Home>Articles>‘Patch and Pray’ Security Culture a Dangerous Game for American IT

Cybersecurity and Infrastructure Security Agency (CISA). (Photo: cisa.gov)

‘Patch and Pray’ Security Culture a Dangerous Game for American IT

Congress should establish legal standards that hold software manufacturers accountable for preventable security failures

By Julio Rivera, July 11, 2026 9:00 am

Cybersecurity has become one of the few areas where failure is not only expected—it has been normalized. 

Every month, software vendors dutifully release another round of security patches. IT departments scramble to test and deploy them. Businesses cross their fingers that nothing breaks in production. And somewhere, cybercriminals are already exploiting the vulnerabilities that prompted the patches in the first place.

We’ve accepted this ritual as if it’s an immutable law of technology. It isn’t. It’s the predictable consequence of an industry that has spent decades placing the burden of cybersecurity on customers instead of software manufacturers.

Imagine buying a new car only to receive an email every few weeks warning that your brakes, steering column, or airbags contain newly discovered defects. You’re instructed to install fixes immediately because criminals have already figured out how to exploit them. If you fail to act quickly enough, your insurance company may refuse coverage, regulators may investigate, and your business could suffer catastrophic losses.

Consumers would never tolerate that model in the automotive industry. Yet it has become standard operating procedure in software.

The federal government has begun recognizing that this approach is fundamentally broken. Through its Secure by Design initiative, the Cybersecurity and Infrastructure Security Agency has urged software developers to prioritize security during development rather than relying on customers to compensate for insecure products after deployment.

It’s an important first step. But voluntary pledges won’t solve a structural problem. The United States needs to move beyond encouraging secure software development and begin requiring it.

For too long, software companies have operated under an economic model that rewards speed, feature development, and rapid market entry while treating cybersecurity as a downstream responsibility. If vulnerabilities emerge—and they inevitably do—the expectation is that customers will install patches, security teams will detect attacks, endpoint protection vendors will block malware, and incident responders will clean up whatever slips through.

That’s not accountability. That’s outsourcing risk. The costs are staggering. Ransomware attacks have disrupted hospitals, municipalities, manufacturers, and schools. Supply chain compromises have exposed thousands of downstream organizations through a single vulnerable vendor. Every new critical vulnerability forces businesses into emergency response mode, diverting resources away from innovation and toward crisis management.

Meanwhile, attackers continue to capitalize on known weaknesses. Recent campaigns deploying CryptoClippers demonstrate how cybercriminals exploit compromised systems to silently redirect cryptocurrency transactions, stealing assets before victims even realize they’ve been targeted. Likewise, newly disclosed vulnerabilities such as CVE-2026-50656 serve as another reminder that attackers are constantly searching for flaws that should never have reached production in the first place.

These aren’t isolated incidents. They’re symptoms of an industry that still too often treats security as an optional enhancement instead of a foundational engineering requirement.

That mindset has to change. Congress should establish legal standards that hold software manufacturers accountable for preventable security failures caused by negligent development practices. Companies that consistently ship products riddled with avoidable vulnerabilities shouldn’t be able to externalize the financial consequences onto customers, insurers, and taxpayers.

This isn’t about punishing innovation. It’s about creating incentives that reward responsible engineering. Manufacturers already face liability when defective products harm consumers. Pharmaceutical companies must demonstrate safety before medications reach the market. Aviation manufacturers follow rigorous certification processes because failure carries unacceptable consequences.

Software increasingly powers our hospitals, power grids, financial institutions, transportation systems, and military infrastructure. Why should it be held to a lower standard?

The federal government possesses another powerful tool that remains underutilized: procurement. Washington purchases billions of dollars in software every year. Those contracts should go exclusively to vendors that can demonstrate meaningful compliance with Secure by Design principles. Security shouldn’t merely influence purchasing decisions; it should determine eligibility.

Government procurement has long shaped private industry. Federal safety requirements transformed automobile manufacturing. Defense contracts accelerated technological innovation. Environmental standards reshaped industrial production.

Cybersecurity should be no different. When the federal government establishes rigorous baseline expectations, the private sector follows.

Secure by Design also complements another principle that organizations increasingly recognize as essential: Zero Trust Architecture. Rather than assuming users or devices can be trusted simply because they’re inside a network, Zero Trust continuously verifies identities, limits privileges, and assumes compromise is always possible.

It’s a far more resilient approach than perimeter-based security alone, but even Zero Trust cannot compensate for software that is fundamentally insecure by design. Organizations shouldn’t have to build elaborate defensive layers simply because vendors failed to write secure code.

At the same time, government agencies must continue preparing for the inevitable threats posed by emerging technologies. CISA’s artificial intelligence cyber incident exercise demonstrated the importance of coordinated response planning before AI-enabled attacks become commonplace. That kind of forward-looking preparation deserves praise—but preparedness alone cannot substitute for preventing vulnerabilities before they reach customers.

We cannot exercise our way out of insecure software. Nor can we patch our way to resilience. Cybersecurity has reached an inflection point. Artificial intelligence is accelerating software development, but it’s also accelerating vulnerability discovery and exploitation. Nation-state actors have become more sophisticated. Criminal organizations now operate like multinational corporations complete with customer support, affiliate programs, and profit targets.

The defenders are improving. The attackers are improving faster. Continuing to rely on endless patch cycles while hoping organizations keep pace is no longer a strategy. It’s wishful thinking.

The era of “patch and pray” should come to an end. Secure software should be the default expectation—not the premium option.

If software manufacturers know they will be held accountable for avoidable security failures, they’ll invest more heavily in secure development, rigorous testing, and resilient engineering. If the federal government uses its purchasing power to reward companies that embrace Secure by Design principles, the marketplace will respond accordingly.

America doesn’t have a cybersecurity problem because we lack talented defenders. We have one because we’ve spent too long accepting insecure software as an unavoidable cost of doing business.

It’s time to shift the burden where it belongs—back to the companies that build the digital foundations on which all of us depend.

Print Friendly, PDF & Email
Spread the news:

 RELATED ARTICLES

One thought on “‘Patch and Pray’ Security Culture a Dangerous Game for American IT

  1. Sorry, Julio but you are full of crap. Your proposal would stop all software production. So you think software vendors can find every bug in millions of lines of code? Get real! You are living in a fantasy land. Nothing gets built in this world, software or otherwise, that is perfect.

Leave a Reply

Your email address will not be published. Required fields are marked *