Prepare and Protect: Security Concerns for Product Teams

“You may not be interested in war, but war is interested in you.”

― Leon Trotsky

There is a subject that is impolitic if not downright impolite to mention in most digital product management circles. Bring it up and you might be thought of as wearing the tinfoil hat of the conspiratorial, if not the black hat of the deviant. It is a subject that is unclear, unnerving, and nowadays, all too ubiquitous.

I am not referring to warfare, but to digital security.

Why Should Product Teams Care About Security?

Product teams need to incorporate security concerns into their product plans, not as an ancillary service, but as a core feature of their product. Why? For one, digital insecurity has become normalized. It is pervasive, multi-headed hydra. Each week brings news of new attacks and new vulnerabilities. In fact, this week’s headlines ranged from flaws in fingerprint scanning software to Rammstein-blaring ransomware. There is little doubt that such attacks and vulnerabilities will inexorably follow Moore’s Law and continue to grow exponentially.

And for another, consumers, businesses, and government agencies are becoming increasingly concerned about the safety and privacy of networks, transactions, and data. 2018 saw the European Union adopt the General Data Protection Regulation (GDPR) and California the Consumer Privacy Act. Corporations are increasingly adopting multi-factor authentication as a standard for identity verification.

These are your customers. Their expectations are changing, and your product team must be ready to meet them.

Three Security Considerations

Right about now, you are probably getting a sinking feeling. I am going to make your stomach feel downright queasy by telling you that you need to know what’s going on out there. Phishing attacks are getting increasingly sophisticated. Hackers are adding artificial intelligence (AI) as a new tool for their toolbox. Ransomware and identity theft are in full effect. And the explosive growth of the internet of things (IoT) has opened up whole exciting new vistas for mischief-makers.  Lions, tigers, and bears, oh my!

Relax. Product teams do not need to become experts in ALL areas of cybersecurity — just the ones that touch your product. Here are three simple heuristics to consider:

  1. Each new platform is a new attack vector.
  2. Over time, attacks get more sophisticated.
  3. Frequently, human behavior is the weakest link in the security chain.

Let’s go through each of these in turn.

Each New Platform Is a New Attack Vector

A platform can be a product or a piece of technology. It covers anything from a drone delivering Buddha Bowls to a mortgage app on your iPhone to a commerce website.  “Vector” is just one of these intimidating security words that means something that can be exploited, penetrated, or abused. Any and every platform — from a scooter to social media — can be exploited, penetrated, or abused. Be mindful that if your product is cross-platform — for example, a responsive website — it inherits the inherent security weaknesses of both the desktop and the mobile phone operating system.

Over Time, Attacks Get More Sophisticated

This one is pretty self-explanatory. Humans come up with defenses, and other humans figure out how to defeat or circumvent them. In turn, this prompts the first set of humans to come up with revised or additional defenses in an evolutionary spiral. This is why product teams need to be aware of the latest trends in attacks to create the last defensive features. Product teams also need to recognize, however, that just like rock music, some classics never grow old. A 1998-style SQL injection can be just as dangerous in 2020 if your product is unprepared for it.

Frequently, Human Behavior Is the Weakest Link in the Security Chain

The common technology that the social media political ad, the Nigerian prince’s email, or the IRS representative phone call exploit is human psychology. Humans are biased, oblivious, and often hard-wired to do the wrong choice for the right reasons. Sometimes, a product team has to protect its customers from themselves.

Prepare and Protect

Security is a product team’s responsibility. Don’t be reactive, waiting for customers to advocate for the protection of their data or the patching of your product’s vulnerabilities in their requests for enhancements. Don’t be passive, thinking that doing nothing or “security by obscurity” are acceptable options. Draw inspiration from other fields, such as the UK’s “Secured by Design” organization, which helps develop anti-theft standards for the construction industry.

Product teams need to evolve from “surprise and delight” to “prepare and protect.” Product management is a field with its fair share of breathless tech evangelism, but do not focus on delight to the detriment of defense. It is time for product teams to be objective. Objectivity is not cynicism or a Chicken Little syndrome. The digital sky is not falling, but it is OK to recognize that there are real cybersecurity dangers out there, and they must defend their product against them. Those teams who cite a positive user experience as a placebo for security will have neither.

Empathy and Security

One of the most important things a product team can do to improve the security of its product is simple in concept but difficult in practice: developing a deep and real understanding of and empathy for customers. Customer research is absolutely essential. You cannot secure your product effectively if you do not know your users: their demographics and psychographics, goals,  tasks and mental models. The most effective security measures align with a customer journey rather than impede it.

In my next post, I’ll cover risk profiles, threat models, friction, usability testing, and frequent security challenges for product owners. Stay tuned.