How do you know your product is secure, or what to track?
In this What That Means video, Camille talks with Vernetta Dorsey Windsong, Director of Product Security Governance at Intel. They get into how product security and governance work together, how organizations can implement product security governance, and how to leverage new innovations in automation and AI while preventing governance creep.
Understanding Product Security and Governance
Vernetta explains product security as the practice of designing products with security as a core focus, which improves not only the product itself but also the supporting functions, such as cybersecurity, that protect it. Governance, in this context, is a product security assurance program that adheres to specific requirements and rules derived from industry standards, organizational needs, and compliance regulations. Vernetta highlights Intel’s Security Development Lifecycle, examining how well these requirements are met, how effective they are, where they could be improved, and how industry changes such as AI affect them. She points out that product security governance is about refining both the practices and the processes, and thereby improving the final product. A key test of a thorough governance program, guided by accurate metrics, is that an external review should surface no unexpected findings.
Implementing Product Security Governance
For organizations starting a product security governance process, Vernetta underlines that governance within product security must be centered on accurate data and metric tracking. It is crucial to deeply understand the product being developed and its specific security requirements, and to monitor how the existing tools and requirements are actually being used within the company or team. She advises introducing governance elements gradually to avoid overwhelming teams. Vernetta notes that many companies or teams postpone product security considerations, and suggests that early training combined with the incremental introduction of governance processes yields the best outcomes.
Leveraging Automation, AI, and Managing Governance Creep
Within the secure development lifecycle, automation significantly strengthens product security governance processes. Vernetta points to the potential of software automation, including automated requirements, code check-ins, and responses. The role of governance here is to monitor and address issues such as problematic check-ins, using effective data management strategies. Regarding AI, Vernetta acknowledges its ability to speed up data processing in product security programs and notes that many programs already incorporate it. Nonetheless, she maintains that the process remains largely dependent on human oversight. To prevent governance creep, Vernetta reiterates the importance of integrating product security governance early, ensuring teams understand what must be tracked, and scheduling retrospectives to evaluate what is and isn’t working.
Vernetta Dorsey Windsong, Director of Product Security Governance at Intel
Vernetta has held the position of Director of Product Security Governance at Intel since 2021. In this role, she oversees the monitoring, oversight, and evaluation of Intel’s Product Security Assurance Programs. Her career at Intel also includes serving as a Product Security Staff Engineer, Security Research Manager, and Security and Privacy Leader. Before joining Intel, Vernetta owned her own business at ACN and held significant roles at Bank of America as a Senior Business Continuity Manager and Vice President, Application Manager. Additionally, she has a military background, having served in the U.S. Army as a Second Lieutenant and Captain. Vernetta earned her MBA in Global Business from the Scheller College of Business at the Georgia Institute of Technology, and she holds a bachelor’s degree in Computer Science from the University of Denver.
Check it out. For more information, previous podcasts, and full versions, visit our homepage.
To read more about cybersecurity topics, visit our blog.
#productsecuritygovernance #productsecurity #securedevelopmentlifecycle
The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.
If you are interested in emerging threats, new technologies, or best tips and practices in cybersecurity, please follow the InTechnology podcast on your favorite podcast platforms: Apple Podcast and Spotify.
Follow our host Camille @morhardt.
Learn more about Intel Cybersecurity and Intel Compute Life Cycle (CLA).