What Risk Means in Product Security

Why risk is the only way to communicate and measure product security effectiveness

Executive Summary

Risk is the only meaningful way to communicate and measure product security effectiveness because it directly ties security outcomes to business outcomes.

Grounded in ISO risk management standards, this article reframes product security as a form of operational risk focused on people, processes and systems across the software development lifecycle. It explains why product security is best understood as product risk management and why ownership sits with the CISO as part of R&D operational risk. By aligning product security practices with the organization's risk appetite, leaders can and will make clearer decisions, improve impact measurements, and more effectively protect long-term business outcomes. 
If security can't be expressed as risk, it can't be managed.

Risk is defined as the “effect of uncertainty on objectives” by the international risk management standards ISO 31000 and ISO 31073 [1].

Only 28% of CISO leaders fall under the Strategic segment. These leaders either report directly to the CEO or occupy a high-ranking position in the hierarchy, while maintaining regular engagement with the board, meeting at least quarterly.

International Organization for Standardization (ISO) is an independent international body that develops and publishes standards to ensure quality, safety, efficiency, and interoperability. 

When it comes to risk, everything is put into the context of the business. After all, risk management exists solely to ensure the business achieves its objectives (money). 

The Risk Basics

Business operations are built on 3 core components:

 

  1. People: employees, contractors, skills, culture

  2. Processes: workflows, standards, how work gets done

  3. Systems: tools, platforms, infrastructure, technology

These exist solely to achieve the organization's objectives. How these components are managed, however, is influenced by market forces and external events, which are largely outside the organization's control.

[Figure: How Risk Manifests in Business Operations]

This is where management comes in: management is responsible for deciding how these 3 core components are invested in order to influence the objectives.

In the context of risk management, risk manifests as the different ways in which the management of people, processes or systems could deviate from expectations. In other words, risk is how uncertainty can cause operational components (people, processes, systems) to underperform, fail or produce unexpected outcomes, ultimately affecting the organization’s ability to achieve its goals.

Applying the Basics to Product Security

The point of outlining the basics of business operations is to draw a clear parallel between business operations and product operations.

[Figure: What are Business Operations: SaaS OpEx]

Sources: [2] to [8]

Business Operations refers to the daily activities, systems, and processes a company uses to produce services, generate revenue, and run efficiently, transforming inputs (like labor, materials) into valuable outputs for customers. Essentially, it’s the “doing” part of the business. 

Breaking it down by OpEx category to mirror the investments visible in a company’s P&L, a huge portion of a SaaS business’ operations is attributed to the product. Where traditional operational risk management is applied to sales, success and G&A and is typically owned by the COO, the CISO should apply risk management in the same way to the R&D category of the P&L.

To reiterate: Product Security is a subcategory of Operational Risk Management.

While Operational Risk Management has traditionally focused on tangible assets and processes, shaped by the well-established practices of finance and manufacturing, the digital age calls for a split approach: one that requires deep expertise in the unique risks and complexities of software product lifecycles. 

The Practice of Product Security

The term “product security” is a misnomer.

It’s like calling operational risk management “business security”. While technically true, it’s misleading. In reality, what we call product security is really product risk management: a disciplined approach to identifying, assessing, and mitigating the risks inherent in the 3 core components of operating or creating the product: 1) people, 2) process, and 3) systems. 


Product Security (or product risk management) is then delivered through a Product Security Assurance Program, a coordinated set of initiatives, practices and controls designed to identify, assess, and mitigate risks throughout the product lifecycle. The program’s objective should be to align security practices with the organization’s risk appetite. 

Product Security and, thus, the Product Security Assurance Program are owned by the CISO office. Since Product Security Risk Exposure lives in the R&D OpEx category, it becomes critical for the CISO office to fully understand and map the Software Development Lifecycle (SDLC) operations (people, processes, systems). This exercise then provides a critical and valuable output that enables the CISO office to explicitly define the security risk appetite, which falls directly under the business’ general risk appetite.

This empowers the organization to effectively manage any risks that could derail the business from meeting its objectives, typically defined by the board as both mid- and long-term goal posts, and, in effect, to deliver on the promises of Product Security.

References

[1] International Organization for Standardization, ISO 31073:2022 — Risk management — Vocabulary, 2022.

[2] KeyBanc Capital Markets, KeyBanc Capital Markets SaaS Survey, KeyBanc Capital Markets Inc., Cleveland, OH, USA, annual editions.

[3] OpenView Venture Partners, SaaS Benchmarks and Expansion SaaS Reports, OpenView Venture Partners, Boston, MA, USA.

[4] Bessemer Venture Partners, State of the Cloud Report, Bessemer Venture Partners, San Francisco, CA, USA, annual editions.

[5] Meritech Capital Partners, SaaS and Cloud Operating Metrics Comparables, Meritech Capital Partners, Palo Alto, CA, USA.

[6] Battery Ventures, Cloud and SaaS Industry Reports, Battery Ventures, Boston, MA, USA.

[7] Public SaaS company annual reports (Forms 10-K) for Salesforce, HubSpot, Zoom, Atlassian, ServiceNow, Datadog, Snowflake, and Okta, U.S. Securities and Exchange Commission, Washington, DC, USA, recent filings.

[8] SaaStr, SaaS Metrics and Scaling Benchmarks, SaaStr Media, San Mateo, CA, USA.