Saturday, February 22, 2025

Ensuring Accountability in Software Procurement: A Vision for 2025

The software security landscape is evolving, and we can learn a lot from the automotive industry of the 1960s. Back then, manufacturers improved car safety with innovations like seatbelts and crumple zones. These design changes saved lives much more effectively than just reacting to accidents after they happened.

Software providers need to adopt a similar mindset. They should prioritize building secure solutions from the start, shifting from a reactive approach to proactively addressing growing cyber threats. To do this, they must navigate the complex web of industry standards, embrace tools like Cyber Protection Level Agreements (CPLAs), and manage services throughout the software’s life.

There are currently many security frameworks around the globe, including ISO/IEC 27001, the NIST Cybersecurity Framework, and OWASP guidance such as the Application Security Verification Standard. Organizations often try to adhere to these, but those operating across different regions find overlapping and sometimes conflicting standards. This complexity complicates compliance, especially for Chief Information Security Officers (CISOs) evaluating suppliers, who worry that a supplier can satisfy one framework on paper while leaving gaps that another framework would have caught.

Supply chain attacks—like the SolarWinds breach, in which a compromised build process shipped a trojanized update to customers as a legitimately signed release—highlight the serious risks involved. These incidents can lead to significant operational disruptions, legal consequences, and a loss of trust with stakeholders. Establishing more consistent standards would not only help mitigate these dangers but also make compliance easier.

CPLAs serve as a practical solution by detailing security commitments from suppliers in procurement contracts. They outline clear, measurable standards around things like vulnerability assessments and incident reporting. This clarity helps prevent suppliers from skimping on security and ensures a consistent level of protection.

Here are some key components to include in CPLAs:

– Time-to-patch guarantees: Targets tiered by severity, with the clock starting when the vulnerability is confirmed; for example, critical vulnerabilities should be patched within 72 hours.
– Software Bill of Materials (SBOM) transparency: Suppliers should fully disclose software components, including third-party and transitive dependencies, in a machine-readable format such as CycloneDX or SPDX, and refresh the SBOM with every release.
– Incident response KPIs: Define recovery time objectives, notification deadlines, and the minimum content of breach reports.
– Lifecycle commitments: These include assurances about ongoing updates and transition plans for software reaching its end-of-life.

By including these targets, organizations can expect less downtime, a reduced attack surface, and fewer incidents.

Managing security doesn’t stop at procurement. Through-life service management is essential and includes regular audits, vulnerability monitoring, and end-of-life transition planning. Without this management, companies may end up with outdated or unsupported software, which can lead to vulnerabilities and increased costs.

Embedding security in the procurement process needs to be continuous, not just a one-time checklist. Procurement professionals should align their efforts with long-term security goals and require vendors to adhere to secure design principles. CPLAs should be an integral part of contracts, and vendors’ secure development practices should be assessed during the selection process.

Once software is in place, rigorous testing—like penetration tests—is crucial. After going live, organizations must monitor performance against CPLA metrics and focus on continuous service improvement, using insights from incident reviews to refine future contracts. This proactive approach strengthens negotiating positions with suppliers.
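To make the CPLA components listed above and the post-go-live monitoring described here concrete, the following Python script is an added example, not code from the original article or from any real supplier or tool. It checks a supplier's delivery against two of the metrics: SBOM transparency (every component must carry a name, version, and package URL) and time-to-patch (elapsed hours from confirmation to patch, measured against severity-tiered targets). The SBOM, the vulnerability records, and the severity thresholds are all constructed for the example; a real CPLA would state its own figures.

```python
"""Check a supplier's delivery against CPLA metrics: SBOM transparency and time-to-patch."""
import json
from datetime import datetime, timezone

# Severity-tiered time-to-patch targets in hours. These thresholds are an
# assumption for the example; the 72-hour critical target mirrors the text.
PATCH_SLA_HOURS = {"critical": 72, "high": 168, "medium": 720, "low": 2160}

# Fields every SBOM component must carry for the transparency check.
REQUIRED_COMPONENT_FIELDS = ("name", "version", "purl")

# Constructed sample SBOM in CycloneDX-style JSON (not from any real supplier).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.4.1",
         "purl": "pkg:pypi/libfoo@2.4.1", "supplier": {"name": "Foo Org"}},
        {"type": "library", "name": "libbar", "version": "1.0.0"},   # no purl
        {"type": "library", "name": "libbaz"},                        # no version, no purl
    ],
})

# Constructed vulnerability records as a supplier might report them.
# "patched": None means the fix has not shipped yet.
SAMPLE_VULN_LOG = [
    {"id": "VULN-A", "severity": "critical",
     "confirmed": "2025-01-10T09:00:00Z", "patched": "2025-01-12T08:00:00Z"},  # 47 h
    {"id": "VULN-B", "severity": "critical",
     "confirmed": "2025-01-15T09:00:00Z", "patched": "2025-01-19T10:00:00Z"},  # 97 h
    {"id": "VULN-C", "severity": "high",
     "confirmed": "2025-01-20T00:00:00Z", "patched": None},                    # still open
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sbom_gaps(sbom_json):
    """Return {component_name: [missing fields]} for components failing transparency."""
    sbom = json.loads(sbom_json)
    gaps = {}
    for comp in sbom.get("components", []):
        missing = [f for f in REQUIRED_COMPONENT_FIELDS if not comp.get(f)]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    return gaps


def patch_sla_breaches(vuln_log, now):
    """Return (id, severity, hours_elapsed, sla_hours) for each record over its SLA.

    Open vulnerabilities are measured against `now`, so an unpatched issue that
    has already passed its deadline is reported even though no patch timestamp
    exists yet; otherwise a supplier could hide breaches by never closing them.
    """
    breaches = []
    for rec in vuln_log:
        sla = PATCH_SLA_HOURS[rec["severity"]]
        start = parse_ts(rec["confirmed"])
        end = parse_ts(rec["patched"]) if rec["patched"] else now
        elapsed = (end - start).total_seconds() / 3600
        if elapsed > sla:
            breaches.append((rec["id"], rec["severity"], round(elapsed, 1), sla))
    return breaches


def cpla_report(sbom_json, vuln_log, now):
    """Combine both checks into one report suitable for a supplier review."""
    return {
        "sbom_gaps": sbom_gaps(sbom_json),
        "patch_breaches": patch_sla_breaches(vuln_log, now),
    }


if __name__ == "__main__":
    review_time = parse_ts("2025-02-01T00:00:00Z")  # constructed review date
    print(json.dumps(cpla_report(SAMPLE_SBOM, SAMPLE_VULN_LOG, review_time), indent=2))
```

Run against the constructed data, the report flags libbar and libbaz as falling short of the SBOM transparency clause, VULN-B as a 97-hour critical fix against a 72-hour target, and the still-open VULN-C as already past its 168-hour window at review time. Feeding a supplier's real SBOM and disclosure log through the same checks on a schedule is the "monitor performance against CPLA metrics" step, and the resulting breach list is the evidence to bring to the next contract review.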

Artificial intelligence (AI) can significantly streamline navigating fragmented standards. Current procedures for evaluating compliance are often manual and prone to error. AI tools with natural language processing can help map out overlaps between standards, making it easier for procurement teams to create unified requirements, provided a human reviews the proposed mappings before they become contractual obligations. Real-time compliance monitoring tools can enforce security obligations automatically, boosting efficiency and reducing the manual errors that creep into spreadsheet-driven reviews.

While CPLAs and AI provide internal solutions, industry-wide change calls for collaboration. Forming buyer consortia and achieving regulatory alignment, such as with the EU Cyber Resilience Act, can establish common security baselines. This collaboration reduces redundancy, simplifies compliance, and lowers costs for all involved. Universal standards level the playing field, making it easier for organizations to find secure, reliable vendors.

For CISOs and procurement leaders, securing software procurement by 2025 is essential. Unifying standards, holding suppliers accountable through CPLAs, and implementing through-life service management can mitigate risks and enhance resilience. With the stakes so high, it’s crucial to act now to protect organizations against cyber threats while pushing the software industry toward a stronger focus on security.