In a recent Ed TALKS, I had the distinct pleasure of hosting three prolific industry thought leaders in cybersecurity: Matthew Rosenquist, Shira Rubinoff, and John Yeoh. Our discussion was broad-ranging and included everything from the impact of artificial intelligence on security to cryptocurrency and security roles.
I challenged our panelists to debate an interesting topic discussed on another security panel that included Kelly Shortridge and Fernando Montenegro – the fundamental difference between InfoSec and Product Security. Both Kelly and Fernando said, and I'm paraphrasing, that product security/engineering is often ahead of and nimbler than InfoSec and, thus, better equipped to know what's best with respect to incorporating security into product development. They went so far as to say that in such instances, InfoSec isn't just getting in the way of development; it's getting in the way of security. The irony, eh?
Matthew Rosenquist, a CISO himself, didn't disagree. There are different domains in cybersecurity that focus on securing software applications and products. Today, with so many "things," including infrastructure, electronic devices, cars, et al., dependent on software, many organizations are creating CPSOs (Chief Product Security Officers) to complement the CISO (Chief Information Security Officer) position. In this modern organization:
- The CISO's org is a group that protects the IT/infrastructure. They primarily deal with the enterprise's corporate data, policies, compliance, and overall risk management.
- The CPSO's org is a group that protects the products or services that the company is building. These are typically engineering groups focused specifically on securing revenue-generating products for the enterprise.
In many cases, these are distinctly different groups with different responsibilities. If an organization has sound security engineers on the product side, they really should not be impeded by the information security group, i.e., the specialization that focuses on internal assets and resources, corporate brand, etc.
"You should let good security architects and engineers who know the products do what they need to do," Rosenquist said... and then added, "but there are challenges. Active collaboration becomes a key to success regardless of what the split of responsibilities is because you have to establish mutually supporting posture. There has to be teamwork."
There are, of course, rush-to-market pressures – nothing wrong with that. Clients, both internal and external, need technology to do things cheaper, better, and, likely, faster. In many cases, you have organizations where the security team is not empowered or, worse, is undermined by its executives. Organizationally, a product security engineering team or leader often reports to the product line manager or VP. Regardless of who that is, what is their motivation? Get the product out the door to make money for the firm. So, in many cases, those engineers face a lot of tension and difficulty: they know how to secure the product but are not given the time, resources, or voice. When that's the case, the CISO on the other side needs to step in, give them the necessary air cover, and provide security leadership to ensure they can do what they need to do.
This is where InfoSec should lean in hard and engage. They need to advocate for the product security team to make sure it gets the right resources and time to do the security code reviews, penetration tests, etc. That's the partnership, but again, if you've got a stellar product security and architecture team (and I've worked in organizations that do), you should sit back and watch them do their thing. You're there to support them, work with them to track key metrics, and ensure they're tied to your security goals, but it's important to let smart people be, well, smart.
I'm thrilled to see some companies take it further; for example, Dell Technologies formed a single product and application security organization. They did so because, like many organizations today, they had two teams performing nearly identical (important) functions, often in an inconsistent and disconnected manner.
Shira Rubinoff and John Yeoh had some valuable insights as well. Shira pointed out that organizations have a lot of hierarchy, and we often hear things like, "You must report to me. I need to be involved in everything you do." Successful organizations are diverse – everybody does their job and is equipped to do it. She emphasized that many organizations have "multi-level" people in the same position, so that people end up micromanaging each other, which slows down production and causes unnecessary conflict. If you start to micromanage people and question everything they're doing, that will be perceived as a lack of trust, and they will feel undervalued. But the cycle works in reverse as well: trusting your workforce, working alongside them, and creating an ethical culture within the organization leads to retained employees and heightened productivity.
John Yeoh went so far as to say Product Security and InfoSec are "two different domains" because InfoSec has a broader scope of responsibilities. He agrees that if engineering is moving faster with security, let them. He cautioned that there will be things like compliance that naturally slow things down. Still, as InfoSec professionals, the best thing you can do in this scenario is to help them understand why you're asking them to do something, not show them how. If you look at the layers of security from networking to devices and products to the data itself, and add in the complexity of moving things in and out of cloud services, there's a lot for InfoSec to track. The best thing to say is, "Let's move fast together and not slow each other down"... Then watch the real magic happen.
While there are times when InfoSec should step aside a bit more, everyone agreed that InfoSec shouldn't be relegated to the role of cheerleader when there's a strong product security engineering function. InfoSec has a lot of ground to cover. If another group is doing a good security job, take advantage of that and move on to higher-priority, riskier areas of your enterprise.
About Ed Adams, CEO
Ed Adams is a software quality and security expert with over 20 years of experience in the field. He served as a member of the Security Innovation Board of Directors since 2002 and as CEO since 2003. Ed has held senior management positions at Rational Software, Lionbridge, Ipswitch, and MathSoft. He was also an engineer for the US Army and Foster-Miller earlier in his career.
Ed is a Ponemon Institute Research Fellow, a Privacy by Design Ambassador appointed by the Information & Privacy Commissioner of Canada, a Forbes Technology Council Member, and a recipient of multiple SC Magazine Reboot Leadership Awards. He sits on the board of Cyversity, a non-profit committed to advancing minorities in the field of cyber security, and is a BoSTEM Advisory Committee member.