participation in the Women in Cyber summit at InfoSec World. “We need every kind of mind — from engineers to policymakers — to tackle this,” he said. “Diversity of perspective fuels innovation, and this field demands both.”Ross also paid tribute to the professionals who endure the daily pressures of defending critical systems. CISOs and analysts, he said, often bear the brunt of blame when breaches occur, despite working within complex, fast-changing ecosystems.“The dedication of these men and women is unmatched,” he said. “They’re doing incredibly difficult work in a profession that evolves faster than almost any other. They deserve more appreciation — and better tools.”
Engineering the future
Ross’s keynote was less a reflection on the past than a rallying cry for the future. The next era of cybersecurity, he believes, will hinge on visibility, accountability, and human-centered engineering. As AI, automation, and global interconnectivity expand the attack surface, the industry must shift its mindset from reaction to prevention — from patching vulnerabilities to engineering trust into every component that touches a network.“This is a journey,” Ross concluded. “Transparency and trustworthiness won’t happen overnight. But just as cars evolved from seat belts to full safety systems, cybersecurity will evolve too. The question is whether we’ll move fast enough — before the next failure proves we should have started sooner.”
InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.
ThreatLocker Chief Product Officer Rob Allen says misconfigurations are a more common and easily exploitable security vulnerability than sophisticated hacking.
Widespread adoption of artificial intelligence could substantially change U.S. law, several experts said at the InfoSec World 2024 security conference.