Before I joined Forrester, my colleagues Jeff Pollard and Amy DeMartine initiated our product security research, leading to our first report on the topic, Secure What You Sell: CISOs Must Tackle Product Security To Protect Customers. In those bygone days of 2018 and 2019, we identified that:

  • Forrester was the first to market with this content from a security and risk perspective — something our clients have echoed in the years since.
  • Traditional security teams, practitioners, and organizational structures were not ready.
  • We were early, but this would become a major focus area for CISOs in record time.

Product Security Research: From Report And Keynote To Priority And Track

Forrester’s Security & Risk 2021 event prominently features product security as part of the Products And Applications Security track. The track leads off with my session, Secure What You Sell: Becoming A Top-Line CISO. Merritt Maxim and Lisa Singer follow up with some real-world examples in Designing Products With Security In Mind. Andras Cser discusses the role of CIAM in ensuring a secure and enjoyable customer journey, Michele Pelino and Merritt Maxim will discuss the challenges of securing a smart enterprise, and David Mooter will explain the dynamics of API management and service mesh (keep an eye out for a Star Trek reference!). In addition, I will be joined by my colleagues Alla Valente and Chris Condo for a discussion on securing the software supply chain.

When Forrester Decisions launched, product security became a foundational element of our research focus for CISOs and their teams as one of the seven priorities in the S&R service: Secure Products Through Their Lifecycle. At our 2019 event, Amy DeMartine led a keynote presentation on this topic, and things took off from there and haven’t really let up since.

So how does one report go from a 30-minute keynote to one of seven research priorities in the launch of Forrester Decisions and get a dedicated track at our flagship event? The answer is our clients. And for our clients, product security questions fall into two categories: concerns and opportunities.

Concerns: Traditionally, most CISOs spend their time securing stuff the company bought, not what it sells (hence our report and session title), but software supply chain attacks, the convergence of hardware and software, digital transformation, and Industry 4.0 create issues where poor product security practices can slow deals down via more rigorous third-party risk screening and procurement practices or — worse yet — cost your firm business.

Opportunities: Put simply, product security is the easiest way for a CISO to contribute meaningfully to the revenue-generating activities of their company. For CISOs who feel disconnected from the broader business objectives of their firm, turning to product security makes them a contributor to growth and revenue. The CISO can become a customer-facing evangelist for their organization’s security efforts; they can assist pursuit teams by helping win deals and accelerate the procurement and deployment process with mature product security practices.

To help CISOs fully embrace product security, we’ve built a body of research that aligns with the Product Marketing And Management Model available via Forrester Decisions.

Security leaders don’t need to rely on obstruction, process gates, and approval cycles to bolt on security. Using what we’ve created will help security programs plug right into how product teams work today.

We know security matters now, and our keynotes will cover how trust will move markets, how the future of the SOC and privacy will change, how Zoom recovered from its own product security flaws, lessons learned by SolarWinds post-breach, and how black swan events aren’t so rare after all.

To understand more about how these work together, please join my session, Secure What You Sell: Becoming A Top-Line CISO, at 1:35 p.m. EST on Tuesday, November 9, then check out the other sessions in this track.