Amit Sharma is VP, Product Management at Gen, a cybersecurity company owning brands such as Norton, Avast, AVG, Avira, Lifelock, etc. He began his career in software engineering at Infosys before pivoting to project and product management in his tenure there. Amit then spent 10 years working at Symantec in various roles, including program and product management. Before his current role at Gen, he served as Senior Director of Product Management at NortonLifeLock.
In our conversation, Amit talks about the differences between managing cybersecurity products for enterprises versus end consumers. He shares how he aims to balance security, compliance, and user experience, as well as how he’s successfully transitioned to working on new product lines and verticals within a company.
The enterprise cybersecurity markets have multiple areas. Cybersecurity is made up of layered technologies that work together to provide full protection. However, if you look at the enterprise market alone, there are various options: endpoint solutions, network protection solutions, and data protection solutions, all of which can have cloud components to them.
With an enterprise product, every single employee’s device needs protection. There’s also an administration console that can be used based on different roles within the organization. All of these products need to be integrated with each other and provide role-based access to the administration console. For this reason, enterprises require scale — the solutions need to address policy management, updates, patches, and more. Further, we can either sell directly to the enterprise customers or through a partner network.
Consumers, on the other hand, can buy products directly from our website or through our retail partners like Amazon, Best Buy, Staples, etc. Our products are sold pre-installed on devices, and they can also come from telecom operators like Verizon or AT&T. We’ve also added an employee benefit channel to our portfolio, which includes companies like AAA, AARP, Visa, MasterCard, etc., that reward employees for protecting their devices. In terms of usage, consumers can protect their own devices, their family or children’s devices, etc.
Lastly, a consumer expects to have all of their subscriptions managed in a single invoice or grouped together in their account details. They want access to all of their subscriptions so they can manage them at any time. That’s another key difference, as well as the regulatory environment consumers operate in.
From a strategy perspective, we need to look at how the attack surface is evolving. 20 years ago, we started out with basic malware affecting devices, which then evolved into trojans, spyware, adware, rootkits, etc. From there, attackers started using advanced techniques such as scripting to create fileless attacks, encryption to create ransomware, social engineering to create phishing attacks, etc. Now, AI has changed the game. 90 percent of consumer attacks are scams from AI bots and new privacy and identity threats are emerging. All this to say, our strategy cannot be static — it has to evolve.
Second, the operating environment is changing. Before, software vendors dealt with attackers and adversaries, but now, the operating system themselves have realized that their devices need to be secure. So, Microsoft has started providing Defender as a default endpoint protection mechanism, for example.
Also, our strategy has to look at changes in consumer needs. If they feel that their devices are automatically secure, what else can we provide to them? Microsoft, Apple, and Google are all making an effort to keep their devices secure, so our job as a software vendor within this ecosystem is to create additional value for the customer to protect them from emerging threats on and beyond their devices.
Last is the regulatory environment. We have seen an evolution of privacy laws. For example, the EU came up with GDPR, California has CCPA, etc. These entities have all added requirements for us. And the regulatory environment of the different countries that we operate in is always changing. We always consider this when looking at our strategy.
Products should be built with user privacy in mind. Nearly every vendor operating in our industry now works with this design principle in mind to respect users’ privacy. Also, most of the products should be accessibility compliant. We need to think about how our products can be used by people with various disabilities. Second, how do we protect the user without collecting data from the machine as much as possible? And if we do collect the data from the machine, how can that data be anonymized?
Third, when we build cryptography within our products, we need to start with it already adhering to export standards. Likewise, when we’re looking at the URLs the customer is browsing or building a VPN product, cryptography should be built in. Lastly, products need to be certified and tested by third-party agencies to get the certification to sell in specific countries. All of these elements need to be considered when we figure out design and strategy.
Cybersecurity is complex and hard for people to understand. With enterprises, we’re working with administrators who understand how they need to manage a security product. The teams that sell our products need to have a good understanding of the security landscape. The expectation from an enterprise product is very different, because even though we adhere to some of the design principles I mentioned, the teams we work with have a default understanding of cybersecurity layers.
Consumers, on the other hand, are the exact opposite. They do not want to deal with cybersecurity. They buy cybersecurity products as assurance that somebody has their back. They want them to work in the background — it’s not like a social media product where you’d expect to open it 10 times a day for new messages.
To balance this, we first focus on the product being intuitive enough to install and get working quickly. That means the product should come pre-configured. We cannot expect the user to understand everything to set up the product for their needs. We assume they don’t know anything about security and apply our own judgment to create the best possible configuration for the average user.
The second principle we follow relates to engagement. Some cases require the user to act. For example, if we want the user to use a password manager, they have to install one and get used to using it. So, how do we do that? The best way is to create motivation for the user to use a password manager. Gamification is one of these tactics, as well as using visual cues that create awareness and motivate the user to adopt features. We apply the same idea for having users create a backup — we have risk scores, dials, and badges to motivate them to do these actions.
Third is automation. We don’t expect customers to manually update our software every time, so the AI models that we use send these to devices automatically. It should all happen in the background. The last principle is personalization. To do this well, we need to understand the behavior of the user. For example, we’ll wait for a user’s usual idle time to do some processing so that we don’t interrupt the activity on their device. We look at this personal behavior and customize our product to tune itself up to the customer’s expectations.
I spent nine and a half years in my first company and more than 15 years in this one. Three things helped me stay motivated in the same organization while continuing to grow and learn new things.
First, I tried different roles to get exposure to different aspects of the company. This gave me a greater respect for every group in the business because I saw how different roles delivered against the business objectives. That was really beneficial — I understood the importance of everyone in the organization, as well as how we could work together effectively.
Also, I got experience in different geographies — I worked in India, Europe, and the US. Different cultures and backgrounds helped me learn the way of working within each geography, as well as the expectations from consumers in each location. Overall, this informed product strategy for each region.
Lastly, I changed product lines. I started my career in mobile application development and then moved into the telecom sector before taking on a full-time role managing the London Olympics rollout for fiber. And when I moved into Symantec, I was on the enterprise side for the first nine years and changed product lines three times. That helped me not only move up the ladder, but get a horizontal view of the entire organization.
My default posture is that it doesn’t matter whether you are in an enterprise environment or in a consumer environment. Any company exists to solve a key customer problem, and your company either solves it differently compared to competitors or you’re the first one to solve it altogether. So, you need to learn and understand the key customer problem you’re solving for and how you’re solving it uniquely in the market. That’s the first thing.
The second thing is understanding the market you’re in. You need to do your own research about the market itself, who the key players are, what the regulatory and compliance environments look like, and who the stakeholders are. What is the total addressable market? What is your market share and what areas are you winning in? How are you playing on our strengths? How are you hiding weaknesses? Those are key areas that you should learn whenever you get into a new product line or a vertical.
Also, you need to look at corporate strategy. Is the new vertical or product line aligned with the strategy the overall business has in place? And if it is not aligned, how can you create that alignment? Unless there is a synergy between the corporate strategy and the product line strategy, you will not be able to win in the environment that you’re operating in.
My team members need to understand a few core things about their product. One is financials. They need to understand the P&L of the product. People often say that PMs are the mini CEOs of the product line, and as a CEO, they need to understand where the money is coming from and going. Which geographies and customer profiles support your product the most? How is the product distributed?
I also advocate for PMs to thoroughly understand how the product functions. PMs should use the product themselves every day, if possible, and have a good understanding of key metrics. Data is the new gold.
Specifically, when PMs are moving product lines, they need to understand their listening posts. In the enterprise environment, this could be a direct customer, and you usually always have someone within that organization to talk to. On the consumer side, however, you don’t have direct interactions, which means you need to rely heavily on product telemetry. You can also collect NPS feedback from the customer when they buy the product, mid-cycle, and when they renew. Those touch points are all really important in gauging how customers feel about your products.
I tell my team that if they take care of these aspects, they’ll be able to get a holistic view of the product. They can then help define strategy and deliver on these areas.
LogRocket identifies friction points in the user experience so you can make informed decisions about product and design changes that must happen to hit your goals.
With LogRocket, you can understand the scope of the issues affecting your product and prioritize the changes that need to be made. LogRocket simplifies workflows by allowing Engineering, Product, UX, and Design teams to work from the same data as you, eliminating any confusion about what needs to be done.
Get your teams on the same page — try LogRocket today.
Want to get sent new PM Leadership Spotlights when they come out?
As a PM, you shape the direction your team takes to develop, adapt, and deliver successful products to your customers
Michelle Dunivan talks about the importance of creating authentic, trusting relationships with your manager, team, and coworkers
Use cases help product managers define how users interact with systems. This guide gives you everything you need — key elements, a clear build process, and a free downloadable template!
This guide covers the biggest sources of stakeholder conflicts, explains how to fix them, and explores ways to build trust.