Thought Leadership: “Secure by Demand” Model Calls for Incentive Shift to Close Software Risk Gap
What Happened – At RSAC 2026, Lauren Zabierek (CAS Strategies, Institute for Security and Technology) argued that current market incentives reward speed and feature‑rich releases over security, creating a widening “risk gap” for critical software. She proposed a “secure‑by‑demand” approach where buyers explicitly require security guarantees, and policymakers create incentives for vendors to adopt secure‑by‑design practices.
Why It Matters for TPRM –
- Vendors that prioritize rapid feature delivery may ship insecure components, exposing third‑party ecosystems to supply‑chain risk.
- Lack of market pressure for security can lead to hidden vulnerabilities that later surface as data breaches or service disruptions.
- TPRM programs must incorporate secure‑by‑design criteria into vendor assessments and contract clauses to mitigate these systemic risks.
Who Is Affected – All industries that rely on third‑party software, especially technology/SaaS, financial services, healthcare, and critical infrastructure providers.
Recommended Actions –
- Update vendor questionnaires to include secure‑by‑design certifications and evidence of secure‑by‑demand commitments.
- Require contractual security requirements (e.g., CVSS‑based vulnerability remediation thresholds, regular code‑review processes).
- Monitor regulatory developments that may mandate security incentives for software suppliers.
Technical Notes – The discussion focuses on policy and incentive structures rather than a specific vulnerability or exploit. No CVEs, malware, or attack vectors are cited. The core risk is the systemic exposure caused by insecure software defaults and insufficient buyer demand for security.
Source: DataBreachToday – How “Secure by Demand” Can Reset Cybersecurity