Product Security Needs A C-Suite Champion

Chief Product Officer at GrammaTech, where he leads product strategy for the company’s application security testing product portfolio.

Five years ago, Congress was concerned enough about the safety of devices in the emerging Internet of Things that it considered creating ratings to show the security level of connected products. The law proposed a scale like the Energy Star efficiency ratings to validate products that are designed to minimize their vulnerability to hacking and protect users’ privacy and safety.

While that legislation may have been ahead of its time, not much has developed since to give users visibility into the security of devices that are everywhere today, from the camera in your smart doorbell to the critical infrastructure in the power grid.

One development is encouraging: the evolution of product security executives (PSE), the professionals responsible for the security of cyber-physical products. They are the ones who ensure the software inside these devices is secure and not vulnerable to cyberattacks.

PSEs share some responsibilities with the chief information security officer (CISO), but the two roles have very different functions. PSEs focus on the digital security of products, including the software, firmware and other code embedded in hardware. They implement a product security program that addresses cybersecurity throughout the product life cycle. In short, they are responsible for keeping bad actors from breaking into their products via the software.

Just as the role of CISO grew in response to the explosion of data breaches in the first wave of digital disruption, the PSE has been a response to the growth of “phygital” operations, where many processes that were once manual are now digital and controlled by networked devices. Everything from pacemakers to cars can be vulnerable to hackers if the code inside them is compromised, but the security of these devices has not always been top of mind.

Even organizations that take information security seriously may need to put more focus on the security of the code inside the products they make, as can be seen by the size of the teams and the number of resources dedicated to one versus the other. The hack