By Sudhir Ethiraj, Global Head of Cybersecurity Office, TÜV SÜD and
Dr. Angelika Steinacker, CTO Identity & Access Management, IBM Security Services EMEA
Security right from the start
The principle of Security by Default is focused on considering security to be built in and up and running from the start. This means including security considerations into a design of a product and the underlying processes and even when formulating policies for an organization at large instead of security being an add-on feature at the end of the process before going to production.
The rapid increase in digitization today, especially accelerated by the pandemic situation, has led to a tremendous increase in the attack surface. Therefore, there is a need to consider the Security by Default principle as a fundamental need to ensure adequate levels of security in society.
The Charter of Trust aims to increase cybersecurity levels in society via collaboration between its member companies across industries and associated partners and has defined 10 Principles to achieve this goal. One of the 10 Principles is the principle of security by default. The Charter Taskforce on Security by Default has been working on this principle for the past three years , compiling baseline requirements and creating explanatory documents on what it means to adopt security by default.
Security by Design vs Security by Default
The concept of “Security by Design” is quite familiar. It means to include security features and capabilities into products and services when designing and producing those products and services. “Security by Design” is a basic requirement and has improved the security of products and services tremendously.
The concept “Security by Default” goes a step further: The security and capabilities of a product or service are active from the beginning. This means that no explicit activation is necessary since this can be forgotten or neglected in some cases. It is especially helpful and necessary in devices used by people not that familiar with security features, e.g. in IoT devices like smart bulbs or smart watches.
Furthermore, “Security by Default” aims at maintaining the security properties during operation and over the lifetime of a product or service. One of the basic requirements for achieving “Security by Default” is therefore that the security properties must be tested accordingly, i.e. under real operating conditions.
Design vs reality
“Security by Default” can really make a difference if security features are sufficient, enabled and productive for the lifetime of a product or service. The need for Security by Default as stated above can be seen in the incident that happened in 2019, where a feature was found in a series of connectivity chips used to connect billions of IoT devices like medical devices or smart meters. An attacker could use this feature in operation to gain control over the machine hosting it. Although these chips had several security features, they had not been sufficient to prevent attacks during operation. You can read about this here.
Charter of Trust drives Security by Default
CoT’s Principle 3 states: “Adopt the highest appropriate level of security and data protection and ensure that it is preconfigured into the design of products, functionalities, processes, technologies, operations, architectures, and business models.”
How do we work to achieve this?
To cover the broad spectrum of topics under security by default, we as a taskforce defined our scope of what we thought was essential to cover under Security by Default and would bring us nearer to the goal of increasing security levels. We therefore split the work into three phases and the taskforce members from companies collaborate to define baseline requirements for security by default. The three phases are:
- Phase 1: Products, Functionalities and Technologies
- Phase 2: Processes, Operations and Architectures (Ongoing)
- Phase 3: Sharing of best practices for adoption of Security by Default
We finalized Phase 1 last year and have nearly finished Phase 2, so we are about to start the final phase. Stakeholders from different industries helped us get different perspectives on Security by Default while defining the scope and the baseline requirements to ensure that these requirements can truly be baseline and can be adopted across industries.
Taskforce resources / results so far
- Baseline Requirements for phase 1 – Products, Functionalities and Technologies
- Explanatory document along with mapping to global standards to facilitate the adoption of the baseline requirements
- Charter of Trust Blogpost on Security by Default
- Podcast on Security by default
Outlook
With the Charter of Trust set out to increase cybersecurity in the society through collaboration between industry partners and exchange with political stakeholders, the taskforce is fully committed in executing this vision. The taskforce will soon publish the results for phase 2 on processes, operations and architectures with the baseline requirements and an explanatory document.
The next steps include moving to phase 3 focusing on best practices to adopt Security by Default requirements from the member companies and getting the message across to different stakeholders in society and supporting a dialogue with stakeholders on these crucial topics. This will include several ways of sharing best practices, e.g. a webinar series with a panel format including an external audience, and articles and case studies showcasing where the requirements have been successfully adopted.
PREVIOUS POST
36th Cyber Security Day: Working together for more resilience in the digital future
NEXT POST
Richards Skalt takes over the Advocacy Workstream
You may also like
External Engagement
Richards Skalt takes over the Advocacy Workstream
We are delighted to welcome Richard Skalt, Advocacy Manager at TÜV SÜD, as the new Leader of the Advocacy Workstream at the Charter of Trust. Richard steps into the role following María del Pino González-Junco, who recently assumed the position of Chair of the Global External Engagement Working Group.
With a strong background in advocacy and a forward-looking vision, Richard brings renewed energy to our mission of shaping a secure digital future. As he puts it:
“My motivation is to preserve and build upon the strong foundation of advocacy activities we’ve developed over the past years. At the same time, I’m committed to ensuring we’re in a position to shape the policies that will define how our business model and operations evolve in the future – including the cybersecurity of products and systems, the use, deployment, and distribution of robust AI solutions, as well as cloud security and secure datacenters.”
In a world defined by accelerating digital transformation and increasingly complex regulatory challenges, principled leadership and effective collaboration are more vital than ever. Under Richard’s leadership, the Advocacy Workstream will continue to engage policymakers, raise public awareness, and strengthen education around key issues such as cybersecurity, AI governance, and secure digital infrastructures.
With a strong background in advocacy and a forward-looking vision, Richard brings renewed energy to our mission of shaping a secure digital future. As he puts it:
“My motivation is to preserve and build upon the strong foundation of advocacy activities we’ve developed over the past years. At the same time, I’m committed to ensuring we’re in a position to shape the policies that will define how our business model and operations evolve in the future – including the cybersecurity of products and systems, the use, deployment, and distribution of robust AI solutions, as well as cloud security and secure datacenters.”
In a world defined by accelerating digital transformation and increasingly complex regulatory challenges, principled leadership and effective collaboration are more vital than ever. Under Richard’s leadership, the Advocacy Workstream will continue to engage policymakers, raise public awareness, and strengthen education around key issues such as cybersecurity, AI governance, and secure digital infrastructures.
Read more
April 29, 2025
•
External Engagement
New Chairwoman for the Global External Engagement Group
The Charter of Trust is proud to announce María del Pino González-Junco, Cybersecurity Alliances Manager at Siemens, as the new Chairwoman of the Global External Engagement Working Group. Her appointment marks a significant step forward in our shared mission to advance cybersecurity through strong international collaboration.
Pino’s election follows a dynamic Collaboration Week in Denmark, where Charter of Trust partners from around the world came together to align on strategy, strengthen partnerships, and reaffirm our commitment to a secure digital future. As a longstanding leader within the advocacy workstream, Pino has been instrumental in fostering open dialogue with key external stakeholders and promoting cybersecurity awareness across industries and institutions.
“A reliable digital world can only thrive if public and private institutions build trust and cyber-resilience together, share their expertise, and support society in this digital journey. Those are our goals at the Charter of Trust,” says Pino.
She takes over the role from Sumit Chanda, COO/CISO at Atos, who has guided the working group with vision and energy. We are pleased to share that Dr Chanda has since been elected Co-Chair of the Charter of Trust by the Board of Directors in February—ensuring his continued impact on the initiative’s strategic direction.
We extend our sincere thanks to Sumit for his outstanding leadership and warmly congratulate Pino on her new role.
Pino’s election follows a dynamic Collaboration Week in Denmark, where Charter of Trust partners from around the world came together to align on strategy, strengthen partnerships, and reaffirm our commitment to a secure digital future. As a longstanding leader within the advocacy workstream, Pino has been instrumental in fostering open dialogue with key external stakeholders and promoting cybersecurity awareness across industries and institutions.
“A reliable digital world can only thrive if public and private institutions build trust and cyber-resilience together, share their expertise, and support society in this digital journey. Those are our goals at the Charter of Trust,” says Pino.
She takes over the role from Sumit Chanda, COO/CISO at Atos, who has guided the working group with vision and energy. We are pleased to share that Dr Chanda has since been elected Co-Chair of the Charter of Trust by the Board of Directors in February—ensuring his continued impact on the initiative’s strategic direction.
We extend our sincere thanks to Sumit for his outstanding leadership and warmly congratulate Pino on her new role.
Read more
April 24, 2025
•
General announcements
Charter of Trust elects new co-chairs of the Board of Directors
We are honoured to announce that Dr. Ralf Schneider, Senior Fellow and Head of Cybersecurity and NextGenIT Think Tank at Allianz and Dr. Sumit Chanda, Chief Operating Officer at Atos Group Security have been elected as new co-chairs of the Charter of Trust during our last Board of Directors meeting in Munich.
The Partners and Associated Partners thanked Natalia Oropeza, Global Chief Cybersecurity Officer at Siemens, for her engagement and steady leadership during her term as Chairwoman. In her tenure, the Charter of Trust underwent important internal and external changes. What first stands out is the smooth integration of the four working groups, which made the Charter of Trust more agile, leaner and more efficient. It is also safe to say that the alliance has never had such a high level of exposure externally, due to the Charter of Trust partners continuous dedication to the mission of the alliance.
In the spirit of industry collaboration, Natalia Oropeza expressed her support to our new Co-Chairs and said how “incredibly proud of what we have achieved together, welcoming new partners, strengthening our structure, and elevating the Charter of Trust's impact on the global cybersecurity landscape. Collaboration has been at the heart of our success, and I am confident that Dr. Sumit Chanda and Dr. Ralf Schneider as Co-Chairs, the Charter will continue to drive meaningful progress towards a more secure digital world."
For the first time in its history, the Charter of Trust will be co-chaired. Dr. Ralf Schneider from Allianz and Dr. Sumit Chanda from Atos who have decades of experience in the world of cybersecurity and have been active within the alliance for several years now. Both unite an intrinsic motivation to foster inter- and intra-sector collaboration as well as the continuous sharing of knowledge between the Partners and Associated Partners of the Charter of Trust.
For the next year the co-chairs aim to amplify the number of Partners and Associated Partners. This growth, however, should still preserve the unique features of the Charter of Trust as a large practitioner organization with member from all over the world. Expanding into new sectors and new countries is a key target for the new leadership team, so that the Alliance can continue to engage with stakeholders at the highest level.
Dr. Sumit Chanda underlined that “The Charter of Trust’s role is to promote a safe and trusted digital work. Its unique partnership blend of large organisations, working across 190 countries, and across several sectors, has enabled it to make significant progress under the leadership of Mrs. Natalia Oropeza. I would like to thank her for these great achievements. Along with Dr. Ralf Schneider from Allianz, we welcome the opportunity to build on her work as the Co-Chairs of Charter of Trust.”
Ralf Schneider added that “In dynamic times with more risks, more uncertainty, and more unknowns, we as the Charter of Trust step up – to provide stability, promote reliability, and foster trust. This is our mission today and tomorrow.”.
The Partners and Associated Partners thanked Natalia Oropeza, Global Chief Cybersecurity Officer at Siemens, for her engagement and steady leadership during her term as Chairwoman. In her tenure, the Charter of Trust underwent important internal and external changes. What first stands out is the smooth integration of the four working groups, which made the Charter of Trust more agile, leaner and more efficient. It is also safe to say that the alliance has never had such a high level of exposure externally, due to the Charter of Trust partners continuous dedication to the mission of the alliance.
In the spirit of industry collaboration, Natalia Oropeza expressed her support to our new Co-Chairs and said how “incredibly proud of what we have achieved together, welcoming new partners, strengthening our structure, and elevating the Charter of Trust's impact on the global cybersecurity landscape. Collaboration has been at the heart of our success, and I am confident that Dr. Sumit Chanda and Dr. Ralf Schneider as Co-Chairs, the Charter will continue to drive meaningful progress towards a more secure digital world."
For the first time in its history, the Charter of Trust will be co-chaired. Dr. Ralf Schneider from Allianz and Dr. Sumit Chanda from Atos who have decades of experience in the world of cybersecurity and have been active within the alliance for several years now. Both unite an intrinsic motivation to foster inter- and intra-sector collaboration as well as the continuous sharing of knowledge between the Partners and Associated Partners of the Charter of Trust.
For the next year the co-chairs aim to amplify the number of Partners and Associated Partners. This growth, however, should still preserve the unique features of the Charter of Trust as a large practitioner organization with member from all over the world. Expanding into new sectors and new countries is a key target for the new leadership team, so that the Alliance can continue to engage with stakeholders at the highest level.
Dr. Sumit Chanda underlined that “The Charter of Trust’s role is to promote a safe and trusted digital work. Its unique partnership blend of large organisations, working across 190 countries, and across several sectors, has enabled it to make significant progress under the leadership of Mrs. Natalia Oropeza. I would like to thank her for these great achievements. Along with Dr. Ralf Schneider from Allianz, we welcome the opportunity to build on her work as the Co-Chairs of Charter of Trust.”
Ralf Schneider added that “In dynamic times with more risks, more uncertainty, and more unknowns, we as the Charter of Trust step up – to provide stability, promote reliability, and foster trust. This is our mission today and tomorrow.”.
Read more
February 12, 2025
•
