What's the role of a product manager responsible for overseeing information security solutions? Infosec professionals typically work in internally-focused positions that are considered a cost center, rather than directly generating revenue for the employer. Working in a cost center can be difficult, in part because when it's time to cut costs, organizations often shrink internal IT and security budgets. Product management provides an opportunity for infosec professionals to work in a profit center, which provides a different set of career opportunities. There are other ways to align oneself with a profit center, including consulting and sales, but this post is about the role of a security product manager based on my experiences in the field.
What Does a Product Manager Do?
Though the role of a product manager differs across organizations, in many cases the product manager's primary objective is to define product capabilities to support the company's business goals. The secondary objective is often to drive product adoption. Sometimes these responsibilities are called solution management or product development, rather than product management. What do they entail?
- Defining product capabilities involves working closely with customers and prospects to understand and anticipate their needs. It also requires understanding the company's strengths and weaknesses related to the market and staying abreast of the competitive landscape.
- Driving product adoption incorporates tasks that help the product find its way to consumers, which means working closely with sales and marketing teams. This usually requires understanding the sales dynamics of internal as well as channel and partnership groups. It also involves regular customer interactions.
A product manager often works with the engineering team to articulate requirements in a way that leads to the successful creation and enhancement of the product, which is sometimes called a solution, to highlight the need for it to solve a meaningful problem. The product manager, therefore, needs to know enough about engineering disciplines—be they hardware or software related—to communicate with the corresponding teams in the organization.
Though the specific responsibilities differ across companies, product managers often perform the following tasks:
- Define a strategy for the product's evolution to support business and customer needs.
- Create specifications, prioritize requirements and maintain a roadmap of the features being developed.
- Manage the process of making the product available to customers.
- Act as the subject matter expert for the product's capabilities in pre- and post-sales discussions.
- Collaborate with the engineering team building the product to clarify requirements and specifications.
Specifics of a Security Product Manager's Role
Not surprisingly, a security product manager is a PM whose solution addresses information security needs of its customers. The product might be a hardware gadget, such as a network tap, a piece of software, such as an anti-malware tool, or a service, such as a managed security offering. Sometimes the product is a combination of these categories, such as a threat discovery service that uses a proprietary monitoring device, which runs proprietary software and is overseen by the company's SOC team.
It goes without saying that a security product manager needs to possess expertise in the infosec domain relevant to his or her product. Many individuals in these roles used to be hands-on security practitioners who've transitioned into product management. However, plenty of successful security product managers lack such a deep technical background, and built up their infosec prowess after becoming a PM by building upon their business, software engineering or other expertise.
At a high level, overseeing a security product isn't very different from being responsible for another information technology solution. (Therefore, security product managers will benefit from my cheat sheet on the broader practice of product management.) On the other hand, the more domain-specific expertise the PM has, the more successful the person will be in the role. For security products, this means being able to empathize with risk-sensitive customers concerned about issues such as online threats, data safeguards, information security regulations, security incident handling, etc.
As a security product manager, you should be able to answer questions related to your product's security domain, including:
- What measures are your prospective customers employing today to address the risks that your product tackles?
- How will your product's capabilities handle the ever-evolving threat and/or regulatory landscape?
- To what extent does your product offer meaningful, rather than merely incremental security benefits?
- How do your product's operational burdens compare to the product's security value proposition?
- Which security, compliance, audit or other roles within the organization will benefit from your product the most?
For a closer look at the methodology that product managers can use to make decisions, take a look at my article A Product Management Framework for Creating Security Products.