Often overlooked, Product Security is fundamental to Product Management


Products are core to modern business strategy

If you read Ellen Merryweather’s (of Product School.com) post of January this year (refer Further Reading), you may get the sense that product management is coming of age. A focus on products for businesses can provide stickier customers, unlock access to non-traditional markets, and generate annuity revenue rather than single transactions. These days, I find there are two main categories of products:

  • Products in their own right – such as medicines, or items of clothing and auto parts (e.g. tyres)
  • Products that are bundled with services – we see this with cloud-based software solutions, as well as products connected to the Internet of Things (IoT)

Increasingly, physical products incorporate connections to the IoT to provide after-sales services such as device updates or performance monitoring. Unlike services, which are transactional, products have a finite lifespan both in terms of their operations (how many times they can be used, or how long they will last) and from a market perspective, before they are imitated by competitors, superseded, or, in the case of patented products, when the patent expires. This means there is a target window in which to generate Return on Investment.


Product security and integrity risks are varied

There is a range of fraud, security and integrity risks which impact products, many of which are specific to particular products and industries. If not properly managed, product risks can have material implications for profitability and reputation, including:

  • Revenue loss or margin shrinkage due to theft, fraud and abuse by customers, staff and suppliers
  • Consumer safety / law issues including product safety and product recall
  • IP risks including patent, trademark (counterfeiting) and copyright infringements, and the tort of ‘passing off’
  • Commercial risks arising from brand damage, competition etc
  • Geopolitical risks – such as trade embargoes, disruptions and material shortages
  • Information and cyber risks – data theft, privacy breaches, cyber attacks, malware
  • Supply chain and distribution risks – including end user fraud, distributor fraud, and product diversion
  • After market risks – such as parallel imports, grey market products, resold products etc.

Despite this risk landscape, I find it’s rare to see product management or product strategy frameworks that clearly articulate the importance of product risk management and the role of product managers in it. Contemporary product protection programs need to address cybersecurity, fraud, insider threats, supply chain security, and product integrity issues such as tampering to mitigate these and other fraud and security threats.


Inherent risks mean security & integrity has a place in product development

When they materialise, fraud and security threats can have a range of direct and indirect impacts which affect product manufacturers, their suppliers and distributors, and customers (end users). Examples include unplanned losses which erode product margin, sales or resales by unauthorised distributors which financially impact and poison relationships with authorised suppliers, and warranty and returns frauds by customers which compound financial loss with additional expenses such as staff handling time.

Consideration of security related issues is fundamental to realising both the return on investment into designing and releasing a product, and to maintaining the confidence of regulators and consumers that a product does what it says it will.

To properly consider and mitigate these problems, I would argue that a product risk assessment is an essential first step. Product managers need to assess and quantify fraud, security and integrity risks during the New Product Development (NPD) process. What is NPD? It is a 6-stage process that runs from concept through design and prototyping to market, as illustrated below:

The C-I-A triad of information security provides three risk categories that can be used as a starting point for product risk identification irrespective of whether the product is tangible (e.g. a computer chip or bottle of wine) or intangible (e.g. software):

  • Confidentiality – the ability to keep sensitive information secret
  • Integrity – making sure your product is trustworthy, has not been tampered with, and is authentic, conforming, and reliable
  • Availability – making sure the product is serviceable as and when expected

When we think about integrity and products, I find it easier to consider it from two perspectives: seller and buyer. Supply Chain Integrity, which focuses on Provenance, Authenticity, and Traceability, is increasingly important for buyers where there are consumer safety or critical infrastructure protection considerations. In regulated industries, sellers (manufacturers) may need to consider how their products (and supply chains) could be compromised, in order to make their products more attractive to buyers:

Product Security and Integrity is more than cybersecurity

In my experience, it is common to see product security programs focus exclusively on cybersecurity; however, this one-dimensional approach fails to understand the true nature of security threats. Security theory relies upon the concept of ‘security in depth’ – the use of multiple, complementary controls of many types (e.g. system, people, financial, physical security) which are mutually reinforcing and provide layers of redundancy to protect the asset.

Focusing on one layer (e.g. cybersecurity) at the expense of all others just encourages criminals to achieve the same objective via other means. Examples of the varied security programs required at different stages of NPD include information protection programs and prototype security:

Security and integrity risks need to factor in pricing decisions

Understanding how to factor security and integrity risks into product pricing requires an understanding of how products are priced. Typically, a product is priced using a method which calculates total cost of inputs to create (and sell) your product, plus a profit margin – the article from Shopify (referenced in Further Reading below) provides a great introduction to product pricing and strategy.

Importantly, calculating the cost to produce and sell a product differs from your pricing strategy – for example, you may have a product which is cheap to produce but can be sold at a very high margin, either because of some unique factor, market demand, or limited supply. Conversely, you may wish to quickly gain a large market share for first mover advantage or to displace competitors, in which case you may be prepared to cut your margin.

So what sort of security and integrity programs might you need to cost?

  • Product security and integrity controls including anti-counterfeit packaging, tamper evident features and anti-theft measures
  • Cybersecurity features such as Identity and Access Management, data encryption, network security and cyber threat intelligence, particularly if connected to the Internet of Things
  • Fraud protection features to mitigate the way opportunistic and organised fraudsters can abuse your product, such as via warranty fraud
  • Supply chain integrity and security, including controls against distribution frauds, product diversion and returns fraud. Whilst not product security per se, these add to the cost of goods sold
  • Market Surveillance to consider security threats such as counterfeiting and gray market activity as well as consumer safety and quality issues

Some product managers include an additional ‘charge’ for fraud or security issues in the product cost. This effectively acts as an insurance mechanism, with the aggregated charges on sales not affected by fraud or security underwriting those that are. Obviously the ability to do this depends on many supply and demand factors in the market.

If you didn’t previously appreciate the importance of managing the security and integrity risks inherent in product development and product management, hopefully you do now. As you can see, product risk brings material considerations that need to be a feature of any product management framework.

Further Reading
