Over the past ten years, rising security breaches within leading companies have continually reinforced the need for a chief information security officer, or CISO, to protect critical things like IT systems, brand reputation, revenue and even stock prices. As a result, many boards and other invested figures currently demand a higher level of accountability and focus for managing cyber-preparedness, threat prevention and executive reporting, all of which the CISO must provide.
Because the security of our applications is now a business imperative, the CISO often reports to the CEO or equivalent in most organizations, which helps ensure these issues get the attention they need. But there’s a new executive management position currently taking hold, one that serves a separate but related purpose, and it’s changing the way organizations view their products.
The CISO vs. the CPSO
This new role, known as the chief product security officer (CPSO), is emerging at a time when product security is taking center stage for many organizations. When companies first decided they needed an executive focused specifically on security, they created the role of the CISO. And today, with digital transformation continually exposing the ways applications or other “products” can be threatened or compromised, their need for a dedicated CPSO makes sense. Companies ensure their internal systems and networks remain secure by relying on the CISO, but they also need to find ways to guarantee the products they build are safe.
The product-focused work of the CPSO is important because it strengthens the bridge between security and product engineering today. Given that product security has never been more critical, the CPSO oversees the security of a company’s products, such as software, firmware or other product with code. By implementing and overseeing a product security program, the CPSO can address security in all stages of a product’s life cycle. This means both security and product innovation are encouraged and supported.
So, at the end of the day, what makes a CPSO different from a CISO? At a high level, their responsibilities appear similar—but their functions are greatly varied. While CISOs manage security for the entire enterprise environment, CPSOs focus more specifically on the separate (but critical) domain of product security. This means the CPSO watches over the digital products within a company, such as software, firmware or code-related products, and designs a security program intended to address AppSec across all stages of the development life cycle.
The work of a CPSO also requires switching up the status quo by raising awareness and educating product-focused professionals on how to build security into products while in the design phase. This often demands a cultural shift within an organization, to one that invests in new tools and training. And, of course, CPSOs shouldn’t be relegated to just research and development; they must gain access to the higher-ups to implement such changes, often reporting directly to the CEO. Companies looking to promote product safety across the board will settle for nothing less.
Product Hacking is a Thing
This is a sweet spot for the emerging role of the CPSO. With the potential to do more damage than a corporate data breach, product hacking can have downstream impact on an organization’s customers and their customers as well. Like a domino effect of security woes, the repercussions of a product breach can become massive financial and reputational nightmares, spanning the software supply chain of all industries. And this is making customers sit up and take note, even adding product security-related clauses to their purchase agreements.
Unlike a CISO, the CPSO should possess a separate set of skills meant to address product hacking, such as (but not limited to) engineering training, product-related cybersecurity practices, threat modeling, secure coding and security risk management. While research and development competencies are always a plus, the CPSO must be a strong advocate for product security above all. Companies looking to produce products where safety and security are essential will surely lead the way in establishing more seats at the management table for the valuable new role of the CPSO.
To find out how ZeroNorth can help your organization secure products and reduce risk, contact us or schedule a demo of our application security automation and orchestration platform.