IoT Product Security Program Part 1

00:00

Hi, I'm Matthew Clark, and this is less than 2.2 developing an i. O T. Product security program, Part one.

00:08

In this lesson, we will look at the goals of an I. O T. Product security program, will introduce the sip so roll and we'll discuss product security in the real world. So let's get started.

00:20

When the organization launches an effort to stand up, a product security program will be certain goals that the business will want to achieve.

00:27

First and foremost is the success of the business itself. A new organization implements a product security program because they see it as a way to achieve broader organizational goals.

00:39

Another goal is to ensure the safe operation of the I. O T device,

00:44

and another common goal might be to protect organizational, customer data and secrets.

00:49

The success of the product security program is going to be most likely based not on technology but on the ability to successfully integrate across functional areas. And for most organizations, this may be the very first time many individual departments have had toe work across political or reporting lines,

01:08

and the key to making all this happen is to have the right person leading the effort,

01:15

and many organizations need a superhero to pull this off.

01:19

If you've looked at job descriptions lately, you've probably noticed that most of them require either a unicorn or a superhero.

01:27

So I've created a superhero job description.

01:30

Let's get to know our superhero requirements.

01:34

We'll need someone with strong technical skills, engineering or new product development, someone with R and D background

01:42

both in electrical and mechanical engineering, computer engineering and software development. And depending on where the position says, maybe it doesn't have toe be extremely strong in these areas, or these might actually be the make it or break it requirements that you need, especially for smaller teams.

02:01

You also need someone with a strong analytical side.

02:05

You'll have to be able to make them take lots of information and details, boil them down to actionable decisions and then be able to make a final decision or recommendation. And many times you're making these without having all the knowledge or fax.

02:20

You'll also need someone with a strong products, hyper security knowledge.

02:24

We're going to talk more detail about the differences between enterprise, cybersecurity and product cybersecurity,

02:30

but you're gonna need someone that understands how to apply cyber to products,

02:35

for example, someone with experience in making decisions between usability and security.

02:40

Also someone with knowledge of hardware, roots of trust and over the air updates and how toe perform threat modeling for I o. T. Products.

02:50

We also need someone with software development knowledge. So when it understands secure coating and the implications of different licensing models,

02:59

someone who understands the security implications of AP eyes, for example,

03:04

we'll also need someone with risk management knowledge and experience because products are never really secure and risk can Onley become can't be completely mitigated, so you'll need someone who knows how to mitigate that risk

03:16

and manage it.

03:19

He also needs someone with strong business actor someone who's comfortable with communicating with the C suite,

03:25

which means that the role also need to be positioned correctly within the organization.

03:30

That individual need to understand marketing and sales and the voice of the customer on what the customer really wants. Eso that product features and products security or properly aligned.

03:42

You also need to have someone with the ability to affect product road maps, you know, and be able to work with individuals who drive that road map process,

03:52

which might means that this individual could be customer facing, depending on the product in the organization.

03:58

We also need somebody who can partner with legal,

04:00

you know, as an integral partner.

04:02

You know, what are the things that that makes sales and marketing? What are the things that sales marketing is gonna tell our customers right about security? What the contractual terms that we're giving to our customers

04:14

and what should they be?

04:15

Photo When it comes to vulnerability disclosures, how should we handle that process?

04:20

We also need someone to partner with the chief technical officer.

04:25

You know, engineering is really where products security happens.

04:29

We also need someone that can partner with the sea. So you know, and there's all aspects of the program are going to require you to work well with enterprise security,

04:38

and the organization will need toe need a really a transformational leader

04:42

unless this role is well established, which it's not. In most companies, this is going to require really a transformational leadership,

04:50

someone who understands the culture and can navigate the organizational structures

04:56

and as security never really comes free, and security never reduces these times, and it never really generally makes life easier for individuals.

05:05

We need someone who isn't the chief product security, no officer, right where the answer is always. No,

05:14

we'll need security is always gonna cost more money, and it's always gonna increase product development times.

05:19

And so we need someone who can work with the business to be able to communicate those trade offs.

05:26

So that means a change agent. Someone's a disrupter usually,

05:30

and someone is also a security crusader.

05:32

This role rule your cars someone to become part of the conscience of the company. Because at the end of the day, this is the person that would lead the efforts against those who would willfully or ignorantly misuse the products that are that we make

05:49

you know. That's an awful lot of characteristics toe ever expect to find in a single individual. In fact, I don't think I've ever met somebody who could check off every single one of those boxes.

06:01

And that's okay, because as a leader, it's important that you have the ability to recognize what you're good at and what you're not good at, and then surround yourself with individuals who can complement your own skills,

06:15

and that's the House Security. A Security is really a team sport on DNA that doesn't really concern itself with, you know, having just a couple of superstar players.

06:26

This is really a relatively new role. It's historically come out of R and D come out of the engineering organizations, probably has its roots most times, and an individual who like security and kind of took on that role and over time, the rule kind of kind of grown.

06:43

But it is becoming an increasing focus for the business, and the legal landscape is changing in a way in which businesses air forced to really change are recognized that they need to change. And so they're making these types of changes

07:00

from what I could tell, Uh W. Edwards Deming first said this in 1993 at a four day seminar in Phoenix, Arizona said a bad system will beat a good person every time

07:13

and dimming is suggesting that even the best person struggling to do the right thing, making the right decisions is only going to achieve so much when the system in which he is working within has a fatal flaw

07:26

and for many transformational leaders. That fatal flaw is the one thing that they really can't change themselves, and that's generally support and commitment from senior management.

07:38

This could be especially discouraging when success is based on heroic effort against all odds. Right then, more than a natural output.

07:46

In many ways, the sip so position is where the CSO position was about a decade or so ago.

07:53

You have some companies really embracing this idea and others that aren't

07:58

and historically this hasn't really been seen as a strategic role, right? It's had an operational focus is part of the maybe part of the design process, very much embedded in the weeds.

08:09

This role typically has been reactive, more than proactive

08:13

and generally speaking, there hasn't been a lot of budget that's been associated projects security. It really comes from engineering and all the security efforts air really tied to the product development cost

08:24

Compliance is starting to creep in with the passages of some of these new regulations and laws, and I think in many ways this role will take kind of a similar path. That the CSO role has taken its just behind the CSO role by a few generational steps.

08:41

So in summary, this lesson we discussed the I O T product security program,

08:46

including the goals of the program Outcomes and drivers of business may want to achieve way introduced the chief product security officer role or the sips a role.

08:56

We created a superhero job description, and we talked about our origin story

09:01

aan den. We went, you know, it came pretty much straight out of the depths of engineering.