Security and Product Management
As a 21st century product manager, there’s a pretty good chance your product suite includes something that is connected to the Internet. And unless you’ve been hiding under a rock for the past few years, it’s become very apparent that hacks, viruses, and malware are no longer rare occurrences.

Thanks to quirky-named critters like WannaCry, Bad Rabbit, and NotPetya foisted upon us by bad actors from around the world, 2017 raised the table stakes on security for anything and everything digital. Whether it’s a free email service (Yahoo!), a financial institution (Equifax), or a movie studio (Sony), it’s pretty clear that no one is safe from being a potential target. And with the number of connected devices skyrocketing to the tens of billions thanks to the Internet of Things, there are exponentially more ways for the bad guys to find a way in.

In case the fear of an attack wasn’t enough to make you lose sleep, there’s also a new consumer protection regulation coming in 2018 that will impact every company in the world that stores anyone’s personal data. The EU General Data Protection Regulation may have been created for European consumers, but it doesn’t let anyone off the hook when it comes to accountability: your company now needs to protect users’ cookies and IP addresses as well as their social security numbers, plus you need to seek consent before storing anything personal. Don’t comply, and you’re looking at potential penalties of €20 million (around 25 million USD).

So what—other than hiding under the covers and calling in sick—is a product manager supposed to do? You got into this business to delight customers and innovate, not fortify your defenses and read reams of regulatory documents, right?
Yes, this is part of your job
Just because “IT” and “security” aren’t in your job title doesn’t mean you can assume someone else has this security stuff covered. While it’s not your job to actually patch the holes and shore up the firewalls, you shouldn’t assume this is a priority for everyone else in your organization. Sales teams are chasing revenue, finance is paying the bills, marketing is worried about trade shows and click-through rates, and engineering is focused on the current sprint. Even if your operations and IT teams realize this is important, it helps to have someone from the business side of the house raise the profile of security issues and make them a priority. You shouldn’t go overboard and make security the sole focus of the organization, but you should be including these issues in your updates to senior management and keeping this topic as part of your overall prioritization process. And just because it’s “obvious” that certain security precautions should be taken, there’s no reason to assume the people actually writing your code and designing your infrastructure are on the same page. There are countless examples of cavalier coders taking shortcuts that exposed personal data such as user locations, emails, and credit card numbers because no one explicitly told them not to.
Stay informed
It’s hard to know what to do about security if you’re not up on the latest news and information, but you also don’t want to get lost in a tsunami of constant security bulletins and details. Here are some good tips to stay in the know:

- Subscribe to the security updates/bulletins for all systems that your product runs on or leverages. For example, you can join the Android Security Updates group, view all of the Apple security updates, or get the Microsoft security bulletins.
- Join the server security lists such as Ubuntu’s or Red Hat’s.
- Find a couple of security-related blogs you like and follow them to make sure you’re not in the dark about the latest bad news on the security horizon.
Make infrastructure investments and updates a priority
No one gets excited about sidelining feature development for “maintenance” work, but the vast majority of security breaches could have been prevented if companies were using the latest versions of their vendors’ products. For example, Apache released a patch and update in March of 2017 that Equifax still hadn’t applied in May, when the data breach first occurred. If they had simply kept up with the recommended updates, the problem would have been completely avoided.

So instead of complaining that you have to spend an entire cycle upgrading to the latest release of XYZ, insist that everything is running on the shiny new versions. And if your own product is being installed on other companies’ systems, then you should be treating security updates for your product as just as important as that slick new UI update.
Include security concerns from the start
When you’re rushing out an MVP, no one is thinking about massive data breaches; they’re just worried about market viability. But when the excitement of gaining traction sweeps through your organization, it’s easy to put the focus on features and forget about the boring stuff.

While this might help you land some new customers or funding, it’s also a recipe for down-the-road disaster. Not baking security into your product from the early days means you’re essentially building your business on a house of cards; one unplugged hole and your credibility can go kaput in a heartbeat.

To avoid ending up on next year’s list of worst security lapses, make sure you don’t put off security issues. Even if you don’t build them on Day One, they should be in your backlog and incorporated slowly but surely into each sprint. To make the case for security in your roadmap, remind people of the financial angle. When the VCs or potential acquirers come calling, you can bet their due diligence will include a security audit. Your team doesn’t want to be the one blamed for scuttling the deal.
A starter checklist for security concerns
As you try to incorporate security into your product management worldview, here’s a list of items to keep in mind:
- Keeping Current - Are all of our systems updated, upgraded, and patched? Are our anti-virus and firewall solutions up-to-date and fully functional?
- Backups - Is everything being backed up on a regular basis? Do we have procedures on how to restore systems from a backup if necessary?
- Vendor Vetting - Are our vendors meeting (or exceeding) our own security standards?
- Compliance - Are we keeping up with all applicable regulations and regulatory requirements?
- Auditability - Are we storing all relevant data, transactions, events, and change histories so we could pass any audits that may come our way?
- Encryption - Is all sensitive material encrypted and are we using the latest and greatest technology to do it?
- Authentication - Are we using two-factor authentication where it makes sense? Single sign-on? Requiring regular password updates?
- Limit Liability - Are we capturing and storing data we don’t need? Are we sending or potentially exposing information that isn’t critical to the core application?
- Policy - Does your company have a well-understood security policy? Do your users know and have access to it?
- Opt-in/Opt-out - Are you requesting that your users opt-in to letting you store their data? Are you giving them the option to opt-out of those programs? And do your systems actually function differently based on which option they’ve selected?
Security may not be fun or sexy or exciting, but just like fastening your seatbelt and locking your doors, it’s better safe than sorry.