Why IoT Product Managers Need to Advocate for Cybersecurity
When it comes to discussing their device’s security, all too often product managers point to the R&D guy standing next to them.
Because security is perceived as part of the device build, along with connectivity, the cloud platform, and data processing, IoT product managers don’t take responsibility for it. But by not doing so, they lose out on a critical component of their device’s product-market fit.
Why PMs need to champion the security of their products
Underlying the necessity for device security is the ease with which a device can be compromised. IoT devices are the veritable ‘low hanging fruit’ of the IT threatscape. They have little, if any, embedded security, and are therefore super easy to hack. But the lower threshold of entry doesn’t mean the risks are insignificant. The reverse is true: the consequences of breaching an IoT device are potentially devastating.
IoT devices are inherently used to sense information in their environment and transmit that data. Naturally, they hold reams of data, and depending on the device, that information can be highly sensitive, whether that be biometric data from medical devices or IP from industrial devices. Hackers can use this data to hold an organization to ransom, to commit fraud or identity theft, or to steal enterprise data for profit.
Device shut down
By gaining access to an IoT device, a hacker can cause damage by impairing the device’s functionality or causing it to shut down entirely. A frequent method of achieving this is through a distributed denial of service (DDoS) attack. This is where a hacker overburdens an IoT device by sending a huge amount of traffic to it all at once, causing it to become overloaded and unavailable.
Physical safety risk
IoT more deeply immerses digital capability into physical reality. For all the practical benefits this creates, it also raises the stakes in terms of the scope of damage. For example, in an attack on an industrial setting, a hacker can hijack critical infrastructure and cause it to malfunction, with potentially dangerous outcomes that can cause physical harm to employees. In the case of an electrical power plant, the entire local environment could be devastated.
All of these risks represent possible damage that could be caused to an IoT device after it has left development and is in the hands of users. Understandably, it’s difficult for product managers to ensure the security of devices after deployment, but the performance of a device throughout its lifecycle is crucial to winning customer trust, continued engagement, and repeat sales.
Why security is the biggest challenge facing IoT products
The one major threat to the enormous business opportunity presented by IoT is security. All too often news of another IoT device getting hacked is splashed all over the media, which inevitably takes its toll on customer trust and willingness to buy connected devices. As awareness of security and privacy becomes more ubiquitous, buyers want security embedded in their devices.
Putting aside the brand damage that can be caused if your device is hacked, a global survey conducted by CIGI-Ipsos found that overall, security ranks as the top factor influencing the decision to buy a connected device. Security was the top priority at 26%, followed closely by price at 24% and functionality at 20%. To get a product successfully selling in today’s market, product managers have to prioritize security as it poses the biggest potential threat to the sales performance of their IoT devices.
So who owns security?
It’s a good question. Currently only 8% of product managers claim to take responsibility for security. That leaves another 92% who are leaving it to someone else, whether that be a dedicated product security expert, R&D, engineering, external experts or just no one and hoping for the best.
Martin Eriksson, co-author of Product Leadership, developed the Venn diagram of a product manager’s responsibilities, which included UX, technology, and business. This diagram is useful not only because it brings clarity to a complex role, but also because it shows the relational impact of decisions on other aspects of a product. So for example, every UX decision has an impact on both business and technology. And all three components are constantly being balanced to find the right product-market fit that will enable success.
But product management guru Daniel Elizalde proposes that, in the era of connected devices, this diagram warrants an update that addresses the inclusion of security. Previously, if security came into the picture at all, it was perceived as an aspect that touches on technology. But if security is going to be present across the end-to-end lifecycle of a product, its inclusion will have bearing on all aspects of a product’s make-up.
Security clearly has technology implications, as it will guide decisions with regard to the platforms, the processes and the testing procedures. It has UX implications in striking the right balance between being easy to use and being secure. But critically, it has business implications, not just due to the costs, but also due to the results that it will deliver on ROI and its ability to meet buyer demand for secure devices.
Key Takeaways: 4 ways product managers can act on security to build better products
Given their key strategic position there are several steps that Elizalde recommends IoT product managers can take that ensure security is prioritized.
1. Learn about security
Be aware of the security implications of your connected device. This doesn’t mean being able to implement security solutions or knowing the security aspects of the kernel or data encryption technologies. What it does mean is being conversant in security, taking a step back and looking at the entirety of the product in terms of how security will be managed throughout the product’s lifecycle, from design and development through to deployment. When your device is being used, how will you know it’s been attacked and how will that attack be mitigated?
2. Advocate for security in your product
As the leaders who work to implement the company’s vision, product managers have two main tools at their disposal: the first is a roadmap, the second is influence. Product managers need to prioritize and advocate for IoT security to make sure that it gets on the product roadmap; otherwise it will never get addressed.
3. Seek expert advice
In the same way that they seek expert advice from design teams on UX, and collaborate with finance and sales on the business side, product managers need to collaborate with security teams, whether in-house or external, to understand security implications and how they can be managed. This doesn’t mean using the resident “expert” on security who has done an online course; it means using a specialized security expert who can help you avoid the high stakes of your device being hacked.
4. Leverage the value of security
Once the effort of putting in comprehensive security has been made, this value needs to be leveraged as the product is taken to market. IoT product managers will need to work with marketing teams to ensure that the advanced security of the device is well communicated to buyers across marketing campaigns, promotions, box labelling, packaging, etc., so that the full ROI potential is met.
Build Products that Customers Trust
Traditionally, the aspiration of a product manager was to build products that their users would come to love. In the era of connected devices, where cyber threats loom large in the buyer’s mind, this aspiration warrants an update to building products that customers can trust. After all, as Elizalde put it best, “from trust grows love”.