As someone who has built product security programs from scratch across startups and public companies for the past eight years, I’ve developed several guiding principles that have consistently helped me drive successful security initiatives. These principles have not only shaped my approach but have also strengthened partnerships with stakeholders across organizations.

In this post, I’ll share three powerful principles your teams can implement immediately to transform your security culture and effectiveness.

Principle 1: Maximum Viable Security – Finding the Sweet Spot

In 2017, I coined the phrase “Maximum Viable Security,” which has resonated deeply with organizational stakeholders throughout my career. But what does this really mean in practice?

Maximum Viable Security centers around one critical question: “Do you understand the point of diminishing returns of what you’re proposing?”

Let me illustrate with a simple example that everyone can relate to: office key security.

Imagine you need to secure your company’s office keys. You have several options:

The bare minimum: Leave them in a cardboard box in the lobby. This approach is simple and convenient, but presents an obvious security risk that could lead to unauthorized access or theft.

The maximum security approach: Implement biometric scanners, constantly changing keycards, and hire 24/7 security guards. While this might seem ideal from a pure security perspective, it’s costly, disruptive, and creates significant friction for employees who just need to access their workspace.

The Maximum Viable Security approach: First, assess the actual risk based on your office location, value of assets, and threat landscape. Then implement security in stages:

• Immediate: Install a locked metal box for key storage
• Short-term: Add a sign-in sheet and camera for accountability
• Mid-term: Implement keypad access for high-risk areas
• Long-term: Develop a plan for advanced systems as the company grows

This graduated approach delivers substantial security improvements (perhaps 85-90% risk reduction compared to the cardboard box) without disrupting daily operations. Your employees maintain productivity while critical vulnerabilities are addressed.

Unfortunately, many security teams still fall into the trap of pushing for the absolute maximum security without truly understanding its impact on business velocity. They advocate for solutions based on security ideals rather than business realities, resulting in frustration and eroding trust between teams.

Remember: security teams exist to serve the business. As a product security professional, you must consider the overall business objectives and understand the trade-offs that arise when proposing any security control or guidance.

Taking a holistic approach through Maximum Viable Security builds trust with your stakeholders and ensures everyone operates on a level playing field. It emphasizes risk-based decisions over excessive, impractical measures, ensuring security enhances, rather than impedes, business growth.

Principle 2: Customer-Centric Security – Security That People Want to Use

The most effective security solutions consider the perspective of both internal customers (developers, partner teams) and external customers. By understanding their behaviors and challenges, you can create solutions that provide a positive, seamless user experience.

People naturally seek the path of least resistance when adopting solutions. Only by building customer-centric security can you create something they’ll actually want to use.

Ask yourself: “Am I building the right thing for my customer?”

Consider a development team implementing secure code practices. A customer-centric approach doesn’t simply mandate complex security requirements that slow down development. Instead, it provides:

• Security tools seamlessly integrated throughout the developer workflow – from IDE plugins that catch vulnerabilities during coding, to pre-commit hooks, automated scanning in CI/CD pipelines, and deployment security checks that require minimal developer intervention
• Clear, actionable feedback rather than vague warnings
• Templates and libraries that make secure coding the easiest option
• Training that focuses on real-world scenarios they encounter

This approach empowers your customers to focus on their core responsibilities while still maintaining proper security practices. When security becomes a natural part of the workflow rather than an obstacle, everyone wins.

Principle 3: Thinking Long-Term – Beyond Reactive Security

How often does your team fix a vulnerability only to see the same type of issue reappear in a different context months later? This pattern emerges when teams focus exclusively on short-term goals and reactive security measures.

Before delivering security solutions, ask: “Are we set up for success in the long term?”

For example, when addressing an SQL injection vulnerability, a short-term approach might patch that specific instance. A long-term strategy would:

1. Analyze the root cause (perhaps lack of parameterized queries)
2. Implement organization-wide secure database access patterns
3. Create developer training on secure data handling
4. Add automated scanning for similar issues across all applications
5. Establish governance processes to prevent recurrence

While addressing immediate issues is important, your solutions should solve problems holistically and at scale. This approach effectively mitigates risk across the organization and prevents recurring vulnerabilities.

Putting It All Together: The Strategic Security Advantage

By implementing these three principles—Maximum Viable Security, Customer-Centric Security, and Long-Term Thinking—your product security program can evolve from a series of reactive measures to a strategic asset that adds real value to your organization.

The most successful security professionals understand that security isn’t about preventing all risk at any cost. It’s about enabling the business to move forward confidently, with security controls that are proportionate to the actual risks faced.

When your security team becomes known for thoughtful, business-aligned solutions rather than rigid compliance demands, you’ll find stakeholders proactively seeking your input rather than trying to work around you.

What principles guide your security program? Have you found other approaches that help balance security with business needs? I’d love to hear your thoughts in the comments below.

Looking to strengthen your organization’s product security program? Contact me to learn how these principles can be applied to your specific challenges.

I would love to hear from you all!