UK Cyber Agency and Industry Disagree on Software Security

3:58 PM   |   13 May 2025

The Debate Over Vendor Accountability and Market-Driven Improvements

The UK's National Cyber Security Centre (NCSC), the cyber arm of GCHQ, has been advocating for intervention in the software security market to hold vendors accountable for shipping insecure products. This stance, reiterated at the recent CYBERUK conference, has sparked debate among industry leaders who argue that market forces and customer prioritization of security will ultimately drive improvements.

NCSC's Call for Intervention

Ollie Whitehouse, CTO of the NCSC, argues that the current market doesn't adequately reward companies that invest in building secure products. He believes the risks associated with insecure software are disproportionately shouldered by customers rather than the vendors themselves, leading to a "non-functional market."

Whitehouse emphasizes the need to incentivize vendors to prioritize security, suggesting that those who build secure technologies should be celebrated and become more prosperous. He warns that without intervention, the industry risks repeating the security failures of the past 40 years.

Industry Pushback: Market Forces as the Driver of Change

However, industry leaders from companies like Vodafone, Mandiant, Sage, and the Canadian Center for Cybersecurity contested the NCSC's view during a panel discussion. They disagreed with the notion that vendors maximize profits by ignoring security guidance.

Stuart McKenzie, EMEA managing director at Mandiant Consulting, believes that customers will ultimately drive vendor change. If customers prioritize security, vendors will be compelled to provide it. He argues that vendors who don't offer value will quickly be exposed, forcing them to improve to survive.

Emma Smith, cybersecurity director at Vodafone, echoed this sentiment, stating that it's hard to agree with the idea that vendors intentionally ignore security guidance for profit. Bridget Walsh, associate head at the Canadian Center for Cybersecurity, also added her disagreement.

Ben Aung, EVP chief risk officer at Sage, took a more nuanced stance, suggesting that while some organizations may knowingly cut corners, the vast majority are grappling with external factors and an ongoing "arms race" against cyber threats.

The Role of Incentives and Punishments

Whitehouse has proposed both incentivizing vendors to improve security and punishing those who fall short of expectations. He points to the increasing number of software vulnerabilities and the persistence of decades-old bugs in widely used software as evidence that intervention is necessary.

McKenzie, however, is not in favor of punishing vendors. He believes that the market itself will drive change as customers abandon vendors who provide subpar security. He highlights the shift from antivirus to Endpoint Detection and Response (EDR) as an example of how vendors offering the best features and functionalities thrive.

Walsh offered a more sympathetic view, acknowledging the complexity of the situation. She emphasized the need for a clearly codified set of expectations for vendors and the importance of providing system operators with the right information to make informed procurement decisions.

Establishing Clear Expectations and Standards

The NCSC's Cyber Essentials certification scheme is an example of an external authority setting expectations for both vendors and customers. However, some argue that these standards need to be raised to further incentivize vendors to compete on security.

Drawing parallels with the automotive industry, the introduction of the European NCAP program provided customers with a clear understanding of manufacturers' safety performance. Similarly, security vendors could strive for market-shifting trustworthiness, with purchasers dictating which vendors succeed.

Aung noted that CISA's secure by design pledge, which aimed to place the burden of security on vendors, is currently in flux. He emphasized the importance of clarity and specificity on the controls and standards expected of vendors.

The Potential Role of Cyber Insurance

Cyber insurance firms, despite often being criticized for facilitating ransom payments, hold a significant stake in the security space. Their insights into the root causes of attacks can help set standards for vendors.

Smith notes that the questions insurers ask policyholders each year are often influenced by threat intelligence gleaned from recent real-world incidents. This drives a baseline of security for organizations that consider cyber insurance important.

Walsh agrees that the insurance industry's expertise in calculating costs and assessing risk can play a significant role in informing defenders where to allocate budget to protect against the most damaging attacks.

Whitehouse suggests that cyber insurers could offer policies against those who ship insecure software, potentially incentivizing vendors to improve their security practices.

NCSC's Commitment to Standardization

Whitehouse has committed to standardizing vendor expectations on an international level. The NCSC is working with international partners to define standards and ensure their adoption by relevant bodies.

One of the agency's main launches from the CYBERUK event was its Software Security Code of Practice, a voluntary initiative aimed at addressing the lack of market incentives. This code follows in the footsteps of the NCSC's AI Cyber Security Code of Practice, which sets standards for secure AI development and deployment.

The NCSC's secure software code aims to provide vendors with tangible evidence of their commitment to security by adhering to the code's minimum standards. The goal is to have these standards adopted by international bodies such as NIST and ENISA, allowing governments and other organizations to incorporate them into procurement contracts.

Ultimately, the aim is to provide clarity on what's expected of vendors, creating an "NCAP of secure software" that encourages competition and raises cyber resilience across the world.

Whitehouse concluded by stating that the goal is to reach a point where we know more about what's in our software than what's in our sausages, suggesting that food labeling standards are coming to software soon.