Throughout my career in technology, security has always been a critical part of whatever role I've had. Back in the early days it was simple stuff like adding security to certain parts of the stack or migrating security policies from one piece of infrastructure to another. As my career matured, I came to observe the interplay between security products and market needs. In a way, it reminds me of both good drugs (think Penicillin) and bad drugs (think Cocaine).

Prescription antibiotics are in a constant cycle of adaptation. As antibiotics make their way into the wild, bacteria evolve and the antibiotics become less effective. Security products are much the same way. As they make their way into the market, attackers find new ways to outsmart the latest innovations.

Drug education taught me that most illegal drugs involve a cycle of addiction in which the first time you take a drug, it gives you a certain high for a certain length of time. The second time you take a drug, the high is a bit lower and a bit shorter. So on and so forth until you are struggling to just maintain a sense of normal. It is this cycle which leads to the crazy and tragic life which becomes addiction.

Managing security products sometimes feels a bit like both of the above. On the one hand, you are keeping pace with general security trends and standards. This is pretty straightforward stuff - the same as any work you do to keep your product up to date with the market. On the other hand, there is the "Cocaine" type of security, and it is this second situation which is so interesting. I picked cocaine for a specific reason - it is both recreational and not, it can be cut with all kinds of nasty stuff, and it can lead you down a path which you can't come back from.

Recreational Party / Odd Security Stuff
I've heard cocaine described as a recreational "just occasionally" kind of thing which shows up at certain parties or events. I compare this to the kind of strange security questions you sometimes receive from customers or CISOs. These are the kind of things which make you stop and say, "Seriously?" As you discuss the scenario with customers more and more, you begin to see the positives and negatives ... you get to a point where either the pros or the cons outweigh the other (or you just give in to commercial pressures) and your product now has a new security feature (or not).

The Crazy Stuff
What has been new for me in managing security products is the extreme world of security. As you start to work with customers that have billions of dollars on the line, their extreme positions make a lot of sense. Now, it takes a while to understand their reasoning, but over time you begin to see that the customers aren't crazy - they are living in an extreme world and need extreme security in order to protect themselves. They are special forces soldiers and need special equipment.

Now, interspersed amongst the soldiers of this army are a few crazy nutjobs (the Cocaine addicts) who can, if you let them, ruin your life and your product. They live in a world in which there is never enough security, one in which we should worry about the .0001% chance. No amount of money or time matters - just that we solve for this extreme use case.

I wish I could tell you that it generally isn't that difficult to tell the difference between the security use cases which are extreme but necessary and those which are just crazy. The truth is, it is actually quite difficult for a Product Manager to make these kinds of decisions without substantial consultation from third parties.

The consultation starts with your Security Architect or CISO. Often it will need to extend to outside counsel as you look at items such as export controls, liability, marketing, sales, support, integrations and other aspects of these use cases. Decisions of this type can take significant amounts of time.

My general guidance on extreme security use cases is to ensure:
1. You have the right counsel available to make the right decisions. If you do not have the right counsel, then ensure you make arrangements to get it.
2. You can summarize and communicate the issue and reason for the investment to executives.

You need item 1 above to get to item 2. If you can summarize and explain the issue properly to executives, you can build consensus and ensure the organization makes the right decision on the most challenging security use cases.