Com TW NOw News 2024

Human nature is the root cause of our cybersecurity problem

COMMENTARY

Cyberattacks, once a niche concern of the digital revolution, have become the single greatest threat to businesses today. Despite the significant consequences of a security breach, including increased liability and increased government regulation, organizations still fail to stop attackers. From the outside, it seems logical to conclude that every effort is being made to secure our digital infrastructure. Yet the opposite appears to be true. Many organizations continue to delay the adoption of modern processes, best practices, and critical tools. But why?

The simple truth is that there is a motivation deficit when it comes to implementing effective measures. This shouldn’t come as much of a surprise, however. Humans are genetically predisposed to procrastination, a tendency that is well documented in both psychological and behavioral economic research.

This tendency, often called temporal discounting, explains why people put off important tasks that offer long-term benefits in favor of immediate gratification. We see this behavior in many aspects of life. We all know someone who rarely does regular maintenance on their car, puts off their annual health checkup, or doesn’t actively think about how they’re going to support themselves in retirement. Even if you don’t put off those important life tasks, we all have a story about not taking necessary action until it’s almost too late or we have no other choice.

When procrastination becomes widespread and damaging enough, governments step in to counteract this natural tendency. For example, recent regulations have made enrolling workers in defined benefit programs automatic; policies like this combat procrastination by prioritizing opt-out over opt-in. This relatively small shift in process has dramatically increased participation rates and helped ensure that everyone has enough savings for retirement.

We need similar mechanisms to overcome the inertia that leads to poor security practices in today’s software organizations. While the challenge of overcoming temporal discounting may seem insurmountable, there is hope in combating our nature to procrastinate.

Improved government action: the role of legislation

Addressing aggressive procrastination requires a “bigger stick” approach through strict enforcement mechanisms. Regulatory agencies such as the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) can play a critical role by imposing significant fines for failure to adhere to secure software development standards. By implementing non-trivial financial penalties and enforcing criminal consequences for failure to adopt secure development practices, organizations will be more motivated to take cybersecurity seriously.

Fines are a declaration of liability and blame. Their purpose is not to underline the importance of new regulations for their own sake, but to hold organizations accountable for the safety and security of their software. No other manufacturing industry is allowed to use procedures or standards that are known to cause harm without accountability, and software manufacturers should be held to the same expectations. Given the critical role of modern software in our daily lives, a software manufacturer should not be allowed to avoid accountability for the security and safety of its products.

Lessons from automotive and food safety

The concept of imposing liability and mandatory safety standards is not new. The auto industry saw significant improvements in safety after the public outcry sparked by Ralph Nader’s book Unsafe at Any Speed. This shift was not voluntary; it was driven by strict regulations and the creation of the National Highway Traffic Safety Administration (NHTSA). Similarly, food safety regulations enforced by agencies like the Food and Drug Administration (FDA) ensure that products meet specific safety standards before they reach consumers.

The software industry needs an equivalent of the NHTSA — an entity that enforces safety standards and holds manufacturers accountable for noncompliance. One potential organization is the Federal Trade Commission. With its mandate to prevent unfair or deceptive trade practices, the FTC could play a critical role in holding software manufacturers accountable by increasing the frequency and severity of enforcement actions against companies that fail to protect consumer data.

More guidance versus temporal discounting

Some of the best practices for securing software development focus on implementing automatic updates and patches. This approach helps ensure that software remains secure without requiring user intervention. Recently, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have mandated that software organizations produce and maintain a software bill of materials (SBOM) so that procurement teams and consumers understand the quality and risks associated with the components in the software they have purchased.

The gap in adoption of guidelines and best practices is not a lack of education. It is procrastination that is causing many software manufacturers to ignore the importance of secure software, just as many people ignore the importance of saving for retirement. When it comes to software security, our collective responsibility transcends discussion. Industry leaders, policymakers, and consumers must unite to foster a culture of security within the software ecosystem.

Combating procrastination with policy and enforcement

Looking back at the executive order to improve the country’s cybersecurity, the message is clear: software must be secure by design. To achieve that outcome, policymakers like CISA, NIST, and others must hold software manufacturers to secure-by-design principles. Enhanced government policies, such as liability reform and more active enforcement of existing regulations like the FTC’s fair trade mandates, can help counter natural procrastination and address the market failures that lead to poor security outcomes.

Organizations poised for the greatest success will understand that choosing between prioritizing immediate business needs and investing in long-term security is a false dichotomy. Economic incentives such as tax breaks for investing in robust cybersecurity measures or certifications for meeting high security standards can further motivate organizations to prioritize security. Conversely, imposing fines and penalties for non-compliance creates a financial disincentive for procrastination, forcing companies to act quickly.