In most product organisations, security is treated as a non-functional requirement: something the engineering team handles, something that gets tested before release, and something that product managers do not need to think about deeply. Nick Boucart from Sirris argues that this mindset is not just outdated. It is actively dangerous.

At PR_D_CT DAY 2025 in Ghent, Nick presented a compelling case for reframing security as a core product feature rather than a technical checkbox. Drawing on his experience advising European technology companies, Nick showed how security-by-design thinking changes the way product managers approach discovery, prioritisation, and competitive positioning, and why the companies that embrace it now will have a significant advantage over those that do not.

For an audience of product managers who often defer security decisions to their engineering counterparts, the talk was a wake-up call about the strategic implications of security and the product manager's responsibility in driving it.

slideshow

Original Presentation Slides

Download the slides from this talk as presented at the gathering.

Security as a Product Differentiator

Nick opens by presenting data on how buyer behaviour has shifted. In enterprise and B2B markets, security questionnaires are now a standard part of the procurement process. Companies that cannot demonstrate strong security posture are eliminated from consideration before the product is even evaluated on its functional merits. Security has moved from a back-office concern to a front-office competitive factor.

He argues that this shift creates an opportunity for product managers who recognise it early. Rather than treating security compliance as a tax, they can position security as a feature, something the product does well that creates tangible value for the buyer. In markets where every competitor offers similar functionality, security can be the differentiator that tips the buying decision.

“Your competitors are adding the same features you are. Your competitors are copying your UX patterns. Your competitors can match your pricing. What they cannot easily copy is a deep, embedded security architecture that was designed in from the start. That takes years to build, and it shows.”

- Nick Boucart

infoThe European regulatory advantage

Nick points out that European companies, particularly those operating under GDPR, NIS2, and the Cyber Resilience Act, already have a head start on security thinking compared to many international competitors. Product managers who lean into this regulatory context rather than resisting it can turn compliance into a competitive moat.

Embedding Security in Product Discovery

The practical core of Nick's talk focuses on how product managers can incorporate security thinking into their existing workflows without becoming security experts. The key insight is that security-by-design does not mean product managers need to understand cryptography or network architecture. It means they need to ask the right questions at the right time.

Threat modelling in discovery: during the discovery phase, ask what could go wrong if this feature is misused or compromised. This surfaces security considerations before design decisions are locked in

Data sensitivity mapping: for every feature, identify what data it touches, how sensitive that data is, and who should have access. This becomes a design constraint rather than an afterthought

Abuse case scenarios: alongside user stories, write abuse stories that describe how a malicious actor could exploit the feature. This shifts security thinking from defensive to proactive

Compliance-aware design: understand which regulations apply to your product and incorporate their requirements as design inputs rather than post-development audits

Nick emphasises that these activities add minimal time to the discovery process (perhaps thirty minutes per feature) but they prevent security issues that would take weeks to remediate if discovered later. The return on investment is overwhelmingly positive.

The Intersection of Security and User Experience

One of the most engaging sections of the talk addresses the perceived tension between security and user experience. The traditional view is that security makes products harder to use: more passwords, more verification steps, more friction. Nick argues that this is a false trade-off driven by lazy security design.

Invisible security

Nick presents the concept of invisible security: security measures that protect the user without requiring them to take action. Examples include anomaly detection that flags suspicious activity without requiring additional authentication for normal behaviour, encryption at rest and in transit that happens transparently, and intelligent session management that balances security with convenience. The product manager's job is to push for security implementations that protect without interrupting, rather than accepting the default approach of adding friction.

He shares examples of products that have made security a positive user experience: password managers that make authentication easier rather than harder, privacy dashboards that give users visibility and control, and security notifications that inform without alarming. These examples show that security and UX are not opposing forces. They are complementary design challenges.

lightbulbThe trust multiplier

Nick observes that visible security features (privacy controls, data export tools, transparency reports) actually increase user trust and willingness to engage with the product. Users who feel secure are more willing to share data, adopt new features, and recommend the product. Security, done well, is a growth driver.

Where Product Managers Should Start

Nick closes with a practical starting point for product managers who want to incorporate security thinking into their practice but feel unqualified to do so.

check_circleSchedule a thirty-minute session with your security or engineering lead to understand the current security architecture. You do not need to understand everything, just enough to ask informed questions

check_circleAdd a security consideration section to your PRD template. Even a simple prompt to think about data sensitivity and potential misuse can prevent major issues

check_circleInclude security-related questions in customer interviews. Ask enterprise buyers what their security evaluation process looks like and what would make them confident in your product

check_circleFamiliarise yourself with the regulations that apply to your product. GDPR, NIS2, and the Cyber Resilience Act are the most relevant for European product managers

The talk concludes with a message that brings the conversation full circle: security-by-design is not about product managers becoming security experts. It is about product managers recognising that security is a product concern, not just a technical concern, and taking responsibility for ensuring it is addressed at the design level. For the Belgian and European product community, where regulatory pressure is increasing and enterprise buyers are becoming more security-conscious, this shift in mindset is not optional. It is urgent.

Security-by-Design: Making Security a Product Feature

Original Presentation Slides

Security as a Product Differentiator

infoThe European regulatory advantage

Embedding Security in Product Discovery

The Intersection of Security and User Experience

Invisible security

lightbulbThe trust multiplier

Where Product Managers Should Start

This article is for Consortium members

Key Takeaways

Related Editorials

Product Management in the Maturity Stage

Navigating the AI Bubble