Security in Product Management

Product development traditionally views security as a non-functional requirement that must be provided, with little contribution to the overall business value. However, recently security has become a critical aspect that can impact a company's success. Users are more aware of the risks involved in sharing their data and demand secure solutions.

Therefore, it's important to approach security with a proactive mindset and consider it not only from a technical standpoint but also as an integral part of the overall product strategy.


How do you work on security as a product manager?

I have put some tips below.

Make security an asset

As product developers, we often chase after more features and treat security as something that has been imposed on us. We forget that our users like to feel safe. So why not communicate to them the additional security features we introduce as something of value? Even, or perhaps especially, when they are not visible at first glance. 

For example, when communicating with the backend, we can display a message such as 'Encrypting your data' during the encryption process. This not only helps users understand why there may be a delay, but also highlights the added security measures we're implementing. By communicating the value of security, we can make it a selling point for our service.

Involve the team

Security requirements are closely related to the technicalities and so the product developer may be tempted to shift responsibility for them to the team. And well, involving the team is a good idea. However, product development requires a team effort, and security is no exception. While it's important to rely on your team's skills and expertise to ensure the security of your product, it's also essential for the product manager to take a proactive role in this area. 

If you and your team tend to forget about security (or another important topic), it might be worth making it one of the DoR (Definition of Ready) criteria that the team regularly works with. This will help to ensure that security is not forgotten or overlooked during development, and that it's always considered an essential part of the product.

Involve people from outside the team

Security requirements are closely related to the technicalities and so the product manager may be tempted to shift responsibility for them to the team. And involving the team is a good idea. However, product development requires a team effort, and security is no exception. While it's important to rely on your team's skills and expertise to ensure the security of your IT system, it's also essential for the product manager to take a proactive role in this area. 

If you and your team tend to forget about security (or another important topic), it might be worth making it one of the DoR (Definition of Ready) criteria that the team regularly works with. This will help to ensure that security is not forgotten or overlooked during development, and that it's always considered an essential part of the system.

Negligent security has a cost

Often when weighing up which element of the backlog is worth doing first, new functionality wins out over security elements. We forget how great the losses can be when security is not adhered to. Security breaches and data leaks have tremendous costs for the organisation and can result in serious legal and financial consequences, as well as damage to the company's reputation.

But neglecting security can also have the cost of lost benefits. There are customers, especially corporate ones, for whom the security aspect is very important and can weigh on the purchasing decision.

Security - a competitive advantage

In today's world, where cybersecurity is a growing concern, presenting your product as secure and highlighting its security features can be a valuable selling point. It can be a competitive advantage that sets you apart from your competitors, especially when it comes to corporate customers who prioritise security. 

In most corporations, security departments are involved in the purchase process. Very often, when it comes to the purchase of a digital product, the security assessment has a significant impact on the final decision. In such cases, security can be seen as a great competitive advantage.

If you have an idea for additional security features, it is worth validating such hypotheses in direct discussions with your clients and their security departments.

Security is also about compliance

When you think about security, also take legal aspects into account. Often it is compliance requirements that are behind the implementation of additional security measures. Some industries, especially those that deal with finance or process sensitive data, have more of these requirements. Every industry must comply with the GDPR requirements. Failure to comply with security requirements is not only a breach of safety rules but also a breach of applicable law, and it can lead to legal penalties.

Remember about security testing

Security testing plays a crucial role in ensuring that a product is secure. It provides external validation of the product's security features and identifies potential vulnerabilities that need to be addressed. Typically, security testing is conducted by external experts who generate a report that outlines the product's strengths and weaknesses in terms of security. In large organisations, there may be dedicated teams responsible for security testing, and it is important to work closely with them to incorporate their feedback and requirements into the development process. In smaller organisations, the product manager together with the CTO and/or CEO may need to take responsibility for arranging security testing. Regardless of the organisation size, it is important to communicate to customers that the product is subject to regular security testing. Again, this can be particularly reassuring to corporate clients who are concerned about the security of their data.

Security and usability - find a balance

Very often security requirements can lead to additional steps in the process or other obstacles for end users. But security and UX experts don't have to be antagonists. It is worth creating a space for collaboration between them. Of course, this requires mutual understanding and a shared focus on delivering the best possible experience for end users while staying secure. But when both sides understand each other's rationale and focus on looking for the best solutions for the end user, they can find ways to strike a balance and provide both security and usability.


In summary, security does not have to be a burden that delays product development. Security can be a competitive advantage and a differentiator for your product.

It is no longer a non-functional requirement that can be ignored or delegated to the development team alone. It is a crucial aspect of product development that directly impacts customer trust, compliance, and competitive advantage. As a product owner/manager, you can create a culture of security by communicating its value to customers, involving the team, collaborating with security experts, prioritising security testing, and finding ways to balance security and usability. By treating security as an integral part of your product strategy, you can build a product that not only meets customer needs but also protects their data and privacy.

