Product Security Risk Framework 

A Beginner's Guide to Managing Risk in your Organization

Article

Read time: 5 min
Executive Summary
Product security risk management often fails in the gap between strategy and execution. While organizations know what good security looks like, they lack a clear way to turn intent into action.

This article introduces PSCG's Product Security Risk Management Framework to help leaders define risk, align to business objectives, establish accountability, and ensure findings lead to decisions. By treating product security risk as operational risk, the framework enables teams to make informed tradeoffs, reduce friction with engineering, and focus on managing risk rather than chasing tickets. 
Product security is operational risk. It can't be eliminated, only actively managed.

There isn’t a right or wrong way to manage risk, but there sure is a good way. 


The biggest gap we see in the product security industry is what sits between strategy and execution. There are a lot of great and grand ideas of what good looks like, but how you get there is the real question. The “how” is missing because product security is such a big and hairy domain. 

[Figure: PolarStar Strategy Value Chain]

This is why frameworks serve as a critical and valuable tool for security leaders.


Below, we outline the Product Security Risk Management Framework to assist you in managing the security risk in your organization's product domain. Note: we borrow risk management concepts from the financial sector, as they inform a more rigorous approach to understanding and framing product security risk.


Given this is a management framework, it’s important to call out that this only works if it leads to management action. 


As security leaders, it is our responsibility to ensure we are managing against the wider organization’s business objectives and to understand how and where security sits in the context of that. This is the first step to specifying the business’ risk appetite that you, as a leader, will manage against. 

[Figure: PSCG Product Security Risk Management Framework]

Before all else, good governance is required. Ideally, this governance comes through a board-approved operational risk policy; in practice, we recognize that this is the ideal rather than the reality.


Leading a strong security culture requires setting the standard, holding others accountable, and continuously adapting to the organization’s evolving risk appetite. This is why having structure - a framework - is so valuable.


This management framework clearly communicates the following:


  • What your security organization is tracking and monitoring,

  • How security risk and findings are defined,

  • Which security findings constitute action,

  • Why actions must be taken, and

  • Who is accountable for deciding which actions are taken


Every decision in business involves tradeoffs, especially in product development. The security organization is responsible for managing and communicating product security risks, but it is the engineering organization that takes action to address them. Think of it like noticing a door without a lock: security identifies the risk, proposes solutions, and makes a strong recommendation. Ultimately, engineering decides on and implements the fix based on the information provided and the context and priorities they are working within.


This framework makes it possible for the product security organization to do what it does best: actively manage risk. It removes the time spent chasing follow-ups and the dwell time between a ticket being filed and its remediation. Instead, time is freed for value-add activities that proactively safeguard business continuity:


  • Identifying, assessing, and prioritizing risk,

  • Recalibrating automations to better reflect the organization’s risk appetite, and

  • Developing novel ways to scale security controls and monitors


At the end of the day, this is what needs to be recognized:


Product security risk is operational risk. 


Operational risk can never be fully eliminated, as it is the risk inherent in running a business. Similarly, product security risk can never be fully eliminated; it is the risk inherent in developing a product.


To address this reality, we actively manage it. We do so with a framework that clearly communicates priorities and clarifies execution expectations.