If you had to make a choice between building features that help your customers solve their problems or keeping your product secure, you would probably pick the new features. In today’s world, it’s not a choice you can make. You have to find a way to do both. Enterprise organization needs to ensure that product manager security knowledge remains a top priority.
You can’t assume it’s ok to put off working on security until “you have more time.” That is unless you’re willing to accept the publicity that comes to products with security problems and the resulting impact on your product’s reputation and sales.
Here’s a further explanation of why security is important to product managers and what you can do to incorporate it as an ongoing part of your work. We’ll also provide some insight into what we do at Product Plan to ensure your secure roadmaps.
Why security is important to product managers
A Product Manager’s overriding goal is not building a secure product. But having a secure product is an extremely important step for mitigating significant business, legal, and regulatory risks.
Business risks
If your digital product is like most, you ask your customers to hand over a significant amount of private information about themselves or their organization. Increasingly, customers pay a lot of attention to the information they provide and are not willing to provide information about a product that they don’t trust.
If users don’t trust that your product is secure, they’ll stop using it or won’t use it. That means security is important for growing and maintaining sales. It’s not sufficient to say, “trust us.” You need to exhibit that your product is secure.
For example, if your product requires any form of payment, customers won’t complete orders if they don’t think their connection is secure. They’re worried about what will happen to their credit card information.
Legal risks
Of course, trust only goes so far. If you sign customers, their trust will be short-lived if their data is stolen through a security breach.
When that happens, you can’t rely on the fact that you had your users agree to terms and conditions to protect you from lawsuits. You must protect users’ security instead of claiming, “it’s not my fault.”
If you experience a security breach, your users are much more likely to blame you than the bad actors that caused the breach. That means those users are going to file lawsuits to get financial compensation.
At the least, you’ll spend time and money defending against those lawsuits and potentially have the money you have to pay out in a settlement. Worse case, you lose the lawsuit and face potentially significant financial penalties.
That doesn’t even consider the reputational harm that comes along with a data breach and the resulting fallout
Regulatory risks
If these risks weren’t enough to spur companies to action, several governments have enacted various laws and regulations to govern privacy and security.
These regulations can lead to large fines and sometimes criminal penalties. They also can have a wider scope than you may realize.
For example, the European Union’s General Data Protection Regulation (GDPR) applies to any company with users in the European Union, even if your company is not based there.
How to build security into your product
“Ok,” you’re saying, “I get that security is important. But how do I make sure my product is secure?”
Here are three key things you and your product team can do to ensure you’re building a secure product.
Think about security from the start
The best time to think about security is when you work on your product. Several capabilities that influence the security of your product are foundational to its infrastructure and architecture. They are things you can’t easily retrofit after the fact.
You’ll often impact security in the infrastructure you build it on and the features you include in it.
When you build your product’s infrastructure, you’ll want to consider the following things when selecting the platforms and services you use:
- Do you back everything up regularly?
- Do you have procedures to restore your systems from a backup when needed?
- Do the third-party platforms and services you use meet or exceed your own security standards?
- Do you encrypt all sensitive material using the latest technology?
You introduce some security capabilities through the functionality you add to your product. Examples of this functionality include:
- Storing relevant data, transactions, events, and change histories, so you know what data changed and who changed it
- Secure authentication practices such as two-factor authentication, single sign-on, and regular password updates
- Only collecting and storing data do you need to perform the purpose of the product.
- Asking your users to opt-in to letting you store their data
- Giving your users the option to opt out of those programs
Most of this functionality appears throughout your product and is better built in from the beginning rather than added after most of the product is already built.
Consider security in prioritization decisions
Because the main purpose of a product is to solve user problems, there’s a natural tension between building and maintaining features to solve those problems and ensuring that the product is secure.
Because of that tension, you can’t expect security changes to beat out new features in a head-to-head prioritization decision.
Instead, set aside a certain proportion of your team’s capacity each sprint to keep up to date on security matters and make security a key part of your roadmap. That way, you’re not forced to decide between the two, and you can ensure that you’re securely addressing customers’ needs.
Regularly update your product
Unfortunately, achieving a highly secure product is a moving target. Bad actors are constantly finding new ways to breach systems, and platform providers are constantly trying to stop them.
In addition, governments create new regulations or update existing regulations.
To stay on top of this ever-changing situation, use that ongoing proportion of capacity set aside for security to consider:
- Do you regularly update, upgrade, and patch your systems?
- Do you keep your antivirus and firewall solutions up-to-date and fully functional?
- Do you keep up with all applicable regulations and regulatory requirements?
Regular updates include applying updates to the services and platforms you use, making any necessary updates to your product, and providing them to your users.
How ProductPlan prioritizes security
As an overview of what is involved in keeping a product secure, here’s a look at how ProductPlan keeps your roadmap data secure.
We host and manage our physical infrastructure within the Heroku cloud platform (PaaS). Heroku manages its infrastructure within Amazon’s secure data centers and uses Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
ProductPlan includes features and services designed to ensure that ProductPlan is secure as possible. These include:
- Single Sign-On
- Enhanced Password Security
- Advanced Admin Management
- Restriction on Sharing via Private Links