Thinking that security is a feature is just as flawed as worrying about a business model later.
Microsoft never used to take security seriously.
It was commonly known Microsoft would always err on the side of user ease of use instead of focusing on making sure their products were properly secured. Many could argue this mindset was one of the major reasons they became so successful and dominated whatever market they moved into during the 1990s and early 2000s.
Security is always a trade-off against ease of use, and this is absolutely the case with software. Microsoft knew this and really only dealt with security when they absolutely had to, namely when their users demanded it and typically after something epically bad happened with Outlook, Internet Explorer, Windows or IIS, MSSQL, etc. Microsoft really just viewed security as a feature that could be added later down the road to products and services as needed, or put off until they were absolutely forced to do it. A feature is typically something that is an add-on or “bolt-on” to the core product. They really did see security options as features instead of building in the hooks they needed to keep their products secured at their core.
After numerous security breaches with their products, Microsoft took on a massive effort a few years ago to really try and change this “security as feature” culture. I remember attending a security seminar at the Microsoft offices in downtown San Francisco and the Microsoft rep mentioned to me the change in thought on security was akin to “turning around the Titanic.” Shortly after that seminar, Vista and UAC arrived along with the constant patches via Microsoft and Windows Updates. Microsoft has made tremendous progress in this area now but still suffers effects from the security flaws today, as they remain baked into their brand reputation. They should have seen that security should be thought about and engineered along the way with development and not as an afterthought. It’s fundamental to the quality and success of the products they make. It must be a simultaneous process. It is not sequential (product first, then security).
At a talk with Biz Stone over at the JCCSF, it hit me. Recent web and social media entrepreneurs and the companies they start up are running into a problem not all that unlike Microsoft. In the rush to get a fun or cool product out there and get public mindshare, they focus on the user experience, traction and buzz. But they forget about something critical: the business model. To me, these companies are minimizing or delaying a problem they don’t want to deal with until they absolutely have to (just like Microsoft did with security).
This is unfortunate. We have all seen the patterns with YouTube, Facebook, Twitter and other startups that are totally great and innovative as they start to grow. The founders are energized, the investors are excited because people are using the service, but the hammer eventually falls when they are forced internally or externally to get to monetization.
During that JCCSF interview, Stone took the approach that you should make something of value first then look to see what you can do with it. This is not uncommon. It is actually pretty much the way most startups happen. You kick something around and see if it sticks. If it does, then you take it to the next level. This totally makes sense because there can be a lot of ideas and products that just aren’t worth pursuing, so having things live or die through some sort of natural attrition is pretty familiar. Yet, it was very clear to me that Stone didn’t feel a business model was all that critical a first part of the whole evaluation and “sticking” process. This really struck me because the flip-side of this wonderful startup process is that you can get something “sticky” with a userbase but not sustainable. Or, in order to make the company/product/idea sustainable, they will have to basically come in after and damage it with something that will mar/dilute the value of what they built, probably in the form of injecting ads. Thinking about how to sustain that which you are building is fundamental to the quality and success of the products; it should not be an afterthought. Jamming ads in Facebook feeds or mandating promoted tweets forced into streams for users detracts from the overall user experience that was the reason they came to you to begin with. Users are not coming to your site to view ads.
Visitors are hopefully coming to use your product because it is great. But the greatness is diminished because of the ads you have to have now, due to not taking the time, when you could have, to protect your product from being mutated to get to monetization and sustainability. We have all seen websites and services always decline when they had to reach for the ad revenue because they had to go somewhere outside the product for cash. Business models must always be part of the product development. It’s not a feature. It’s not necessarily the fun part at the beginning and that is probably why people don’t want to deal with it at first. But we are all seeing what happens when services and companies don’t think about how things are going to work for the longer term right from the beginning and throughout their development. It will most likely come back to haunt them just as security continues to do with Microsoft.