Digital transformation has changed the way companies do business, which has in turn changed the way consumers interact with the products and services companies provide. Where once the concept of product security was a niche feature of paramount importance to those companies that had a tangible product, the world has changed. As a result, the need to secure technology has also changed, which has given rise to the role of chief product security officer (CPSO).
Hugh Thompson, program committee chair of RSA Conference, said that the need to bridge the essential requirements of cybersecurity with the innovation and productivity of software development has never been greater. Thompson believes the emerging role of the CPSO can walk in both camps and serve as a guardian and an enabler of the business.
Increasingly, we are seeing evidence that validates Thompson’s claim. Earlier this year, RSAC 365 hosted a podcast with guests Megan Samford, chief product security officer, energy management, Schneider Electric, and Patrick Miller, founder, director and President Emeritus, EnergySec and US coordinator for the Industrial Cybersecurity Center, who discussed whether product security was the new frontier of the cybersecurity industry.
Indeed, more organizations are shifting left, and because they are taking security more seriously at the product level, companies are baking security in from the start. As a result, many organizations are finding they need someone beyond the CISO to lead this effort at the organizational level. Samford says a CPSO needs to work in close partnership with the CISO. “There’s a lot we can learn from CISOs, and it’s exciting to be along on this journey and be in these very action-oriented roles where product teams are hungry to learn more about security…we are enabling product teams and incentivizing good security behavior,” Samford said.
Security Teams Are A-Changin’
Because organizations now have hundreds or even thousands of developers who are building software, security has become a much bigger challenge than a CISO can handle. Product security requires a new type of skill set, that’s different from navigating the challenges inherent in locking down, configuring firewalls and/or being in compliance with different regulations.
“There are new emerging needs of the organization, which traditional product security companies have always had,” said Chris Wysopal, founder and CTO of Veracode. “Because they are becoming dependent on secure software engineering to operate their businesses, every company across sectors needs a CPSO.”
Wysopal and his RSA Conference co-speaker Joshua Corman, chief strategist, healthcare sector, CISA, are quite passionate about the future of application security. As Corman explained, security teams are undergoing an evolution of necessity. He said the demand signal went up as regulated spaces started asking for product security hygiene, and companies realized they needed someone who specialized in product security. Corman adds that CPSOs serve a different role and need to go beyond being versed in firewall rules and incident response. Product security hygiene has become a very different discipline that most (not all) classically trained CISOs are not familiar with.
Where traditionally the CISO was the one to make sure a company didn’t have a breach, digital transformation has brought to light the reality that people depend on products. If trust in those products gets compromised because of security flaws, consumers will go to competitors. As different sectors – particularly the medical device and manufacturing field – started to see an increased regulatory appetite for cyber requirements on products, the CPSO’s role gained traction. At the same time, Corman said that the attack density shifted toward app and product attacks and companies began to see the cost, which got the board’s attention, because it highlighted the added risk of reputational damage.
While some Fortune 500 companies may have a CPSO, Megan Samford and Patrick Miller agree they are optimistic that 99% of all Fortune 500 companies will have such a role in the next five to 10 years. Even without that specific role, Wysopal said the responsibilities may fall under other titles, ranging from product security lead to security engineer, with the functions of product security distributed around penetration testers, DevSec teams, and security officers. Wysopal said the CPSO has emerged as the leadership role to harmonize all of these elements. “Security as a separate team doing oversight doesn’t work anymore,” Wysopal said. “Product security needs to be a more centralized discipline that’s tightly integrated, with security and engineering working together.”
The future of product security
All of these shifts to security teams had been brewing when GDPR was ushered in, which raised awareness among those companies that realized they had apps that touch regulated data. But many shifts to good security hygiene have been reactive, not proactive. As companies advance along their digital transformation journeys, they can choose to stay the course and react only when public policies (or a breach) forces their hand, or they can engage in shaping those policies.
Sometimes the best way to predict the future is to help cause or nudge it, said Corman, who has actively pushed for policy changes and encourages others to do the same. Regulations and policies will force the hand of change. As global demand for product hygiene becomes more commonplace, vendors that can’t produce evidence of hygiene will exclude themselves from entire markets. And that’s an outcome that Corman said no company wants.
Kacy Zurkus, Content Strategist, RSA Conference