Product security: Navigating regulations and customer expectations

As manufacturers across industries such as automotive, industrial equipment, consumer devices, software, and others innovate new products and services, cybersecurity has become a critical component of a product’s life cycle, from ideation to decommissioning.

Beyond enterprise and application security, developing a holistic approach to product security is no longer a barrier to business, but a necessity—and it offers a competitive advantage to those that get it right.

Product cybersecurity covers all activities focusing on securing a product from external threats (see sidebar, “Twelve levers to drive product security excellence”). That protection includes secure coding practices, vulnerability scanning, penetration testing, product incident response, attestation and certifications of production processes, and much more. Product security “includes” application security, which focuses on coding techniques used to ensure an application or system is secure from external threats. Finally, product security should include sales and aftersales, such as customer-service-related activities, responding to customer queries about security, training, and software updates.

Product security partially overlaps with enterprise security, which focuses on protection of the organization itself, rather than the products it produces, sells, and ships to its clients.

Growing relevance—and challenges—of product security across industries

Companies face a range of challenges when introducing new products and services, driven by regulatory requirements, consumer expectations, and changing buying habits. In addition, companies are challenged by increasing costs of failed product security, reputational issues if a product ends up compromised, and increased risks from cyberattackers.

The following are three key factors driving manufacturers of products to ensure cybersecurity is a part of their product security plan:

• Upcoming regulatory scrutiny. Upcoming regulations, such as the European Union’s Cyber Resilience Act (CRA) and Delegated Act of the Radio Equipment Directive (RED), and upcoming regulatory specifications of the United States’ National Cybersecurity Strategy, will include the manufacturers of digital products (software, hardware, and other connected devices) in the regulated realm and place significant requirements on them, including secure development, vulnerability scans, penetration testing, and certification of products. Fines under the CRA can be as high as €15 million or 2.5 percent of annual sales. Depending on how the certification framework will be regulated, the impact of the CRA alone can be millions for a large industrial client. Some industries, such as automotive, are already navigating industry-specific cybersecurity regulations such as UN Regulation 155.
• Changing buying factors. Corporate buyers of software and hardware products, particularly in critical-infrastructure industries, increasingly value certified and secure products, which shows that cybersecurity has become a unique selling position in the industrial context. Product manufacturers often undergo significant certification efforts to comply with industry standards (for example, ISO 27001, IEC 62443, SOC 2) to signal to their customers how much effort and investment they conducted to ensure a cybersecure product.
• Risks of failed product security. Recalls show legal liability, costs, and reputational risks involved in fixing issues postsale can be significant. It can be costly when issues are discovered late in the development life cycle or when a product has already been sold or available on the market. With a strong product security organization, certifications can be a key factor in building business reputation and improving operational efficiency and resilience.

Five key success factors leading security adopters follow

Adding to those challenges, in a business climate where everyone needs to stand out and differentiate, creating and continuing to ensure support for a cybersecure product can help a company build a reputation of being a high-level security and privacy leader.

In an effort to create a positive product environment, from ideation through sales, the following are five key success factors successful security adopters follow for a winning strategy:

1. Establish a value case for product security. Formulate a clear vision, together with product management, sales, and security teams, of why product security matters to the organization. This vision should focus on reducing risks (defensive) as well as gaining a competitive advantage (offensive) through product security. Teams should be aware that poor product security can lead to product recalls or the inability to sell products due to regulatory noncompliance, which, besides having a large negative financial impact, can lead to customer churn and reduced innovation. On the other hand, a good product security program—one that includes employees from different departments, allowing for different perspectives—can create a competitive edge by enabling the company to showcase security features that matter to customers and respond to customer questions and concerns during sales and aftersales customer care.
2. Define, build, and scale product security capabilities. Develop a clear model to outline all capabilities needed to reach the product security target for product families and to clarify budgetary lines between enterprise security and application security. The model should specify security objectives for each step of the product life cycle and link them to a list of specific capabilities that need to be implemented to achieve the objective. The role of different departments in implementing each capability should then be clearly defined to ensure all relevant parties are involved in the implementation of each capability. The application of capabilities to products must follow a risk-based prioritization, based on which products would benefit most from certain product security measures and customer expectations. Quite a few organizations already do this for a part of their products in the form of application security; however, good product security looks beyond applications and more holistically at security. In order to ensure—and reassure—product capabilities, some organizations set up a “product security incident response team,” which acts as an incident response function for connected products used at the client site. Others designate stand-alone “security operations centers” for product security.
3. Align operating model with product teams. Product teams should have access to all necessary security capabilities, tools, and processes. In a modern organization, there are autonomous product teams that often work in silos; thus, security needs to be brought in when products are in development. Due to cybersecurity resource and talent constraints, it may be best to use a center of excellence (COE) approach, which should be tailored to organizational needs. A COE—a central group of experts who define guidelines and standards and provide tooling, implementation, and incident resolution support—is mostly used for aligning operating models with product teams. In this model, it is beneficial to keep product security experts already embedded in teams in their current roles and strengthen reporting lines to the COE. In cases where new certification requirements arise, the security team will have to find new ways to address the requirements without hindering the innovation and deployment speed of product teams.
4. Build talent and capabilities. Organizations should have a dual strategy of embedding security champions in product teams and upskilling these teams on security. Security champions can role model security practices in the product team to ensure the team’s adherence to security policies, standards, and guidelines while promoting a culture of security consciousness and continuous learning. Upskilling programs ensure each employee in the product security team has the knowledge needed and should be tailored to employee roles and existing knowledge. Currently, it is difficult for organizations to fill product security roles, leading to outsourcing, which makes it difficult to build internal capabilities.
5. Enforce governance over product security. Product security standards can be split into three levels: regulatory requirements (to sell the product), enterprise standards (nonnegotiable security standards set by the organization), and best practices (optional security measures to align with industry leaders). For each standard, key performance indicators (KPIs) and key risk indicators (KRIs), across the operational and management functions, are defined and used to measure the realization of those standards. These KPIs/KRIs can help develop a product security scorecard that can be used for transparency and to track the development over time.

Product security is not a “make sure the product gets a security certification and let’s get it out the door” proposition. It is much more. Security is much like manufacturing in that everyone has to think, “safety first.” Security is not an add-on. It has to be a part of the discussion when a product is in the creation stage, all the way to when it is in working mode. Everyone on the development team should think about making sure the product is secure—and know it will be ready to help the customer, whether banking, manufacturing industrial, or medical, ward off an attack.