Do true security product managers exist? This is the question I began asking myself a few years ago, when I started to move from a pure security role into leading the effort with a team to build a product. After a few years, I transitioned into product management and then transitioned back into full engineering. During this time, I realized there are very few true security product managers. Many product managers have never really penetration tested, conducted a risk assessment, taken formal security training or even attended a DEF CON conference. I found it very interesting that these were the people prioritizing the solutions to protect organizations. Over the past two years I’ve searched to see whether there are any true security product managers, and the result is: not really.
The security industry is struggling to find real security people to drive the right priorities into our products. We need people who live and breathe security. Without the right skills building our products, we will not only be one step behind the attackers and accidental breaches, we will be several.