Information Safety

Improving technology through lessons from safety.

SIRAcon 2025

Last week I made my annual trip to SIRAcon 2025, which was once again held at the Boston Federal Reserve! I had a great time both attending the talks and making time to speak with the other attendees, both old friends and new members. If you registered for the conference, either in-person or virtual, you can watch all of the talks on cvent for a few weeks, and after that in the SIRA members area (the agenda is publicly available).

The highlights for me included Graeme Keith’s keynote session on a simple approach to quantitative enterprise risk management at scale, a drop-in replacement for heat maps, Tony Martin-Vegue’s talk on LLMs, the Marsh McLennan talks on quantifying cyber risk and security control effectiveness, and the student competition winners, Isaac Teuscher and Philip Akekudaga.

I was quite happy with how my own talk, Insecure at any speed: why Secure by Design is not enough, generated good questions from the audience as well as thoughtful and insightful follow-up conversations.

I left with some key insights from both writing and giving the talk as well as from the attendees:

  • The Payment Card Industry Data Security Standard (PCI-DSS) has been effective at reducing credit-card related security incidents
  • The insurance industry is doing good work that is starting to identify what works in cybersecurity
  • The IEEE includes security in the Software Engineering Body of Knowledge (SWEBOK v4)

But my biggest insight was that we can improve third party risk management (TPRM) by replacing long questionnaires that don't work with a single question about insurance coverage: does the partner have cyber insurance commensurate with their risk? This would shift TPRM to a trusted intermediary that is in a much better position to evaluate and assess security posture in a standardized way. If you're already trying this, please reach out - I'd love to hear from you on how it's working!

Slides

You can download handouts with full speaker’s notes and references, and find additional links at the QR Code I shared at the end of my talk.

Description

As a society, should we mandate secure software? CISA’s Secure by Design program calls for voluntary implementation of critical security controls, but safety research, analysis of manager incentives, and the history of auto safety tells us this will not be enough.

In May 2024, the Cybersecurity and Infrastructure Security Agency (CISA) launched the Secure by Design pledge, inspired in part by the 1965 book “Unsafe at any speed”. There are remarkable parallels between automotive safety in the early 1960s and cybersecurity today, including lack of systematic data collection, and customers who are forced to take responsibility for security going right and blame when things go wrong.

While Secure by Design is a good start, the book and market incentives show that the pledge does not go far enough. Software companies are unlikely to make sufficient investments in security, much like the auto manufacturers and safety in the 1960s. Like pollution, security failures impose costs on society that are not paid by the producer. I present a call to action to address the investment gap, as well as a list of additional practices needed to improve the security of software.

Research shows that safety is not good for business, and my own analysis explains why executives under-invest in cybersecurity. The auto safety movement of the 1960s shows what’s needed to secure our software-based systems.