What Cybersecurity Teams Can Learn From Product Management

Forbes

2 days ago

Dan DeCloss is the founder and CTO of PlexTrac and has over 20 years of experience in cybersecurity.
What does it take to be a successful entrepreneur? The most obvious answers are passion, determination and a clear vision. But humility and a willingness to listen and accept feedback are just as—if not more—important.
In fact, many successful entrepreneurs will tell you that there's nothing more important than customer feedback.
Getting a continuous flow of feedback is a great scenario; however, it presents a big challenge: What do you prioritize first?
This is the exact question that product teams ask every day. Just as entrepreneurs look to make the biggest impact on their product in the shortest amount of time, product teams want to maximize efforts.
The challenge is determining what is actually going to move the needle while also taking into account which customer requests must be addressed first, which bugs and defects are make-or-break and what new features will outweigh the cost of technical debt.
Other teams, like cybersecurity, can also learn a lot from product teams.
Prioritization challenges are common among product teams, which is why they've developed mature processes and frameworks to manage them effectively. If you take these same challenges and apply them to cybersecurity teams, the similarities are striking.
Both disciplines ultimately share the same mission: to enable the business to succeed and serve its customers.
This alignment means both product and cybersecurity teams must base their plans and priorities on how best to support business goals.
While cybersecurity program management is still maturing, product management (PM) offers a well-established playbook to learn from. By drawing these parallels, security teams can uncover valuable insights and adopt proven practices to advance and streamline their own operations.
Let's dive into some of the challenges in cybersecurity and identify ways that product management is solving them.
Cybersecurity teams are always responding to alerts, leaving them in a constant state of reaction. This can lead to a common sense of 'alert fatigue' and burnout. Security teams also tend to get inundated with vulnerabilities and findings from proactive scans and assessments.
This problem has a direct correlation to the prioritization challenges within product management. Product management teams manage this with a systematic approach, using sprints, capacity planning and backlog grooming to plan for work. Each sprint is loaded with work for the team and a dedicated buffer to allow for any unplanned work, such as critical bugs, etc.
Security teams can make great strides in their journey to accomplish more work and move to a proactive state by following similar principles. If a security team operates in a sprint model, they can load planned work while leaving room for unplanned work. This feeds directly into the prioritization discussion.
Establishing a clear process around planning work is the foundation for meaningful prioritization discussions. In cybersecurity, this is especially vital as teams are inundated with all kinds of vulnerabilities, compliance items, alerts, etc.
By taking a page from the PM playbook, security teams can build a roadmap of initiatives based on their priority. One effective method is scoring each initiative based on its relative importance and impact on the business. Applying this framework helps security teams assess risk and prioritize efforts in the context of broader business goals.
Of course, prioritization becomes challenging when urgent injections or alerts arise. That's where a defined escalation process—similar to an incident response plan—becomes essential, enabling teams to handle interruptions in a structured and consistent manner.
Once you have defined your roadmap and established your work cadences, you're fully operational. But are you successful? This is where metrics come into play. PM teams measure how long it takes to get a feature or product to market as well as the adoption rate of the features. They also measure the allocation of time within each sprint.
Security teams should adopt a similar mindset, dedicating 60% of sprint time to proactive security measures and 40% to reactive tasks. Additional metrics should be used to track mean time to resolution, meant time to detection and risk reduction over time. There are many other metrics to consider, but the goal is to ensure you're able to show progress in achieving KPIs and reducing risk exposure.
Prioritization remains one of the toughest challenges for nearly everyone, from entrepreneurs sifting through customer feedback to cybersecurity leaders triaging vulnerabilities, alerts, compliance requirements and managing risks.
Product teams have spent years refining their approaches to prioritization—turning feedback overload into focused roadmaps and aligning work with business goals. It's time for cybersecurity to steal from that playbook.
By borrowing the frameworks, mindset and strategic discipline of product management, security teams can navigate complexity with greater clarity, build more impactful programs and, ultimately, drive better outcomes for the business. The blueprint already exists—are you bold enough to use it?
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?