Skip to content

Chris Wysopal Says Awareness Won't Fix Cybersecurity

Cybersecurity pioneer Chris Wysopal argues that awareness campaigns have failed and that software liability and accountability are needed to improve security.

For more than three decades, cybersecurity professionals have warned about insecure software. They have published research, testified before lawmakers, launched awareness campaigns, and built an entire industry around identifying and mitigating risk. Yet ransomware continues to cripple organizations, botnets continue to grow, and software vulnerabilities continue to fuel breaches at scale.

According to legendary hacker, entrepreneur, and former Veracode CTO Chris Wysopal, the problem is no longer a lack of awareness. The problem is accountability.

“Raising awareness is what we've been doing – I've been doing for 30 years," Wysopal said. "A lot of people in cybersecurity have been doing for half of their career, right? And at the end of the day, it doesn't go anywhere. I'm convinced it doesn't go anywhere.”

Check out the full episode and related article:

30 Years of Raising Awareness with Chris Wysopal
Chris Wysopal joins CYBR.SEC.CAST to discuss software security, vendor accountability, liability, and the future of secure tech.
Why Security Tools Fail to Reduce Risk: The Cybersecurity Shelfware Problem
Chris Wysopal warns that buying security tools without fixing vulnerabilities creates activity, not risk reduction.

Awareness Won. The Problem Remains.

Wysopal helped shape modern cybersecurity as a member of the L0pht hacker collective, which famously testified before the U.S. Senate in 1998. Looking back, he believes one of the group's most important contributions was expanding the cybersecurity conversation beyond hackers and government specialists and into mainstream public discourse.

That effort largely succeeded.

Today, cybersecurity is no longer a niche concern. Boards discuss it. Regulators discuss it. Consumers hear about breaches almost daily. Organizations invest billions of dollars annually in security products and services.

Yet despite all that attention, the underlying incentives that drive insecure software development remain largely unchanged.

Software vendors continue to operate in an environment where speed to market often matters more than security. The industry's long-standing "ship now, patch later" mentality persists because the financial consequences of insecure software rarely fall on the companies producing it. Instead, the burden is transferred to customers, operators, municipalities, schools, hospitals, and critical infrastructure organizations that must deal with the fallout when vulnerabilities are exploited.

For Wysopal, awareness was always a necessary first step. But after 30 years of education and advocacy, it has become clear that awareness alone does not change behavior.

The Software Liability Debate Returns

To explain the problem, Wysopal draws a comparison to environmental regulation.

When companies create pollution or other forms of societal harm, they are often held accountable through fines, cleanup obligations, or regulatory oversight. Society recognizes that businesses benefiting financially from a product should bear some responsibility for the consequences of that product.

Cybersecurity has largely avoided that framework.

Software vendors frequently disclaim liability, even when vulnerabilities contribute to major incidents. As a result, customers bear the cost of recovery, business interruption, incident response, and reputational damage while producers often face limited consequences.

This has fueled growing discussions around software liability, Secure by Design initiatives, and regulatory intervention. Critics argue that software can never be perfectly secure and that excessive liability could stifle innovation. Wysopal agrees that perfection is impossible, but he rejects the idea that the absence of perfection means the absence of accountability.

Instead, he points to the concept of a Safe Harbor framework.

Under such a model, vendors would not be expected to deliver flawless software. Rather, they would need to demonstrate verifiable secure development practices, meaningful vulnerability management programs, and measurable security outcomes. Organizations that meet those standards could receive liability protections, while those that ignore security best practices would face greater scrutiny and accountability.

The concept creates incentives for improvement without demanding impossible outcomes.

From Voluntary Security to Enforceable Standards

Wysopal's argument becomes even more pointed when discussing connected devices and infrastructure.

He points to end-of-life cable modems that continue operating in homes long after they stop receiving security updates. Many customers assume their internet service providers are managing those risks. In reality, there is often no requirement for providers to replace unsupported equipment. Those devices can remain vulnerable for years and eventually become part of botnets used to attack critical infrastructure.

In response, Wysopal is involved with legislative efforts that would require providers to replace unsupported equipment rather than leaving consumers exposed.

For him, the lesson extends far beyond cable modems.

The cybersecurity industry has spent decades raising awareness. The next phase requires enforceable standards that change incentives and create consequences for organizations that profit from insecure technology while transferring risk to everyone else.

Whether through software liability frameworks, Safe Harbor programs, Secure by Design requirements, or targeted legislation, Wysopal believes meaningful progress will only occur when security becomes more than a voluntary exercise.

The industry has proven it can identify the problem. The question now is whether policymakers, vendors, and customers are willing to address the incentives that keep the problem alive.

HOU.SEC.CON CTA

Latest