To Drive Trust, Minimum Viable Product Needs Minimum Viable Security
During the early stages of new product development, product management teams have long used minimum viable product (MVP) to test concepts with their prospective customers. The MVP term has been misused over the years, sometimes being associated with buggy or incomplete releases that “we’ll fix later,” but a true MVP is an opportunity to learn about your customer needs and quickly test a product concept. MVPs are not final releases — they are low-effort concepts that test a hypothesis and help the product team learn about their customer.
While we may not think about MVP as core to building customer trust, there are several aspects to the process that align with Forrester’s Trust Imperative. The act of reaching out to customers to test concepts and solicit feedback enhances a firm’s transparency, while the customer understanding that comes from concept testing can build empathy. Of course, using MVP to test hypotheses ultimately results in a better product, improving perception of a firm’s competence.
So where does security fit in to MVP? Because MVP is meant to be low-effort, quick-turnaround to test hypotheses, we would never advocate a weighty security process that will slow innovation. Ignoring security during these early stages, however, can damage customer trust in two ways:
- Security choices made (or not made) during MVP that persist to final product. While many security controls can be added after MVP, it’s hard to retrofit privacy. Help the product team clarify privacy requirements, and design the data architecture to meet those requirements.
- Security flaws in the MVP itself. While customers may not expect an MVP to be perfect, if the MVP leaks their personal data, that’s a trust-breaker. Security must help the product team think about how the MVP collects and stores customer data, how it uses existing customer data, and how the MVP interacts with other applications or systems.
As security leaders expand their mandate into the revenue side of the business and help firms secure what they sell, it’s time to adopt minimum viable security, the minimum posture required to test an MVP.
I hope you will join me at the Forrester Security & Risk 2022 event in Washington, DC (and virtually) on November 8–9 for a deeper discussion on minimum viable security and product innovation at my session, “Adopt Minimum Viable Security To Drive Trust.” Learn more about the Security & Risk event agenda and register here.