Secure by Design is likely dead at CISA. Will the private sector make good on its pledge?

Ahead of their talk on Secure by Design at RSAC 2025, CSO caught up with Jason Healey, senior research scholar at Columbia University’s School of International and Public Affairs, and Chris Wysopal, co-founder and chief security evangelist at Veracode, to gauge their predictions for CISA’s program.

Both agreed that secure by design is a concept that predates CISA and will continue in the private sector even if CISA abandons its program. “There might not be a CISA office that’s doing amazing work on this anymore, but the idea that we have to do it is still going to be around, and hopefully we’ll continue some momentum even if we don’t have Bob and Lauren to cheer it on,” Healey told CSO.

Metrics point to slowly improving software security

Healey and Wysopal are big believers in secure-by-design principles, but they concede that few measurements can directly prove that extra effort at the outset of software creation results in more secure products. “How can we, amongst the indicators and metrics we have, across threats or vulnerabilities, across consequences or impacts, understand if we’re shifting” toward more secure software? Healey asked.