Data Security Decoded

Secure by Design, Secure by Default, Secure by Demand


Welcome to Data Security Decoded. Join host Caleb Tolin in conversation with Lauren Zabierek, Senior Vice President for the Future of Digital Security at the Institute for Security and Technology. A former CISA leader and long-time national security professional, Lauren unpacks the principles of Secure by Design, Secure by Default, and Secure by Demand and how these frameworks are reshaping the software supply chain.

What You'll Learn:

  • Why security must be a business decision led by executives rather than a technical afterthought

  • How CISA's Secure by Design pledge drew more than 300 signatories committing to concrete actions such as eliminating entire classes of vulnerabilities

  • The economic incentives that drive insecure software and what must change to realign the market

  • How customers can evaluate vendors and ask the right questions to ensure secure authentication and transparent practices

  • The role of Secure by Demand in helping buyers assess software safety before and after adoption

  • Why initiatives like #ShareTheMicInCyber are essential for expanding diversity and innovation across cybersecurity policy

The conversation offers a practical roadmap for executives, CISOs, and technology leaders to integrate secure development practices into business strategy, turning software security from a compliance checkbox into a competitive advantage.

Episode Highlights:

[08:46] Inside CISA's Secure by Design Pledge

[09:41] The Three Pillars: Secure by Design, Default, and Demand

[11:59] Why Security Is an Economic Issue, Not Just Technical

[15:41] How Customers Can Drive Change Through Secure by Demand

[18:23] The Story and Impact of #ShareTheMicInCyber


Quotes:

  • "Security has to be a business decision led by business leaders in the company. It should not be an afterthought. It shouldn't just be left to the security team to sort of try to convince the rest of the company that they should do this. It's the company leadership that should say, this is a priority and therefore orient the different resources and priorities around that particular topic."

  • "Having more secure software is not a technical impossibility. The companies right now are acting rationally in a misaligned market. Secure by Design, at its core, is about shifting those incentives in order to drive a change in behavior."

  • "Software is what economists would refer to as a credence good. It's very hard to assess the quality of a product or a service both before you consume it and after you consume it. We don't have the criteria or benchmarks to fully assess that, and that's a problem."

  • "We looked at really how to provide guidance, and then we also created the Secure by Design pledge. And at the time when we launched it in 2024 at RSA, we had 68 software companies sign on… And then by the time we left, we had over 300 companies sign on. Now this pledge, you know, it addressed certain things like eliminating entire classes of vulnerability. It talked about enabling multifactor authentication by default across product lines. It talked about a vulnerability disclosure policy. Those are just a few things, but you can see that they're very concrete, measurable actions that lead to better outcomes."


Episode Resources

  • Caleb Tolin on LinkedIn

  • Lauren Zabierek on LinkedIn

  • Institute for Security and Technology (IST)

  • Secure by Demand Guide from CISA


Data Security Decoded, a podcast by Rubrik