In the ever-changing landscape of cybersecurity, experts are increasingly advocating for Secure-by-Design principles to address the accelerating challenges of today’s digital world.
The concept emphasises embedding security into software from the beginning of the development process in a shift that reflects a significant maturation of the cybersecurity industry.
Cybersecurity’s early days were dominated by the fight against viruses and worms, which mostly targeted individual users. By the late 1990s, the antivirus industry had grown into a $2 billion market aiming to protect against rapidly evolving threats.
Today, this once small industry has ballooned into a $2 trillion sector encompassing a range of disciplines, largely fuelled by the digital transformation of businesses and an ever-growing reliance on software-driven operations.
From banks to energy companies, almost every major sector now operates on software platforms. This shift has made cybersecurity crucial across industries, but many companies still rely on outdated security programs, which have not kept up with the volume of code produced and the increasing number of cyber threats.
A watershed moment
The US Cybersecurity and Infrastructure Security Agency’s (CISA) release of Secure-by-Design guidelines in 2023 marked a turning point. The guidelines aim to push companies to prioritise security early in the software development lifecycle (SDLC).
For years, efforts like the “shift left” movement—which encourages security practices to be integrated as early as possible in development—have faced cultural resistance. Developers and security teams have often clashed over methodologies and tools, slowing progress toward truly secure systems and software architecture.
The Biden Administration’s National Cybersecurity Strategy further underscored this shift, encouraging a rebalance of responsibility. The strategy emphasises placing more responsibility on larger corporations and software vendors, rather than small businesses and individual users, to reduce cybersecurity risks in their digital products before they ship.
This approach aligns with regulatory frameworks such as Europe’s General Data Protection Regulation (GDPR), which stresses accountability in data protection.
Challenges in implementation
Security leaders consistently point to the difficulty of scaling an enterprise security program, especially the elements that depend on continuously upskilling and assessing individual staff.
A major challenge in implementing Secure-by-Design principles is determining accountability across the SDLC. Today’s environments are complex: legacy code, long-lived systems and multi-team development cycles mean that code passes through many hands as it is created, updated and tested.
This complexity makes consistent secure coding hard to enforce, opening the door to vulnerabilities, unvetted third-party code and rushed releases. Under pressure to ship new products quickly, some companies have deprioritised security and released software with known weaknesses.
What’s required is a combination of a general uplift in security culture and upskilling of developers, so that developers and security professionals are on the same page.
Upskilling is the foundation of Secure-by-Design
For Secure-by-Design principles to take root, companies must invest in upskilling their developers in secure coding practices. This is essential because most developers have never been taught to write secure code and cannot be expected to do so independently. Continuous education and a supportive organisational structure can build the competencies required for secure software creation.
An effective Secure-by-Design strategy involves a multi-pronged approach to developer training, covering direct education, tool optimisation, and oversight across the SDLC. Upskilling developers through tailored training programs not only enhances individual security performance but also builds a workforce capable of consistently delivering secure software.
The global embrace of Secure-by-Design
Secure-by-Design principles are gaining traction globally, with countries such as Australia, New Zealand, Germany and Japan adopting similar cybersecurity strategies. These international efforts encourage the adoption of memory-safe programming languages and secure defaults for developers, minimising classes of vulnerability such as SQL injection. In Australia, for example, the Essential Eight framework covers a range of controls that security teams need to consider, including application control (who can run what, and where), regular data backups, software patching, deployment of multi-factor authentication, and restriction of administrative privileges.
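The SQL injection point above is worth seeing concretely. The following is an added example, not code from the article or from any of the guidance it cites: a lookup built by string formatting beside the parameterised form, plus a small wrapper that applies the secure default by only exposing pre-written, placeholder-only statements so that the unsafe path is not available to application code at all. The table, the rows and the query names are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example: a minimal users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable: caller-controlled text is spliced into the SQL statement,
    # so a quote in the input changes the statement's structure.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Hardened: the statement is fixed; the value is bound as data and
    # can never be parsed as SQL, whatever characters it contains.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


class PreparedQueries:
    """Secure-by-default data access layer (hypothetical helper for this example).

    Application code can only run statements registered here by name, all of
    which use ? placeholders. There is no method that accepts raw SQL text,
    so the string-building mistake in lookup_unsafe cannot be made.
    """

    STATEMENTS = {
        "user_by_name": "SELECT username, role FROM users WHERE username = ?",
        "users_by_role": "SELECT username, role FROM users WHERE role = ?",
    }

    def __init__(self, conn):
        self._conn = conn

    def run(self, name, *params):
        try:
            sql = self.STATEMENTS[name]
        except KeyError:
            raise ValueError(f"unknown query {name!r}") from None
        expected = sql.count("?")
        if len(params) != expected:
            raise ValueError(f"{name!r} takes {expected} parameter(s), got {len(params)}")
        return self._conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"   # classic tautology payload, used as the username
    print("unsafe, alice:  ", lookup_unsafe(db, "alice"))
    print("unsafe, payload:", lookup_unsafe(db, payload))   # dumps every row
    print("safe, payload:  ", lookup_safe(db, payload))     # matches nothing
    q = PreparedQueries(db)
    print("prepared, payload:", q.run("user_by_name", payload))
    print("prepared, admins: ", q.run("users_by_role", "admin"))
```

Running it shows the unsafe lookup returning all three users for the payload while the parameterised versions return an empty result; the wrapper additionally rejects unknown statement names and wrong parameter counts, which is the kind of default that lets a developer get the right behaviour without having to remember the rule.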
Despite this momentum, many organisations are still in the early stages of implementing Secure-by-Design practices. Data from Secure Code Warrior, a platform specialising in cybersecurity education, reveals that 57% of companies in the financial and IT sectors have embraced Secure-by-Design initiatives, suggesting that regulated sectors with a history of cybersecurity compliance are leading the charge.
The future of cybersecurity maturity
To achieve a high level of cybersecurity maturity, organisations must move beyond reliance on security tools and AppSec experts, embracing a culture of security at all levels. Effective Secure-by-Design adoption depends on building a security-conscious workforce through structured, ongoing education and incentives that encourage developers to take ownership of their security practices.
In many companies, the journey to a mature security posture begins with identifying security gaps and implementing bug bounties to uncover high-risk vulnerabilities.
However, these efforts often fall short if they fail to address root causes. Without a strong foundation in secure coding practices, organisations may continue to experience breaches, highlighting the need for a proactive approach centred on Secure-by-Design.
Ultimately, the success of Secure-by-Design initiatives relies on the ability of companies to cultivate security skills within their development teams. As cybersecurity threats grow more complex, the Secure-by-Design movement represents a critical step toward more robust protection in an increasingly digital world.
By embedding security into the software creation process and fostering a security-first culture, organisations can better protect their assets, uphold regulatory requirements, and reduce the impact of cyberattacks.
The Secure-by-Design approach may not eliminate all cybersecurity risks, but it represents a strategic evolution for an industry that must keep pace with the modern digital ecosystem.