Cybersecurity agencies publish new guidance on safe software design: Here's why it matters

Need for cybersecurity protection: Technology breaches can impact critical systems that affect all of us. Image: Pexels/Mikhail Nilov

Akshay Joshi
Head of Industry and Partnerships, Centre for Cybersecurity, World Economic Forum
Victoria Masterson
Senior Writer, Forum Agenda
This article is part of: Centre for Cybersecurity

  • Cyberattacks can impact critical systems, like hospitals cancelling surgeries.
  • Software manufacturers are now urged to build in cyber safety to their products at the design stage.
  • New principles for software that is “secure-by-design and -default” have been published by the CISA, FBI and NSA in the US and cybersecurity agencies in six partner countries.

Software should have cybersecurity protection built-in before it goes on sale.

This is the core message of new guidance from cybersecurity authorities in the United States, Australia, Canada, the United Kingdom, Germany, the Netherlands and New Zealand.

For the first time, these countries have produced joint guidance urging software manufacturers to ensure as a priority that the products they ship are designed to be secure and have cybersecurity built in as standard. The guidance is outlined in the following report: Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.

Which cybersecurity authorities are behind this guidance?

There are three federal government agencies in the US and eight international partners behind the joint software cybersecurity guidance.

The US agencies are the Cybersecurity and Infrastructure Security Agency (CISA) – America’s cyber defense agency; the Federal Bureau of Investigation (FBI) – the national security and law enforcement agency for the US; and the National Security Agency (NSA) – a national intelligence agency focused on protecting national communications systems.


How is the Forum tackling global cybersecurity challenges?

Their international partners include Canada’s Centre for Cyber Security (CCCS); Germany’s Federal Office for Information Security (BSI); New Zealand’s Computer Emergency Response Team (CERT NZ); and the UK’s National Cyber Security Centre (NCSC-UK).


Why is secure-by-design guidance needed?

Cyberattacks have led to hospitals cancelling surgeries globally. This is just one example of how technology breaches can impact critical systems that affect all of us, the cybersecurity authorities say.

Insecure technology products can “pose risks to individual users and our national security,” explained NSA Cybersecurity Director Rob Joyce. He added: “If manufacturers consistently prioritize security during design and development, we can reduce the number of malicious cyber intrusions we see.”

Figure: Key findings of the Global Cybersecurity Outlook 2023. Image: World Economic Forum.

In its Global Cybersecurity Outlook 2023, the World Economic Forum finds that 93% of cyber leaders and 86% of business leaders think a “far-reaching, catastrophic cyber event” is moderately or very likely in the next two years because of global geopolitical instability.

“The threat landscape has become increasingly volatile,” the Forum says. “Professionalized cybercriminal groups have continued to grow and create a higher volume of new attack types.”


In its State of the Connected World 2023 report, the Forum identified that growing reliance on connected devices and related technologies has made organizations, governments and individual users increasingly susceptible to cyber threats. The ability of connected devices and related technologies to protect individuals from cyberattacks is, therefore, a leading concern.

The Centre for Cybersecurity’s community – part of the Incentivizing Secure and Responsible Innovation initiative – concluded that if entrepreneurs and innovators were encouraged and incentivized to prioritize security features in their product development from the very beginning, a much safer cyberspace could be built incrementally.

What are software manufacturers being asked to do?

The Shifting the Balance of Cybersecurity Risk report’s secure-by-design guidance includes specific technical recommendations, such as writing software in memory-safe programming languages that eliminate whole classes of vulnerabilities.

There are also a number of core principles for software manufacturers. One is that software should ship with its most important security controls already configured and enabled out of the box, rather than leaving the customer to fix the configuration.

Software manufacturers are also asked to “embrace radical transparency and accountability”. This might include sharing information, for example, about customer take-up of default cybersecurity controls.

Companies must also build the right organizational structure and leadership to ensure security is prioritized as a critical part of software development.

The principles published by CISA, and endorsed by several national cybersecurity agencies globally, provide software manufacturers with the much-needed incentive to boost product security and can play a key role in strengthening cybersecurity and resilience across the ecosystem.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
