Discover the Security Bill Format for Product Management

Security bill format for Product Management

hello everyone and welcome to enterprise privacy product management i'm karthik ramon a senior product manager at adobe focused on building privacy products and services i've been at adobe nearly 10 years and was the lead product manager behind adobe experience cloud business units gdpr product offering as most people know the general data protection regulation or gdpr became effective in 2018 i went to work one day in 2017 and my manager at the time said to me how would you feel about dropping everything you're working on and jumping on the gdpr project well i want to share some of the lessons i learned from that journey and other sins for similar product managers who may go through a similar kind of assignment please note that the views and opinions i express here are my own and do not necessarily reflect the views or opinions of my employer privacy regulations are sweeping the world consumer expectations regarding their privacy is rising and brands have to contend with requirements from both regulators and consumers now gdpr and e-privacy have been around for a couple years now in europe the california consumer privacy act and other privacy regulation for california has been effective since january 1st of 2020 and the brazilian privacy regulation lgpd was effective as of august 26 2020. also we know that hipaa a healthcare related regulation requires readiness in a number of different security and privacy product areas whether you're a b2b or a b2c product manager chances are that given this framework of regulations popping up all over the world that you have to think about how privacy and these regulations impacts your product and how you will respond to it so this talk is going to be effective or helpful for many such product managers so what's this talk about why this talk and who is it for a privacy framework is a product or service that lets your company handle privacy data processing requests at the scale of nearly all of your company's products so let's say that you work for a company called acme and acme has 10 different products the idea of a privacy framework is that there'd be a single framework to handle gdpr processing requests for access deletion or opt-out for all of those 10 products of your employer companies care about this because building frameworks is efficient right if you build a bunch of frameworks for every single regulation that comes around that's not very efficient but if you can build a single one that nails it for not only the current regulation but all the others that are coming down the pike soon that's a lot better investment of company resources and time another reason this space matters is that there's a ton of demand for experts including product managers who have operated in the regulatory and privacy space and would do good work for companies so this talk is geared towards product managers who are building frameworks and it's also for product managers who are interested in learning a few new general product management techniques uh specifically one around cultural transformation so this talk isn't just about privacy by design right how to build privacy features into non-privacy products and services right it's about how to build company-wide privacy security compliance or other types of frameworks so as i was saying before you the listener could be a product manager responsible for building such a privacy framework across your company to respond to gdpr or ccpa or just as well you could be a product manager who's building privacy security compliance or another kind of framework spanning all of your company's products and services however if you're a product manager who doesn't work in privacy security or compliance but you have an innovation that you wish to spread across your organization then this talk is also for you the talk is structured ing to the journey a product manager may take while building an enterprise privacy framework what world you find yourself in in the beginning of this journey as you develop requirements what's the experience in the middle while you're building product what does the release look like and what do you expect next we're going to examine situations stories and lessons learned for every step of the journey building enterprise privacy frameworks okay so you've got the job congratulations now requirements are coming in from every direction starting with privacy legal so where do you begin you should start with the basics do you know your customers and their problems for example in the lingo of gdpr if you're solving for gdpr requirements there are the roles of the data controller the company their entity that's processing data the data processor and the data subject do you know what role your organization plays right are you the data controller or the data processor if you're the data processor do you know how your customers the data controllers interact with their data subjects for b2b businesses very often your customers will have multiple stakeholders working on privacy very commonly this is a mixture of i.t privacy and marketing teams as a product manager have you interviewed all those different stakeholders at your customers each with its own interests do you know who holds the power how do they influence each other who are the decision makers are to drive change and how do you know that the solutions you propose are going to solve for interest align interest across all the groups you're trying to engage based on what you've learned about the businesses and customer personas how would your products solve the privacy concerns that all those stakeholders have regarding your product can you paint the compelling vision for them and start to validate your product hypotheses with them so you start by talking to privacy legal and you start by talking to customers and now it's time to turn legal requirements and jargon customer interviews into product requirements so you want to turn a bunch of moving targets into a target that's stable enough that you can take aim at write it down create decks create mock-ups evangelize those artifacts with product themes you're trying to influence and coordinate work across it's okay for these artifacts to be imperfect or incorrect what's more important is to be clear and precise in the definition of the what you're trying to build iterate with these artifacts and requirements by testing them with customers and with privacy legal over time your large requirement which spans the entire business should stabilize and what that frees you up to do is focus on smaller pieces sub requirements so you shift into requirements for smaller products or services and you have the ability to delegate those smaller requirements to product owners over those products or services and have them reference the central document that you've created or the artifacts that you've created now as you work across various product teams you may soon run into despair data models diverging development philosophies code bases that are siloed and workflows that were never meant to work with each other you need first principles to build something simple that you can grow into something more complex over time and you'll need to collaborate with architects to develop these right but don't get too much into the how see if you can get one primary architecture owner assigned you'll find that in building enterprise privacy frameworks enterprise-wide frameworks driving architecture requirements is almost as important as driving product requirements themselves now two commonly used privacy principles could be what i'm going to share and for example if you have a requirement to delete data the first thing is to find it so the principle there would be follow the data if data originated from a consumer can you follow it to determine all the different places where it ends up those are all the different places the data would have to be deleted from if you're processing a gdpr deletion request or a ccpa deletion request the next principle is garbage in garbage this is kind of out of computer science 101 but just like in a search engine you're building a system to find consumer data in your data warehouses right and your search engine is only as good as the input you supply to it so what's the type of consumer identity you're supplying to it in order to find the right data product managers realize play a very important role in translating privacy requirements into engineering rules and it's critical to continually collaborate with engineering and legal during this process now designing your framework for scale and to scale is essential so think about your enterprises long-term privacy needs for each product or service that you launch you're serving one regulation today but you know that multiple regulations are coming down the pike and you'll need to support them in the same fashion so in somewhat contrary fashion to the peter thiel piece of advice of don't go going from zero to one as a pm building frameworks you wanna go zero to one the first time but then go from n to n plus one uh you know sitting on top of the initial framework that you've created regulations are here to stay and more of them are becoming effective the world over with time so as you think about long-term needs look for efficiencies take the side of the customer so for example if you know that your company has 10 products all of which must be ready for say gdpr or ccpa take the side of the customer and say you know what consolidating work will mean that the customer uses a single entry point for sending gdpr requests or a single entry point for ccpa deletions and their user experience will be the same or consistent regardless of which of the 10 products of your companies their provision with there may be an exception here for example if one of your company's products out of the 10 is going to be decommissioned soon it may be okay for the customer to interact with that product directly but use your judgment in cases like that experienced product managers know this for any product to be successful you need an executive sponsor but executive sponsor seeds the project they build visibility at the executive level so that the project stays top of mind for all other executives your sponsor meets the sponsor would lobby for resources from across the organization help resolve blockers and liaise with customer executives in case of high profile customers and in addition liaise with these customer executives in case of product escalations at this stage your product requirements are stable the project has been commissioned and engineering is executing so what are some of the challenges you might face in the following phase of the project while you're executing and how might you solve them one challenge you will face many a time is that you're up against deadline that will not move for example gdpr was going to become effective in may of 2018 no matter what but you start to realize despite the deadline that won't move you start to get your project off course so what do you do with teams and executives whose direction isn't completely aligned with your project's direction i offer that you should start by aligning on purpose with your stakeholders is there a company value or set of values that may resonate with privacy compliance or ethics as you build these frameworks how about integrity ethics or putting the consumer first there's usually a deadline and getting off schedule could be catastrophic and one of the tools you'll need to employ in this space is urgency so i'm flashing here three example phrases you could use to drive urgency with stakeholders in your organization your mileage may vary based on your personal style and your corporate culture another challenge you might face is building a product that customers will actually use right the fact that you're rushing to meet a regulatory deadline but end up building a product that is unusable will leave your customers and your executives fuming in the beginning you're swamped with legal requirements but you actually realize that many customers are moving much more slowly than you are in interpreting the same regulations for themselves and getting to a point of contention that i know what i want from you the product manager for this business so in a situation like that validate your requirements go to your customer take your design to the customer here's a picture of me presenting my product designs to customers in munich in a product road show paint division for your product share the current state of requirements interview customers to learn how to refine your requirements further now you may definitely run into situations where your release timelines don't line up with your customers release timeline so in other words your customer wants the product in their hands yesterday and you simply can't achieve that for them instead of clashing with your customer try to take their side it's possible you could recruit their energy or anxiety into an alpha or beta participation and feedback if your customer wants access to your product in advance maybe you can negotiate their inclusion in an alpha program so they understand that for participation they'll get a bicycle from you instead of a car and that you're looking for their feedback to design the right car and deliver that right card to them so they can actually use it the next challenge is an interdependence a constant one on privacy legal now as you know you start with interpreting regulations and you turn those regulations and interpretations into a set of product requirements working hand in hand with privacy legal indeed they are your best friends through a journey like this but building on that in the space of privacy frameworks nearly every other sub requirement will require input from privacy legal or require approval from them so solid relationships with friends and legal can help you move product related development and release more quickly i also want to offer that you could turn this kind of dependence or interdependence into an opportunity and that opportunity is to leverage that relationship with privacy legal to help your fellow product managers who don't work as closely with privacy legal so serve as an ambassador for product into privacy legal bring product design concerns or requirements gaps from fellow product managers to privacy legal now as you become known as a facilitator of product work as a broker of that important relationship you win points with both sides both the business and privacy legal the next challenge is a proactive one are you taking enough product risk we just referenced a minute ago product managers work with privacy legal but usually they're part of the business not part of the legal team part of what product managers are paid to do is take on the right amount of product risk in what you design and build experienced product managers know that perfect designs may cost too much and take too long to build there's a real cost and a timeline sacrifice in over engineering products it's no use building a perfect product if you've built it past the regulatory deadline and released it past the regulatory deadline also good product managers know that they are trading off speed and quality with the risk of imperfect design next challenge is to keep up momentum while you're executing sorting through unexpected turns new requirements obstacles or keeping multiple executing teams aligned is crucial now this isn't a summary of pm hustle techniques by any stretch of the imagination but here are two techniques that have worked for me your mileage may vary depending on your personal style and the way your organization's culture is set up but i've tried to set up an agenda for every meeting and set clear next steps and owners in addition i've tried to follow up on unanswered emails every two days and both of these techniques have helped me and my projects keep momentum up you're going to discover several challenges as you do this work espousing an entrepreneur entrepreneurial mindset is crucial you discover that you're working in a volatile uncertain complex and ambiguous environment and every complex project despite of its stakes will have setbacks take a step back when that happens take on the optimist mantra it's a setback but a temporary one this is loosely from martin seligman's book learned optimism beyond that as you run into technical challenges or conflicts stay focused on shared purpose and values for example you could state your internal stakeholders you know we're working together to help our common customers meet obligations to regulators and serve their consumers if you're building an innovation with limited resources what is your learning objective are you staying continually curious about your customer and then last but not least right as i mentioned you're operating in an ambiguous and complex environment noting down your observations day over day can lead to valuable insights over time and as the product matures your notes whatever shape or form they're in can see the product collateral that you can hand off to product marketers so write to make sense and rationalize the day-to-day hustle okay so you've got an executive sponsor but what you're finding is that that's not enough to drive product work across your company across different silos you've got a limited pool of resources and you need input and engagement from various teams in order to deliver your product in the right time but you're getting ignored by several teams executives individual stakeholders now the nature of a framework is that it touches the entire company and for something that touches the entire company you'll need to transform the culture of your organization in order to get traction and get results because the strict pool of resources at your disposal isn't going to cut it so what you realize in that moment is that you are actually leading a cultural transformation this is where i'll reference leadership thinker simon sinek and his 10-minute video on the law of diffusion of innovation now you're welcome to check out that talk but let's apply it quickly to building privacy frameworks all populations fit across normal distributions for privacy there are those who care a lot about privacy on the one hand and on the other end of the distribution there are those who couldn't be bothered the first 2.5 percent they want to be part of privacy no matter what they are your champions the next 12.5 percent the folks who sacrifice time and energy to test out your product and collaborate with you early they are your early adopters the question is how do you influence the next 68 percent that is to say the majority they're not empty privacy they're just cynical and practical they're asking you know is the business headed in this direction of adopting this framework or privacy or security more broadly i have other pressing things to deliver on this quarter and frankly this is in the way the advice here is the council here is that don't focus on anyone beyond the first 15 percent of your organization that is the champions and the early adopters right as you focus on the early adopters you'll find that change diffuses through the organization in my own example my team and i created a group for motivated and interested folks to join these folks would meet like once a week and they'd take product directions from this core group and go and diffuse it within their own products and what they bring back in exchange is edge cases and best practices back to the central group soon executives and other influential stakeholders across the company had heard about this group and they had no choice but to join in because their own people were asking to be a part of it so you're building a grassroots movement congratulations you're executing on your project and you're actually getting close to launching your framework now what it's very often that you're going to encounter conflicts between two or three or whatever different groups and these may betray long-held misgivings across these different organizations so what's the right attitude in a situation like this i want to offer that perhaps the right attitude here is one of indifference as long as there are two conditions that are held one is regardless of who wins this particular conflict are you headed in the right direction of releasing this product further are you headed in the direction of releasing this product within the specified time the path through a complex system such as building a privacy framework doesn't matter as long as you're continually optimizing to reach the end state within the desired time you've launched your product and now it's time to say thank you and it turns out there's an art to it this comes from scott belski adobe's chief product officer in his book the messy middle belski says that in a time like this when you're close to launching a product it's essential to recognize those individuals who stuck their neck out for the cause when rewards were unclear and the risks were high empower your champions and early adopters so that you have their influence available for the next wave of work so you've delivered your product now what if you're lucky you'll get recognition and more resources you should recognize for a silver second that in the long run all resource allocation is variable however if you're unlucky paradoxically the reward for success may be that you have fewer resources available for the next lap this is one reason why building a framework in the space is crucial is that in a self-serving way whether you have more or less resources you've done the work you've laid the foundations in order to adopt the next regulation or build the next product using that foundation of the framework now product managers know that the job isn't over with the product launch through conception building execution testing and release you are capturing technical debt in the product because especially in a space like this you know that this technical debt if unaddressed could be a source of customer escalations and it could trigger the next product crisis but no one is better suited than you to tackle the next crisis so you may actually need to run another lap with your same product the good news is that you have some tools at your disposal that you know you have they have worked for you for example you know how to build crisis to get past those initial obstacles so let's say you've launched your product successfully and you've gone through escalations how do you self-evaluate how do you evaluate your performance as a product manager if your goal is to build enterprise privacy frameworks i want to offer that if you were to adopt the next regulation how much more quickly and efficiently can you get your business to adopt it that is to say can you actually go n to n plus one instead of going back to scratch and building a new framework or a new product to go from zero to one again a more advanced concept is one of considering have you been able to reframe the internal dialogue away from risk reduction into one of adding value to customers have you improved how your organization thinks about and manages risk thought leaders in this space product managers who are ahead of the game may encourage their business to think about privacy as a differentiator or think about technology ethics and how that bears on privacy where are the product leaders in this domain headed and can you point your business leaders into that vision we're actually at the end here so let's summarize privacy regulations are sweeping the world every product manager is going to be touched by one of these regulations in some way shape or form and your goal if you're one of the lucky product managers assigned to work in the space is to build a framework so that whether it's you or a different pm in the same company responding to the subsequent regulation you're going from n to n plus one instead of from zero to one all over again never waste a crisis because you'll have resources at their disposal to start this project and start this work however you'll always have setbacks so espouse an entrepreneurial mindset and say to yourself it's only a temporary setback and you'll get through it last but not least recognize that building privacy frameworks and other kinds of frameworks is a matter of diffusing innovation so privacy framework building is cultural transformation focus on your company's champions and privacy and focus on the early adopters and that's a crucial path to success i want to thank everyone for listening my name is karthik rahman you can get in touch with me through the email address on your screen and also connect with me on linkedin if you like i want to say a special thank you to my friend tim masterson who is the designer behind these slides and here are the references i mentioned through this talk thanks a lot everyone