Product Management in Cyber Security

Liza Mash Levin
6 min readJul 14, 2018

The Cyber security world has evolved tremendously in the past decade. Being part of this industry for 12 years, I wanted to share a few baselines that I believe will help understand this world and my guidelines in being a product in Cyber security.

(taken from

Cyber Kill Chain

In order to understand the industry, you must first understand what is it and what is it protecting. The Cyber Kill chain is a terminology to describe a phase-based model of steps required from an attacker to infiltrate to the organization. the model logic is simple, the earlier in the kill chain you stop the attack, the more likely you stop the attacker from breaching to your organization.

(Taken from

Reconnaissance — to increase the chances for a successful attack, the attacker must gain as much information as possible on the targeted organization, such as, network structure, users mapping — with focus on privileged users and more.

Weaponization — usage of tools to find and exploit vulnerabilities, in order to infiltrate the organization.

Delivery — delivering a malicious payload to the targeted victim by means such as email (spear phishing), exploited websites, USB, etc.

Exploitation — the attacker exploits a vulnerability in the organization’s system (can be based on the data collected in the Reconnaissance phase) in order to carry out the attack — execution of the malicious payload.

Installation — install malware on the targeted device.

Command and Control — usually, the first installation of the malicious payload opens a connection to a remote service to carry on the main attack — opens a command channel for the attacker to connect remotely.

Actions — the actual actions the attacker performs on the device based on the goal of the attack.

The goal of cyber security is to stop the attacker in different phases of the cyber kill chain. The main areas that security companies focus on —

Prevention — prevent the attacker from infiltrating the organization in the first place.

Detection — based on the assumption that the attacker has managed to infiltrate the organization, detect and alert on intrusion and scope of breach.

Remediation — once a breach was detected, remediate the threat in the entire breached scope.

now that we’ve covered all the basics, here are my guidelines for a product manager in the cyber security industry —

Know your Basics

(Taken from

Know the fields your product is focusing on, what part of the kill chain it’s trying to prevent and it’s core capabilities. this is indeed basic but very important to understand when you think of the features that you’re creating. you should always ask yourself if the feature will strengthen your product in the category that it belongs. there are many security products that try to do it all — focus is the key to success.

Analysts are your friend

Gartner is a leading research and advisory company that provides technology-related insight about the many markets, among them is the Cyber security market.

Gartner identifies several major markets and the cyber security companies fall into these categories. example markets are —

EPP (Endpoint Protection Platfrom) — a solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.

EDR (Endpoint Detection and Response) — a solution that records endpoint-system-level behaviors and events (for example user, file, process, registry, memory and network events and store this information either locally on the endpoint or in a centralized database.

UEBA (User and Entity Behavior Analytics) — a solution that uses analytics to build the standard profiles and behaviors of users and entities (devices, users, applications, network traffic and data repositories)

CWPP (Cloud Workload Protection Pltafrom) — a solution for modernized workload protection in the cloud or in hybrid mode. This covers configuration and vulnerability management, Network visibility and segmentation, System integrity measurement, attestation and monitoring.

CASB (Cloud Access Security Broker) — a solution to provide visibility and policy enforcement to cloud applications.

Each cyber security company is placed in one of Gartner’s markets. As a Product Manager, you must be aware of how Gartner defines the market you’re company is associated with and what capabilities your product should have (and doesn’t need to have!) in order to lead in the category. More importantly, your customers will review your product according to the Gartner market guidelines.

Know your competitors

(taken from

Once you understand the market, you must understand the players who are playing in that market. As a Product Manager, you must always know what does the competitors have to offer and what are their successful features. This will help you in several ways —

  1. Focus, focus, focus — you must always strive to create capabilities that are relevant to the customer and differentiate your product from the competitors.
  2. Professionalism and customer oriented — as a PM, you will meet many customers, all of them heard or even used your competitors’ products. You must be aware to that and have an answer prepared to the pros and cons of using the competitor’s product. When I talk to customers and I know what they like and dislike in the competitors products, it helps me with presenting the capabilities of my product and focus on areas that I know mine is better and will provide the desired solution for the customer.

Be customer obsessed

Our customers can be our greatest help for the product to evolve. Always seek customer feedback and act on it. I have close relationships with customers who I have worked with for years. Creating a close customer relationship will help you in several ways —

  1. Feedback — we as PMs always strive to know what the customer needs and this is how we plan our features. What can be better than a customer feedback on the capabilities you’ve created? It is also important to show the customer ideas of features (even mocks) that are not yet developed. This can help in discovering usability and UX issues very quickly.
  2. Customers are your best advocates — a happy customer that has a close relationship with the product team, will be your best advocate. they can talk in conventions and with other organizations on your behalf. This is a great way to build your company’s brand.

Be technical and detail oriented

This industry requires expertise. in order to understand what to create in the product, you must understand what you’re product is doing and how are you protecting your customer. Working with customers in this industry will require you to meet often with people with an extensive technical background (CISO, CIO, IT managers, etc.), understanding how the product works will help you answer their questions and gain trust.

Few final words

The Cyber Security world is ever growing and fast changing. This is fascinating to watch and be a part of. The PM role in this industry is exciting and has a lot of responsibility, I’ve gained these insights over the years and wanted to share them with you.

I will be happy to hear your feedback and additional guidelines you’ve learned about being a PM in the cyber security industry.