
Secure Your Products
Protect your customers by making your products “Secure by Design.”
Improve Security Outcomes for Your Customers
As a technology provider, you know that individual and business consumers use the products you create every day. They use them to store their sensitive data on critical internet-facing systems that directly impact economic prosperity, livelihoods and even health. Your products and the systems they connect to are under constant attack by threat actors seeking to disrupt our way of life and steal data.
Yet, the burden of such threats often falls most heavily on those who are the least prepared to deflect them—individuals and small and medium businesses. CISA urges technology providers to change this paradigm and make products Secure by Design.
Secure by Design is a set of core principles for technology providers to build product safety into their processes to design, implement, configure, ship and maintain their products. The goal is to help us achieve a safe and secure future. You can take ownership of improving the security outcomes of your customers by designing and developing products that are safer out of the box, helping all of us to Secure Our World.
Consumer safety must be front and center in all phases of the technology product lifecycle—with security designed in from the beginning.

What is “Secure by Design”?
“Secure by Design” changes the focal points of product design and development processes. The aim should be to prevent your customers from having to constantly monitor, update and perform damage control on their systems to mitigate cyber intrusions. So, design your products to minimize security flaws and sell them with default settings that make them safe “out of the box.”
Secure-by-design products are those where customer security is a core business goal, not just a technical feature. Secure-by-design products start with that goal before development begins. Providers should:
- Build technology products that reasonably protect against malicious cyber actors successfully gaining access to devices, data and connected infrastructure
- Perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems, and then include protections in product blueprints that account for the evolving cyber threat landscape
By implementing secure-by-design principles during the design phase of your product’s development lifecycle, you can dramatically reduce the number of exploitable flaws before the product goes to market.
When products are secure-by-design, they are secure to use out of the box with little to no configuration changes. They include security features at no additional cost to the consumer. Such features may include:
- Enabling multifactor authentication (MFA)
- Gathering and logging evidence of potential intrusions
- Controlling access to sensitive information
Secure-by-design products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls.
“Secure by Design” moves much of the security burden to technology providers and reduces the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching or many other common issues.