I vividly remember how shocked I was after reading a research paper on how freelance developers handle data security of their solutions (hint: they really don’t). Turns out, unless you explicitly state you want your application data (such as username and password) to be stored securely, you won’t get it, even if your main requirement is to create a user registration page. For me, as a user of many web apps, it was horrifying. Of course I want my personal data secure! This should go without saying!
What gave me an even bigger pause was thinking back to my years as a Product Manager. I remember how it was working with deadlines. Data privacy, if mentioned at all, would be one of the topics you work on last. That’s just how it is when you’re developing a new product. You focus a lot on core features, the ones that can set you apart from your competition. And if you’re like me, you’ve hired smart experienced developers whom you trust to do the right thing. Of course the data has to be secured, it goes without saying! Turns out, if you don’t say it, it won’t get done unless you’re extremely lucky.
In a way, it makes sense. No one picks one application over the other because this one protects user data better. As a user, you look at the core features first, and only when two products are roughly the same you may look at security as a deciding factor. Businesses know that. Keeping user data private is a cost, it’s not what brings money.
So we end up in situations like Google accidentally sending your private photos to a random stranger after you requested a download (this was luckily fixed in the meantime). Zoombombing is still a thing.
It’s not like these are small or underfunded companies. It’s also not like they don’t care about security or user data privacy. So why do we see such scandals? Well, data privacy means you need to manage who should have access to what at what time. It’s hard to get it right. What’s more, security isn’t usually a core competence of companies making software products. User data privacy is rarely a fundamental feature. Therefore, securing your users’ data always ends up as an afterthought. Even if you create a dedicated team with sole focus on the topic, they will have to compete for resources with teams who deliver actual business value. Guess who wins?
When your data privacy is only a cost center, you won’t do it right. It’s hard to get it right. It’s even harder to get it right without affecting your software’s performance. When your core competency lies elsewhere, it will always be a better investment for you to work on new features to wow your users and set your product apart from competition.
That’s why, if you have an opportunity to let someone else take care of securing your app, you should. And I don’t mean you should leave this task to contractors (based on the research I mentioned earlier, that should be the last thing anyone does). I mean search for an actual off the shelf solution, where some other company made data privacy and cyber-security their core competencies.
It may feel scary at first - if user privacy is your concern and you know it’s difficult to get it right, why should you let another company do it for you? Wouldn’t they make a mess of it? Possibly. But there is a high chance that a company providing app security as a service optimized the heck out of their solution. They likely use the most efficient technology. They most certainly are squashing bugs as soon as they’re discovered. They can offer you support and SLAs that your internal team could never match. That is because for those companies, data privacy is precisely what brings them money. Can you say the same?
I bet you’re not producing your own electricity, even though your company couldn’t exist without it. You also probably aren’t producing your own CPUs to run the software you’re building. Security of your application isn’t all that different.