As technology rapidly integrates into every facet of our lives, the lines between product management and cybersecurity are becoming increasingly blurred. A once siloed approach where product managers focused solely on functionality and user experience is no longer tenable. In the current landscape, product managers must also be attuned to the complexities of cybersecurity to ensure the safety of their products and the trust of their users.

To explore this convergence further, we sat down with Abhishek Bansal, an expert in the space, to glean insights into this evolving dynamic. Bansal is a prominent leader in the Identity and Access Management (IAM) domain with over 14 years of experience, having contributed significantly to both startups and Fortune 100 companies in the cybersecurity industry. As such, he has the insider knowledge to share a new perspective on how product management meets cybersecurity.

Question: Cybersecurity is a big issue; can you give us some numbers on how frequent cyberattacks are?

Abhishek Bansal: Forbes and the Deloitte Center for Controllership report that over a third of executives believe their financial and accounting data faced cyber threats in the past year. From this group, 22% did experience a cyber incident, and about 12% encountered multiple challenges. Almost half of these executives predict a rise in both the magnitude and frequency of cyber-attacks on their financial information in the coming year. But only around 20% actually mention consistent collaboration between their finance and cybersecurity teams. This points to a significant vulnerability, especially as many anticipate increasing threats to accounting systems.

Q: How devastating are cyberattacks to businesses and other entities?

Bansal: By 2025, cybercrime is forecasted to cause $10.5 trillion USD worth of damages worldwide, surpassing the annual damage caused by natural disasters by a significant margin. So, in short—it's massively devastating. It can be even worse for small and mid-sized businesses, which often don't have dedicated cybersecurity teams.

Q: How does cybersecurity affect product management?

Bansal: It's actually an indispensable aspect of product management in today's digital age. More and more products are integrated with digital components, networks, and software. Because of this, ensuring their security from cyber threats becomes paramount. Product managers have to consider the user experience, functionality, and design, and also how secure their products are from potential cyberattacks. 

This involves performing a risk assessment to understand the potential vulnerabilities in the product's software or hardware, the data it might collect or process, and the ways it interacts with other systems. Addressing these concerns requires product managers to work closely with cybersecurity experts throughout the product development lifecycle, integrating security measures as foundational elements rather than as afterthoughts.

Q: How do product managers anticipate cybersecurity breaches?

Bansal: Well, as we know, the ramifications of a cybersecurity breach on a product can be catastrophic for businesses, both in terms of financial costs and reputational damage. A compromised product can lead to data breaches, loss of customer trust, and significant remediation costs. So, product managers must be proactive in their approach, constantly staying updated on the latest cyber threats and ensuring that security protocols are rigorously tested and updated. We have to prioritize cybersecurity to protect the end-users and the brand. We also have to make sure that the product can enjoy long-term success and relevance in a competitive marketplace.

Q: So when a breach actually happens—what is the role of a product manager?

Bansal: In case of a breach, we have a key role in managing the crisis and activating incident response plans, which involves coordinating with different teams and ensuring a swift response to mitigate the damage. First and foremost, we have to quickly assemble the product team and related stakeholders to assess the severity of the breach. This will involve coordinating with the cybersecurity team to understand the nature of the attack and its immediate impact.

Then, depending on the severity and the nature of the breach, legal and PR teams should be informed. Many jurisdictions require companies to notify users and regulators of breaches within a certain timeframe. For example, in the EU, the GDPR requires notification to be given to authorities within 72 hours, and if there is a delay, the reasons for the delay. The product manager, in coordination with PR and legal teams, should ensure that communications are clear, transparent, and compliant with regulatory requirements.

Q: What if the breach is still happening?

Bansal: If it's still ongoing, we work closely with the technical team to prioritize actions that stop the breach and prevent further unauthorized access. This might involve patching vulnerabilities, taking certain parts of the system offline, or changing security protocols.

We need to understand how the breach occurred and its full impact. Sometimes we have to hire external cybersecurity experts or work with internal teams to analyze logs and system data. We try to make sure that all findings are documented for future reference.

Q: Once the breach is contained and understood, what's next?

Bansal: The next step is to restore any affected services or data. This also involves performing a damage assessment, sort of a post-incident review, to understand how the breach occurred. It's important to start restoring the least critical services and data. The product manager will need to coordinate this effort, ensuring that it's done in a way that won't expose the system to further vulnerabilities. And honestly, a breach—while never something we want to see—can provide a learning opportunity. Any product manager should know how to facilitate a retrospective or post-mortem with all involved teams to understand the root causes, the effectiveness of the response, and areas for improvement. It's also critical to inform the relevant authorities—law enforcement agents, etc., as needed.

Then, we strengthen security. Using the findings from the breach, the product manager, in coordination with the technical team, should implement measures to bolster the product's security. We might end up needing new tools, better encryption, stricter access controls, or more regular security audits.

Q: How do you communicate breaches with stakeholders?

Bansal: Throughout the process, a product manager should be regularly updating key stakeholders, from company leadership to customers (if appropriate). This lets everyone be informed and take necessary actions on their end.

Q: What's the aftermath like?

Bansal: It can be a lot of work! We review the current product roadmap to prioritize any new features or changes that could enhance security. This might mean delaying some features to prioritize security-related updates.

Then, if the breach was due to a human error or oversight within the product team or broader organization, we often need to advocate for more robust training and awareness programs to prevent similar incidents in the future.

Q: Thank you so much for sharing your insights with us!

Bansal: Thank you for having me.

Clearly, the product manager's role during a cybersecurity breach is multi-faceted, requiring effective coordination, clear communication, and swift decision-making. A product manager like Bansal has to develop the ability to manage such a crisis, with the goal of significantly influencing the product's and the company's reputation in the long run. It's a constant balance of foresight, emergency measures, and learning from mistakes.

About Abhishek Bansal

Abhishek Bansal stands out as a distinguished figure in the Identity and Access Management (IAM) sphere. With a solid track record spanning over 14 years, he has made notable contributions to both emerging startups and esteemed Fortune 100 firms in the realm of cybersecurity. A graduate of the University of Southern California, he has deep expertise in Identity Governance and Compliance across regulated sectors and has actively participated in major cybersecurity associations, championing ethical AI use, zero trust architecture, and advanced IAM technologies.

Learn more: https://www.linkedin.com/in/uscgradabhishekbansal/