What Does a Security Product Manager Do?
A security product manager defines product capabilities and drives adoption for cybersecurity solutions, working closely with customers, sales, and engineering teams. Unlike most security roles that operate as cost centers, product management offers security professionals an opportunity to work in a profit center while leveraging their domain expertise.
What’s the role of a product manager responsible for overseeing cybersecurity solutions? Security professionals typically work in internally focused positions that are considered a cost center, rather than directly generating revenue for the employer. Working in a cost center can be difficult, in part because when it’s time to cut costs, organizations often shrink internal IT and security budgets. Product management provides an opportunity for security professionals to work in a profit center, which provides a different set of career opportunities. There are other ways to align oneself with a profit center, including consulting and sales, but this post is about the role of a security product manager based on my experiences in the field.
What Does a Product Manager Do?
Though the role of a product manager differs across organizations, in many cases the product manager’s primary objective is to define product capabilities to support the company’s business goals. The secondary objective is often to drive product adoption. Sometimes these responsibilities are called solution management or product development, rather than product management. What do they entail?
- Defining product capabilities involves working closely with customers and prospects to understand and anticipate their needs. It also requires understanding the company’s strengths and weaknesses related to the market and staying abreast of the competitive landscape.
- Driving product adoption incorporates tasks that help the product find its way to customers, which means working closely with sales and marketing teams. This usually requires understanding the sales dynamics of internal as well as channel and partnership groups. It also involves regular customer interactions.
A product manager often works with the engineering team to articulate requirements in a way that leads to the successful creation and enhancement of the product, which is sometimes called a solution, to highlight the need for it to solve a meaningful problem. The product manager, therefore, needs to know enough about engineering disciplines, whether hardware or software, to communicate with the corresponding teams in the organization.
Though the specific responsibilities differ across companies, product managers often perform the following tasks:
- Define a strategy for the product’s evolution to support business and customer needs.
- Create specifications, prioritize requirements and maintain a roadmap of the features being developed.
- Manage the process of making the product available to customers.
- Act as the subject matter expert for the product’s capabilities in pre- and post-sales discussions.
- Collaborate with the engineering team building the product to clarify requirements and specifications.
- Use product telemetry and customer usage data to inform feature prioritization.
Specifics of a Security Product Manager’s Role
Not surprisingly, a security product manager is a PM whose solution addresses the cybersecurity needs of its customers. The product might be a SaaS platform such as a cloud SIEM, an endpoint security solution, a cloud-native application security tool, or a managed security offering. Sometimes the product is a combination of these categories, such as a managed detection and response (MDR) service that combines proprietary technology with analyst expertise in the company’s SOC.
A security product manager needs expertise in the domain relevant to their product. Many individuals in these roles used to be hands-on security practitioners who’ve transitioned into product management. However, plenty of successful security product managers lack such a deep technical background and built up their security prowess after becoming a PM by drawing on their business, software engineering or other expertise.
Overseeing a security product isn’t very different from being responsible for another technology solution. (Therefore, security product managers will benefit from my guide for creating security products.) On the other hand, the more domain-specific expertise the PM has, the more successful the person will be in the role. For a security product, this means being able to empathize with risk-sensitive customers concerned about issues such as online threats, data safeguards, information security regulations and security incident handling.
As a security product manager, you should be able to answer questions related to your product’s security domain, including:
- What measures are your prospective customers employing today to address the risks that your product tackles?
- How will your product’s capabilities handle the ever-evolving threat and/or regulatory landscape?
- To what extent does your product offer meaningful, rather than merely incremental security benefits?
- How do your product’s operational burdens compare to the product’s security value proposition?
- Which security, compliance, audit or other roles within the organization will benefit from your product the most?
- How does your product leverage automation or AI to scale protection without increasing operational burden?