Who Needs a Chief Product Security Officer?September 27, 2022 Tweet
Vince Arneja, GrammaTech CPO, talks about the evolving role and emerging need for a CPSO.
For decades, commercial software vendors could ignore product security with relative impunity. But that changed after the 2020 SolarWinds breach, which bared the soft underbelly of the software supply chain. Since then, the White House has issued several orders for protecting critical infrastructure and, in particular, the software supply chain.
With new scrutiny and demand for visibility into their software, some vendors of commercial products realize they need security champions, and some at the C-level, especially for software embedded into critical systems, such ICS, automotive programs, or healthcare devices, says Vince Arneja, Chief Product Officer (CPO) of GrammaTech. But the role of chief product security officer is new, nebulous, and needs more awareness and recognition.
Vince has a deep background in software product leadership, managing early e-business solutions in the 1990’s, then managing wireless, mobile, and security software. In his roles, he’s managed product strategy and development, planning, design, and execution, as well as pricing, user experience and, of course, security.
In this interview, he shares his thoughts on the evolution of the CPO and CPSO roles and responsibilities, and how either role can be a driver to shift left for product security.
Q: Can you tell us how the role of Chief Product Officer (CPO) evolved?
A: The CPO role has evolved from VP of product management to chief product officer so that the product group can have an independent seat at the table given the criticality of the software product for each company. A CPO is focused on interacting with all the stakeholders while seeking external feedback from all directions. The goal of the CPO is to position their product to be ahead of the macro-level trends while guiding the various teams. Historically this has been accomplished to some degree by the CTO, but that role is too inwardly focused, and focused on the technology itself. In my case here at GrammaTech, engineering is under my umbrella since it leads to significantly better business outcomes.
Maybe 15 years ago, the VP of product management reported to marketing or engineering. To see that trend turn completely around—to where you have engineering reporting to the head of product—shows the value of end-to-end product strategy and management. More recruiters are making requests for CPOs because they want the CPO to have an internal lens for engineering and product strategy, management, and execution, and to also have an external lens for product evangelism and customer support.
Q: Should CPO’s have oversight for software product security? In your experience, do they?
A: For companies that are building software-only products, as in our case, absolutely you need to have security under the CPO umbrella. For product companies, it’s imperative to champion secure software in the design phase and integrate it into the workflow with embedded static analysis, binary analysis and penetration testing, as well as SBOM administration and secure release, all built-into the development workflow.
Q: But a CPO is not the same as a CPSO—A Chief Product Security Officer. What’s the difference? And what type of product companies require a CPSO?
A: The main difference is that a CPSO is not responsible for building products but is only responsible for securing products.
Most software-only companies do not need a CPSO but might have someone to lead up product security. Hardware companies with software components are hiring CPSOs because of the criticality of their products—for example, a pacemaker or other medical device that needs to be certified and go through FDA approvals. Another example would be electric car makers, who need a CPSO to secure the software that goes in these software-driven vehicles. In both cases, the CPSO is not responsible for the overall product development.
The CPSO, then, is responsible for hardware and software security, and would report either to a CPO if there is one, or the CTO, which is the most common case on the hardware side.
Q: Does every product company with a software component require a CPO or CPSO?
Not always. In many cases, such as with services companies like banks and other financial products that are customer-facing, a CISO is usually responsible for all forms of information security, from web apps at the customer layer all the way back to the infrastructure layer.
Q: How do CPO’s and CPSO’s successfully champion product security?
A: Don’t negatively impact the existing workflow. Do detect code weaknesses and get security more accepted in the landscape. That requires integrations with all the different IDEs, build tools, and CI/CD tools. Make security seamless so it’s viewed as an enabler.
Want to know more? Read Vincent’s article in Forbes: Why Product Security Needs a C-Suite Champion
Have a product security champion? Nominate them for the Product Security Executive of the Year Award here.