Jan 17, 2025

Proactive Cybersecurity: Embracing CISA’s Guidance to Build a More Secure Future

As a security practitioner, it is highly encouraging (and sobering) to see the Cybersecurity and Infrastructure Security Agency (CISA) release its guidance on product security bad practices. The report shines a light on the persistent challenges that continue to plague organizations of all sizes and shapes, despite years of investment and innovation. However, this guidance should serve as an encouraging opportunity, because it’s a call to arms for our industry to do better, to innovate smarter, and raise the “security bar” as a foundational element of every product we create.

At its core, this guidance highlights one indisputable truth: security must be built in during development, not bolted on as an afterthought. If we are to safeguard critical infrastructure, national interests, and global safety, the onus is on device and software manufacturers to be at the forefront of change.

The Case for Security by Design

CISA’s framework reiterates what many of us in the field already know, but bears repeating: “secure by design” is not a catchphrase—it’s a mandate. Embedding security from the outset of development ensures we mitigate vulnerabilities, risky practices, and other security issues before they reach customers, reducing the attack surface and enabling a safer digital ecosystem.

For too long, the cybersecurity industry has relied on reactive measures: patching vulnerabilities after they’ve been exploited, mitigating damage after the fact, or leaning too heavily on end-users to bear the burden of security every time a new threat or attack vector hits the wild. The message is clear: the old approach is unsustainable. Manufacturers must build resilient systems that protect users by default and are forward compatible, so they remain secure against the attacks that are “just over the horizon.”

A Call to Action for Organizations

This guidance isn’t just for manufacturers—it applies to anyone invested in a secure future. After reading the CISA report, there are some practical steps organizations can take TODAY to align with CISA’s recommendations and implement them in their own ecosystems:

1. Demand Transparency and Accountability

Insist on a software bill of materials (SBOM) for all products in your environment. Knowing your supply chain dependencies and interconnections—and the vulnerabilities within them—enables you to gain deeper situational awareness to act swiftly and decisively from a position of knowledge.

2. Prioritize Vulnerability Management

Adopt a robust vulnerability management program. Maintain a complete, deduplicated, prioritized and contextualized view of all vulnerabilities. Early warning of threats before they appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog is the gold standard, and the real value is a closed-loop, robust mitigation program that measurably reduces the cyber exposure that can put your organization at risk.

3. Elevate Authentication Standards

Move beyond single-factor authentication for all critical systems. Multi-factor authentication (MFA) should be the baseline—and where possible, opt for phishing-resistant or passwordless MFA, such as FIDO-certified authenticators.

4. Combat Default Credentials

Default credentials are an open invitation to attackers and an often-overlooked attack vector. Push for unique, instance-specific credentials across your organization’s ecosystem, and adopt systems that enforce strong passwords or more secure alternatives like passkeys or certificate-based authentication.

5. Integrate Security Testing Into Development

Shift security left by embedding static and dynamic analysis into CI/CD pipelines. This reduces the likelihood of issues like SQL injection, command injection, and hardcoded secrets making it into production environments.
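As an added illustration of the kind of pre-merge gate this step describes (example code written for this article, not Armis code or a specific product), the script below runs a small, hypothetical rule set over a constructed source sample and fails the pipeline stage when it finds the three issue classes named above; it is a pattern check rather than a full static-analysis tool, and the rule names and sample are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed source sample: each issue class named in step 5, plus a safe
# parameterized query that the gate must NOT flag.
SAMPLE_SOURCE = '''
import subprocess
API_KEY = "constructed-example-key-not-real"
def find_user(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")
def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True)
def find_user_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

@dataclass
class Finding:
    line: int
    rule: str
    text: str

# Hypothetical rule set (name, pattern). These are line-level pattern checks,
# not dataflow analysis: enough to gate obvious cases, a real SAST tool does more.
RULES = [
    # execute( followed by an f-string, or a string literal joined with + or %
    ("sql-injection", re.compile(r'execute\(\s*(f["\']|["\'][^"\']*["\']\s*(\+|%))')),
    # a command built by concatenation/formatting and run with shell=True
    ("command-injection", re.compile(r'(\+|f["\']|\.format\().*shell\s*=\s*True')),
    # a secret-looking name assigned a string literal of 8+ characters
    ("hardcoded-secret", re.compile(r'(?i)(api_key|password|secret|token)\s*=\s*["\'][^"\']{8,}["\']')),
]

def scan_source(source: str) -> list[Finding]:
    """Run every rule over every line; return findings in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(lineno, rule, line.strip()))
    return findings

def ci_gate(source: str) -> int:
    """Exit status for the pipeline stage: 0 when clean, 1 when anything is flagged."""
    findings = scan_source(source)
    for f in findings:
        print(f"{f.rule}: line {f.line}: {f.text}")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_SOURCE))
```

Wiring `ci_gate` into a CI job means a non-zero exit blocks the merge, which is the point of shifting left: the finding is raised to the developer before the code reaches production.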

6. Invest in Cyber Exposure Management

Adopt solutions that provide real-time visibility into your asset landscape and its associated risks. This goes beyond traditional IT security to include sometimes forgotten or overlooked assets like OT, medical devices, or IoT assets. Cyber exposure management and security platforms like Armis Centrix™ can help organizations proactively identify, prioritize, and mitigate vulnerabilities and threats before they can be exploited.

Building a Culture of Security

Ultimately, this guidance should remind us that security isn’t just a technical challenge—it’s a cultural one. Organizations must foster a mindset where security is everyone’s responsibility, from developers writing the first line of code to the executives approving strategic initiatives.

The road ahead won’t be easy. Implementing these changes will require significant investment, both in terms of resources and a shift in mindset. But the stakes—national security, public safety, and the trust of the people we serve—demand nothing less.

Let’s seize this opportunity to raise the bar for security across the board. By doing so, we won’t just meet the challenges of today but also build a sustainable approach to the threats that lie ahead.
