September 9, 2024

[PM Talks] The Importance of Security for SaaS Companies in the World of Rising Cyberattacks

There were 2,365 cyberattacks with 343,338,964 victims in 2023, according to the ITRC Annual Data Breach Report. Security has become a key topic that every software company should consider when building new products or innovating existing ones. How should companies prioritize security features versus core product-related requests from customers? What are the security must-haves? Which threats should they stay protected against the most?

These are some of the topics we discussed with Nejib Jemli, Chief Product Officer at UBIKA. Let's dive in and get all those answers!

About Nejib Jemli:

  • 20+ years leading software product & engineering teams
  • MBA (Management) from Université Paris Dauphine - PSL
  • Currently CPO at UBIKA
  • Follow Nejib on LinkedIn

What security measures should software companies consider when building a new product or innovating an existing one? What are the must-haves?

Nowadays, there are many factors to keep in mind. The first problem is that half of the internet traffic comes from bots, not humans, and more than a third of these are bad bots (good bots include search engine crawlers, for instance). This is certainly something that software companies need to take into account.

Second, in a world of many open-source software products and companies using them as building blocks for their product offerings, it's crucial to think about zero-day vulnerabilities—a vulnerability that is typically unknown to the vendor and for which no patch or other fix is available [Wikipedia].

Third, and a very important point, is the increasing number of cyberattacks. According to Gartner, there was an increase of 53% between 2021 and 2022. This comes as no surprise. As we go through digital transformation, we expose more and more web applications and APIs on the internet, increasing the attack surface for cybercriminals.

Lastly, it's essential to address misconfiguration breaches that can occur unintentionally.

Given all these factors, software companies should consider security from the very beginning.

How should companies prioritize their product development? How should they choose between what the company should build (security-wise) and what customers truly want?

It's completely understandable that entrepreneurs strive to build their product and bring their idea to market as soon as possible, and security can often be seen as an add-on. The 'once I get the first few customers, I'll start to care about the security aspect' approach is risky. Following this path can still make companies succeed (if no security incidents occur), but it can also make them disappear sooner than they can imagine. Having said that, companies have to find the balance and always assess the risk.

What are the most common cyberattacks companies should be prepared for?

The most common cyberattacks are listed in the OWASP Top 10, including SQL injection, cross-site scripting (XSS), and others. These attacks can have various impacts on companies, such as data theft, sabotage, or service unavailability. For SaaS companies, unavailability is particularly crucial as it directly affects their customers.

How does AI influence cybersecurity? Are there any effective uses of AI?

AI represents a tremendous opportunity to shift from reactive to proactive security. This means AI could help spot signals of cyberattacks before today's security engines can detect them.

In the case of UBIKA, the company's mission hasn't changed for the past twenty years. We have been helping companies protect their web applications and APIs. What has changed is the ecosystem, and AI, as mentioned above, can assist UBIKA and our customers in enhancing security measures.

Is UBIKA preparing something related to AI?

At UBIKA, we believe that AI-related features, like all other features on our roadmap, should be planned together with our customers. Currently, we are working with a dedicated group of customers to define our common vision for AI. This collaborative approach ensures that the AI features we develop align with our customers' needs and expectations.

Let's get to our favorite fives: questions we ask every product manager who joins us on this podcast. First, what is your biggest challenge as a product manager?

Unsurprisingly, the biggest challenge for me as a product manager, and for product management in general, is customer satisfaction. The challenge is to constantly make as many customers happy as possible within an environment of limited resources. The thought of 'how do I prioritize my backlog to satisfy the majority of my customers' is what I wake up with every day.

If you could choose one key metric, your North Star, to define your success as a product leader, what would that be?

It's certainly customer attrition (churn) that I focus on the most, along with customer satisfaction, which can be measured using metrics like NPS (Net Promoter Score) or CSAT (Customer Satisfaction) scores.

How do you collect feedback from your customers? What processes or tools do you use?

At UBIKA, we build things with our customers for our customers. This is a very important dogma at our company. One of the tactics we use is building a working group—a group of customers who cooperate with us in defining and planning new features. This allows us to deliver what the customer truly expects, not some made-up representation of their needs. The working group process includes questionnaires, face-to-face meetings, and on-site workshops, helping us fully understand how they use our software and how it aligns with their ecosystem.

When it comes to 'build versus buy', how do you decide?

This is a very strategic topic, of course. For core competencies or key differentiators in the market, it's probably wiser to consider the 'build' option. However, if time to market is the primary objective, purchasing and assembling the components could be more efficient.

What role do integrations with third-party products play for UBIKA? Is this an area you would consider building in-house or outsourcing to an external platform?

Our customers seek a holistic approach to protecting their digital assets. Instead of protecting a single application, they need to secure applications, APIs, and databases across their entire ecosystem. Therefore, our approach to integrations is to build partnerships with critical players in our customers' ecosystems. We developed our WAAP Gateway to interact with third-party solutions that are important in our customers' environments.

In what forms can customers integrate your solution with others? Do they manage integrations from within your product or do they use some external integration platforms?

There are multiple layers when it comes to integration. Of course, we offer an API, but we go the extra mile and offer something we consider one of our key differentiators: a drag-and-drop workflow builder. Using this tool, our customers can model a security policy that includes decision-making and also helps them incorporate other solutions as part of the process.

For example, if the customer faces many attacks from bots, they can use the UBIKA API to blacklist the IP in an external system. Similarly, UBIKA can send signals to other solutions, like anti-malware, to check if a file is malicious or not.

Closing remarks

We've spent around 40 minutes with Nejib and learned plenty of useful information about the importance of cybersecurity for SaaS companies in the world of rising cyberattacks. You can look forward to more interviews with inspirational product leaders and contribute questions you're most interested in. We'll ask them in our next episodes, and our brilliant guests will provide answers.

You’ve just read an interview from our podcast, where we speak with product leaders who share their experiences. Follow us on Spotify or YouTube for more episodes.

Authors
Jiri Novacek