How to Build a Product Security Roadmap
Summary
TL;DR: In this episode of Nucleus Shortcuts, host Adam Dudley discusses the concept of product security with Anshuman, a seasoned information security professional. Anshuman, currently a principal security engineer at 30 Madison, shares insights on building a product security roadmap, emphasizing the importance of prioritization and collaboration with stakeholders. He outlines key areas such as vulnerability management, security partnerships, and tooling and operations, advocating for a multi-year strategic plan. Anshuman's advice on ruthless prioritization and leveraging small wins to enhance security culture is highlighted as crucial for a successful product security program.
Takeaways
- 😀 Adam Dudley hosts the 'Nucleus Shortcuts' show, discussing product security and roadmaps for success with expert Anshuman.
- 🔒 Anshuman has over a decade of experience in information security, working at companies like Atlassian, Intuit, and Dell, and is currently a principal security engineer at 30 Madison.
- 🛡️ Product security is defined as a set of functions within an organization that ensures the protection of customer data and information against unauthorized access.
- 📈 Anshuman emphasizes the importance of establishing a shared understanding of risks among stakeholders and the role of a product security engineer in addressing these risks.
- 🚀 A product security roadmap is crucial for a successful product security program, helping to align stakeholders and prioritize security initiatives.
- 🔑 The product security function is divided into three major categories: vulnerability management, security partnerships, and security tooling and operations.
- 🔍 Vulnerability management focuses on dealing with discovered vulnerabilities, while security partnerships involve working closely with engineering teams to integrate security into the development lifecycle.
- 🛠️ Security tooling and operations involve deploying security scanners and ensuring the collection of valuable data to drive continuous improvement in security measures.
- 📝 A roadmap should be a multi-year plan, prioritizing smaller tactical projects that contribute to the overall strategic goals of improving the organization's security posture.
- 🤝 Anshuman suggests the term 'work streams' to describe the collaborative efforts of individuals representing various functions within an organization working towards a common project.
- 🌟 The key takeaway from the conversation is the importance of ruthless prioritization, thoughtful planning, and leveraging small wins to improve security strategy and culture.
Q & A
What is the main topic of the 'Nucleus Shortcuts' episode featuring Anshuman?
-The main topic of the episode is product security and how to build a roadmap for success in this domain.
What is Anshuman's professional background according to the transcript?
-Anshuman is an information security professional with over a decade of experience. He is currently a principal security engineer at 30 Madison, a healthcare company, and has previously worked for major companies like Atlassian, Intuit, and Dell.
What does Anshuman believe in with respect to the security community?
-Anshuman believes in giving back to the security community. He has open-sourced several security tools and is a strong advocate for innovation and solving challenging security problems using new technologies and automation.
How does Anshuman define product security in today's modern enterprise?
-Anshuman defines product security as a function within an organization that establishes processes and activities to set up tooling and security scanners to ensure that customer data or information handled by the company's products is protected against unauthorized access by malicious actors.
What are the three major categories that Anshuman suggests dividing the overall product security function into?
-The three major categories are vulnerability management, security partnerships, and security tooling and operations.
What is the significance of having a shared understanding of risks among stakeholders in a product security program?
-A shared understanding of risks is crucial for a founding product security engineer to align different stakeholders on what the organization faces and how the product security engineer plans to address these risks in a prioritized order.
What does Anshuman mean by 'work streams' in the context of product security?
-Work streams, as described by Anshuman, refer to teams of individuals representing different functions within an organization working towards a common project or goal, which in this case is improving product security.
What advice does Anshuman give for successfully building a product security program?
-Anshuman advises not to get overwhelmed, to practice ruthless prioritization, and to bring all stakeholders along on the journey for a successful product security program.
How does Anshuman suggest leveraging smaller wins to improve overall security strategy and culture?
-Anshuman suggests being thoughtful about what to do and when, using smaller wins to progressively enhance the security posture of the organization and its culture.
Where can interested individuals find more information about Anshuman's work and thoughts on product security?
-People can visit Anshuman's blog at anshumanbartia.com, follow him on Twitter at @anshuman_bh, or email him for collaboration and sharing ideas.
What is the key takeaway Anshuman wants people to have from the conversation about product security?
-The key takeaway is the importance of ruthless prioritization and including all stakeholders in the journey to build a successful product security program.
Outlines
🛡️ Introduction to Product Security
In the first paragraph, the host Adam Dudley introduces the topic of product security and welcomes Anshuman, an experienced information security professional, to the show. Anshuman discusses his extensive background in the field, having worked for major companies like Atlassian, Intuit, and Dell, and his commitment to innovation and open-source contributions. He provides a high-level definition of product security, emphasizing its role in protecting customer data and information from unauthorized access. The paragraph also touches on the broader scope of product security, which includes application security and cloud infrastructure security, and the importance of establishing a comprehensive security program.
📈 Building a Product Security Roadmap
The second paragraph delves into the importance of having a product security roadmap and the challenges faced by a founding product security engineer in a new organization. It highlights the need for stakeholders to have a shared understanding of risks and the steps to address them. The paragraph outlines three major categories for building a product security function: vulnerability management, security partnerships, and security tooling and operations. It also suggests dividing the roadmap into a multi-year plan, focusing on tactical projects that contribute to the strategic security posture improvement. Anshuman emphasizes the significance of ruthless prioritization and collaboration with stakeholders to ensure the success of the product security program. The paragraph concludes with a call to action for listeners to visit Anshuman's blog and social media for more insights and a final piece of advice on the importance of prioritization and leveraging small wins for overall security strategy enhancement.
Keywords
💡Product Security
💡Information Security Professional
💡Principal Security Engineer
💡Application Security
💡Cloud Infrastructure
💡Vulnerability Management
💡Security Partnerships
💡Security Tooling and Operations
💡Roadmap
💡Ruthless Prioritization
💡Stakeholders
Highlights
Adam Dudley introduces the topic of product security and its importance in modern enterprises.
Anshuman, an information security professional with over a decade of experience, shares his expertise on product security.
Anshuman's background includes working with major companies like Atlassian, Intuit, and Dell, and his focus on application and product security.
The definition of product security is discussed, emphasizing the protection of customer data against unauthorized access.
Product security is distinguished from application security, highlighting the broader scope of securing applications and cloud infrastructure.
Anshuman emphasizes the importance of establishing a shared understanding of risks among stakeholders in a product security program.
The concept of a product security roadmap is introduced as a strategic approach to building a successful security program.
Three major categories of the product security function are identified: vulnerability management, security partnerships, and security tooling and operations.
The necessity of prioritizing and executing tactical projects within the overall strategic roadmap is discussed.
Anshuman suggests dividing the roadmap into a multi-year plan based on resources and priorities.
The idea of 'work streams' is introduced to represent cross-functional teams working on specific projects within the organization.
The importance of ruthless prioritization in managing the demands of doing more with less is highlighted.
Anshuman's blog and Twitter handle are shared for further insights and collaboration.
The final recommendation emphasizes thoughtfulness in security strategy, leveraging small wins for overall improvement.
The phrase 'ruthless prioritization' is coined as the key takeaway for effectively managing a product security program.
The episode concludes with thanks to Anshuman for his valuable insights on building a product security roadmap.
Transcripts
[Music]

Hello and welcome back to Nucleus Shortcuts. I'm your host Adam Dudley, and our topic today is "What is product security and how to build a roadmap for success." Today's expert on the topic is Anshuman. He is an information security professional of over a decade. He's currently a principal security engineer at 30 Madison, which is a healthcare company, and he's worked for some pretty big names, Atlassian, Intuit and Dell as well, and this is his first time on the show.

I've been in this industry for about 13, 14 years now, and I've worked in both big enterprises and smaller companies as well. Application and product security is something that I've been doing pretty much all my career, and over the years I've also had the opportunity to look into other domains like infrastructure security, automation, incident response. So I feel very fortunate to have had those opportunities during my career. And, you know, I believe in giving back to the community. I have open-sourced a few tools, security tools, and I really believe in innovation and solving some challenging security problems using some of the new technologies and automation.

Could you give us just a very brief definition? You know, how do you define product security? What does that look like in today's modern enterprise?

Product security, you can think of it as a set of functions within an organization that allows you to, you know, establish processes and activities, like setting up tooling, security scanners, what not, to ensure that the customer data or information that the company's products either store, process or transfer is protected against unauthorized access by malicious actors. That's a very high-level overview of how we can think about it. Product security can, you know, contain things like application security, which is more focused on just applications, but I know folks use both terms interchangeably. Securing applications is one thing, but then how do you deploy those applications on the cloud infrastructure? Like, these days it's all about cloud, right?

Right, right. AWS, Google Cloud, Azure, right.

So apart from securing the application, you know, the deployment piece also, I believe, falls under product security.

Okay.

You want to make sure the product is secure from the point where the code gets committed to the point where it's actually deployed, so the entire life cycle.

So getting into the meat of our topic: the article I read on your blog that inspired me to invite you here to Shortcuts is, you wrote an article about a product security roadmap, and I learned a lot in that article. And so, you know, first of all, why does this matter, you know, in the context of having a successful product security program?

So, you know, you join, like, as the first product security engineer. You are onboarded onto an organization. You have different stakeholders that you're supposed to work with, right? These might be your VPs of different engineering organizations, these might be your EMs, right, supporting different smaller engineering teams. So it's really important as a founding product security engineer to have your stakeholders come to a shared understanding of what the risks are that your organization faces, and what you, as the product security engineer, are planning to do to address them, and in what order, right? So, (a) making sure everybody is speaking the same language when it comes to the risk, and then (b) making sure there's, like, a good understanding of how to address it and how to prioritize what.

So now, in broad strokes, how does one go about building a product security roadmap?

I think of the overall product security function being broadly divided into three major categories. The first one is vulnerability management, or how do you deal with vulnerabilities that you discover, right? Second is security partnerships, or in other words, you know, how do you make sure you are working with your engineering counterparts and integrating security in the SDLC? So those kinds of relationships, partnerships; there are different activities, projects you can do underneath that, so that all falls under this. The third is security tooling and operations. This basically contains, you know, deploying your scanners, making sure, you know, any programs that you run, you are collecting valuable data from them to make sure that you make continuous progress, things of that nature.

And so, like I said, each of these categories will have a bunch of activities, projects that you could be doing underneath them. It's really important to highlight that you can't be doing everything together at once, you know, so you should really be thinking about splitting the overall roadmap into a multi-year plan. It can be a three-year plan, it can be a five-year plan; it really depends on the resources and the priorities. And this roadmap, the way you divide it, it's really about working on smaller tactical projects in a prioritized order, which eventually contributes towards the overall strategic roadmap of how you go about improving the security posture of the organization.

Got it, got it. So you mentioned three buckets there: you have your VM, security partnerships, and security tooling. And for me, what came up also is, you know, I think contained in all those buckets is the classic people, process and technology, right?

Okay.

Areas of concern. And then once you have that roadmap, then you're building out those tactical projects and prioritizing them to make sure you're making progress on the longer-term roadmap, right?

Right, yes, exactly.

Now in your article you called these "work streams," I think, which, yeah, I kind of like that word. You know, you hear "workflows" a lot; "work streams" I like, and that's an interesting way to break out, I guess, categories of work.

Yeah, like, if you think about it, in other words, right, like again, based on my experience, the places where I've heard "work stream" being used: so let's say there's a big project, right, that your company is undertaking, and it impacts pretty much all the organizations within that, right? So it can be HR, can be legal, it can be engineering, can be advertising, sales, marketing, whatever, right? So really what you need is a team of individuals that represent each one of these functions, right, and they're working towards this project. So you can think of it like a work stream, where you don't necessarily have the entire teams working with you, but individuals representing those teams. So I think, yeah, work stream is a good way to sort of make that make sense.

Before we wrap up, Anshuman, would you please tell people where they can go to check out your blog and learn more about the stuff you're writing about?

Yeah, sure thing. You can check out my blog at anshumanbartia.com, that's just my first name, last name, dot com. You can also follow me on Twitter; I'm available at @anshuman_bh. Yeah, and, you know, you can feel free to email me. I'm more than happy to collaborate, share ideas.

That's great. Well, we'll link to the article that inspired this episode so people can take a look at that, and I just want to thank you for coming on today. I know you're a very busy guy in the security world. This is excellent, and, you know, the last thing I want to ask, like, in your view, is there one most important thing you'd like folks to walk away with from this conversation?

Yeah, sure thing. So I think, you know, since we are talking about, like, product security and how to get started and how to build a program, I think not getting overwhelmed and being able to ruthlessly prioritize (I like that word, ruthless prioritization) and then bringing along everybody else with you on the journey, like all your stakeholders, is probably the most important thing you can be doing in order to be successful at it, right? And then just being very thoughtful about what to do and when, and how to leverage smaller wins in improving the overall security strategy and the culture, that goes a long way. So that would be my recommendation.

Yeah, thank you, and I love that phrase, ruthless prioritization. I'm going to call that the phrase of the episode here. You have to do it, right, because there's always the demand to do more with less, and we need to make real progress. See you again soon on the next Nucleus Shortcuts. Thanks, Anshuman.

Sounds good. Thank you so much for having me.

[Music]