
AI changes the pace, but not the fundamentals

As organizations move quickly to adopt AI, security leaders are facing a familiar challenge in a new form: how to innovate at speed without increasing risk. At Microsoft Ignite, we sat down with our partners at IBM to talk candidly about what Secure by Design looks like in practice, and why it is becoming a foundational expectation rather than a buzzword.

This conversation covers the shift in mindset and culture that organizations need to make, and the real-world tradeoffs security and business leaders are navigating as AI becomes embedded across the enterprise. It draws on the most recent paper from IBM’s Institute for Business Value, Secure by design, smarter with AI.

AI is already reshaping how both defenders and adversaries operate. While some headlines focus on novelty or worst-case scenarios, the reality is more grounded: attackers are accelerating familiar techniques, not reinventing the game overnight.

That shift in speed is an important factor. It puts pressure on organizations to move from reactive security models toward approaches that emphasize resilience, prioritization, and preparedness from the very start. As IBM's Institute for Business Value highlighted, this remains a cat-and-mouse problem, but one where response time, visibility, and architectural decisions increasingly determine outcomes.

“AI doesn’t fundamentally change the fact that security is a cat-and-mouse game, but it does make that game move much faster,” said Srini Tummalapenta, co-author of the new paper and Distinguished Engineer and CTO, IBM Security Services.

Explore the discussion

Skip ahead to the most relevant section in the video based on the following time stamps.

2:00 – Why Secure by Design matters now
IBM introduces the joint research and frames Secure by Design as a response to real-world AI and security pressures, not theory.

3:00 – AI accelerates attackers, not just defenders
Discussion on how adversaries are using AI to move faster, increasing the importance of detection speed and proactive defense.

8:00 – Culture, leadership, and accountability
What blocks adoption: misaligned culture, lack of sponsorship, and unclear guardrails.

10:00 – Getting boards and executives to care
How boards already think about AI and security through risk, resilience, and business impact.

12:00 – Threat intelligence belongs at the design stage
Why intelligence must inform architecture and application design, especially for regulated and critical infrastructure sectors.

15:00 – Prioritization over perfection
Using threat intelligence, ISACs, and peer insights to prioritize protections and plan for recovery, not just prevention.

17:00 – Secure by Design across AI consumption models
Practical breakdown of shared responsibility across AI-as-a-service, RAG/hybrid, and private model deployments.

23:00 – Secure by Design drives efficiency
Concrete examples of how early security decisions prevent rework, delays, and costly backtracking later in development.

27:00 – Making security a shared KPI
Why Secure by Design must be measured across teams, not isolated to security, and reinforced through budget and leadership support.

30:00 – Secure by Design as brand trust
How security underpins customer trust, brand promise, and long-term business relationships.

Secure by Design is a leadership problem before it’s a technical one

One of the strongest themes in the discussion is that Secure by Design succeeds or fails long before code is written. While awareness of the concept is high across the industry, adoption still lags, largely because security is often treated as a downstream activity instead of a shared responsibility.

Boards and executives are increasingly fluent in cyber risk, especially when framed in terms of business impact, resilience, and brand trust. The challenge is translating that awareness into consistent action across teams, tools, and workflows.

When security is embedded early, especially through governance, architecture reviews, and threat modeling, it reduces friction later. When it isn’t, organizations pay for it in rework, delays, and lost confidence.

Intelligence belongs at the start, not the end

Threat intelligence is another recurring thread in the conversation, though not as a standalone function. Different industries face different adversaries, motivations, and attack paths. Treating intelligence as optional or generic leaves teams blind to what matters most in their environment.

Leading organizations are using intelligence to:

  • Inform architectural decisions

  • Guide threat modeling exercises

  • Prioritize controls based on likely impact

  • Justify security investments in business terms

When intelligence is inseparable from design, it becomes a force multiplier: controls are chosen against the adversaries and attack paths the organization actually faces, so the security strategy is executed with greater precision.

Measuring security as a shared outcome

A recurring misconception is that security slows innovation. In practice, organizations with higher Secure by Design maturity often move faster because they avoid costly resets late in the development cycle.

Embedding security early helps teams:

  • Reduce rework

  • Shorten time to market

  • Align procurement, compliance, and engineering decisions

  • Manage risk without halting progress

The most effective programs treat Secure by Design as a shared KPI that is measured across teams, supported by leadership, and reinforced through culture and incentives.

“It’s not about dictation, it’s about guardrails. You give teams clarity on what to do and what not to do, and then you make security part of how work actually gets done,” said Tummalapenta.

To gain more perspective from Srini and Trina, read the IBM Institute for Business Value’s latest paper.
