1. What Every Product Manager Needs to Know About Security
Protecting Your Brand and Revenue
Phil Burton, Principal Consultant and Trainer
280 Group LLC
© 2010 280 Group LLC
Page 1 ©2010 280 Group LLC
2. Agenda
• Why Is Information Security Important?
• Causes of Website Insecurity
• Issues and Consequences
• Market Requirements
• Takeaway Ideas
3. Why Is Information Security Important to You?
• Effective privacy requires excellent security
– not always understood by “privacy advocates”
• Lack of effective privacy (security) can damage your business model
– loss of trust and reputation → brand damage
– decreases in site visitors → lower revenue
• Real risk of government regulation in US, EU
4. What Is Information Security?
• Information security broadly defined
– Confidentiality of data
• Privacy
• Controlled access
– Integrity of data and systems
• Data has not been modified
• Systems function as intended
– Availability of systems and data
• Systems online and functioning
• Data available whenever needed
• Traditional security applications protect corporate networks and consumer systems
5. Threats to Website Security
• Professional criminals, in organized gangs
– Eastern Europe, “Nigeria,” parts of Asia
– Anywhere in the world
– Relatively risk free and no geographic limitations
– Using social media websites to distribute malware that gets downloaded to users’ systems
• Repressive governments
– China, “cyberwar”
• New developments almost daily
6. Causes of Website Insecurity
• Corporate policy
– Business model monetizes private data
– Complete indifference to privacy issues
• Poor operations and programming practices
– Badly designed, buggy software and configurations
– Attackers “contribute” user content that carries malware, or plant malware directly on a site they have broken into
• Lack of user education
– Users don’t know how or why to protect private data
– “Social engineering” tricks users
7. Corporate Policy Causing Privacy Issues
• “Your Privacy Isn’t So Private” – San Jose Mercury-News, Tech Files column, May 3, 2010
– Facebook is “cavalier” with privacy of its users
– “Alarm bells went off in my head over the privacy issues”
– “Astonishing how much information Facebook now considers ‘public’ and is sharing with its marketing partners”
• Facebook login allows users to log in to other websites
8. Corporate Policy Causing Privacy Issues
• “A Blurring Line: Private and Public” – NY Times, Bits column, March 15, 2010
– Google Buzz service a “complete disaster” by linking email accounts to status updates on social networks
– Facebook makes members’ information public by default
– Issue is “broader muddying of the line between what is private and what is public online.”
9. Corporate Policy: Facebook Places Issue
• Facebook announced location service “Places” August 18, 2010
• Immediate criticism of the default: users were opted in automatically
– No single opt-out setting
– No ability to control which people can see a check-in
– Friends can “check in” a user without permission
– Available to Facebook partners and phone apps
10. Corporate Indifference: Photos Uploaded to Websites Reveal Exact Location
• “Geotags” (GPS coordinates that the camera or smartphone writes into the photo’s EXIF metadata) identify the exact location where the photo was taken
• Children, friends, houses, expensive cars, etc.
• Website APIs make it easy for criminals and stalkers to locate on Google Maps
– “Cyber-casing”
• Users are “compromising their privacy, if not their safety”
• Stripping out all “metadata” from photos runs into copyright law (metadata also carries copyright-management information), so location tags have to be removed selectively rather than wiping the whole EXIF block
• Smartphones and websites need better user controls
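The geotag exposure above, as an added example that is not part of the original deck: a minimal Exif parser in Python that reads the GPS coordinates the way a “cyber-casing” script would, and a selective strip that removes only the GPS sub-IFD (IFD0’s GPSInfo pointer and the coordinate data it points to) while leaving the rest of the metadata, such as the camera Make, in place. It works directly on the TIFF structure inside the Exif APP1 segment, with no image library; tag numbers and the TIFF layout follow the Exif specification, the function names are this example’s own, and the sample JPEG it builds is constructed for the example (SOI, Exif APP1, EOI, no image data).

```python
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8}  # TIFF field type -> element size
GPS_IFD_TAG = 0x8825                                  # IFD0 entry pointing at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x1, 0x2, 0x3, 0x4       # tags inside the GPS sub-IFD

def _open(jpeg):
    """Locate the Exif APP1 segment: (prefix, tiff bytearray, suffix, endian, IFD0 offset) or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:  # stop at SOS
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]                          # counts itself
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = bytearray(jpeg[pos + 10:pos + 2 + length])  # TIFF structure follows "Exif\0\0"
            endian = "<" if tiff[:2] == b"II" else ">"
            ifd0 = struct.unpack_from(endian + "I", tiff, 4)[0]
            return jpeg[:pos + 10], tiff, jpeg[pos + 2 + length:], endian, ifd0
        pos += 2 + length
    return None

def _entries(tiff, ifd, endian):
    """Yield (entry_offset, tag, type, count, raw 4-byte value field) for one IFD."""
    for i in range(struct.unpack_from(endian + "H", tiff, ifd)[0]):
        off = ifd + 2 + 12 * i
        tag, typ, cnt = struct.unpack_from(endian + "HHI", tiff, off)
        yield off, tag, typ, cnt, bytes(tiff[off + 8:off + 12])

def _data_offset(endian, typ, cnt, raw):
    size = TYPE_SIZES[typ] * cnt  # values wider than 4 bytes are stored out of line at an absolute offset
    return (None, size) if size <= 4 else (struct.unpack(endian + "I", raw)[0], size)

def ifd0_tags(jpeg):
    x = _open(jpeg)  # tags still present in IFD0, to confirm non-location metadata survives the strip
    return [] if x is None else [e[1] for e in _entries(x[1], x[4], x[3])]

def read_gps(jpeg):
    """Decimal (lat, lon) from the GPS sub-IFD, or None: what a 'cyber-casing' script pulls out."""
    x = _open(jpeg)
    if x is None: return None
    _, tiff, _, endian, ifd0 = x
    gps = [e for e in _entries(tiff, ifd0, endian) if e[1] == GPS_IFD_TAG]
    if not gps: return None
    fields = {}
    for _, tag, typ, cnt, raw in _entries(tiff, struct.unpack(endian + "I", gps[0][4])[0], endian):
        off, _ = _data_offset(endian, typ, cnt, raw)
        if tag in (LAT_REF, LON_REF):
            fields[tag] = raw[:1].decode("ascii")
        elif tag in (LAT, LON) and off is not None:   # three RATIONALs: degrees, minutes, seconds
            vals = [struct.unpack_from(endian + "II", tiff, off + 8 * i) for i in range(3)]
            d, m, s = (n / q if q else 0.0 for n, q in vals)
            fields[tag] = d + m / 60 + s / 3600
    if LAT not in fields or LON not in fields: return None
    lat = -fields[LAT] if fields.get(LAT_REF) == "S" else fields[LAT]
    lon = -fields[LON] if fields.get(LON_REF) == "W" else fields[LON]
    return round(lat, 6), round(lon, 6)

def strip_gps(jpeg):
    """Copy with GPSInfo dropped from IFD0 and the GPS sub-IFD plus its out-of-line values zeroed in place."""
    x = _open(jpeg)
    if x is None: return jpeg
    prefix, tiff, suffix, endian, ifd0 = x
    entries = list(_entries(tiff, ifd0, endian))
    gps = [e for e in entries if e[1] == GPS_IFD_TAG]
    if not gps: return jpeg
    entry_off, gps_off = gps[0][0], struct.unpack(endian + "I", gps[0][4])[0]
    gps_entries = list(_entries(tiff, gps_off, endian))
    for _, _, typ, cnt, raw in gps_entries:            # coordinates live out of line: wipe them first
        off, size = _data_offset(endian, typ, cnt, raw)
        if off is not None: tiff[off:off + size] = bytes(size)
    gps_len = 2 + 12 * len(gps_entries) + 4
    tiff[gps_off:gps_off + gps_len] = bytes(gps_len)   # then the sub-IFD itself
    ifd_end = ifd0 + 2 + 12 * len(entries) + 4         # IFD0 through its next-IFD pointer
    tiff[entry_off:ifd_end - 12] = tiff[entry_off + 12:ifd_end]  # close the 12-byte hole
    tiff[ifd_end - 12:ifd_end] = bytes(12)             # segment length and all other offsets unchanged
    struct.pack_into(endian + "H", tiff, ifd0, len(entries) - 1)
    return prefix + bytes(tiff) + suffix

def build_sample_jpeg(lat=(37, 25, 30.0), lon=(122, 5, 0.0)):
    """Constructed input, not a real camera file: Exif APP1 with Make + GPSInfo in IFD0, no image data."""
    e, make, ifd0 = "<", b"Example\x00", 8
    make_off, gps_off = ifd0 + 30, ifd0 + 30 + len(make)   # IFD0 = count(2) + 2 entries(24) + next(4)
    lat_off, lon_off = gps_off + 54, gps_off + 78          # GPS IFD = count + 4 entries + next; lat = 24
    t = bytearray(b"II*\x00" + struct.pack(e + "I", ifd0))
    t += struct.pack(e + "H", 2)
    t += struct.pack(e + "HHII", 0x010F, 2, len(make), make_off)  # Make, ASCII, stored out of line
    t += struct.pack(e + "HHII", GPS_IFD_TAG, 4, 1, gps_off)
    t += struct.pack(e + "I", 0) + make
    t += struct.pack(e + "H", 4)
    for ref_tag, ref, tag, off in ((LAT_REF, b"N", LAT, lat_off), (LON_REF, b"W", LON, lon_off)):
        t += struct.pack(e + "HHI", ref_tag, 2, 2) + ref + b"\x00\x00\x00"
        t += struct.pack(e + "HHII", tag, 5, 3, off)
    t += struct.pack(e + "I", 0)
    for d, m, s in (lat, lon):
        t += struct.pack(e + "IIIIII", d, 1, m, 1, int(s * 100), 100)
    app1 = b"Exif\x00\x00" + bytes(t)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

In an upload pipeline, strip_gps (or the equivalent option of the image library, which should also cover a GPS IFD inside the thumbnail IFD1 and location fields in XMP) runs before the file is stored, and read_gps stays behind as a regression test that asserts None on every photo the site serves. Zeroing in place rather than rebuilding the TIFF is what keeps every other offset, and the APP1 segment length, valid.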
11. Issues From Poor Operations and Programming Practices
• The “niece’s blog” – not so private
– The aunt periodically did a Google search on nieces and nephews to keep up with their activities
– The niece was a college freshman
– Wrote one blog for parents and relatives
– Wrote a second blog just for friends
• Password protected
• Drugs, sex, wild parties, disparaging comments on family
• Google found it with normal “spidering”: the pages were served to an unauthenticated crawler, so the “password” protected nothing; whatever a crawler can fetch, anyone can read
12. Issues From Poor Operations and Programming Practices
• Application reveals credit card numbers
13. Issues From Poor Operations and Programming Practices
• Not enough testing
– http://techie-buzz.com/tech-news/credit-card-numbers-of-blippy-users-show-up-on-google.html (April 23, 2010)
14. Issues From Poor Operations and Programming Practices
• Insufficient testing or poor configuration reveals private chats on Facebook
15. Issues From Poor Operations and Programming Practices
• Hackers successfully penetrate a well-known site
– Hackers plant “drive-by downloads” on poorly protected sites
• safeweb.norton.com/buzz
16. Issues From Poor Operations and Programming Practices
• AT&T website exposed the phone IDs and email addresses of 114,000 iPad owners
– dozens of CEOs, military officials, and top politicians
– FBI investigating
– Wall Street Journal, June 11, 2010
17. User Education: “Forget Email... Social’s the New Spam Vector”
• “… this shift in spammer strategy from email to social networking sites tracks perfectly with users’ online behavior”
• “spammers are counting on … our collective naïveté.”
18. Privacy Issue Consequences
• Sun Microsystems Alumni Assn. threads about security on Facebook and Yahoo
– My Yahoo e-mail account was hacked about a year ago. … When I tried to report this to Yahoo support, I received a return e-mail asking for my account name and password.
– Obviously, this account is toast for anything but the most casual use. … I regard Yahoo mail, Facebook, and any social networking site as a threat to my security and use such things very little.
19. Privacy Issue Consequences
• “Facebook Seeps Onto Other Web Sites” – NY Times, April 19, 2010
– Analysts say Facebook’s desire to spread its tentacles across the Web could run into privacy hurdles, as it will require the company to share increasing amounts of personal information about its users with other sites.
– “They are going to have to secure more consumers’ approval for data-sharing,” said Augie Ray, analyst at Forrester Research.
20. Privacy Issue Consequences
• Increased privacy concerns – “Tell-All Generation Keeps Some Things Offline,” NY Times, May 9, 2010
– “Mistrust of the intentions of social sites appears to be pervasive … telephone survey found 88 percent of 18- to 24-year-olds said there should be a law … to delete stored information [on social media websites.]”
– “Two weeks ago, Senator Charles Schumer … petitioned the Federal Trade Commission to review privacy policies of social networks.”
23. Zuckerberg Public Letter Really Targets Federal Government
• Zuckerberg letter to blogger and Op-Ed piece in Wash. Post, May 24, 2010 – http://www.washingtonpost.com/wp-dyn/content/article/2010/05/23/AR2010052303828.html
– “There needs to be a simpler way to control your information,” he wrote. “In the coming weeks, we will add privacy controls that are much simpler to use. We will also give you an easy way to turn off all third-party services.”
– First response to “furor over Facebook’s user privacy moves that left the site with a public relations problem and fighting to defend its reputation.”
24. Damage to Facebook Brand
• Why Facebook’s “private” messages are a joke, Jesse Stanchak, May 6, 2010, http://smartblogs.com/socialmedia/2010/05/06/why-facebooks-private-messages-are-a-joke/
• ACLU Weighs in on Facebook’s Privacy Issues, Rex Gradeless, May 13, 2010, http://socialmedialawstudent.com/featured/aclu-weighs-in-on-facebooks-privacy-issues/
• 6 Alternatives to Facebook, Itamar Kestenbaum, May 20, 2010, http://www.socialmediatoday.com/SMC/199443
25. Damage to Facebook Brand
• Facebook, privacy settings and taking control of your personal brand online, Matt Rhodes, 26 May 2010, http://www.freshnetworks.com/blog/2010/05/facebook-privacy-settings-and-taking-control-of-your-personal-brand-online/
• Social Media: The Privacy and Security Repercussions, Johnny Widerlund, Search Engine Watch, June 19, 2010, http://searchenginewatch.com/3640696
• Give some thought to social media and privacy, Janet, July 9, 2010, http://janetfouts.com/social-media-privacy/
26. A Different View of User Privacy
• Steve Jobs on privacy:
– “… different view … than some of our colleagues in the Valley. We take privacy very seriously.”
– “Privacy means people know what they’re signing up for. In plain English. … repeatedly”
– “Let them know precisely what you’re going to do with their data.”
– Wall Street Journal, Technology, Kara Swisher and Walt Mossberg, June 7, 2010, p. R3.
27. More Consequences
• Consumer Reports, June 2010
– Two out of three online U.S. households use social networks such as Facebook and MySpace, nearly twice as many as a year ago.
– But “millions … put themselves and their families at risk by exposing very sensitive personal information,” … national survey of 2,000 online households conducted in January.
28. Eric Schmidt Calling for a “Young Adult Witness Protection Program”?
• “[Schmidt] predicts, apparently seriously, that every young person one day will be entitled automatically to change his or her name on reaching adulthood in order to disown youthful hijinks stored on their friends’ social media sites.”
• A technical solution to an important policy issue?
• Doesn’t Google have any responsibility here?
29. Brand Damage: Poor Opinion of Social Media Websites
• ForeSee Results, Annual E-Business Report for the American Customer Satisfaction Index (ACSI), July 20, 2010 – http://www.foreseeresults.com/research-white-papers/ACSI-e-business-report-2010.shtml
• “…interviews with approx. 70,000 customers … to measure satisfaction with more than 200 companies in 44 industries and 10 economic sectors”
• Key finding: “Social Media: Customer satisfaction with social media sites is poor (70) … lowest industry aggregate score of any of the e-business or e-retail industries.”
– Better than only airlines and subscription TV (66)
30. “Social Insecurity”
• “We’re just at the beginning (italics added for emphasis) of seeing what the implications are for so much information being posted on social networks,” Nicole Ozer, technology and civil liberties policy director, ACLU of Northern California
32. Privacy Issue Consequences
• “Cookies’ Cause Bitter Backlash” – Wall Street Journal, September 19, 2010, http://online.wsj.com/article_email/SB10001424052748704416904575502261335698370-lMyQjAxMTAwMDIwMDEyNDAyWj.html
• Companies now using “Flash cookies” (Flash Local Shared Objects, stored outside the browser’s cookie jar and so untouched by its clear-cookies control) that can “re-spawn” ordinary cookies after the user deletes them
• Six lawsuits filed since July
• “There are some in the industry who do not believe that users should be able to block tracking…,” Chris Hoofnagle, director, Berkeley Center for Law & Technology’s information-privacy programs
• Two bills introduced into Congress
• Federal Trade Commission expected to issue new guidelines by December
33. Twitter Settles Federal Trade Commission Charges
• FTC charged Twitter deceived consumers and put privacy at risk
• First case by the FTC against a social media site
• Complaint charged that poor security allowed hackers to gain admin control and send phony tweets
• Twitter barred for 20 years from misleading consumers about security, privacy and confidentiality; also must create a comprehensive security program, with outside auditing
34. A Legal Precedent for User Privacy Legislation
• State privacy laws – California SB 1386
– Effective July 1, 2003
– Requires an agency, person or business that conducts business in California … to disclose any breach of security (to any resident)
– Similar laws now in force in 46 US states
• What would be the impact if these laws were extended to general privacy issues?
35. Market Requirements
• Well-researched market requirements should cover both stated and unstated (latent) needs
– Waterfall or Agile, both need requirements
• Security needs are not called out because they are “universally understood”, or perhaps not understood at all
36. Market Requirements
• Who understands security (privacy)?
– Almost all end users (business, consumer/home) do not begin to understand security issues
– Most line-of-business owners prioritize time-to-market, or won’t invest in effective security
– Most product managers don’t understand security
– Many software developers do not know how to write secure code
– IT often deploys insecure websites and networks
37. Market Requirements
• Product manager must take a leadership role to articulate unspoken market requirements
– Protect your company’s brand and revenue
– Perhaps protect your career
• Security and privacy policy
– User privacy respected by the website owner company and third parties, including advertisers
– User data protected from unauthorized access by individuals and companies
38. Market Requirements
• User education
– Educated about managing their data
– Educated about privacy implications of sharing data
– Provided with effective and timely advice and warnings about social engineering attacks
– Get effective help if they suspect a security issue
39. Market Requirements
• Programming, administration and operations
– Test all changes to prevent exposure of user data
– Simplify data sharing options and default to NONE
– Ensure that user-posted content is safe
– Detect and remove malware planted by hackers
– Work with security vendors on emerging threats
– Notify users proactively of security breaches, even if not required by law
– Include partners in security programs
– Maintain ongoing programs and provide sufficient resources, including outside help
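The first requirement above (test all changes to prevent exposure of user data) is the lesson of the “niece’s blog”, the Blippy card numbers and the AT&T e-mail addresses on slides 11 to 16: whatever an unauthenticated client, including a search-engine crawler, can fetch is public. The following Python is an added example, not code from the deck or from any of the companies named: a Luhn-validated payment-card detector and an e-mail detector run over response bodies, plus a release gate that lists the pages that leak. The sample pages are constructed for the example and do not reproduce either incident; function names are this example’s own.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens, not inside a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def luhn_ok(digits):
    """Luhn check digit: separates real card numbers from order ids, tracking numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep BIN and last four: a finding must not itself re-expose the number it reports."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Masked card numbers in text; separators are removed before the length and Luhn checks."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def find_emails(text):
    return EMAIL_RE.findall(text)


def scan_text(text):
    """Findings for one rendered body, log line or API payload."""
    return {"pans": find_pans(text), "emails": find_emails(text)}


def check_release(pages):
    """pages: {url: body as an unauthenticated client sees it}. Leaking urls, so a test stage can fail closed."""
    return sorted(url for url, body in pages.items() if any(scan_text(body).values()))


# Constructed sample responses (not taken from any real site): an activity feed that echoes a payment
# card, a profile API that returns the account e-mail, and a page with a harmless 13-digit order number
# that the Luhn check correctly ignores.
SAMPLE_PAGES = {
    "/activity/alice": "<li>alice bought Coffee at Cafe for $4.25 "
                       "(card 4111 1111 1111 1111, auth 1234567890123456)</li>",
    "/api/profile?id=1": '{"email": "alice@example.com", "plan": "3G"}',
    "/about": "<p>Questions? Use the contact form. Order #7788990011223 ships Monday.</p>",
}
```

Point check_release at the bodies that staging returns to a client with no session cookie (the crawler’s view of the site, which is exactly what Google indexed in the Blippy case), and fail the deployment on a non-empty result. The scan is a safety net for the class of bug where a template or configuration change leaks a field; it does not replace authorization tests on the endpoints themselves.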
40. Takeaway Ideas
• You must understand the business consequences of poor security and privacy
– It’s only your company’s business model and maybe your career
• As the product champion, you must articulate the issues and document the requirements inside your organization
• You do not have to be a security expert
• Read my blog – www.280group.com/blog/
41. 280 Group Free Resources
• Free templates and white papers
• 2009 Product Management Survey Results
• PM job listing sites
• 280 Group Product Management 2.0 Newsletter
• 280 LinkedIn Group
• Product Management 2.0 Blog
• Books
• PMA listings
Go to www.280group.com in the “Resources” section.
42. 280 Group
The Product Marketing & Product Management Experts™
• Consulting & Contractors
• Toolkits & PM Office™ (Product Manager’s, Roadmaps, Launches, Beta, Reviews)
• Training: public & private
– PM Fast Track™
– Agile Excellence for Product Managers
– Customer & Market Research
– Effective Decision Making
– Interactivity & Communication
– Market Value Pricing
– Personal Strategic Plans For PMs
– Time Management & Productivity
– GREAT Demos!
• Certifications: self-study & in-person courses
– Agile Certified Product Manager™
– Certified Product Manager™
– Certified Product Marketing Manager™
43. Closure
• Questions
• Contact me later
– phil@280group.com
– (650) 766 9970
– http://tungle.me/philburton to set up an appointment