The Power of the Purse: How to Ensure Security by Design


Gary Barlet, Public Sector Chief Technology Officer, Illumio

November 12, 2024


COMMENTARY
Companies across the country are lining up to join the latest cybersecurity trend: the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge, a commitment aimed at software manufacturers that compels them to keep up with fundamental cybersecurity strategies. Companies such as Lenovo, Google, AWS, Cloudflare, and Microsoft have already signed on. 

On the face of it, the Secure by Design pledge is a good thing. Its seven goals each encourage manufacturers to adopt, or increase the usage of, a key cybersecurity strategy within one year. The goals, such as "implement multifactor authentication (MFA)," are worthy, if basic, and CISA encourages companies to document their progress. If they fall short, they are also encouraged to report that failure to CISA.

The problem is that this pledge is entirely voluntary. Companies are free to sign it — or not — as they wish. And there's no regulatory compliance factored in. This means that if a company does sign the pledge and falls short of one or more goals, no one may ever know and no action will be taken. It will be as if the pledge never existed in the first place.   

Without teeth, the pledge is essentially worthless. Outside of highlighting the low-bar steps major companies should take to ensure their infrastructure is secured from the most common attacks (which, admittedly, is a good thing), it takes no steps to ensure that companies will actually do so. And it provides no repercussions if they fail. 
