Security & Privacy — Bake It In!
Expertise in Security and Privacy areas should not be seen as some isolated domain expertise — or — left to some specialist silo to do as their specialist voodoo secret hidden dance either.
Be it software or hardware or both and at all layers within the team or organisation should be both collectively accountable & responsible for it.
It’s not Black/White
Key is to have some levels of expertise based on their perspectives on Privacy & Security tailored to each of the roles instead of “none at all” to enable better cross-collaboration.
Business as the driving force should understand to prioritise early or “bake in” the security & privacy into the product and not some afterthought that only gets fixed once a major s%itstorm finally passes by hurting the business.
No need to ditch all the Silos!
But your cross-functional teams or squads should be more like:
Instead of this:
It starts from the Product
As the mother — you will make a lot of balancing decisions on to:
- Ensure you get all the metrics/review/feeback you need
- Ensure frustration/friction free experience
- Not lose people signing up for your service
- Without being seen/perceived as scary/creepy/evil and finally
- Convenience does not Override Security
Apple is a very good example of this and clearly at Apple these are correctly thought at the product level as features.
Especially if you were to look at their recent advertisements and should show some urgency for other companies to pick their game up as well.
Compared to say organisations who see this stuff as an afterthought that can quickly grow out of control when it was just a self-service machine vendor forcing some selfie features on customers and customer just blindly enabled it.
Convenience over Security is the junkfood for the Product owners
Clearly a lot of companies fail at this, leaving all this to R&D or perhaps to some separate silo’ed obscure department called cyber security.
This mindset often results these “less important” departments or functions not being appreciated by organisation at large and rather seen as the obstacle or hindrances despite their supposed to be huge role.
This mindset has not only led to some major security breaches when nobody takes accountability/responsibility — it’s afterall some other department’s responsibility!
It all leads to s%itty product & experience with Friction
You will eventually lose customers who have grown averse with products that don’t take their privacy seriously.
I just wonder how much more enterprise sales Zoom might have made where the real money is at if they would have baked the security & privacy in from the beginning.
Ofcourse if you are some credit agency or some candidate profiling tool, that people might not have a choice of not using you soyou might be just lucky..
But do you really want to be like that?
You can see the same mentality in action from the film production perspective especially at independent productions where the sound recordists are treated as trash especially by those who don’t understand the qualities and importance of this invisible art.
Perhaps it is most essential that people let people be multiskilled and controlling the Know It All disease instead — it is really the know it all disease that hurts the organisation not the diversity of skills people have which should be encouraged for the sake of continuous learning.
This under appreciation and where the department only gets negative feedback also leads eventually to even worse silo mentality with reluctance on accountability and participation/sharing.
People who don’t “get” security think blind convenience is way more important without understanding the tradeoff and alternative solutions for both better usability as well as security.
Different countries with Different Attitudes
Also different jurisdictions differ with their attitudes towards privacy — in some parts of Europe you will be thrown in jail for violating it whilst in U.S./U.K./Australia etc. you will be just slapped in wrist unless you hit the GDPR fines which go by global turnover.
I see this all is often outsourced to R&D and/or regulatory and/or security departments but they are again clueless about the product and can hamper product decisions if everything needs to be ran via separate department as a trade-off — if they run it at all that is!
Most companies with separate silo’ed regulatory and security departments who have not addressed these issues at top level of the product seem to be the worst offenders relating to security incidents, privacy violations and madness with the usability e.g. bad password rules that prevent people from signing up!
Not only that but have you perhaps seen much of those irritating cookie warning that popup now everywhere that GDPR is in effect? — Quality product management would ensure that these popups are not a hindrance but are both enjoyable to look at and useful.
Maybe also often some U.S. company doing a global product should also think localisation aspects around these attitudes by the differing cultures — which I’ve often seen as a reason why some global company product launches failed because they didn’t simply understand the culture aspects.
Legacy Sales-led Organisations are the worst
I saw this especially a lot with the legacy sales-led products that were historically either full of special cases/technical debt or straight up sloppiness from both bad R&D/product management decisions that were accepted as the norm by their customers and where nobody questioned it.
Or worse if anybody questions it — they get ridiculed or gaslighted.
I don’t know how many times I’ve only raised feature requests to improve security/privacy just to be not understood and not being taken seriously to both improve the product and security/privacy.
Like how many bank websites do you know that are supposed to have bank grade security you get annoyed with which enforce some really weird password rules that make no sense at all — product really should be pushing smooth customer experience for this and be responsible of eradicating that nonsense out.
Even better it should be a competition differentiator (at least for a while!) for some bank that offers FIDO/U2F security tokens support — but we all know some companies are reluctant to raise standards because it apparently costs money a.k.a. perceived cost strategy?
Now a good product manager again would understand these aspects are worth the cost— just like accountants who understands the value of their beans they are counting instead of treating them blindly 1:1 between — but you miss that unless you understand some falsely perceived to be domain expertise of security and privacy.
For example, I was forced to create once a mother of all backdoor scrapers that shut backdoors down and it was a situation where someone (who had historic personal investment on that backdoor) left because of me and it was also the naive product leaders telling me it’s not an issue as they didn’t understand it enough to care to begin with.
I had to observe the people using the product on what they did using the product (which allowed it and was surprisingly accepted as normal) and only found out from that there was this hidden backdoor.
These people did not have the self-awareness to tell anyone because they were probably suffering from what I suspect was the Stokcholm syndrome inflicted by the product vendor by then.
The World Is Not Perfect — Again
Due to people’s lack of self-awareness, we often have to solve these things in products which is not rare when it comes to security and should be product’s responsibility to always improve on from the mother’s perspective as it requires a lot of balancing acts to keep it all together.
In one case about a year after I demonstrated the vulnerability to the reps of a product I’m not naming, it was exploited in wild at massive scale that could have bankrupted organisations I shut the sloppy backdoor at.
The backdoor was deeply embedded in the product as a feature and this organisation was supposedly having the world class security department but yet the deep care or awareness clearly wasn’t there.
It’s just amazing how careless product managers in general are sometimes with security and privacy when they don’t “get” it.
As with software developers this should be one of the core competetencies to understand also at product side, not something you outsource if you ask me for any type of connected software :)
Better product happens from shared Motivations & Understanding
And treat the people working for you more as balanced multi-skilled individuals, who will be motivated to respect and trust each other as they are not treating each other as just the cogs in the wheel who do something they don’t understand —
Shared motivations and some level of underestanding on what each other do goes a long way to both keep people focused what they do and respect what others do.
Better product happens when everyone across upholds the common standard and both hold and take accountability for Security & Privacy.
Some of the most great film directors didn’t start their career just by being a director but they did individual roles before jumping taking the creative direction and these people know how to ask “the right questions” in a right way to get things done and gain understanding.
It starts from the Motivation & Understanding
I mean how good say a product manager is if they don’t ask anyone:
“Why did we have to have this backdoor x again?”
Within the product whilst balancing and juggling all the other things?
I mean would this be the first time you seen say in some website source you apply a mortage from a seemingly innocent comment by the business pressured (and potentially outsourced/siloed too) R&D that sloppily implemented & documented some request by business (or de-facto product manager) to install a seemingly small innocious looking tracker javascript that was supposedly not up to do no harm from the business’s lingo & perspective?
Just like about every other legacy company, one could then shift the blame and leave it to R&D to guard it — or worse — a separate security department silo.
But you get a better product if your whole business is motivated to safeguard it thru all the involved decision making processes without it being a separate artificial hurdle that needs to be bypassed.
