Friday, February 28, 2025

Securing Software: Third-Party Suppliers as Your Primary Risk Concern

In 1965, Ralph Nader shook things up with his book, Unsafe at Any Speed. He showed how car manufacturers put style and profit ahead of safety, igniting public outrage and prompting changes such as the widespread adoption of seatbelts. Jen Easterly, the former director of CISA, has pointed out that software development is now at a similar crossroads.

Right now, speed and features usually come first, while secure software design takes a back seat. Attackers are getting more capable. If organisations don't demand better from their suppliers, they will bear the fallout from flaws they did not write and cannot patch themselves.

Many businesses now rely heavily on software as a service (SaaS). It is cheaper and more efficient, but it comes with risks. Your data no longer sits inside a perimeter you control: it lives in the supplier's environment, increasingly alongside AI services that process it further. The volume of data being shared is massive, and a single flaw in a supplier's software can turn into an incident for every customer at once.

Verizon's 2024 Data Breach Investigations Report found that 15% of breaches involved a third party, such as software suppliers and data custodians, a 68% increase on the previous year. That jump makes it clear that organisations need to rethink how they manage third-party risk.

A common mistake is to assess only the vendor's compliance posture and not the security of the product itself. Companies send long questionnaires about a vendor's information security management system but never examine application security. A certification such as ISO 27001 or SOC 2 does not mean every product that vendor sells meets robust security standards: both are scoped, and the product you are buying may sit outside the scope statement on the ISO certificate or the system description in the SOC 2 report. Read that scope before you rely on it. Businesses that assume a certified vendor's product is secure often discover too late that it lacks essential protections.

Organizations need to push their suppliers to make security a priority in software development. This means demanding not just compliance but real commitment to secure practices. Here’s how companies can strengthen their third-party assessment programs:

  • Assess vendor security beyond simple questionnaires. Dig into their application and product security measures: recent penetration test summaries, a published vulnerability disclosure policy, patch turnaround times and, where the product ships dependencies, a software bill of materials. Tailor your questions to your organisation's needs and add questions about emerging technologies such as AI.

  • Ensure that vendors follow secure software development lifecycle (SDLC) practices. Ask for evidence that security is built in at every step, from threat modelling at design time, through code review and dependency scanning during development, to signed releases at deployment.

  • Treat third-party risk management as a broader business issue, not just a security one. Involve data owners and stakeholders and communicate risks in business terms.

  • Demand transparency about the security measures actually in place for the software product, rather than accepting compliance certificates at face value.

  • Continuously evaluate third-party risk. A vendor's posture at onboarding is not its posture a year later; reassess at contract renewal, after any supplier incident, and whenever the product gains new integrations or data access.

  • Embrace a zero-trust approach. Treat every supplier connection, whether an API key, a service account or an SSO integration, as a potential entry point: grant it the least privilege it needs, scope and rotate its credentials, and monitor what it does.

As we look toward the rest of 2025, we need to change how we view software security. Just as safety standards transformed the auto industry, strong security practices must become the norm in software development. Organisations cannot rely on vendor assurances or tick compliance checkboxes. They must take the lead by demanding transparency, enforcing standards and insisting on secure development from the outset. If we don't push suppliers to improve, the ripple effects will reach not just individual companies but the entire digital ecosystem.

Ejona Preçi, a global CISO at Lindal Group, is an active member of ISACA and a cyber leader, dedicated to diversity and inclusion in the field. She aims to ensure that future AI and cybersecurity solutions focus on fairness and accountability, bridging innovation with ethical considerations. This is her first piece for the Computer Weekly Security Think Tank.