November 25, 2025

Building Secure Platforms: An open letter to software and OS vendors

Without increasing support for secure defaults by OS and software vendors, the breaches will continue.
Tyler Farrar wrote a resonant open letter in CSO magazine to the cybersecurity industry. It made me think about why we’re in this place. This one is tongue in cheek, because reality is what it is. But we can dream, can’t we?

You keep selling us features. We need you to ship safety by default.

Every breach follows the same pattern: unpatched systems, flat networks, stolen credentials, lateral movement, game over. We know how attacks work. We’ve known for decades. Yet you keep shipping platforms that assume trusted networks, assume tech-savvy end users, require administrators to manually harden everything, and treat security as an opt-in feature.

The CISO community is pushing back on the security vendor noise machine. Now it’s your turn. You—the platform vendors, the OS makers, the cloud providers, the SaaS companies—are the foundation on which everything sits. When you ship insecure defaults, you’re not giving customers flexibility. You’re setting them up to fail.

The defaults are broken

Let’s be clear about what “secure by default” actually means:

Auto-updates should be mandatory and real-time. Not “check weekly.” Not “notify user.” Not “download and wait for reboot window.” Push security patches as soon as they’re available. Make them difficult to disable. If something breaks, fix it in the next update. The current model, where overworked admins must manually prioritize patching, is a gift to attackers. Every patch Tuesday that turns into “patch eventually” is another month of known vulnerabilities sitting in production.

Every service should be default deny. No application binds to 0.0.0.0 out of the box. No service should accept connections from anywhere unless explicitly configured. Ship with host firewalls on and restrictive. Make developers and admins explicitly open holes to make things work. Yes, this generates support tickets. Good. That’s better than generating breaches when dealing with sensitive data.
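One way to check a host against the “nothing binds to 0.0.0.0 unless explicitly opened” rule, as an added example that is not from the original post: it parses `ss -ltnp`-style output (a constructed sample is embedded below) and reports every wildcard-bound listener whose port is not on an explicit allowlist, which plays the role of the holes an admin deliberately opened.

```python
import re

# Constructed sample of `ss -ltnp` output; not captured from any real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511      127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=1201,fd=6))
LISTEN  0       4096     *:9200               *:*                users:(("java",pid=2210,fd=99))
LISTEN  0       128      [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128      [::1]:5432           [::]:*             users:(("postgres",pid=990,fd=5))
"""

# Local-address forms that mean "every interface" in ss output.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Yield (address, port, process) for each LISTEN row; skips the header."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::1] intact.
        addr, _, port = fields[3].rpartition(":")
        match = PROC_RE.search(line)
        yield addr, int(port), (match.group(1) if match else "?")


def find_wildcard_listeners(ss_output, allowed_ports=frozenset()):
    """Return (process, address, port) for listeners reachable from any
    interface that were not explicitly allowed. Loopback-only services
    (127.0.0.1, [::1]) are the secure default and are never reported."""
    return [
        (proc, addr, port)
        for addr, port, proc in parse_listeners(ss_output)
        if addr in WILDCARDS and port not in allowed_ports
    ]


if __name__ == "__main__":
    for proc, addr, port in find_wildcard_listeners(SAMPLE_SS_OUTPUT, {22}):
        print(f"exposed: {proc} listening on {addr}:{port} without an explicit exception")
```

With SSH deliberately allowed, only the search service on port 9200 is flagged; the Redis and PostgreSQL instances bound to loopback pass without any allowlist entry.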

Network segmentation should be built into the platforms, not bolted on later. Every workload should be isolated by default. Container networking got this right—why do we accept flat networks everywhere else? Operating systems should create network namespaces per application. Cloud platforms should segment by default and make customers work to create flat networks, not the other way around.

Phishing-resistant authentication should be mandatory. No more passwords. No more SMS codes. No more “just use MFA” when we all know TOTP and push notifications get phished daily. WebAuthn, passkeys, hardware tokens—pick one and make it required. Make legacy authentication methods require explicit exceptions that expire. If privileged access to your platform still accepts passwords without hardware-backed authentication in 2025, you’re complicit in credential theft.

Least privilege should be enforced, not recommended. Stop shipping admin accounts for everything. Stop letting regular users install software system-wide. Stop assuming the first account created needs root. Make privilege escalation explicit, audited, and temporary. Windows started to figure this out with UAC, then broke it by training users to click “yes” reflexively. Do better.

Why this doesn’t exist today

You’ll say customers demand flexibility. That enterprises need control. That compatibility matters. That changing defaults will break existing deployments.

All true. None of it matters.

The current model isn’t working. The breach headlines prove it. Every CISO, red teamer, and pentester knows that most successful attacks exploit fundamentals—unpatched systems, excessive permissions, flat networks, stolen credentials. These aren’t sophisticated nation-state techniques. They’re the basics. And they work because platforms ship insecure by default.

You’re optimizing for ease of setup rather than security of operation. You’re choosing compatibility with 1990s assumptions over protection against 2025 threats. You’re putting the burden on customers to manually configure security so you don’t have to handle support calls. That’s a business decision masquerading as a technical constraint.

The real reason secure defaults don’t exist is that they’re hard to build and harder to sell. Auto-updates that can’t be disabled require engineering updates that never break production. Default deny requires rethinking how applications discover and connect to services. Network isolation adds complexity to platform architecture. Phishing-resistant auth requires hardware integration and killing legacy protocols that customers still use.

But here’s the thing: if you’re shipping platforms that run the internet, run enterprises, run critical infrastructure, then hard is your job. You’re the foundation. When you ship insecure defaults, every company that uses your platform inherits that insecurity. They don’t all have security teams large enough to properly harden your product. They don’t all have the expertise to configure isolation correctly. They’re taking your defaults and hoping for the best.

The licensing racket needs to end

Yes, there’s good reason to charge extra for enterprise services. But when you know the burglar is pilfering the safe and you don’t tell the customer since they haven’t paid you for that SKU…

Microsoft charges extra to not get breached. Want to block suspicious sign-ins? 10x the price for P2. That shouldn’t be a premium feature. Users will get phished and “log in” from a shady VPS. Blocking that is table stakes for not having your cloud tenant compromised. Charging extra for it is like selling a car without seatbelts and treating airbags as a luxury option.

AWS makes security features paid add-ons. GuardDuty for threat detection? Extra cost. Security Hub for centralized findings? Extra cost. A single place to investigate incidents? Extra cost. You’re already paying for the infrastructure—why is visibility into attacks an upsell?

Slack makes basic security features Enterprise Grid-only. SAML SSO? Enterprise Grid only. Data loss prevention? Enterprise Grid. Session management? Enterprise Grid. Small companies get to use passwords and hope nobody clicks a phishing link.

The message is clear: security is optional, and opting in costs extra. This is backwards. Security should be the baseline. Insecurity should be what requires a deliberate choice to downgrade. The SSO Wall of Shame clearly shows the price differentials.

When you gate security behind premium SKUs, you’re creating a society where small companies, schools, nonprofits, and anyone without enterprise budgets deploy your platforms in inherently compromised states. Then, when they get breached, everyone acts surprised. We shouldn’t be surprised. We designed it this way.

What good looks like

Some of you are trying. ChromeOS auto-updates by default, and users can’t disable it. macOS is making strides with privacy and process hardening. Mobile platforms sandbox applications and require permission grants for sensitive operations. Exploiting memory-corruption bugs has become much more difficult since the early days. These aren’t perfect, but they’re progress.

Security improves when you make insecure configurations hard to use rather than making secure configurations optional. When you assume hostile environments instead of trusted networks. When you treat every credential as compromised and every network as untrusted.

We simply need to apply the lessons we’ve learned over decades of breaches. Defense in depth. Least privilege. Assume breach. These aren’t new concepts. They’re just really hard to implement as defaults without breaking the business model of “ship now, harden later.”

The path forward

Ship secure defaults in new platforms. If you’re building something new, do it right from the start. Don’t carry forward legacy assumptions about trusted networks and password authentication. Build isolation, auto-updates, and hardware-backed authentication into the foundation.

Create migration paths for existing platforms. We know you can’t flip a switch and break the installed base. Fine. Create new configuration profiles that enforce secure defaults. Give enterprises a path to “locked down mode” that they can adopt over time. Make the secure configuration the recommended one, not the footnote in the security guide nobody reads.

Make security features standard, not premium. If it prevents breaches, include it in the base license. Phishing-resistant authentication, risk-based access controls, threat detection, encryption at rest, basic audit logging, session management—these are not luxury features. Price your platforms honestly and include security as part of the baseline. If you want premium tiers, compete on performance, scalability, and support, not on whether customers can detect they’ve been compromised.

Take responsibility for your defaults. When the next breach happens because someone didn’t change your default configuration, ask yourself: why was that possible? Why did we ship it insecurely? Why did we make the customer opt in to security rather than opt out of convenience?

CISOs can’t fix this alone

The CISO community is learning to stop buying security theater. They’re focusing on fundamentals. They’re demanding less noise and more substance from security vendors.

But we can’t patch our way out of platforms that ship vulnerable. We can’t firewall our way around operating systems that assume flat networks. We can’t MFA our way past authentication systems that still accept passwords. And we can’t budget our way out of security being locked behind premium licenses.

You’re the foundation we’re building on. If the foundation is compromised, everything on top of it is compromised too. We need you to ship platforms that are secure by default, not secure if configured correctly by experts with enterprise budgets.

Stop shipping insecure defaults and calling it flexibility. Stop making security the customer’s problem to solve. Stop charging extra for basic protections. Build platforms that make breaches harder, not easier.

We’ll adapt to the friction. We’ll train users on new authentication methods. We’ll update our applications to work with restrictive defaults. But you have to ship it first.

The attacks truly aren’t getting more sophisticated. The fundamentals keep failing. And many of the fundamentals are your responsibility.

Ship secure defaults.
