Hey everyone, thanks for joining me today for Product School's webinar on Product Management and Cybersecurity, a customer-centric approach to securing enterprises. Before we get started, a little bit about myself. I'm Sharanya Ramakrishnan, working as a senior tech product manager at Amazon Web Services. Started my product journey as an intern with Adaptive Insights, currently part of Workday. I worked on the API strategy there and after that, I moved on to join the PayPal product management team and worked on building cybersecurity products there for the engineers and analysts in the team. Currently part of AWS Identity, learning a lot about building products for customers related to their identity and access management needs. I enjoy learning about building enterprise-scale products, that's currently what I'm doing and apart from that, I'm passionate about tech leadership as well. I've been part of several initiatives related to women in product and women in tech. I also hold a master's degree in management information systems from the University of Arizona. Outside of work, when I'm not spending time with my dog, I enjoy traveling, hiking, reading and trying different kinds of workouts.
Before we get started, just a quick disclaimer: all the views that are expressed in this presentation are purely my own and they do not reflect the views of any of the organizations that I was or currently am part of.
So today we will first start off with learning a little bit about the enterprise security landscape, what it looks like and the challenges that it brings. Then we will dive a little deeper into how product management can help in this space, the benefits that it has to offer and how we can implement it, what the process looks like and then jump to the key roles in cybersecurity and what product managers can contribute there.
So cybersecurity teams in organizations today operate with one key goal: don't get breached.
So enterprises are constantly working on figuring out how they can secure their customers' information and at the same time adopt a very proactive and not reactive approach to cybersecurity. If you were to do a quick Google search about the key statistics in cybersecurity today, you'll probably be shocked. In just the first half of this year, 18.8 billion records were exposed because of cybersecurity breaches. If companies were to actually estimate all of the total losses because of cybercrimes over the span of 2021, it would amount to about $6 trillion. The pandemic really hasn't helped the situation at all. Start with organizations moving to a hybrid or a fully remote sort of culture for their employees. It's definitely complicated things and the cybercrime rate has increased by almost 300% since the pandemic started.
In this landscape where companies are very worried about being a part of the headlines tomorrow because of a data breach or so, product managers come into the picture and play a very critical role in helping build scalable, reliable and really versatile products that can actually keep pace with the hackers.
So as enterprises work towards building, establishing and maintaining a really good cybersecurity posture, they invariably end up running into several challenges. Now we said that the cybersecurity landscape itself is very volatile, very dynamic, right? And the key reason for this is because there are hackers out there trying to infiltrate enterprise systems almost on a daily basis, trying out different techniques. Cybersecurity teams always need to be one step ahead by actually understanding how they can go ahead and protect their enterprise systems. Another interesting aspect is enterprises deal with security issues almost on a daily basis and in many cases, in efforts to mitigate or resolve these issues, teams end up building tooling to address the issues and most often it's abandoned as soon as the issue is resolved.
This has definitely led to the proliferation of certain homegrown products which are no longer being used in the company and no longer even accounted for. Companies also invest a lot in buying security products to solve specific problems but never really look into whether they are fully utilizing all of the capabilities that the product has to offer. There may be a situation where a product offers 10 capabilities but the teams are actually leveraging only maybe two out of those 10 capabilities.
Now tech debt is another interesting aspect, something that all engineering teams deal with, and it's a little more complicated with cybersecurity teams because they're always in a firefighting mode and don't really have the time to dedicate towards addressing the tech debt, and this accumulates over time very quickly.
Another interesting challenge, in fact the most interesting challenge when it comes to cybersecurity, is the fact that it's very challenging to actually quantify the return on investment that cybersecurity teams bring to the company and associate a dollar value to it. The reason why this is complicated is because a company not getting hacked or breached on a particular day is actually because of the proactive efforts and mitigations that are done by the cybersecurity team, but tying a dollar value to this is a little tricky.
Now that we've seen what the cybersecurity landscape looks like and understood a little bit more about the challenges that it brings, let's see what product management can do here to add value to the space. Product managers by default are the voice of the customer, they really establish this feedback loop between the customer and the engineering teams. When it comes to cybersecurity this is even more critical because requirements in this space are very ambiguous in most cases, they're constantly changing because the landscape itself is very dynamic.
Now consider an example where an engineering team is trying to build out tooling to help a security operations analyst with avoiding bot attacks. In this situation, if the security analyst is able to provide feedback on the latest techniques being used by hackers to the engineering team, then the engineering team can make sure that the tooling is at par and will be able to mitigate the latest techniques efficiently. Product managers help to establish this feedback loop and make sure that the feedback from the security analyst goes back to the engineering teams and is incorporated into their product development cycle.
Product managers come with long-term strategy and vision. They not only establish or figure out what are the products that need to be built and when, but they also see how they align to the long-term vision or goals for the company. With this mindset the proliferation of ad hoc products that are built and then not used is minimized, because product managers are constantly questioning why we're building something, how this is going to benefit the customer and also questioning how this aligns with the long-term vision. With this mindset we'll really be able to tackle this problem of ad hoc products being built, and even in the case of the example that we saw earlier, even if the team is building something for the bot attacks, that tooling could very well be aligned with the long-term vision of a threat mitigation platform that the organization may build and build on top of that.
Now, failing fast and learning from the failure and then iterating quickly is something that product management brings to the table. With this mindset cybersecurity teams are able to test out, innovate really quickly and this really adds value to the table.
We spoke about how different products are being purchased by companies but all of the capabilities are not really being completely utilized.
When product managers are involved they spend a lot of time trying to understand the problem, what the challenge is that the customer is facing, and then mapping it to relevant products, whether it's being purchased or whether it's being built in-house. Understanding the problem statement completely helps to avoid the situation where there are multiple products for solving a single problem or underutilizing the capabilities of existing products as well.
Now that we've taken a look at what's the value that product management brings to the cybersecurity space, let's dive a little deeper into what this looks like from a process perspective. Now all of the core principles that apply to product management of course apply here as well and by default we always start with the customer. It's very important to understand what the end goal of the customer is or what the customer is trying to accomplish, and in that process we also figure out what does the customer journey look like towards reaching this end goal. Along the journey and as we try to understand the journey a little bit better we identify points of friction. These friction points or pain points basically translate into the feature requirements.
Consider the case of building tooling for bot attacks. Here the security ops analyst's goal is to ultimately make sure that an end user who is trying to sign in to the device or application has a very secure experience knowing that there are no bots trying to hack their accounts. To accomplish this goal the security analyst needs a way using which they can accurately detect what are the bot attacks and when they're happening and distinguish them or the suspicious activity from legitimate sign-ins. To accomplish this what they need is a tool that is able to accurately detect this. So we've also identified and this in turn will distill into requirements of what does what a tool must have to actually be able to accurately identify the suspicious attacks.
Coming to the next phase, which is the feature distillation: so once we have the product requirements, what happens is the next step is to understand whether you want to build this product in-house or go ahead and leverage a solution that is available in the market and purchase this for the company to solve that particular problem. If this is a company building cybersecurity products then it's a different situation where customers come to you and share the problems that they're facing and you build out solutions or services to address those problems. Once you make a decision of build versus buy you basically identify the key milestones that are required to actually achieve that goal or meet all of the product requirements and what does success look like in this journey. For example in the bot attack example itself I can say that for me the success metric is a 95% accuracy of detecting suspicious activity.
The next phase is prioritization, where you know these are the requirements that the product should have but you also know that you can't build out all of the requirements and deliver quickly. So in that case you narrow down the scope of the requirements themselves and focus on what are the core features or the P0 requirements. Now in the cybersecurity world, to understand or prioritize, one of the key lenses through which you need to look through is the risk reduction lens, or what is the level of risk reduction that this particular feature brings to the table. Once you understand this it'll be very easy to figure out what's the right scope and that in turn will flow into effort estimates and then you can prioritize it as part of your roadmap. For example in the bot attack scenario suppose I have three different ways in which I can identify suspicious activity. Now out of the three ways I know that one of the ways will give me an accuracy of 80% while the other two give me something between 50 and 60%.
I can consider the 80% goal as my MVP and make sure that I start with the effort estimation of that 80% solution and evaluate or weigh that against the other solutions and prioritize the one which gives me the maximum risk reduction, which is if I'm able to accurately identify 80% of the bot attacks then by default I have higher odds of also reducing the number of attacks. So that's the risk reduction lens.
Once you're able to prioritize and scope it down to what you can iterate on and quickly deliver, it's in the execution stage or the iterative development stage where you go ahead, break it further into smaller user stories or epics and then plan it into sprints, deliver quickly and every sprint you engage with the customer, in this case the security analyst, and get their feedback on hey if this is going to work help against the techniques that are being used by hackers today and incorporate that feedback into your product.
Suppose you're building out a product for external customers or you are the security vendor building out products for the enterprises. There is obviously an aspect of a product launch and marketing engagement also involved in this case.
Now we spoke about the build aspect here, both whether you're building this product for internal teams or for an external customer. When it comes to the buy aspect the last two cycles of the process look a little bit different, where once you identify that you want to buy the product you go ahead and identify what are the different products available in the market solving that particular problem. You do a vendor analysis, you do a comparison of what features the products have to offer and then once you narrow down on a single solution you invariably end up doing a proof of concept. If the proof of concept shows positive results then you go forward with budget approvals, legal approvals and whatever is needed from a process perspective to actually purchase that product for your company.
After that, rather than going into development or iterative development, this is more of a deployment process where you're basically implementing a solution in your environment. So there's a lot of integration work involved, probably a lot of customization as well, and this can also be planned into sprints but it's more about operationalizing the tool and then training and making sure that the analysts or whoever is the customer is able to use the product efficiently.
So we saw what the process looks like if you're trying to incorporate product management into the cybersecurity landscape and how that varies a little bit for build versus buy sort of products. Now let's take a deeper look into what are the key roles in cybersecurity and how they come together.
Now within cybersecurity itself and the product management practice is unique. You could be an internal cybersecurity product manager where your customer is essentially maybe a cybersecurity engineer or an analyst and you help build products to aid them in securing the enterprise on a daily basis, or you could also be a product manager who's building tooling for all of the developers within the company to help them make sure to push code with zero vulnerabilities and do this in a very seamless efficient manner. You will also be by default involved in a lot of build versus buy analysis and decisions if you're an internal product manager. The other aspect of this is being an external cybersecurity product manager where you're building out products or services or solutions for enterprises to actually consume and in many cases buy. Here the interesting aspect is you're building these products and that will cut across several different industries.
What this means is it comes with an interesting angle where if you're building out products and many of your customers are in say the fintech industry, it by default comes with an additional set of compliance and security requirements with standards like the payments card industry standard which these customers will expect you to be compliant with. Similarly suppose most of your customers are healthcare customers, you will be expected to be HIPAA compliant or basically given assurance that you're handling the confidential information of patients and their medical records in a way that is defined or dictated by HIPAA.
So we spoke about internal cybersecurity product management, external cybersecurity product management. Another interesting thing that's happening is actually organizations themselves are going through a mindset shift. So cybersecurity has always been this division that's been very implementation driven or deployment driven. So it's always been buying a product, implementing it or incorporating it in your infrastructure. Only in recent times have companies really opened up and cybersecurity teams are actively investing in product management functions to really examine what the customer problem is, understanding the problem better and then developing solutions or purchasing the solutions. So what this means is product managers often work hand in hand with program managers who basically track the product deployment and make sure that the product deployment is meeting the goals and metrics defined by leadership. And hand in hand product and program work together with engineering who drives the execution or the iterative development of the product itself from a technical standpoint. And collaboration between these three functions, that is product management, program management and engineering, is really critical in making sure that a company is able to achieve all of the security goals and succeed in securing their enterprise.
So the key takeaways from today's conversation are basically that the security landscape is very volatile and because of this volatility, it brings with it a unique set of challenges. Taking a very product centric approach helps in addressing several of these challenges. And we also discussed the product framework and how it can be expanded to cybersecurity and what internal versus external product managers look like in the security space.
Leaving you all with a very popular quote where it talks about how good companies manage engineering but the great companies manage product. Product management ultimately is all about taking a very customer centric approach to solving problems and investing in the right space. It's that bridge between business and technology and adding cybersecurity to this makes it all the more interesting because you're constantly on your toes and you're constantly challenged with a different variety of problems almost on a daily basis.
Thank you very much for your time today. Really appreciate it. If you have any questions or would like to stay in touch, please feel free to reach out to me on LinkedIn or through email. Have a nice day.