In this series of articles the term ‘product’ will be used to denote the broad range of commercial digital products from software apps to devices, sub-systems, systems, and ultimately integrated solutions/platforms.
In a previous article, we discussed the rise of the Chief Product Security Officer (CPSO). The piece concluded that, as the role is new and evolving, the role’s organization and specific responsibilities are not yet clear. In this series of articles, we explore this topic and provide guidance for any inaugural CPSO office holders on where to start and how to achieve success and effect change.
The following guide is based on personal experience both from establishing a Product Security Office and acting in the capacity of a CPSO within a large and complex business (£1b in revenue) operating across multiple industries, countries, and regulatory environments, from safety-critical transportation to defense and manufacturing, as well as from consulting on the implementation of similar PSOs in several multi-nationals.
The biggest challenge – and opportunity – for any new CPSO is that there won’t have been anyone previously in post to learn from, no existing strategy to execute on, and no industry best practice to build your governance around. This is especially true for those operating in the product, systems, or production industries, delivering physical or hardware solutions, rather than in pure software industries.
Even so, there is a growing community from which to draw support and best practice. Companies such as Thales, Rolls Royce, BAE Systems, Google, Apple, GE Healthcare, Johnson Controls, Schneider Electric, Volkswagen, and Jaguar Land Rover have all recently established a Product Security Office (PSO) separate from the role & responsibilities of a CISO.
A new CPSO’s experience will depend on the existing culture, their remit for change, and the resources available to them. Therefore, corporate boards should not underestimate the scale of the challenge involved in reaching a suitable level of product security maturity. This transformation will impact many business areas including Product Management, Engineering, Quality, Procurement, and Operations.
The scope of transformation a CPSO and PSO must drive forward encompasses more than can be captured in this series of articles, but from experience the following six areas are the recommended ‘first steps’ that will deliver the biggest return on investment.
We will explore each of these areas in the articles that follow in this series:
- Establish a Product Security Office: put the right team in place, with the right commitment and remit to operate, to give yourself the greatest chance of success.
- Adopt Overarching Governance: ensure risk decisions are made by the right empowered people in a consistent manner, building confidence in the business.
- Define Core Processes & Objectives: integrate ‘Secure-by-Design’ approaches into the business’ engineering management system, to avoid friction in adoption.
- Define Acceptable Assurance Cases: set the standards for what constitutes an acceptable-quality output, to help build a culture of security maturity and capability.
- Engage with the Supply Chain: work with procurement to adopt appropriate requirements & conditions, to enable you to deliver through-life security.
- Establish an Incident Management Capability: prepare the business to react to unforeseen product security events, demonstrating added-value early.