Data Security Decoded – "Secure by Design, Secure by Default, Secure by Demand"
Date: November 4, 2025
Host: Caleb Tolan (Rubrik)
Guest: Lauren Zabierek (SVP, Institute for Security and Technology; former CISA Secure by Design lead)
Episode Overview
This episode of Data Security Decoded explores the foundational cybersecurity concepts of Secure by Design, Secure by Default, and Secure by Demand. Caleb Tolan welcomes Lauren Zabierek, a national security and cybersecurity leader, to discuss how software suppliers can proactively build security into their products and how customers can demand it throughout the supply chain. The conversation highlights practical strategies, success stories, and actionable advice for vendors and customers alike, along with the importance of leadership and diversity in shaping the future of cybersecurity policy and practice.
Key Discussion Points & Insights
1. Personal Introductions & Human Side (02:14–03:45)
- Caleb shares his Broadway/theatre enthusiasm before pivoting to cybersecurity.
- Lauren reveals her joy in drumming, hip hop dance, and creative writing:
"I'm a drummer. I'm not a great drummer, but I love doing it." (02:14 - Lauren)
- Both agree on the importance of finding joy outside cybersecurity.
2. Origin & Goals of CISA’s Secure by Design Initiative (04:13–08:55)
- Lauren explains the Secure by Design concept through an aviation safety analogy:
"Flying used to be extremely unsafe, but now it's one of the safest ways to travel. But we didn't get there by accident..." (04:13 - Lauren)
- Drawing on the systematic safety advances in the aviation and automotive industries, Lauren argues that software needs a similarly deliberate movement: safety outcomes improved because the industry and its regulators changed how products were built, not because users were asked to be more careful.
- Secure by Design is rooted in shifting industry incentives—treating security as a business and economic imperative, not a technical afterthought.
- The Secure by Design pledge: Launched at RSA 2024 with 68 initial signatories, reaching over 300 companies committing to specific, measurable actions (e.g., eliminating vulnerability classes, default MFA, vulnerability disclosure policies).
"We worked with the community ... it wasn't just a pledge that said, yay, I'm going to make more secure software. It was seven concrete actions that these companies committed to work on through the course of the year." (08:13 - Lauren)
3. Success Factors for Secure by Design & Lessons Learned (09:50–11:47)
- Three core principles:
- Take responsibility for customer security outcomes.
- Embrace radical transparency and accountability.
- Lead from the top—security as an executive-level priority.
"Security has to be a business decision led by business leaders in the company... It shouldn't just be left to the security team to sort of try to convince the rest of the company that they should do this." (10:17 - Lauren)
- Shifting from technical fixes to economic and organizational realignment is vital for sustained security culture change.
"Having more secure software is not a technical impossibility, but the companies right now are acting rational in a misaligned market..." (11:12 - Lauren)
4. Customer Role: Secure by Demand and Supply Chain Security (12:08–15:51)
- Customers often lack the tools and vocabulary to demand robust security from vendors.
- Software is a "credence good"—it's hard to evaluate software's security before and even after purchase.
"Software is what economists would refer to as a credence good... you can't assess the quality of a product or service both before you consume it and after you consume it." (12:38 - Lauren)
- The Secure by Demand Guide: Provides practical questions for organizations to ask vendors. Examples:
- Does the product support secure authentication by default?
- How does the vendor eliminate entire classes of vulnerabilities (e.g., use of memory-safe languages, cross-site scripting prevention)?
- Are security audit logs provided for free?
"Those are the things that customers can ask that show outcomes and, I think, progress toward increased security and safety." (15:42 - Lauren)
5. Cybersecurity Awareness, Culture, and Real-World Engagement (16:05–17:49)
- Lighthearted detour: Lauren shares her family's Halloween plans (Star Wars theme, with her kids as Darth Vader and Princess Leia, and her as possibly C-3PO or Dot Matrix).
"I have to find a way. I'll also say, too, for the record, I'm not necessarily a Star Wars girl. I'm more of a Spaceballs girl." (16:50 - Lauren)
6. Share the Mic in Cyber Fellowship – Diversity and Policy Impact (17:49–23:03)
- Lauren describes the genesis and evolution of #ShareTheMicInCyber: Created in 2020 to amplify Black cybersecurity professionals’ voices via social media and policy fellowships.
"The need was visibility and amplification of the voices of black cyber professionals who were working in this industry, doing really important work, but often weren't getting recognized for that." (18:45 - Lauren)
- Impact:
- Five large-scale social media campaigns (over 100 million Twitter impressions at its peak).
- Diversified the cyber policy conversation, especially in underexplored areas (economic, technical, psychological, social harms).
- Supported over 21 Fellows—examples include research on the gendered impact of cyber attacks, legal frameworks for civilian cyber corps, and "AI bills of materials."
- The initiative’s thesis: Diversity is essential to robust cybersecurity.
"Innovation and safety should go hand in hand." (21:53 - Lauren)
- Teaser: New evolution of the program is upcoming.
7. Where to Find Lauren & Project Resources (23:44–24:37)
- Lauren shares resources and platforms:
- LinkedIn: Lauren Z. 1010
- Institute for Security and Technology: securityandtechnology.org
- New America’s Fellowship research
- Sharethemicincyber.com (merchandise still available!)
"We just put a paper out this past week on a blueprint for the next 25 years of the CVE program and how it should be reformed." (23:52 - Lauren)
"Quick shout out to Bridget Chan who literally took this idea that we had and made it come to life." (24:20 - Lauren)
Notable Quotes & Memorable Moments
- On executive leadership:
"Security has to be a business decision led by business leaders in the company. It should not be an afterthought." (00:02–Lauren, echoed at 10:17)
- On the Secure by Design pledge:
"It wasn't just a pledge that said, yay, I'm going to make more secure software. It was seven concrete actions..." (08:13–Lauren)
- On software as a credence good:
"You don't know the quality of that service... even after we start using it is a problem." (12:38–Lauren)
- On diversity and inclusion:
"Diversity is essential to cybersecurity." (21:53–Lauren)
- On balancing work and life:
"Just being a human right now, a parent of two young kids, et cetera... drumming, hip hop dance, creative writing—those bring me joy." (02:14–Lauren)
Timestamps Overview
- 02:14 — Guest intro, Lauren's personal interests
- 04:13 — Secure by Design program—aviation analogy and economic model
- 08:13 — Secure by Design pledge, concrete commitments
- 09:50 — Key principles for Secure by Design
- 12:08 — Secure by Demand, customer guidance, supply chain security
- 16:05 — Halloween family anecdotes, cybersecurity awareness
- 17:49 — Share the Mic in Cyber: origins, purpose, and impact
- 23:44 — Resources, shoutouts, and where to find more from Lauren
Overall Tone & Style
The conversation was deeply practical yet approachable, combining industry insight with real-world anecdotes and a strong focus on actionable strategies. Lauren’s experience in government and her advocacy for diversity added a forward-thinking and inclusive dimension to the dialogue. The episode offers not only a crash course on Secure by Design for both vendors and customers, but also a look at the cultural underpinnings necessary to advance resilience and equity in cybersecurity.
For more practical advice, strategies, and voices driving the future of data security, listen to the full episode or explore the referenced initiatives and research.
