CISA Adviser Recommends Appointment of Chief Product Security Officer
An official at the Cybersecurity and Infrastructure Security Agency is advocating the appointment of a chief product security officer.
Senior CISA adviser Josh Corman said the role would address the software failures that, in his view, enabled recent disruptions of critical services, including the Colonial Pipeline and SolarWinds Orion cyberattacks.
He said the CPSO would be equal or superior to the chief information security officer, whose role is focused on enterprise security and operational risk management, Nextgov reported.
Chris Wysopal, founder of application security company Veracode, added that the CPSO’s responsibility would cover many departments, including engineering, compliance and supply management.
“It certainly spans information risk, but it’s changing, and we’re not sure that the CISO model really fits for what’s needed for the future, so that’s why we’re really calling for a CPSO now,” Wysopal said at the RSA Conference.
Corman said the scale of the SolarWinds attack courted the attention of many government stakeholders and roused political will for heightened federal cybersecurity.
The Russia-linked hack reportedly compromised the networks of at least nine federal government agencies and about a hundred American companies.
NIST said the guidance effort supports President Joe Biden’s May 12, 2021 executive order on improving the federal government’s cybersecurity.
The executive order directs the secretary of commerce to consult with federal agencies, academia, the private sector and other stakeholders on the security of the software supply chain.
Once completed, the guidance will be used to inform how federal agencies make procurement decisions on software products and services.