A surge of corporate interest in cybersecurity has drawn scrutiny to a gap in many organizations: there is no centralized executive position dedicated to the security of the software products they build and ship. Many companies are now weighing the creation of a dedicated chief product security officer, or CPSO. The move follows the relatively recent creation of the CISO role, whose emphasis is on information rather than product, which many organizations introduced to show that they took online operations and data-sharing risk seriously. A string of recent hacking campaigns has made clear that software product security is a distinct and increasingly important discipline in its own right.
Industries whose products have software built into them, such as medical device manufacturers, are ahead of the game in assigning these duties to a specifically dedicated position or department. Strict regulatory standards in those sectors have produced chief product officers and product security managers. Cybersecurity is sometimes treated as a nebulous pursuit because it produces no tangible product of its own, yet it is central to operational risk management. Emphasis on software security is at an all-time high after multiple national-level incidents that appear to have stemmed from shortcomings in this area. The U.S. government has grown increasingly wary of the security standards of its contracted services, and that concern trickles down to private industry.
Chris Wysopal, Founder of application security company Veracode, said, “The idea is we need this new individual, to do something that... spans many different departments now. It spans engineering, it spans compliance, it might span your supplier management. It certainly spans information risk, but it's changing, and we're not sure that the CISO model really fits for what's needed for the future so that's why we're really calling for a CPSO now.” With projected responsibilities that cover multiple areas of information security, proponents of the new position believe the CPSO, in its ideal form, is entirely self-justifying.
Producing and maintaining software bills of materials (SBOMs) is often a staffing-heavy undertaking that demands sustained attention from organizational leadership, and the Biden administration's executive order on cybersecurity (Executive Order 14028), which requires SBOMs for software sold to the federal government, is another sign that funding a CPSO is a well-founded financial decision. Other responsibilities for a CPSO include threat modeling, security architecture, and extensive testing in support of transparent risk management. The position would serve as the starting point for safer hiring and application development practices. Rapid advances in software technology, together with heightened scrutiny of cybersecurity regulation, make the CPSO a must-have appointment in any organization.