There were 2,365 cyberattacks with 343,338,964 victims in 2023, according to the ITRC Annual Data Breach Report. Security has become a key topic that every software company should consider when building new products or innovating existing ones. How should companies prioritize security features versus core product-related requests from customers? What are the security must-haves? Which threats should they stay protected against the most?
These are some of the topics we discussed with Nejib Jemli, Chief Product Officer at UBIKA. Let's dive in and get all those answers!
Nowadays, there are many factors to keep in mind. The first problem is that half of the internet traffic comes from bots, not humans, and more than a third of these are bad bots (good bots include search engine crawlers, for instance). This is certainly something that software companies need to take into account.
Second, in a world of many open-source software products and companies using them as building blocks for their product offerings, it's crucial to think about zero-day vulnerabilities: vulnerabilities that are typically unknown to the vendor and for which no patch or other fix is available [Wikipedia].
Third, and a very important point, is the increasing number of cyberattacks. According to Gartner, there was an increase of 53% between 2021 and 2022. This comes as no surprise. As we go through digital transformation, we expose more and more web applications and APIs on the internet, increasing the attack surface for cybercriminals.
Lastly, it's essential to address misconfiguration breaches that can occur unintentionally.
Given all these factors, software companies should consider security from the very beginning.
It's completely understandable that entrepreneurs strive to build their product and bring their idea to market as soon as possible, and security can often be seen as an add-on. The 'once I get the first few customers, I'll start to care about the security aspect' approach is risky. Following this path can still make companies succeed (if no security incidents occur), but it can also make them disappear sooner than they can imagine. Having said that, companies have to find the balance and always assess the risk.
The most common cyberattacks are listed in the OWASP Top 10, including SQL injection, cross-site scripting (XSS), and others. These attacks can have various impacts on companies, such as data theft, sabotage, or service unavailability. For SaaS companies, unavailability is particularly crucial as it directly affects their customers.
AI represents a tremendous opportunity to shift from reactive to proactive security. This means AI could help spot signals of cyberattacks before today's security engines can detect them.
In the case of UBIKA, the company's mission hasn't changed for the past twenty years. We have been helping companies protect their web applications and APIs. What has changed is the ecosystem, and AI, as mentioned above, can assist UBIKA and our customers in enhancing security measures.
At UBIKA, we believe that AI-related features, like all other features on our roadmap, should be planned together with our customers. Currently, we are working with a dedicated group of customers to define our common vision for AI. This collaborative approach ensures that the AI features we develop align with our customers' needs and expectations.
Unsurprisingly, the biggest challenge for me as a product manager, and for product management in general, is customer satisfaction. The challenge is to constantly make as many customers happy as possible within an environment of limited resources. The thought of 'how do I prioritize my backlog to satisfy the majority of my customers' is what I wake up with every day.
It's certainly customer attrition (churn) that I focus on the most, along with customer satisfaction, which can be measured using metrics like NPS (Net Promoter Score) or CSAT (Customer Satisfaction) scores.
At UBIKA, we build things with our customers for our customers. This is a very important dogma at our company. One of the tactics we use is building a working group—a group of customers who cooperate with us in defining and planning new features. This allows us to deliver what the customer truly expects, not some made-up representation of their needs. The working group process includes questionnaires, face-to-face meetings, and on-site workshops, helping us fully understand how they use our software and how it aligns with their ecosystem.
This is a very strategic topic, of course. For core competencies or key differentiators in the market, it's probably wiser to consider the 'build' option. However, if time to market is the primary objective, purchasing and assembling the components could be more efficient.
Our customers seek a holistic approach to protecting their digital assets. Instead of protecting a single application, they need to secure applications, APIs, and databases across their entire ecosystem. Therefore, our approach to integrations is to build partnerships with critical players in our customers' ecosystems. We developed our WAAP Gateway to interact with third-party solutions that are important in our customers' environments.
There are multiple layers when it comes to integration. Of course, we offer an API, but we go the extra mile and offer something we consider one of our key differentiators: a drag-and-drop workflow builder. Using this tool, our customers can model a security policy that includes decision-making and also helps them incorporate other solutions as part of the process.
For example, if the customer faces many attacks from bots, they can use the UBIKA API to blacklist the IP in an external system. Similarly, UBIKA can send signals to other solutions, like anti-malware, to check if a file is malicious or not.
We've spent around 40 minutes with Nejib and learned plenty of useful information about the importance of cybersecurity for SaaS companies in the world of rising cyberattacks. You can look forward to more interviews with inspirational product leaders and contribute questions you're most interested in. We'll ask them in our next episodes, and our brilliant guests will provide answers.
You’ve just read an interview from our podcast, where we speak with product leaders who share their experiences.