In most countries' legal systems, any licensed physician may perform any type of surgery. Would you, however, want an oncologist to perform your gum surgery?
Similarly, as product manufacturers are now required to secure their devices, a new, specialized role is emerging: the Chief Product Security Officer (CPSO).
Manufacturers’ motivation to secure their devices
Customers are becoming aware that third-party connected products on their networks may be compromised and give attackers a foothold from which to infiltrate the enterprise.
Compromised mission-critical devices can halt operations and inflict a significant financial burden. Moreover, hacked safety-related devices, such as vehicle ECUs or medical devices, may put lives at risk. For example, the FDA's 2017 recall of Abbott (formerly St. Jude Medical) pacemakers was prompted by vulnerabilities that could allow an unauthorized user to modify the device's programming commands, resulting in rapid battery depletion or inappropriate pacing.
Customers and regulators have started to demand that manufacturers protect their devices and establish processes to ensure secure development, implement security measures and operate incident-response mechanisms. Enterprises have started to put product-specific liability clauses in their contracts with manufacturers, and regulations, standards and guidance such as NISTIR 8259, the UNECE WP.29 automotive cybersecurity regulation (cited as ECE/TRANS/WP.29/GRVA/209/2), ENISA's guidelines, ISO/SAE 21434 and the FDA draft guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" put cybersecurity responsibility on manufacturers' shoulders.
CPSO vs. CISO
Roles
Both the CPSO and the CISO are crucial to the business: the CISO for the supporting function of IT and its associated data, the CPSO for the organization's products, which drive its revenue and cost streams.
The CPSO's role spans the entire product development lifecycle and consists of:
- Secure design
- Secure coding
- Standard compliance
- Vulnerability management (pre and post-production)
- Policies and procedures
- Incident response
The CISO's responsibilities, on the other hand, are operational: maintaining the security of the organization's networks, systems and data.
The term "incident response", for example, means something different when applied to the CISO's role than to the CPSO's role.
When an attack on a device is reported, the CPSO must:
- Reproduce the attack on the reported devices
- Assess the business impact on the affected devices, or family of devices
- Patch the devices within the SLAs promised to customers and regulators
Regulations compliance
The CPSO must ensure that the company's products comply with the relevant regulations and standards. As shown by recent regulations coming from NIST, ISO, ENISA, the FDA, and even the United Nations (with the automotive UNECE regulation), manufacturers must ensure that their products are secured. Each of those regulations has specific measures that the company must comply with when delivering a new connected device, whether a smart-home IoT product, an enterprise edge device, an industrial controller or an automotive ECU. Failing to meet a standard can cause significant delays in time to market and a heavy revenue impact. Needless to say, CISOs are not concerned with such product standard compliance.
Background
Unlike a CISO, who need not have one, a CPSO should have a strong engineering background in order to deeply understand the product lifecycle, develop and influence product requirements, and oversee product recalls and security patches. At the same time, and similarly to CISOs, CPSOs must be security savvy. They must have deep knowledge of the threat landscape and of state-of-the-art security measures in order to ensure that their products are well secured, which in turn reduces the probability that attackers will exploit vulnerabilities in devices already in the field and minimizes the disruption of patching them after production.
Skillset
Good CISOs are their companies' IT security commanders in chief. They directly supervise their teams and lead by experience and authority.
CPSOs, by contrast, are in an advisory role. They rely heavily on R&D cooperation, partnership with legal teams, and management support, and they must have strong soft skills in order to convince R&D and product teams to adhere to their guidelines. Nevertheless, the responsibility they hold, representing customer security requirements, ensuring compliance with standards and regulations, and containing the operational impact of a breach, is critical to the organization's commercial success.
Summary
Product security officers are a new breed in many manufacturing organizations. They combine strong technical skills, deep security understanding, and the ability to drive teams across the organization that do not report to them. The weight of their responsibility for their companies' commercial success requires them to stay up to date on new developments in cyber technologies, standards, and competing offerings. Overall, the CPSO is becoming a critical factor in manufacturing companies' commercial success as they design, develop and sell new connected products.