Let’s start with the bad news: no organization is immune to product vulnerabilities, and holding your breath or hoping for a best-case outcome is not a strategy. What great product leaders do instead is protect their products, and the teams that build them, from attackers exploiting weaknesses and vulnerabilities.
A product vulnerability, an exploitable flaw or weakness in a product, can affect any product or service, because products don’t exist in a bubble. Once a product enters the world it becomes part of an ever-changing, dynamic landscape: new dependencies, new integrations, new attacker techniques. These uncontrollable, unpredictable variables create weaknesses that become opportunities for attack, and a successful attack compromises even the best product’s integrity, functionality, or confidentiality.
Smart organizations are therefore taking serious, actionable steps to protect their products from vulnerabilities. One way they do this is by creating dedicated threat and vulnerability management roles within product management.
What Is Product Vulnerability Management?
Vulnerability management is a continuous, multi-step process of identifying, evaluating, treating, and reporting vulnerabilities that could impact a product’s ability to operate as intended. Here is a snapshot of the four steps:
- Identification: Gather data through network or application scanning, endpoint agents, and an up-to-date asset inventory (you cannot assess a host you don’t know you own). This first step establishes the security landscape and surfaces potential vulnerabilities.
- Evaluating vulnerabilities: Score each vulnerability identified in the first step, for example with its CVSS base score, and then adjust for context: whether the affected asset is internet-facing, whether a public exploit exists, and what data the asset handles. A medium-severity flaw on an exposed customer-facing host often deserves attention before a critical one on an isolated build machine.
- Treating vulnerabilities: Treat each identified vulnerability according to the risk it poses by taking one of three actions: remediation (fully fixing or patching it), mitigation (a short-term or compensating control, such as a firewall rule or a disabled feature, that reduces the likelihood or impact of exploitation until a fix ships), or acceptance (deciding that no action will be taken because the risk falls below the threshold worth fixing). Acceptance is a recorded decision with an owner and a review date, not simply ignoring the finding.
- Reporting vulnerabilities: The data from the first three steps (what was found, how it was scored, what was done about it, and how long that took) feeds back into the organization’s overall product vulnerability management strategy and gives leadership metrics such as time-to-remediate and open findings per severity.
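As an added worked example (not code from the original article, nor from Salesforce or any vendor), here is a small Python pipeline that carries one constructed batch of scanner findings through all four steps. The asset inventory, the findings, the vulnerability IDs, the scoring adjustments, and the SLA bands are all hypothetical and exist only to show the shape of the process.

```python
"""Identify -> evaluate -> treat -> report, over constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    asset: str
    vuln_id: str          # placeholder IDs, not real CVEs
    cvss: float           # scanner-reported CVSS base score, 0.0-10.0
    exploit_public: bool  # is a public exploit known?
    fix_available: bool   # has the vendor shipped a patch?


# Step 1, identification: in practice this is scanner/agent output joined to
# an asset inventory. Both tables below are constructed for the example.
ASSETS = {
    "web-01":   {"internet_facing": True,  "data": "customer"},
    "build-07": {"internet_facing": False, "data": "source"},
    "kiosk-03": {"internet_facing": False, "data": "none"},
}

FINDINGS = [
    Finding("web-01",   "VULN-0001", 9.8, exploit_public=True,  fix_available=True),
    Finding("web-01",   "VULN-0002", 5.3, exploit_public=False, fix_available=True),
    Finding("build-07", "VULN-0003", 8.1, exploit_public=False, fix_available=False),
    Finding("kiosk-03", "VULN-0004", 3.1, exploit_public=False, fix_available=True),
]

# Step 3 policy: remediation deadline in days by contextual risk band.
# These bands are an example policy, not an industry standard.
SLA_DAYS = [(9.0, 7), (7.0, 30), (4.0, 90)]
ACCEPT_REVIEW_DAYS = 365


def evaluate(f: Finding) -> float:
    """Step 2: adjust the raw CVSS score for the asset's context.

    The weights are illustrative: exposure and a public exploit raise the
    urgency, as does the sensitivity of the data the asset handles.
    """
    a = ASSETS[f.asset]
    risk = f.cvss
    if a["internet_facing"]:
        risk += 1.0
    if f.exploit_public:
        risk += 1.0
    if a["data"] == "customer":
        risk += 0.5
    return min(round(risk, 1), 10.0)


def treat(f: Finding, risk: float, today: date) -> tuple[str, date]:
    """Step 3: pick remediate / mitigate / accept and a due (or review) date.

    A finding above the accept threshold with no fix available gets a
    compensating control (mitigate) and keeps its deadline for the real fix.
    """
    for threshold, days in SLA_DAYS:
        if risk >= threshold:
            action = "remediate" if f.fix_available else "mitigate"
            return action, today + timedelta(days=days)
    # Acceptance is a recorded decision with a review date, not silence.
    return "accept", today + timedelta(days=ACCEPT_REVIEW_DAYS)


def run_pipeline(findings: list[Finding], today_iso: str) -> list[dict]:
    """Steps 1-3 for a batch of findings, most urgent first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for f in findings:
        risk = evaluate(f)
        action, due = treat(f, risk, today)
        rows.append({"id": f.vuln_id, "asset": f.asset, "risk": risk,
                     "action": action, "due": due.isoformat()})
    rows.sort(key=lambda r: -r["risk"])
    return rows


def report(rows: list[dict], today_iso: str) -> dict:
    """Step 4: the numbers a program owner actually tracks."""
    today = date.fromisoformat(today_iso)
    summary = {"remediate": 0, "mitigate": 0, "accept": 0, "overdue": []}
    for r in rows:
        summary[r["action"]] += 1
        if r["action"] != "accept" and date.fromisoformat(r["due"]) < today:
            summary["overdue"].append(r["id"])
    return summary


if __name__ == "__main__":
    triage = run_pipeline(FINDINGS, "2024-01-01")
    for r in triage:
        print(f"{r['id']}  {r['asset']:<9} risk={r['risk']:<4} "
              f"{r['action']:<9} due {r['due']}")
    print(report(triage, "2024-01-20"))
```

Run it as a script to print the triage table. Note how the contextual score, not the raw CVSS number, decides the order: the 8.1 on the isolated build host with no patch lands in the mitigate queue, while the 5.3 on the internet-facing customer host still gets a hard deadline. In a real program `FINDINGS` would be parsed from scanner output, `ASSETS` would come from the asset inventory, and the weights and SLA bands would be whatever your written policy says.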
Why Product Vulnerability Matters to Product Management
Because product vulnerabilities can pose a severe threat to a product’s integrity, and even to an organization’s health, security must be built into the product roadmap from the start rather than handled with a wait-and-see approach once threats materialize down the road.
Stewart Foster of Perforce writes that “up to 90% of software security problems are caused by coding errors, which is why secure coding practices and secure coding standards are essential.” To help, the Open Web Application Security Project (OWASP) offers expertise, open-source tools, and free resources to educate organizations about application security; its OWASP Top 10 list of the most common web application vulnerability categories (https://owasp.org/www-project-top-ten/) is a good starting point.
Prioritizing security on the product roadmap also signals to stakeholders and the wider organization that protecting a product from exploitable threats is a top business priority, not just an IT issue.
Threat & Vulnerability Management in Product Teams
Roles that specialize in organization-wide vulnerability management and research are nothing new. Centering such a role on an organization’s product or service, however, brings a fresh perspective to the issue.
Enter the era of the threat and vulnerability management product manager.
A Threat & Vulnerability Management PM works closely with the IT project manager, who oversees projects involving the company’s IT infrastructure, such as rolling out cybersecurity systems, researching regulatory and data security threats, and developing plans to counteract them.
A recent job listing at Salesforce, a provider of cloud-based CRM software, caught our attention. Here is a snippet of what the company was looking for in this newly emerging product role:
Trust is the #1 company value at Salesforce. Are you the type of person that seeks out roadblocks or tough organizational issues and views those as an opportunity? Do you think of creative solutions to complex problems and solve them? Are you interested in driving product and program excellence in an enterprise-scale automated vulnerability assessment environment that collects vulnerability data from hundreds of thousands of hosts across the stack and turns it into meaningful actionable security intelligence? If so, this product manager role is for you.
Here are the nuts and bolts of the position:
You will ensure that our Threat and Vulnerability Management (TVM) program provides comprehensive and up-to-date information about our hardware and software assets to enable discovery, categorization, vulnerability collection, assessment, triage, patching, and response capabilities at scale across Salesforce and acquisitions, flawlessly. You will build meaningful relationships with teams and management in many Salesforce business units to drive implementation, execution, metrics, and sustainability of program objectives that allow security operations to continuously improve our ability to protect and respond to vulnerabilities and threats to our worldwide footprint.
Topping the list of responsibilities for the threat and vulnerability management PM role at Salesforce was this one: develop vision, roadmaps, and plans with executive management to expand the vulnerability and asset management program to public clouds.
Bingo! Taking a more proactive approach to product security means that security must be prioritized on the product roadmap.
If product integrity is your jam, a threat and vulnerability management PM role might be just what you’re looking for. At the time of the job posting, the skills sought by Salesforce included a minimum of 5 years of experience in product management, a background in building security products, superior communication skills, “demonstrated experience in gathering and transforming product requirements into an actionable product roadmap,” and the ability to deliver products in an agile environment.
Build Your Organization’s Immunity to Threats
In short, monitoring for product vulnerabilities must be an ongoing process: new systems get added, new weaknesses are discovered in existing products and services, and yesterday’s clean scan says nothing about today. Adding a dedicated role to own that process is a smart move, and it is how an organization builds up its immunity to product vulnerability.