As product manufacturers are required to secure their devices, a new, specialized, role is emerging: Chief Product Security Officer (CPSO)
In most countries' legal systems, any licensed physician may legally perform any type of surgery. Yet would you trust an oncologist to perform gum surgery?
Similarly, as product manufacturers are required to secure their devices, a new, specialized role is emerging: the Chief Product Security Officer (CPSO).
Manufacturers’ motivation to secure their devices
Customers are becoming aware that third-party connected products on their networks may be compromised and used as a foothold for attackers to infiltrate the enterprise.
Compromised mission-critical devices can halt operations and inflict a significant financial burden. Moreover, hacked safety-related devices, such as vehicle ECUs or medical devices, may put lives at risk. For example, the vulnerabilities disclosed in Abbott's (formerly St. Jude Medical's) pacemakers allowed an unauthorized party within radio range to issue commands that could rapidly deplete the battery or administer inappropriate pacing.
Customers and regulators have started to demand that manufacturers protect their devices: establish secure development processes, implement security measures and operate incident-response mechanisms. Enterprises have started to put product-specific liability clauses in contractual agreements with manufacturers, and regulations and guidance such as NISTIR 8259, the UNECE WP.29 vehicle cybersecurity regulation (ECE/TRANS/WP.29/GRVA/2020/2), ENISA guidelines, ISO/SAE 21434 and the FDA's draft guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" put cybersecurity responsibility on manufacturers' shoulders.
CPSO vs. CISO
Both the CPSO and the CISO are crucial to the organization's business. The CISO is responsible for the security of IT, a supporting function, and its associated data. The CPSO oversees the security posture of the organization's products, which directly affects revenues and costs.
The CPSO's responsibilities span the whole product development lifecycle:
- Secure design
- Secure coding
- Standard compliance
- Vulnerability management (pre and post-production)
- Policies and procedures
- Incident response
The CISO's responsibilities, on the other hand, are operational: maintaining the security of the organization's networks, systems and data.
The term "incident response", for example, means different things in the CISO's role and in the CPSO's role.
When an attack on a device is reported, the CPSO must:
- Reproduce the attack on the reported device
- Assess the business impact on the affected devices, or family of devices
- Patch the device within the SLAs promised to customers and regulators
The CPSO must ensure that the company's products comply with the relevant regulations and standards. As shown by recent regulations and guidance from NIST, ISO, ENISA, the FDA, and even the United Nations (with the automotive UNECE regulation), manufacturers must ensure that their products are secured. Each of these carries specific measures the company must comply with when delivering a new connected device, whether a smart-home IoT product, an enterprise edge device, an industrial controller or an automotive ECU. Failing to meet the standard can cause significant delays in time to market and severe revenue impact. CISOs, by contrast, are not typically responsible for product standards compliance.
Unlike the CISO, who does not need one, the CPSO should have a strong engineering background in order to deeply understand the product lifecycle, develop and influence product requirements, and oversee product recalls and security patches. At the same time, and like CISOs, CPSOs must be security savvy. They need in-depth knowledge of the threat landscape and of state-of-the-art security measures to ensure that their products are well secured, and to reduce the likelihood that attackers exploit vulnerabilities in devices already in the field.
Good CISOs are their companies’ IT security commanders in chief. They have direct supervision on their teams and lead by experience and authority.
CPSOs are in an advisory role. They rely heavily on R&D cooperation, partnership with legal teams, and management support. They must have strong soft skills in order to convince R&D and product teams to adhere to their guidelines. However, the responsibility they hold in representing customer security requirements, adherence to standards and regulations, and the operational impact of a breach is critical to the organization's commercial success.
Product security officers are a new breed in many manufacturing organizations. They combine strong technical skills, deep security understanding, and the ability to drive teams across the organization that do not report directly to them. The weight of their responsibility for their companies' commercial success requires them to stay up to date on new developments in cyber technologies, standards, and competitive offerings. Overall, the CPSO is becoming a critical factor in manufacturing companies' commercial success as they design, develop, and sell new connected products.
Update: Following the rise in supply-chain attacks, Karamba has recently started to provide free analysis of software binaries that lists the open-source libraries in use, and also offers free CVE monitoring.