EP 51 — Ping Identity’s Arthur Loris on How to Tell Better Stories About Your Product Security Success

In this episode of the Future of Application Security, Harshil speaks with Arthur Loris, Senior Manager, Product Security at Ping Identity, a company that provides self-hosted identity access management (IAM) solutions. They discuss what product security constitutes at Ping Identity, the biggest challenge to great product security, and how security teams need more strategic, tactical plans to achieve their goals. They also talk about better approaches to risk remediation and why it’s more effective to tell the story about how your security efforts improved the organization instead of just generating tickets.

Topics discussed:

• How Ping Identity defines product security.
• The biggest challenge to product security, which involves building good partnerships with the engineering team.
• How security teams can be better messengers of tasks that are created by the threat landscape.
• A better approach to risk remediation and how to to think about it at scale.
• Better ways of measuring your security efforts, and why telling a story about your impact — like how much money you saved — is more effective than simply generating tickets.
• How security teams can flatten the learning curve when understanding the development process.
• What the future of product security will look like, and why it should include an increased focus on strategy.

Resource: How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard and Richard Seiersen

Quotes: 

“It puts me in a position to be able to tell those stories and say, hey, this is really important because it applies to all possible threat categories and therefore this is a huge ROI as far as risk reduction. And being able to frame that into that context versus saying, hey, we triaged all these findings and we created four tickets. Four tickets. Okay, nothing wrong with creating tickets, but it’s better to tell a story.” 

“The biggest challenge is to build good partnerships with those engineering teams and to put yourself in a position where you’re delivering value to them by making security as painless as possible.”

“The value that we add is to make it easier to do security things rather than to be constantly bringing new tasks.”

“I would like to see a strong emphasis on strategy, which is really finding those points of high leverage efforts across the department and then leaning into those and building goals and tactical plans to achieve those.”

“What does it mean for you not to get breached? What are the important things that need to not be compromised? And work your way back from what that actually looks like on the ground.” 

Listen to more episodes: 

Listen on Apple 

Listen on Spotify