Breaking Down the Barrier: Embracing Product Security as a PM
When someone says “security” in the tech industry, everyone expects cool hacking stories or Hollywood movie scenes, but nobody wants to talk about how to prevent incidents, because it sounds scary and complex and seems to involve illegal stuff. As a product manager, I was one of those people.
I always focused on customer needs, easy-to-use features, metric improvements, and so on, as every PM does. When the security team created a bug or task, I just ignored it and left the card at the very bottom of the backlog graveyard.
Honestly, product security is a serious issue that should not be ignored. You don't want to experience a breach because you neglected some straightforward tasks.
Before diving into product security, here are a few hacking incidents that show how serious it is.
Sony PlayStation Network Outage (2011)
Players could not reach PlayStation online services for 23 days.
77 million users’ data was exposed.
Cost of the incident: $171 million
WannaCry Ransomware Attack (2017)
Around 300,000 devices worldwide had their data encrypted and ransom payments demanded.
Estimated loss: $6 billion
Twitter Account Hijacking (2020)
130 high-profile Twitter accounts were hijacked to promote a Bitcoin scam.
Twitter market value lost during the incident: $1.3 billion
The incidents above show that a security breach can cause a huge loss of productivity, revenue, and reputation for companies and individuals. It can even affect world-changing power: nuclear…
Stuxnet (2010)
Widely regarded as the first known cyberweapon
A cyberattack that sabotaged uranium enrichment centrifuges to disrupt Iran's nuclear program
The alarming breaches above underscore how critical it is to prioritize product security in the tech industry. Neglecting it can have severe consequences, not just financial and productivity losses but sometimes even an impact on the global power balance (nuclear!).
Let's get back to product security
As a product manager who had no idea about security, I talked to many people in my network across the industry to learn the basics. Most of them described how they encrypt their data, what tools they use, how they protect source code, and so on. Yes, all of these are crucial parts of product security.
On the other hand, the concept is more holistic: it covers not only applications and features but also topics like customer and employee awareness and legal considerations. So product security is not only for the security people in the company; it should be everyone’s responsibility.
Should PMs care about security?
If I asked my earlier self this question, I would have said, “NO. Security people are doing their job and I don’t need to do anything.” But now we know it’s more than this. We don’t need to be experts, but we can at least ask the security people “WHY” and “WHAT” to understand the basics and be aware of the concept.
Don’t be like the “old” me. No one wants a security breach in their product just because some security tasks were ignored. Your company, your product, and your reputation are at stake when you decide to ignore security concerns.
Okay, so now we have started to chat with security people, understood the basics, and convinced ourselves that security matters. But as I mentioned above, product security is holistic: “everyone” should be aware of it, and we have the most important role here.
Because on a normal business day we are probably in touch with almost every department in the company. That makes us excellent spreaders of awareness. We have the power to let everyone know about it!
Since security sounds like a huge topic, we just need to pay attention to a few details to get stakeholders to care about it:
Know your audience: Everyone’s concerns are different, so be specific where it matters. For example, a CFO might care about the cost of product security while others focus on different topics.
Be simple and clean: Remember, it’s a scary topic from most people's perspective. Avoid technical terms your audience doesn't need. Instead of “We need to use AES-256 encryption to secure our data.” try “We need to use a strong method to secure our data.” (Keep the concrete requirement, such as the algorithm and how keys are managed, in the engineering ticket; the plain wording is for the conversation, not a replacement for the spec.)
Use stories and examples: It’s the most fun part. People love hacking stories!
Listen and engage: Try to understand what risks and problems people see in product security.
Highlight risks and consequences: Loss of productivity, revenue, reputation, and world-changing power…
Everyone is convinced so let's do some tasks!
We know that prioritization is everything, but security looks like pure COST: investigation time and money, development or purchase cost, and more. Also, customers do not even feel the difference after some big security tasks are done.
While everything looks like a big negative, Sony PlayStation might have avoided losing $171 million and 23 days of unhappy customers, and Twitter might have avoided a $1.3 billion loss in market value, if they had cared more about product security.
We can start with some simple analysis, like:
A sensitive-data analysis of the database: find out what data you hold and how bad it would be if it were exposed.
A simple calculation of the outage cost of a product or service. Ask yourself, “What happens if our users can’t reach this product for a week?” (Bad things happen :( )
Interviews with users to understand their security needs. Find out what matters most to them in your product.
There are also other cases, like legal considerations and regulations: you’re simply forced to build that feature to avoid hefty fines, especially in fintech. Or you might be a B2B company whose potential customers demand certain security features before they will work with you. If you want that type of customer, you’ll prioritize it.
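As an added example (not from the original post), here is what the first analysis above, the sensitive-data inventory, can look like in practice: a small Python script that walks every table and column of a SQLite database, flags columns that look like email addresses, payment card numbers (validated with the Luhn checksum so random digit runs are not counted) or phone numbers, and tags each with an impact tier so you can see what an exposure would actually leak. The sample table, the patterns and the tiers are constructed for illustration; a real inventory would extend the pattern list and run against a read replica, never production.

```python
import re
import sqlite3

# Constructed sample rows standing in for a product database (not real data).
# The card numbers are the standard Visa/Mastercard test numbers.
SAMPLE_ROWS = [
    ("alice@example.com", "4111111111111111", "+1-555-0100", "alice"),
    ("bob@example.org",   "5500000000000004", "+1-555-0101", "bob"),
    ("carol@example.net", "not-a-card",       "n/a",         "carol"),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates plausible card numbers from random digit runs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# (kind, regex on one cell value, extra validator or None, impact tier if exposed).
# Ordered by priority: card numbers are checked before the looser phone pattern.
PATTERNS = [
    ("email",        re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"), None,    "medium"),
    ("payment_card", re.compile(r"^\d{13,19}$"),                luhn_ok, "critical"),
    ("phone",        re.compile(r"^\+?[\d\-\s()]{7,}$"),        None,    "medium"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, card TEXT, phone TEXT, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def classify_column(values, threshold=0.5):
    """Return (kind, match_ratio, tier) for the first pattern that matches at least
    `threshold` of the non-empty values, or None if nothing matches."""
    cells = [str(v) for v in values if v is not None and str(v).strip()]
    if not cells:
        return None
    for kind, rx, extra, tier in PATTERNS:
        hits = sum(
            1 for s in cells
            if rx.match(s) and (extra is None or extra(re.sub(r"\D", "", s)))
        )
        ratio = hits / len(cells)
        if ratio >= threshold:
            return kind, round(ratio, 2), tier
    return None


def inventory(conn: sqlite3.Connection) -> dict:
    """Walk every table and column; report the ones that look like sensitive data."""
    report = {}
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # Identifiers come from sqlite_master, not from user input, and are double-quoted.
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        nrows = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        for col in cols:
            vals = [r[0] for r in conn.execute(f'SELECT "{col}" FROM "{table}"')]
            hit = classify_column(vals)
            if hit:
                kind, ratio, tier = hit
                report[f"{table}.{col}"] = {"kind": kind, "match_ratio": ratio,
                                            "rows": nrows, "tier": tier}
    return report


def worst_tier(report: dict) -> str:
    """Summarise the exposure impact: the highest tier present, or 'none'."""
    order = {"none": 0, "low": 1, "medium": 2, "critical": 3}
    return max((e["tier"] for e in report.values()), key=order.get, default="none")


if __name__ == "__main__":
    rep = inventory(build_sample_db())
    for column, entry in rep.items():
        print(f"{column:15} {entry['kind']:13} tier={entry['tier']:8} "
              f"rows={entry['rows']} match={entry['match_ratio']}")
    print("worst exposure tier:", worst_tier(rep))
```

The output is the kind of table a PM can bring to the prioritization discussion: which columns hold what, how many rows, and the worst tier in play. The 50% threshold and the priority order are design choices; a column that is mostly free text with the occasional card number still deserves a look, so lower the threshold if your data is messy.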
Is the trade-off between being secure and being user-friendly real?
Convincing people, check. Prioritizing and shipping some security tasks, check. But you still need to find a fine balance between security and UX. No one wants a forced password change every week or authentication on every action.
The trouble is that people think you can’t have both, and sometimes that belief lets security people justify unusable solutions. We shouldn’t fall for the over-simplified “trade-off” narrative, and we should be the gatekeeper for customer requirements.
Product security is a hard topic; it needs serious consideration of human factors as well as technical ones, and a “this or that” mindset rarely leads to good outcomes.
In conclusion, I have tried to shed light on the vital role of product security in the tech industry and to show how the conventional attitude of sidelining security can lead to catastrophic consequences, not only financial losses but also damage to reputation and even shifts in global power.
Product managers like me, once distant from security, should engage with the security team, grasp the basics, and foster an environment where security is everyone's responsibility.
Let’s go! It’s time to organize small coffee talk meetings!