A robust cyber security industry requires software vendors to pull their weight – so why are customers working so hard?

An abstract depiction of a silhouetted figure pushing a boulder up a steep hill
(Image credit: Getty Images)

The hacking industry isn’t slowing down, that’s for sure. But somewhere in the never-ending game of whack-a-hacker we’ve lost sight of how we got here.

The latest development on the security front is that, increasingly, attackers are abandoning malware as their main way of breaching networks. It’s quicker and more efficient for them to focus on either stealing account details, exploiting software vulnerabilities, or attacking through the software supply chain.

After all, why would a burglar bother with trying to pick a lock, when they can just walk through an unlocked door, or climb in through an open window.

It’s cheaper and easier than ever for attackers to obtain credentials with minimal effort. This is particularly true with cloud platforms; over the last few years an entire criminal industry has emerged in the form of access brokers who auction login details and other credentials to other attackers.

As cloud infrastructure becomes ever more complicated and vital to business, there’s a very real risk that the combination of poor security and cloud-smart attackers will create an incredibly hostile environment for most industries.

In cyber security, the customer is always wrong

The tedious job of patching security flaws isn’t something that organizations do as often, or as well, as they should. And, yes, as we have seen, software supply chains can be all too easily breached. But in all of this, one fundamental question remains unasked; who should really get the blame when something goes wrong?

Do we blame the unlucky, overstretched, worker who clicks on a plausible looking message asking them to update their password? Perhaps it’s the fault of the tech team that didn’t embrace the Sisyphean task of patching their systems, or training their users to be suspicious of everything. Maybe you can blame the CIO because they couldn’t afford to run a security audit, or the CEO who cut the security budget in the first place.

While it’s true that everyone involved could likely be attributed some level of blame, it’s usually the case that the IT team and the end users take the brunt of it. They are the ones trying the hardest to do the right thing, with very little agency.

The reality is, it’s very hard for customers to tell if a particular piece of software is secure or not. As the White House’s own tech advisors the Office of the National Cyber Director point out, it’s a problem that has been around for decades. This lack of metrics makes security much, much harder.

“Software manufacturers are not sufficiently incentivized to devote appropriate resources to secure development practices, and their customers do not demand higher quality software because they do not know how to measure it,” they said in a new report.

It might seem odd that the White House is getting involved – but that reflects the stakes we are playing for. Getting IT security right is now an issue of national significance.

Those with the broadest shoulders should bear the greatest burden

If we want to fix the systemic security problems in software, we need to take a fresh look at who really is responsible. I struggle to think of any other industry where the purchasers and the users of the product are forced to spend so much time fixing and patching it up on their own.

Tech companies, of course, are incentivized to sell their software as quickly as they can – the classic idea of shipping a minimum viable product is a fundamental tenet of the tech industry. However, the idea that software will always have flaws has become normalized, and that it’s the customers’ job to fix them. If every piece of software needs updates all the time, that makes it so much harder for the companies buying software to judge what is built well, and what is digital Swiss cheese.

It’s not just enough to blame the software companies, we also have to change the model to make security more important to their business model too. As the NCSC’s outgoing technical director said in his farewell blog in 2022, “we implicitly expect these companies to manage our national security risk by proxy, often without even telling them”.

Trying to manage cyber security completely while ignoring the suppliers commercial contexts “doesn’t seem sensible”, he said. That might mean more regulation, more standards, and better ways to measure just how secure software really is, so we can all make better choices about what to buy. Making security more relevant to the software companies’ bottom line is inevitably part of that.

However we do it, it’s time to shift more of that responsibility back onto those that actually make the software, and away from those trying to get on with their own work.

More on secure software development

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.