Security is someone else’s problem. It’s up to IT. The developers will handle it. We use AWS or Azure, so we’re cool. We use someone else’s payment gateway, so they’ve got it covered. We’re just a startup, who’s going to want to hack us? Sound familiar? Product managers don’t want to spend time worrying about security. Bolstering digital defenses doesn’t generate revenue. It doesn’t spur growth. It definitely doesn’t delight users or reduce friction. And yet, it’s still your problem. Yes, you, the product manager, you have to worry about cybersecurity, too.
Why is such a seemingly non-essential topic critical to your product’s success? Because getting it wrong could completely torpedo your entire business — not to mention your product roadmap.
Why cybersecurity matters
Customers must trust their vendors. They’re handing over personal information, financial data, photos, term papers, contracts— all kinds of sensitive materials. There’s an expectation of privacy and protection. Moreover, there are plenty of laws and regulations to back that up.
Requiring users to agree to a set of terms and conditions might give some product managers a false sense of security. We may all joke that we’ve unknowingly signed over the rights to our firstborn when we click “accept” on the iTunes terms and conditions but new and existing laws go a long way in ensuring users haven’t handed over all their rights.
But beyond the legal implications, a well-publicized security breach or other faux pas can jeopardize the years and years of goodwill and trust products have built up with their users (will Equifax be able to bounce back?). When we talk about the customer journey, it, unfortunately, must include these kinds of unfortunate events.
Users will always blame your company and not the cybercriminals or subcontractors who might ultimately be responsible. Most often, it won’t matter if it’s not intentional or was initiated by a bad actor from outside the company,
If things go sideways, it could even result in a permanent shutdown. Code Spaces had to shutter their doors after they had massive amounts of data wiped out due to a hack, and more often than not, small businesses go under after major cyber attacks.
5 Things about product security you should be aware of
Security lapses come in all shapes and sizes. Here are some of the major areas that should be keeping you up at night:
1. Sloppiness, laziness, and cutting corners
In the go-go environment of Agile, continuous delivery, and SaaS, code is getting cranked out and deployed faster than ever. The increased speed creates plenty of incentives to take shortcuts in both the development and then testing phases of every release.
There simply isn’t the same rigor as there used to be. It’s neither as apparent as leaving passwords and payment info in plaintext, reusing open-source code that has known weaknesses, nor only testing for functionality and not the unexpected. Full, thorough code reviews rarely occur anymore. Testers don’t have the technical know-how to probe for potential problems fully.
Sometimes it’s not even the coder’s fault. They often don’t have proper education, coding examples, or guidelines to follow. Moreover, if the culture doesn’t actively value and preach good security, they’re unlikely to take those steps themselves.
2. Regulations and rights
There are plenty of acronyms in the security domain. If you’re dealing with medical information, HIPAA (Health Insurance Portability and Accountability Act) is top of mind, and if you’re in the payments space, PCI (Payment Card Industry) is something that is always a concern.
But the most important compliance issue for many SaaS companies are new and often misunderstood. The European Union General Data Protection Regulation (GDPR) went into effect in 2018 and has left many companies scrambling to comply. Already hefty fines have hit the likes of Google, Marriott, and British Airways as a result of data breaches.
But there’s another aspect beyond battening down the hatches, executing proper security protocols, documenting preventative measures, and dealing with the aftermath of a hack. This regulation also requires companies to get consent from users regarding retaining their personal information. It also requires them to share what personal data is stored upon request, and allows a user to request that all of their data is completely destroyed.
Typically, this was not a pre-existing capability for many products, so it will often take dedicated work to comply. Also, if you think that this doesn’t apply to you because you’re an American company, think again. If your product allows anyone in the EU to use it, you’re subject to comply with this regulation.
Looking ahead, similar regulations are on the horizon in the United States as the California Consumer Privacy Act goes into effect in January 2020, and Washington state isn’t far behind.
3. Patches and updates
Many security breaches are preventable by making sure any internal systems are running the latest-and-greatest version. Software companies are continually issuing security updates and patches that address weaknesses and holes that could be exploited by bad actors.
Taking a lackadaisical approach to this matter can leave your company unnecessarily exposed. Conduct a full audit of which products are being used in the technology stack and their current version can uncover several items that you can address easily.
4. Cybercrime
Cybercriminals are everywhere, testing your defenses, and devising new ways to steal data, hold it for ransom, or sell it on the black market. They’re searching the dark web for compromised credentials, running phishing scams, and are generally up to no good.
Don’t think that your scrappy startup isn’t a target. In fact, cybercriminals prefer going after smaller companies because they’re easier prey and more likely to pay up since they don’t have the same backup and recovery capabilities.
Making the case for cybersecurity on your roadmap
Now that you’re quaking in your boots, it’s time to make security a priority. But how can you bump features and functionality for things no one will ever see or benefit from?
1. Start with the opportunity cost
Yes, security takes time, money, and resources away from adding new stuff to the product or improving the experience. But none of those excellent features will matter if someone steals your user data and everyone abandons the product. Or if your entire budget takes a hit because you’re paying fines and hiring lawyers after a compliance issue arises.
2. Make security a selling point
If you’re investing in security improvements and going the extra mile to keep user data safe, then let everyone know. It should be a standard part of your pitch, particularly in the B2B, B2E, and B2G markets. Backup and data recovery plans are a must and can now be part of service level agreements, too.
3. Get certified
If there’s an applicable standard for your product, then do the paperwork and go for that ISO 27001 or CSA STAR badge of approval. It will become something salespeople can discuss and something the tech team can rally around instead of relying on a vague understanding of what’s important.
Making room for cybersecurity on the roadmap
What’s just the right amount of security initiatives to work into a roadmap that keeps user data safe and secure without completely derailing product growth and improvements?
Well, it depends. First, you need to do a full assessment of your current state. The assessment might be a task for an outside consultant than someone who’s been on the payroll.
If your team has made security somewhat of a priority all along, there may only be some minor items requiring attention. They should jump to the front of the line, get knocked out quickly, and then you can get back to the business of creating a great product.
If your product has been full speed ahead on other matters and your security profile is left wanting, you’ll need to spread things out. A big push to take care of the most significant holes or low-hanging fruit is a great start to your new commitment to security.
From there, it’s about finding a balance between new functionality and continuing to shore things up. Incremental improvements can be included in every release or sprinkled throughout the timeline. The product can’t get too stagnant during this security-focused backfill.
Don’t forget your product’s features can also improve security. Making users change passwords and relying on multi-factor authentication is an easy way to get weave security into your product.
Of course, you’re not done once you “catch up.” Security is a continually evolving landscape with additional requirements arising all the time. So the plan should be to anticipate that more time must be spent on those issues as they come up.
Next steps for your cybersecurity roadmap
Creating a culture that values security takes time and it extends far beyond the roadmap. For instance, we know the most common security breaches come from sloppy employees reusing credentials or utilizing sketchy public WiFi networks.
You need to cement security’s importance in your product by dedicating some valuable roadmap real estate to it. When cybersecurity is on your roadmap, it communicates to stakeholders and the technical team that this is a business priority and not just an IT issue.
With the right amount of attention, products can make vast improvements in their security profile. Make sure your definition of done includes proper cybersecurity testing and defenses.