A conversation with Dave Cole on successfully incorporating security into the product development lifecycle

At a time when security is increasingly recognized as important, the challenge remains: how do we incorporate security into the product (and solution) process? How do we get started earlier?

When I posed the question about how to get security incorporated earlier into the process, Dave explained, “One of the big lessons from spending time leading a consumer product is how an intense focus on usability can make a big impact on product usage, customer satisfaction and ultimately business results.”

He pointed out how challenging and difficult it is today for professionals to select, implement and maintain security solutions.

“Imagine if your product had to be setup and used by your grandparents, would you invest more time in making the installation simple and automate more of the tuning?”

Dave then posits, “What if you made the top measurement of a product leader’s performance KPIs for speed of successful install, support contact rates and positive customer engagement metrics rather than where you fit in the Magic Quadrant?”

That would be a change that would drive visible results. 

Dave comes by ideas like this as a result of an earlier experience as a product leader for Norton Antivirus and Internet Security in 2007. Dunned by many as bloated and slow, the person leading both product management and engineering made a bold move to change more than the perception of the product. He determined the objective for the team was to build the fastest and lightest product on the market.

As Dave recalls, “He established clear, incredibly challenging metrics so that we knew what we needed to accomplish. He also made it very clear that we were to add no new features for the release. Zero. As the new product leader, that was incredibly hard to swallow—no new features? Nothing I could proudly tout to journalists and our marketing team? Ouch.”

This simple goal, however, transformed the team.

It freed the team to make daring changes to the architecture. In fact, nothing was sacred. No part of the existing product was spared from scrutiny and revision. The same transformation spread to the marketing team, unleashing creativity around a single, easy-to-understand, updated product.

What Dave learned was the importance of a single focus with a clear definition of success. And the need to make sometimes painful trade-offs to reach that goal; else, as he reflects, “you’re probably compromising where you shouldn’t.”

One of the things that stands our during our conversation is how Dave measures success: by the growth of the people around him. Admittedly more challenging to measure people, Dave sums up a simple measuring stick with a series of questions:

• “Can they do something now that they couldn’t before?
• Are conversations that were difficult before now commonplace?
• As a leader, can you leave and return without problems piling up in your absence?”

In terms of incorporating security into the experience, one of Dave’s last projects with Symantec holds key insights. Charged with making the setup of a WiFi router an enjoyable experience, they started by understanding what the current process was like. They bought a bunch of routers, went through the setup, then recorded likes, dislikes, confusion points and other relevant information.

Then they brought in some extra design experience. In the process, they realize their task wasn’t to streamline or simplify — they needed to create a different way to think and act.

The team created a visual approach, creating a series of “spaces” that allowed for a seamless blend of drag-and-drop alongside the advanced view of precisely what was happening.

In the process, security was just incorporated. No extra pain. No fuss.

It seems the key to getting security integrated into product development is a combination of strong leadership, streamlined focus, and the ability to clearly measure the success — based on the way actual people use and understand it.

The Catalyst Questions

These are five questions asked during each conversation. The responses are as shared with me. 

1. What is your why?

I’m passionate about leading teams to solve big problems.

2. What still requires translation to be successful?

While Apple and others have made inroads, consumer authentication is still entirely too challenging. We still have not found an elegant replacement to the tired, dysfunctional password yet we keep adopting more cloud services and our lives are increasingly exposed… all on the balance of an 8 character string. Further, it’s entirely too hard to authenticate to one another online, to establish our identity such that we can transact with trust or anonymity as we choose. As an industry, we are going to solve this problem sooner or later and I hope to play role in cracking the code.

3. What was your biggest failure? How did you recover? What did you learn from it?

In a previous job, I reluctantly accepted responsibility for fixing a product line I knew would demand the bulk of my energy. It needed a new vision, a new strategy and a ton of effort to get the whole team aligned over many months.

I started out by doing all the usual things that worked well in the past, but then I was assigned a little more responsibility I felt like I couldn’t say no to. And shortly after that, I agreed to a lot more responsibility on top of my already excessive load.

I didn’t give myself permission to say “no” or otherwise negotiate the situation. Bad move. 

Needless to say, the situation imploded in fairly short order in spite of a lot of effort on my part and that of my increasingly frazzled team.

The lesson here is pretty clear—no matter how good you are, knowing your limits and proactively dealing with that inner voice that says you’ve reached them are fundamental to success.

4. How do you prioritize and justify your efforts?

I’ve been told that when I was a young child I would ask as soon as I woke up what we were going to do that day.

I feel roughly the same way now—I have to know what the vision is or long-term direction for any product or business. If you know where you’re headed, you can create a strategy to get there. If you can craft a strategy, you can make a plan that breaks it down into steps and measurable goals.

Then prioritizing can become relatively easy… how much does this further our strategy / learning? Are there a bunch of other things dependent on this? Do we need to adjust course and pivot? I’ve found most of the prioritization difficulties teams have are when they fundamentally don’t agree on where they’re going.

This of course is harder when you have a whole portfolio of products or projects to deal with and you have to make determinations of the value of one project or product to the business over a long-term period of time.

In those situations, I look at a variety of factors, including financial metrics for the market size, ability to open up new markets, impact on customer lifetime value and so on… however, there will always be an element of intuition in making calls across a large, complex portfolio. Making big decisions that are a blend of quantitative factors and qualitative gut instinct are some of the most gut-wrenching and rewarding moments as a leader.

5. Best piece of advice you ever got… and offer to others

One of the most provocative questions I was asked during a training session was “Who are the happiest people inside a company?” People guessed all the obvious answers, with many people offering that the Marketing team are clearly having the most fun. The answer is that on average the most satisfied people in an organization are on the Sales team.

The rationale for this is that they typically know exactly what a “win” looks like—making their number. And they have feedback every quarter on how they’re doing, as well as rewards for achieving their goals. The implications of this for leading any team can be profound— make sure they know what a win looks like, give them clear feedback and reward them for success and any team can be happier and more successful.

Connecting with Dave Cole

Who are you, how do you describe what you do?

Dave Cole– product leader, marketing hack, rooftop gardener, fitness geek and father of an increasingly opinionated toddler.

I build products, teams and occasionally new businesses. Some of them have been small, for example, we initially built the Foundstone product business based on little more than our growing dissatisfaction with the existing tools and an idea of how security assessment products should really work for enterprises. I also steered the big $2B product ship at Norton, with my initial mission being to fix the “fat and slow” reputation, and later to expand the brand beyond the PC. I’ve had the chance to do both consumer and enterprise, start-up and big company, and everything from products designed for embedded chipsets to cloud services.

Where and how do you work?

Where I work depends entirely on what I’m doing. When I’m writing, I usually disconnect and go to a park or coffee shop. Big thinking is usually done while running or at the gym. Email and catching up in general—home office. Learning new stuff is done by either hitting the road to meet people or listening to videos while cooking or cleaning up around the house.

Where can we connect with you?

Email works best—you can find me at dave at sourceclear dot com