Tech giants still not doing enough to fight fakes, says European Commission

It’s a year since the European Commission got a bunch of adtech giants together to spill ink on a voluntary Code of Practice to do something — albeit, nothing very quantifiable — as a first step to stop the spread of disinformation online.

Its latest report card on this voluntary effort sums to: the platforms could do better.

The Commission said the same in January. And will doubtless say it again. Unless or until regulators grasp the nettle of online business models that profit by maximizing engagement. As the saying goes, lies fly while the truth comes stumbling after. So attempts to shrink disinformation without fixing the economic incentives to spread BS in the first place are mostly dealing in cosmetic tweaks and optics.

Signatories to the Commission’s EU Code of Practice on Disinformation are: Facebook, Google, Twitter, Mozilla, Microsoft and several trade associations representing online platforms, the advertising industry, and advertisers — including the Internet Advertising Bureau (IAB) and World Federation of Advertisers (WFA).

In a press release assessing today’s annual reports, compiled by signatories, the Commission expresses disappointment that no other Internet platforms or advertising companies have signed up since Microsoft joined as a late addition to the Code this year.

“We commend the commitment of the online platforms to become more transparent about their policies and to establish closer cooperation with researchers, fact-checkers and Member States. However, progress varies a lot between signatories and the reports provide little insight on the actual impact of the self-regulatory measures taken over the past year as well as mechanisms for independent scrutiny,” commissioners Věra Jourová, Julian King and Mariya Gabriel said in a joint statement.

“While the 2019 European Parliament elections in May were clearly not free from disinformation, the actions and the monthly reporting ahead of the elections contributed to limiting the space for interference and improving the integrity of services, to disrupting economic incentives for disinformation, and to ensuring greater transparency of political and issue-based advertising. Still, large-scale automated propaganda and disinformation persist and there is more work to be done under all areas of the Code. We cannot accept this as a new normal,” they add.

The risk, of course, is that the Commission’s limp-wristed code risks rapidly cementing a milky jelly of self-regulation in the fuzzy zone of disinformation as the new normal, as we warned when the Code launched last year.

The Commission continues to leave the door open (a crack) to doing something platforms can’t (mostly) ignore — i.e. actual regulation — saying its assessment of the effectiveness of the Code remains ongoing.

But that’s just a dangled stick. At this transitionary point between outgoing and incoming Commissions, it seems content to stay in a ‘must do better’ holding pattern. (Or: “It’s what the Commission says when it has other priorities,” as one source inside the institution put it.)

A comprehensive assessment of how the Code is working is slated as coming in early 2020 — i.e. after the new Commission has taken up its mandate. So, yes, that’s the sound of the can being kicked a few more months on.

Summing up its main findings from signatories’ self-marked ‘progress’ reports, the outgoing Commission says they have reported improved transparency between themselves vs a year ago on discussing their respective policies against disinformation. 

But it flags poor progress on implementing commitments to empower consumers and the research community.

“The provision of data and search tools is still episodic and arbitrary and does not respond to the needs of researchers for independent scrutiny,” it warns. 

This is ironically an issue that one of the signatories, Mozilla, has been an active critic of others over — including Facebook, whose political ad API it reviewed damningly this year, finding it not fit for purpose and “designed in ways that hinders the important work of researchers, who inform the public and policymakers about the nature and consequences of misinformation”. So, er, ouch.

The Commission is also critical of what it says are “significant” variations in the scope of actions undertaken by platforms to implement “commitments” under the Code. It notes that differences in the implementation of platform policy, in cooperation with stakeholders and in sensitivity to electoral contexts persist across Member States, as well as differences in the EU-specific metrics provided.

But given the Code only ever asked for fairly vague action in some pretty broad areas, without prescribing exactly what platforms were committing themselves to doing, nor setting benchmarks for action to be measured against, inconsistency and variety are really what you’d expect. That and the can being kicked down the road.

The Code did extract one quasi-firm commitment from signatories — on the issue of bot detection and identification — by getting platforms to promise to “establish clear marking systems and rules for bots to ensure their activities cannot be confused with human interactions”.

A year later it’s hard to see clear signs of progress on that goal. Although platforms might argue that what they claim is increased effort toward catching and killing malicious bot accounts before they have a chance to spread any fakes is where most of their sweat is going on that front.

Twitter’s annual report, for instance, talks about what it’s doing to fight “spam and malicious automation strategically and at scale” on its platform — saying its focus is “increasingly on proactively identifying problematic accounts and behaviour rather than waiting until we receive a report”; after which it says it aims to “challenge… accounts engaging in spammy or manipulative behavior before users are exposed to misleading, inauthentic, or distracting content”.

So, in other words, if Twitter does this perfectly — and catches every malicious bot before it has a chance to tweet — it might plausibly argue that bot labels are redundant. Though it’s clearly not in a position to claim it’s won the spam/malicious bot war yet. Ergo, its users remain at risk of consuming inauthentic tweets that aren’t clearly labeled as such (or even as ‘potentially suspect’ by Twitter). Presumably because these are the accounts that continue slipping under its bot-detection radar.

There’s also nothing in Twitter’s report about it labelling even (non-malicious) bot accounts as bots — for the purpose of preventing accidental confusion (after all, satire misinterpreted as truth can also result in disinformation). And this despite the company suggesting a year ago that it was toying with adding contextual labels to bot accounts, at least where it could detect them.

In the event, it has resisted adding any more badges to accounts, while an internal reform of its verification policy for verified account badges was put on pause last year.

Facebook’s report also only makes a passing mention of bots, under a section sub-headed “spam” — where it writes circularly: “Content actioned for spam has increased considerably, since we found and took action on more content that goes against our standards.”

It includes some data-points to back up this claim of more spam squashed — citing a May 2019 Community Standards Enforcement report — where it states that in Q4 2018 and Q1 2019 it acted on 1.8 billion pieces of spam in each of the quarters vs 737 million in Q4 2017; 836 million in Q1 2018; 957 million in Q2 2018; and 1.2 billion in Q3 2018. 

Though it’s lagging on publishing more up-to-date spam data now, noting in the report submitted to the EC that: “Updated spam metrics are expected to be available in November 2019 for Q2 and Q3 2019” — i.e. conveniently late for inclusion in this report.

Facebook’s report notes ongoing efforts to put contextual labels on certain types of suspect/partisan content, such as labelling photos and videos which have been independently fact-checked as misleading; labelling state-controlled media; and labelling political ads.

Labelling bots is not discussed in the report — presumably because Facebook prefers to focus attention on self-defined spam-removal metrics vs muddying the water with discussion of how much suspect activity it continues to host on its platform, either through incompetence, lack of resources or because it’s politically expedient for its business to do so.

Labelling all these bots would mean Facebook signposting inconsistencies in how it applies its own policies, in a way that might foreground its own political bias. And there’s no self-regulatory mechanism under the sun that will make Facebook fess up to such double standards.

For now, the Code’s requirement for signatories to publish an annual report on what they’re doing to tackle disinformation looks to be the biggest win so far. Albeit, it’s very loosely bound self-reporting. And some of these ‘reports’ don’t even run to a full page of A4 text — so set your expectations accordingly.

The Commission has published all the reports here. It has also produced its own summary and assessment of them (here).

“Overall, the reporting would benefit from more detailed and qualitative insights in some areas and from further big-picture context, such as trends,” it writes. “In addition, the metrics provided so far are mainly output indicators rather than impact indicators.”

Of the Code generally — as a “self-regulatory standard” — the Commission argues it has “provided an opportunity for greater transparency into the platforms’ policies on disinformation as well as a framework for structured dialogue to monitor, improve and effectively implement those policies”, adding: “This represents progress over the situation prevailing before the Code’s entry into force, while further serious steps by individual signatories and the community as a whole are still necessary.”

Waymo expands self-driving services to include B2B car parts delivery trial

Self-driving vehicle technology company Waymo is expanding its business relationship with automotive retail company AutoNation, the companies announced today. The new extension builds on the existing partnership between Waymo and AutoNation, which began as a way for Waymo to service its Phoenix, Arizona-based vehicles, and which grew last year into an arrangement wherein Waymo would provide autonomous transportation to AutoNation customers on their way to the dealerships.

Now, the partnership enters a new, third realm of business: business-to-business goods transportation. Waymo vehicles in the Phoenix, Arizona area will now be used to move car parts between AutoNation’s Toyota Tempe locations and other repair shops in the area, including those run by independent third parties.

Waymo has been focused primarily on passenger transportation, launching and operating a pilot ride-hailing service using its autonomous cars in the Phoenix testing area where its vehicles are cleared to operate. The Alphabet-owned company’s CEO John Krafcik told a group of reporters on Sunday in Detroit that driverless delivery likely has a better chance of catching on early vs. passenger transportation, which could explain why this latest pilot sees Waymo look towards repeatable delivery routes for commonly transported goods.

The future of cybersecurity VC investing with Lightspeed’s Arif Janmohamed

There are two types of enterprise startups: those that create value and those that protect value. Cybersecurity is most definitely part of the latter group, and as a vertical, it has sprawled the past few years as the scale of attacks on companies, organizations, and governments has continuously expanded.

That may be a constant threat for the executives of major companies, but for cybersecurity VCs who pick the right startup targets for investment, it’s a potential gold mine. Here at Extra Crunch, we compiled a list of top VCs who have invested in cybersecurity and enterprise more broadly and asked them what’s interesting in the space these days. We compiled ten of their responses as part of our investor survey and you should definitely take a look for their interesting takes on the space.

But we wanted to go a bit deeper on the topic to learn more about what’s happening right now in cybersecurity. So today, we talk with Arif Janmohamed of Lightspeed Venture Partners, one of the leading investors at one of the top enterprise VC firms in the world. He’s invested in companies ranging from cloud-access security broker Netskope and search analytics platform ThoughtSpot to Qubole (big data analytics), Nutanix (hyper-converged infrastructure), and Arceo.ai (cyber risk management).

Arif Janmohamed. Image via Lightspeed Venture Partners

TechCrunch’s security guru Zack Whittaker, managing editor Danny Crichton and operations editor Arman Tabatabai sat down with him to discuss what he’s seeing at the earliest stages in cybersecurity, which trends are being ignored by the industry and what he sees as the future of security in an always-changing present.

Introduction and Background

The following interview has been condensed and edited for clarity.

Danny Crichton: Let’s start with a bit of your background.

Arif Janmohamed: Sure. I’m on the early-stage side, so I have the most fun when I’m working with founders at the very earliest stages of company formation, where I can focus on company design, product and go-to-market and then find the right balance of teams to fill that out.

I’m on the board of Netskope, which is a cloud-security company. That one I did the Series B back in 2013. I’m on the board of TripActions, which is a corporate travel company, I did that one and then led the Series A and the Series B. I’m on the board of Moveworks, which is an AI engine for IT that was seeded by me and then I’ve supported them through their subsequent financing. I’m also on the board of a number of other companies.

Am I purely security-focused? The answer is no, I’m very much enterprise-focused. Security in my mind really fits within that rubric of the enterprise stack that’s getting rebuilt for a cloud-first world.

What’s snake oil and what has real value?

Zack Whittaker: So I’ve got a question that I just want to jump right in with. I’m always curious about this, especially when it comes to the very early stage, how do you go about distinguishing between potential snake oil and the things that seem really viable in the security world?

Where top VCs are investing in cybersecurity

Security is one of the toughest things to get right; a hacker only needs to win once, but businesses have to get it right every single time.

Not every company faces the same field of threats. That’s what makes security particularly difficult — there are no panaceas, and the cybersecurity startup field is crowded. So much so, some entrepreneurs complain that the vast number of solutions on the market are weighing down chief security officers with a deluge of data but not the clear visibility they need.

Or, as one of the cybersecurity-focused VCs we surveyed called it: “startup fatigue.”

Many of the rising cybersecurity startups focus on the same or overlapping problems, which could lead to a “cybersecurity consolidation,” one that’s dictated by customers and not necessarily the businesses themselves.

But there’s usually one element that feeds into everything — data.

As hacks and breaches become more common, companies and customers alike are reevaluating their relationships with data. Customers want more ownership of their data and the ability to give it out granularly, while an increasing number of businesses are shifting away from central banks of data and leaning towards a “zero data” approach.

That companies are minimizing the amount of information they store or collect is validation that even some larger startups don’t trust themselves to secure data properly.

Not only that, there’s as much mistrust inside their own networks. That’s where “zero trust” comes into play — where you don’t trust, but you certainly verify. The idea is that you get no extra special access inside a company’s four walls. Many big companies, like Google, treat all employees as if they present the same level of security risk whether they’re in the office, at home, or in a coffee shop down the street.

“You should be able to run your whole business out of a Starbucks,” said Google security chief Heather Adkins at Disrupt SF.

Why the mistrust? Because security isn’t just a technology problem, it’s a people problem. And it’s not only people creating the solutions; it’s people with the solutions who create these startups to begin with.

We asked ten leading cybersecurity VCs who work at firms that span early to growth stages to share where they see opportunity in this sector:

In addition, we did a deep-dive interview with Arif Janmohamed at Lightspeed about how he and his firm are targeting the sector and what he sees as the next-generation of cybersecurity startups. Be sure to check it out.

Now, let’s get to the data.

Answers have been edited for clarity.

Amit Karp, Partner at Bessemer Venture Partners

In cybersecurity, what are you most interested in right now from an investment perspective?

Unfortunately, the cybersecurity landscape is overcrowded with many vendors that offer point solutions. I believe CISOs are tired of deploying additional security products which for the most part have overlapping functionality. So I am very cautious with additional tools that are deployed inside the enterprise perimeter (network, endpoint, etc.). I am looking for companies that can be deployed quickly and demonstrate immediate value to CISOs, and do not overwhelm the CISO with many new alerts.

What are the most interesting trends in the space, particularly ones you think are under-appreciated by other investors?

I think there are still many opportunities to improve application security. The combination of every company becoming a software company on the one hand and development environments becoming more chaotic on the other hand, results in many new risks and opportunities in securing your software. This includes securing third-party APIs or open-source components which are outside your control and giving developers and devops engineers more security tools while not hindering the pace of development.

Another interesting trend is micro-segmentation and authorization — with the adoption of zero-trust frameworks and authentication becoming a solved problem — deciding who gets access to what has become increasingly important.

Are there any startups in cybersecurity you wish existed, but haven’t seen yet?

Sony to shut down PlayStation Vue on January 30, 2020

Sony’s live TV streaming service, PlayStation Vue, is shutting down. The service will no longer be available as of January 30, 2020, the company announced today. The news comes only days after rumors circulated which claimed Sony was in search of a new owner for the struggling service.

A report in The Information claimed Sony had talked to fuboTV about a possible deal which would include Vue’s subscriber base of some 500,000 users and its underlying technology. It also said Sony had tapped Bank of America Merrill Lynch to explore a sale several months ago.

The business was said to be valued in the tens of millions.

The news of Vue’s closure will likely disappoint a number of fans of the streaming service, who appreciated Vue’s user interface and unique features — like multi-view, which let you watch multiple live programs at once — as well as its decent sports package.

It’s not surprising, however, that Vue didn’t pan out. The service initially faced challenges in consumer adoption, largely because of its branding. Calling it “PlayStation Vue” made many consumers think it was limited to PlayStation consoles. In reality, the service was available across platforms just like Hulu Live TV, YouTube TV, Sling TV and others are. You didn’t even need to own a PlayStation to use it.

Sony has 100 million PlayStation 4s on the market, it says, which makes its inability to make Vue work even more disappointing. Not only was Vue one of the first live TV streaming services to arrive on the market, it had a built-in audience to advertise to. But the rising costs of programming make these live TV streaming services a thin margin business at best, and have forced price hikes across the industry, including all of Vue’s rivals.

In the end, Sony claimed market pressures are what led to Vue’s demise.

“Unfortunately, the highly competitive Pay TV industry, with expensive content and network deals, has been slower to change than we expected. Because of this, we have decided to remain focused on our core gaming business,” the Sony announcement stated.

The company directed PlayStation owners to its PlayStation Store on PS4 to continue to access movie and TV content going forward.

“We are very proud of what PlayStation Vue was able to accomplish. We had ambitious goals for how our service could change how people watch TV, showcasing PlayStation’s ability to innovate in a brand-new category within the Pay TV industry. We want to thank all of our customers, some of whom have been with us since PlayStation Vue’s launch in 2015,” the announcement read.

Samsung’s new laptops charge phones with their touchpad

Some features are the result of consumer demand. Others simply make sense. And then there are features like the Galaxy Book Flex and Ion’s Wireless PowerShare that appear to be more a product of a “because we can” approach to product design.

Wireless charging is, in and of itself, kind of a no-brainer in an era when many or most flagship smartphones support the technology. Samsung’s implementation, however, leaves a lot to be desired here. It’s true, of course, that Wireless PowerShare’s implementation is less than ideal, requiring one of two phones to be face-down, but I can certainly see applications for the tech.

On the new laptops, however, charging the phone requires that it occupy all of the trackpad. In the case of the Flex, I suppose you can still use the touchscreen (there isn’t one on the Ion), but even so, there’s no scenario in which having a phone sitting on the trackpad doesn’t seriously dampen one’s ability to get some serious work done.

Between the issues and the fact that you can charge your phone the old-fashioned way with the laptops, it’s hard to find a scenario in which the feature is anything but a gimmick. Samsung says the trackpad offered the easiest implementation of the tech — versus, I suppose, the palm rest or the top of the device. I’m not sure there’s a great implementation for a feature that might have been better left on the drawing board.

It’s a silly feature on what are otherwise very solid additions to Samsung’s laptop line. The Flex is the more premium of the two, featuring a touchscreen and the 360-degree hinge that gives the device its name. The laptop has an aluminum body with a “royal blue” finish and a built-in slot for the included S Pen. It comes in both 13 and 15-inch varieties, with a 10th-gen Intel processor, 16GB of RAM and up to a TB of storage.

Also available in 13 and 15-inch versions, the Ion ditches the touchscreen and 360 hinge, but maintains an ultra-thin, lightweight design.

Samsung’s jumping the gun a little early on the announcement here. Both models will be available in the U.S. early next year, priced similarly to their predecessors. Asked why the company didn’t just wait for CES for the announcement, it noted models arrive at different times in different markets.

Based on past systems, it seems like a pretty safe bet that they’ll be hitting Korean shores earlier. Perhaps in time for the holidays.

Yext Answers helps businesses provide better site search

Yext helps businesses manage their presence on search and across the web; starting today, with the launch of Yext Answers, it’s also helping them provide a better experience on their own websites.

“It lets any company with a website answer a question about their own brand in a Google-like experience on their own site,” CEO Howard Lerman told me.

While Lerman is officially announcing Yext Answers onstage at the company’s Onward conference this afternoon, the issue is clearly one he’s been thinking about for a while — in an interview earlier this year, he described user-generated content as “tyranny,” and claimed the company’s “founding principle is that the ultimate authority on how many calories are in a Big Mac is McDonald’s.”

It’s a theme that Lerman returned to when he demonstrated the new product for me yesterday, running a number of Google searches — such as “student checking account” — where a brand might want to be relevant, but where the results mostly come from SEO-optimized advice and how-to articles from third-party sites.

“The world of search became pretty cluttered with all these self-declared experts,” he said.

The goal with Yext Answers is to turn a brand’s website into the source that consumers turn to for information on these topics. Lerman said the big obstacle is the simple fact that most site search is pretty bad: “The algorithms that are there today are the algorithms of 1995. It’s keyword-based document search.”

So if you don’t enter exactly the right keywords in exactly the right order, you don’t get useful results. Yext, on the other hand, has supposedly spent two years building its own search engine, with natural language processing technology.

As Lerman showed me, that means it can handle more complex, conversational queries like “broccoli cheese soup recipes in 10 minutes or less.” He also pointed out how Yext has tried to follow Google’s lead in presenting the results in a variety of formats, whether that’s just a straightforward answer to a question, or maps if you’re searching for store locations.

In addition, Yext Answers customers will get analytics about what people are searching for on their site. If people are searching for a question that the site isn’t answering, businesses can then take advantage of their company’s knowledge base to publish something new — and that, in turn, could also help them show up in search results elsewhere.

Yext Answers has been beta testing with companies like Three Mobile, BBVA USA, IHA and Healthcare Associates of Texas. You can also try it out for yourself on the Yext site.

“Yext Answers represents a level of sophistication that elevates our current search into a predictive, insightful tool that provides opportunities to better understand what our patient population is interested in finding on our site,” said Lori Gillen, marketing director at Healthcare Associates of Texas, in a statement. “It is intelligent enough to understand complex relationships between HCAT-specific facts, like doctors to procedures or specialties to locations, and give insights into what our patients want to know.”

Yext Answers is now available in English-speaking countries.

Fountain, a platform for recruiting gig and hourly workers, raises $23M

Contract, self-employed and temporary jobs are on the rise in developed markets, with some 85% of the global workforce, 2.7 billion people, estimated to be on some form of hourly wage rather than flat salary.

Today, a startup that helps companies source these kinds of candidates is announcing a round of funding to help meet that demand. Fountain, which has built a platform to find and screen candidates for field roles — not knowledge worker desk jobs, but hourly work that likely has you on your feet — has raised $23 million, money that it will be using to continue expanding its platform, the kinds of services it provides to its customers, and its geographical footprint.

Fountain already has some scale: the company currently sources and processes more than 1 million inbound candidate applications each month, filling some 150,000 jobs in the process, CEO and founder Keith Ryu said in an interview.

In addition to building engines to source candidates through a number of channels such as traditional job boards, social media channels, a company’s own site, and more, Fountain then helps with screening, interview scheduling, background checks (using third-party providers for this part), communicating with the candidate, handling the paperwork and finally onboarding.

Led by DCM, this latest round also included a potentially strategic backer, the Chinese recruitment site 51job, as well as Origin Ventures, Uncork Capital, and others that are not being named. This brings the total raised by Fountain, which previously was called OnboardIQ and had been incubated in Y Combinator, to $34 million.

Fountain’s business targets two main kinds of employers. First, ridesharing companies like Uber, delivery startups like Postmates and home services providers like Thumbtack all function by virtue of their pools of “gig” workers, self-employed people who choose their own working hours and dip into the platforms for assignments when they have time to fulfil them.

But the challenge of finding good people for field jobs is not venture-backed startups’ alone. The second big category that Fountain taps for business is the wider pool of retail and food industry businesses that have long relied on hourly workers and also find it hard to source qualified and reliable people.

Between those two, Ryu said that customers cover big “gig economy” businesses like Uber Eats, Caviar and Cabify; large fast food franchises including Taco Bell, Burger King and KFC chains; and a number of other customers that use Fountain’s APIs for white-label services and prefer not to be named. (I think it’s interesting that Uber Eats is on Fountain’s customer list, but Uber is not.)

Fountain was founded in 2015, arguably at the peak of demand for recruiting gig economy workers. In the years since then, and especially in recent times, the demands on these companies have shifted away from aggressive expansion (bringing on, for example, lots of new drivers) and towards more profitable operations. Ryu said that the knock-on effect for Fountain has not been a reduction, but a change, in terms of the services required, with some companies opting to outsource where in the past they might have handled recruitment in house.

“There has been some attention to reducing operating costs per driver, including driver acquisition,” he said. “That is where we have been getting involved, using our size [and reach] to reduce the cost to the employer.”

This has also seen Fountain change up its own strategy to make more of an effort to target more traditional businesses that are based around hourly employees: no longer contractors, but still very much in the field.

“As the unrivaled leader in gig hiring and recruiting, Fountain is already reshaping the way billions of job seekers interact with employers,” says David Chao, co-founder & Partner at DCM, in a statement. “Fountain has been exceptionally capital efficient and has best-in-class customer retention,” adds Kyle Lui, Partner at DCM.

Fountain is not disclosing its valuation with this round. In its last round, back in 2017, it had a very modest $40 million price on it, although given its growth since then (it had sourced 5 million candidates in two years in 2017; now it sources 1 million each month) this is likely to be significantly higher.

The City as Weakly-Escaped Reality

In this talk, Drew Austin revisits the thesis he developed in his old ribbonfarm post The Holey Plane, looking in particular at the Los Angeles built environment, and arguing that the Philip K. Dick definition of reality as “that which does not go away when you stop believing in it” does not actually hold as […]

Building Your Roadmap with Cybersecurity in Mind

Security is someone else’s problem. It’s up to IT. The developers will handle it. We use AWS or Azure, so we’re cool. We use someone else’s payment gateway, so they’ve got it covered. We’re just a startup, who’s going to want to hack us? Sound familiar? Product managers don’t want to spend time worrying about security. Bolstering digital defenses doesn’t generate revenue. It doesn’t spur growth. It definitely doesn’t delight users or reduce friction. And yet, it’s still your problem. Yes, you, the product manager, you have to worry about cybersecurity, too.

Why is such a seemingly non-essential topic critical to your product’s success? Because getting it wrong could completely torpedo your entire business.


Why Cybersecurity Matters

Customers must trust their vendors. They’re handing over personal information, financial data, photos, term papers, contracts, and all kinds of other sensitive materials. There’s an expectation of privacy and protection. Moreover, there are plenty of laws and regulations to back that up.

Requiring users to agree to a set of terms and conditions might give some product managers a false sense of security. We may all joke that we’ve unknowingly signed over the rights to our firstborn when we click “accept” on the iTunes terms and conditions, but new and existing laws go a long way in ensuring users haven’t handed over all their rights.

But beyond the legal implications, a well-publicized security breach or other faux pas can jeopardize the years and years of goodwill and trust products have built up with their users (will Equifax be able to bounce back?). When we talk about the customer journey, it unfortunately has to include events like these.

Users will always blame your company and not the cybercriminals or subcontractors who might ultimately be responsible. Most often, it won’t matter that the breach wasn’t intentional or was initiated by a bad actor from outside the company.

If things go sideways, it could even result in a permanent shutdown. Code Spaces had to shutter their doors after they had massive amounts of data wiped out due to a hack, and more often than not, small businesses go under after major cyber attacks.

5 Things About Product Security You Should Be Aware Of

Security lapses come in all shapes and sizes. Here are some of the major areas that should be keeping you up at night:

1. Sloppiness, laziness, and cutting corners

In the go-go environment of Agile, continuous delivery, and SaaS, code is getting cranked out and deployed faster than ever. The increased speed creates plenty of incentives to take shortcuts in both the development and then testing phases of every release.

There simply isn’t the same rigor as there used to be. It can be as blatant as leaving passwords and payment info in plaintext, reusing open-source code that has known weaknesses, or only testing for expected functionality and not for the unexpected. Full, thorough code reviews rarely occur anymore, and testers often don’t have the technical know-how to probe fully for potential problems.

Sometimes it’s not even the coder’s fault. They often don’t have proper education, coding examples, or guidelines to follow. Moreover, if the culture doesn’t actively value and preach good security, they’re unlikely to take those steps themselves.

2. Regulations and rights

There are plenty of acronyms in the security domain. If you’re dealing with medical information, HIPAA (Health Insurance Portability and Accountability Act) is top of mind, and if you’re in the payments space, PCI (Payment Card Industry) is something that is always a concern.

But the most important compliance issues for many SaaS companies are new and often misunderstood. The European Union General Data Protection Regulation (GDPR) went into effect in 2018 and has left many companies scrambling to comply. Already hefty fines have hit the likes of Google, Marriott, and British Airways as a result of data breaches.

But there’s another aspect beyond battening down the hatches, executing proper security protocols, documenting preventative measures, and dealing with the aftermath of a hack. This regulation also requires companies to get consent from users regarding retaining their personal information. It also requires them to share what personal data is stored upon request, and allows a user to request that all of their data is completely destroyed.

Typically, this was not a pre-existing capability for many products, so it will often take dedicated work to comply. Also, if you think this doesn’t apply to you because you’re an American company, think again. If your product allows anyone in the EU to use it, you’re required to comply with this regulation.

Looking ahead, similar regulations are on the horizon in the United States as the California Consumer Privacy Act goes into effect in January 2020, and Washington state isn’t far behind.

3. Patches and updates

Many security breaches are preventable by making sure any internal systems are running the latest-and-greatest version. Software companies are continually issuing security updates and patches that address weaknesses and holes that could be exploited by bad actors.

Taking a lackadaisical approach to this matter can leave your company unnecessarily exposed. Conducting a full audit of which products are in use in the technology stack, and which version of each is running, can uncover several items that you can address easily.
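A stack audit of the kind described here, written as an added example (not ProductPlan’s code): the inventory and the minimum-patched-version table are constructed placeholders, and real floors would come from vendor advisories. It also handles two edge cases a naive string comparison gets wrong: letter suffixes such as OpenSSL’s 1.1.1k, and versions of differing length such as 13.3 versus 13.3.0.

```python
import re

# Constructed inventory (name and deployed version), one component per line.
INVENTORY = """\
nginx 1.18.0
openssl 1.1.1k
postgresql 13.3
redis 6.2.1
payments-sdk 2.0.0
"""

# Constructed floor table: lowest version treated as patched. Placeholder
# values; in practice they come from vendor advisories.
MIN_PATCHED = {"nginx": "1.20.1", "openssl": "1.1.1l",
               "postgresql": "13.3.0", "redis": "6.2.5"}

def parse_version(v):
    """'1.1.1k' -> [(1, ''), (1, ''), (1, 'k')]: numeric parts compare as
    integers, and a trailing letter suffix (OpenSSL style) sorts after."""
    parts = []
    for piece in v.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return parts

def is_outdated(current, minimum):
    """True when current sorts below minimum; shorter versions are zero-padded
    so '13.3' equals '13.3.0' instead of being mis-ordered."""
    a, b = parse_version(current), parse_version(minimum)
    width = max(len(a), len(b))
    a += [(0, "")] * (width - len(a))
    b += [(0, "")] * (width - len(b))
    return a < b

def audit(inventory, floors):
    """Return (name, current, floor) for each component below its floor; a
    component with no floor on record is reported as 'UNKNOWN' for review."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, current = line.split()
        floor = floors.get(name)
        if floor is None:
            findings.append((name, current, "UNKNOWN"))
        elif is_outdated(current, floor):
            findings.append((name, current, floor))
    return findings
```

Calling `audit(INVENTORY, MIN_PATCHED)` flags nginx, openssl and redis as below their floor and reports payments-sdk as UNKNOWN, the case that most often hides an unpatched internal dependency.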

4. Cybercrime

Cybercriminals are everywhere, testing your defenses, and devising new ways to steal data, hold it for ransom, or sell it on the black market. They’re searching the dark web for compromised credentials, running phishing scams, and are generally up to no good.

Don’t think that your scrappy startup isn’t a target. In fact, cybercriminals prefer going after smaller companies because they’re easier prey and more likely to pay up since they don’t have the same backup and recovery capabilities.

Making the case for cybersecurity on your roadmap

Now that you’re quaking in your boots, it’s time to make security a priority. But how can you bump features and functionality for things no one will ever see or benefit from?

1. Start with the opportunity cost

Yes, security takes time, money, and resources away from adding new stuff to the product or improving the experience. But none of those excellent features will matter if someone steals your user data and everyone abandons the product. Or if your entire budget takes a hit because you’re paying fines and hiring lawyers after a compliance issue arises.

2. Make security a selling point

If you’re investing in security improvements and going the extra mile to keep user data safe, then let everyone know. It should be a standard part of your pitch, particularly in the B2B, B2E, and B2G markets. Backup and data recovery plans are a must and can now be part of service level agreements, too.

3. Get certified

If there’s an applicable standard for your product, then do the paperwork and go for that ISO 27001 or CSA STAR badge of approval. It will become something salespeople can discuss and something the tech team can rally around instead of relying on a vague understanding of what’s important.

Making Room for Cybersecurity on the Roadmap

What’s just the right amount of security initiatives to work into a roadmap that keeps user data safe and secure without completely derailing product growth and improvements?

Well, it depends. First, you need to do a full assessment of your current state. That assessment may be better handled by an outside consultant than by someone who’s been on the payroll.

If your team has made security somewhat of a priority all along, there may only be some minor items requiring attention. They should jump to the front of the line, get knocked out quickly, and then you can get back to the business of creating a great product.

If your product has been full speed ahead on other matters and your security profile is left wanting, you’ll need to spread things out. A big push to take care of the most significant holes or low-hanging fruit is a great start to your new commitment to security.

From there, it’s about finding a balance between new functionality and continuing to shore things up. Incremental improvements can be included in every release or sprinkled throughout the timeline. The product can’t get too stagnant during this security-focused backfill.

Don’t forget that your product’s features can also improve security. Making users change passwords and relying on multi-factor authentication is an easy way to weave security into your product.

Of course, you’re not done once you “catch up.” Security is a continually evolving landscape with additional requirements arising all the time. So the plan should be to anticipate that more time must be spent on those issues as they come up.

Next Steps for Your Cybersecurity Roadmap

Creating a culture that values security takes time and it extends far beyond the roadmap. For instance, we know the most common security breaches come from sloppy employees reusing credentials or utilizing sketchy public WiFi networks.

You need to cement security’s importance in your product by dedicating some valuable roadmap real estate to it. When cybersecurity is on your roadmap, it communicates to stakeholders and the technical team that this is a business priority and not just an IT issue.

With the right amount of attention, products can make vast improvements in their security profile. Make sure your definition of done includes proper cybersecurity testing and defenses.
