By Jim Richberg, Global Field CISO, Fortinet
Enhancing cyber resilience has long been a shared responsibility. Entities across public and private sector organizations, from government to academia to end-users, all play a critical role in protecting our collective digital infrastructure.
Yet, as the threat landscape grows more complex while organizations of all sizes adopt new technologies at an unprecedented rate, technology vendors are uniquely responsible for delivering secure products and systems.
A Crucial Tool for Advancing Cybersecurity for All
Secure by design is an approach to product development that vendors must embrace, one that makes security a foundational component of the design and development process rather than an afterthought.
The Cybersecurity and Infrastructure Security Agency (CISA) introduced this concept as part of its work to implement the 2023 U.S. National Cybersecurity Strategy. The national strategy recognized the need for a fundamental shift in how the United States should allocate cyberspace roles, responsibilities, and resources. It highlighted the need to “rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, local governments, and infrastructure operators, and onto the organizations that are most capable and best positioned to reduce risks for all of us.” Technology vendors must take ownership of customer security outcomes and embrace radical transparency and accountability.
While some technology providers, including Fortinet, have applied these principles to their product development processes for decades, secure by design remains an important but underappreciated tool for improving cybersecurity.
Today, secure by design must remain a priority for our industry. Even as political landscapes shift, advancing our collective cyber resilience benefits everyone.
CISA’s Secure by Design Pledge Sparks Momentum Across the Industry
Since the inception of the secure-by-design philosophy, CISA has introduced several initiatives to encourage the adoption of these principles, one of which is the Secure by Design Pledge. This voluntary pledge is for organizations that commit to upholding key secure-by-design development practices for enterprise software. I was pleased to be one of the leaders in the extensive collaboration with CISA to develop its secure-by-design principles and pledge. Last month, I was honored to join CISA and receive the Institute for Security and Technology’s 2025 Cyber Policy Award in the U.S. Domestic Policy Impact category for our efforts in creating the Secure by Design Pledge.
The pledge was introduced in May 2024, with 68 companies initially signing. By the end of last year, that number had jumped to more than 250 signatories. This positive reception to the pledge marked an important step forward in the dynamics of the cybersecurity marketplace. The pledge made the abstract concept of secure by design usable by offering software companies a roadmap to enhance product security and a guide for customers to use during the procurement process.
Secure by Design Is an “On Ramp” to Stronger Cyber Resilience
While developing the pledge, CISA and its industry collaborators agreed that this would be an “all or nothing” undertaking rather than one that allowed vendors to choose which goals to pursue. Because the desired outcomes were straightforward, the pledge could be designed to give signatories the freedom to tackle the goals as they saw fit rather than prescribing a specific path. We also knew that the goals should generate measurable outcomes and readily understandable measures of progress that vendors could share with prospects and customers.
As a result, the pledge is envisioned as an “on-ramp” that technology vendors can use to enhance their customers’ security, offering a meaningful and flexible guide for implementing secure-by-design practices. The pledge and its goals also give purchasers a much-needed resource for examining vendor and product cybersecurity during procurement. Technology buyers can use the pledge as a starting point by asking the vendors whose products they are considering whether they have taken the pledge and, if so, what they can share about how they are implementing its principles.
What’s Next for Secure by Design
Secure by design is a valuable tool for enhancing our collective cybersecurity by using market forces. While it’s encouraging that many vendors have embraced these principles, more work is required. Technology buyers must also demand that their vendors embrace secure by design and that they share their progress in meeting pledge goals.
As a company, we look forward to continuing to work with our partners in both the public and private sectors to advance the secure-by-design philosophy. Together, we will build a safer and more resilient digital future for all.