
Business Owner: "It's My Decision!"; IT Owner: "No, It's My Decision!" -- Who has the final say over product security?
Aug 14, 2024
Product security can be defined as the protection built into a product's design, development, and maintenance. It means ensuring, and being able to show, that protective controls are present at every stage of product creation. At the design stage, for instance, it is specifying how the product responds to errors for each defined use case. At the development stage, it is following secure coding practices that prevent both internal defects (code and error-handling failures) and externally exploitable vulnerabilities (for example, cross-site scripting). From a maintenance standpoint, it is applying security patches on a regular schedule, which reduces the risk of system failure and keeps the product available. McKinsey & Company defines product security more specifically as covering "all activities focusing on securing a product from external threats". The same article proposes "12 levers to drive product security excellence", and together those levers address every facet and level of product protection.

However, the article does not discuss who owns product security decisions. Because product security has so many facets, each of them must be considered and consulted before a final decision is made. Business decisions that affect product security include budget setting (the funds set aside for infrastructure and encryption), the choice of industry standards to meet (such as the Payment Card Industry Data Security Standard, PCI DSS, or the Health Insurance Portability and Accountability Act, HIPAA), and vendor selection (the company used to manage databases or cloud services, or to take part in the manufacturing process). These business decisions shape the quality of protection that both the IT application and security teams can deliver. But although business users can drive the quality of product security through their requirements, does that really mean they should have the final say?
Keep in mind that the IT application and security teams must provide insight into how best to respond to system failures and security incidents. That insight may curb the list of business requirements and change the budget options the business offers. Since it is the IT teams (application and security) that must always respond to incidents, I believe that the IT teams should own product security decisions.
IT ownership of product security does not let the business off the hook, because business users must always be consulted and notified when product security decisions are made. Business partners must be willing to invest in product security both financially and in skills (by investing in IT talent). Furthermore, business partners must treat the IT department as a key business function, on a par with marketing or finance, and the IT department must treat this responsibility as a joint venture with its business partners rather than just another requirement.
Resources Consulted:
https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/product-security-navigating-regulations-and-customer-expectations