Question: What does a chief product security officer (CPSO) do? Why should I have one?
Sean Nikkel, senior cyber threat intel analyst at Digital Shadows: On the heels of recent executive orders and White House policy changes demanding more cooperation between government and industry, more people will need to break out of their traditional silos. Having a chief product security officer means having someone who can reach across the aisle between developers and security and hopefully guide some fundamental changes in a company's security philosophy.
Not every developer is security-minded, and not every security person is a coder. Finding the right person to bridge that gap while also thinking strategically is crucial for vendors that provide applications and services. It's a significant step in making security better for everyone and, hopefully, tackling many of the fundamental problems from insecure products that have plagued the tech industry for decades.
What can differentiate a CPSO from a CISO or CSO, for example, is the expertise in software development and design, while bringing more of a security focus to the table. This ensures that teams responsible for developing new software have someone at the head of the table who not only knows that side of the business and can speak to the myriad challenges that come up during the development life cycle, but can also ensure that best practices and the right teams to help with secure coding principles are in play.
There is no uniform hierarchy among organizations, as it is a fairly new role. An organization should determine how a CPSO’s responsibilities fit within the business and make a decision that streamlines rather than hinders operations.