Cyber security and privacy issues, such as safeguarding data and user identity, were major concerns in 2019. There was an unprecedented volume of vulnerabilities, data leaks and malware, and we will most likely see a further increase in the years ahead. As a product manager, you might think that your job is simply to innovate, satisfy customers and ensure the continued success of your product and business. But the fact that the words “security” or “privacy” are not part of your job title doesn’t mean they’re not relevant to your job. You can’t leave all of the “boring” security challenges to someone else. It’s up to you.
Security isn’t just another set of Nonfunctional Requirements (NFRs) for your product. It is an essential system quality that determines the usability and effectiveness of the whole system. It’s not a question of if a cyber attack will occur, but when. Whether you take a reactive or proactive approach to security engineering depends on what product you have and how mature it is.
Speed can mean everything when working on your MVP, so very often you don’t pay a lot of attention to possible data leaks or breaches. You are focused on finding a product-market fit, and that is your daily hot topic. Once your product has launched and is gaining traction in the market, and your focus shifts to product growth, security becomes even easier to neglect. While you might be able to get away with this strategy in the short term, one day your initial security recklessness will backfire and your whole product might need to be rewritten. This can have catastrophic consequences, such as your business operations grinding to a halt, resulting in significant revenue losses, not to mention the loss of customer goodwill. Is it worth it?
As a rule of thumb, the choice of security engineering implementation has an inverse relationship with the product maturity lifecycle. The further along you are with your product, the higher the cost of implementing any security engineering from scratch will be, and the steeper the fines you might have to pay. If you don’t want to end up on the list of the worst security lapses, make sure you plan and prioritize security issues. Security tasks should have the top priority in your backlog and should be incorporated into each development sprint. Maybe not from the beginning, but security should be a must-have item throughout your whole scope of work, right up to the endgame. You should make security a key part of your agenda and include these issues in your regular updates to senior management.
So if you are wondering where to begin, here’s a starter list of items to keep in mind when building secure systems for your company’s products.