During the earliest stages of new product development, product teams iterate rapidly on product concepts to learn about customer requirements. Each iteration, commonly called minimum viable product (MVP), helps the product team answer a question about customer requirements, priorities, or usage scenarios. The goal: Build a product that best meets customer needs.
What should security teams do to support product management during this rapid iteration and early-stage concept testing? On the one hand, if the security team is not involved at all and early-stage concepts go to prospective customers with critical security defects, you risk losing the customer’s trust. On the other hand, if security insists upon a high-friction test and control process that slows down the prototyping, you’re stymieing learning, slowing down innovation, and losing the product team’s trust.
Enter minimum viable security.
Minimum viable security (MVS) is defined as “the minimum security posture required to test a given version of the product during the concept-testing or MVP stages of product development.” For those of you who might be uncomfortable with the word “minimum” applied to any aspect of security, pay close attention to that “concept-testing or MVP stages” language. MVS is about putting the appropriate controls in place for early-stage iterations that only reach a handful of customers, use more limited sets of data, and may be deployed in a separate environment. MVS is not final security, and once we get past a certain stage of product development, we stop talking about MVS — but adopting MVS helps security teams focus on early-stage iterations’ most critical security issues: securing innovation without delaying it.
Forrester has developed three reports that guide you through MVS, from understanding and selling it to your team through to the more structural aspects of incorporating it into your product security program:
- Build A Business Case For Minimum Viable Security will start you on your MVS journey by giving you the context to position security’s role during MVP and the early stages of product innovation. In this report, you will understand the risks and failures of legacy approaches and learn how MVS enables you to improve communication with product management, establish trust with early customers, support the business’s growth aspirations, and reduce security rework. You will also learn how to position MVS to the product management team and to members of your own security team.
- Best Practices For Applying Minimum Viable Security focuses on the key questions to ask at the two stages of minimum viable security: early-stage MVS and steady-state MVS. This report also provides guidance about when the product has advanced far enough in the lifecycle that MVS no longer applies.
- The Forrester Minimum Viable Security Checklist is a tool for the security and product teams to use collaboratively. The checklist is deliberately small, focusing only on the security practices necessary during MVP. For each product iteration, the security and product teams will complete the checklist and use it to identify gaps and prioritize mitigations.
Welcome to 2023! To learn more about minimum viable security, please check out our research and set up an inquiry to discuss further.