Jen Easterly, the outgoing CISA chief, recently drew parallels between secure software development and automotive safety, likening our current moment to 1965 when Ralph Nader released “Unsafe At Any Speed.” This book sparked outrage over road safety, leading to significant advancements in vehicle safety features.
Easterly’s insights raise an important question: can public outrage over insecure software lead to real change? As we look ahead to 2025, it’s crucial for CISOs and IT software buyers to go beyond simply demanding secure software and the implementation of security by design principles from vendors. What else should they focus on to drive progress?
Incentives shape outcomes, and the link between automotive risks in the 1960s and today’s software vulnerabilities is clear. Technology moves fast, often compromising safety. Developers rush to release products, putting features ahead of security. Security feels like a hindrance rather than an integral part of the process.
As Charlie Munger famously said, “Show me the incentive, and I’ll show you the outcome.” Developers lack motivation to write secure code, and their companies often prioritize speed and functionality over security. Buyers have been accepting insecure code for ages, much like how car buyers in the 60s chose style and speed over safety features, rarely asking about safety ratings.
Until buyers demand security, there’s little incentive for change. The automobile industry needed consumer outcry to start prioritizing safety features. The situation for software is complicated by differing perceptions of risk. Car accidents can be fatal, making their consequences immediate and tangible. In contrast, most software flaws only affect companies, and individual users feel insulated from risks—often believing “it won’t happen to me.”
This complacency allows the software industry to ignore security risks as mere costs of doing business. Compared to the simpler landscape of the 1960s automotive industry, today’s software complexity complicates the push for change. Software is everywhere, from IoT devices to home appliances, making it much harder to implement sweeping safety measures across the board.
Recently, over 250 companies committed to a “Secure by Design” pledge, aiming to integrate high-security standards into their development processes. Yet, that’s a fraction of the thousands of cybersecurity firms out there, not to mention the millions of businesses in the U.S. alone. The challenge lies in reaching a tipping point where everyone acknowledges the risks and pushes for change. Research suggests that about 25% of a population is needed for significant social change; we’re nowhere near that level of awareness regarding software security.
To spark that change, we need to rethink how we approach this issue. It’s not just about fixing code issues faster but creating the demand for secure software that can reshape the incentive landscape. Buyer pressure and government regulations will play crucial roles in driving transformations in software security.
Looking ahead to 2025, we must not lose sight of the potential for change. Companies creating software will likely continue to deflect responsibility for security issues until external pressures force them to take ownership. As software becomes embedded in critical areas, like healthcare and automotive systems, the demand for secure products will grow.
If we raise enough awareness, the responsibility for software security might shift back to the creators. Businesses will then have strong incentives to prioritize security—if they view it as essential to their survival and success. A concerted effort from buyers and the public, along with heavy advocacy for government intervention and regulation, could drive the necessary changes.
What can you do as a CISO or IT software buyer? First, educate yourself about software risks and communicate these concerns to the developers behind the products you’re purchasing. Users must understand the stakes involved. Second, advocate for stronger regulations to ensure safety standards in software development. The auto industry made strides only thanks to governmental involvement—this is necessary for software, too.
Our collective voice can demand secure software practices just as consumers demanded safety in cars. If we stay loud, focused, and unified, we can influence change and gradually move toward a healthier software ecosystem. The call for secure software is growing, and while 2025 might not see a complete transformation, it can be a pivotal year in the journey toward more secure software development.