The Problem

Your feature stores user data. In week 3 of development, security asks: "Is this PII?" "Do we need encryption?" "What's the retention policy?"

You don't know. You didn't think about security. Now you're 3 weeks in and re-spec'ing.

The Trap

Many PMs treat security like compliance—a checkbox, a thing security handles. "Let them do their job; I'll do mine."

This is dangerous. Security considerations affect the entire product.

The Shift

Think of security as "what can users trust us with, and how do we protect it?"

Security doesn't slow you down if you spec it upfront. It slows you down if you ignore it and find problems mid-development.

Actionable Steps

1. Identify Data Types

For every data collection in your feature:

DataSensitivityRetentionAccess
EmailHigh (PII)Indefinite until deletionAuth team only
Usage metadataMedium90 daysProduct analytics, exportable by customer
Payment infoCriticalUntil subscription endsThird-party processor, never our servers

2. Spec Encryption & Access

Data Security for [Feature]:
- Email stored: Encrypted at rest (AES-256)
- Email in transit: HTTPS only, TLS 1.2+
- Access: Only authenticated users accessing their own data
- Audit log: All access logged, monthly review
- Third-party access: None (data processors sign DPA)

3. Define Retention & Deletion

Data Retention:
- We store event logs for 90 days
- User can export anytime
- User can request deletion (soft-delete after 30-day hold, hard-delete after)
- On account closure: All data deleted within 30 days

4. Plan for Threat Scenarios

Ask security: "What's the realistic threat?"

Example:

  • Threat: Unauthorized access to user emails
  • Mitigation: Encryption + access controls + audit logs
  • Detection: Monthly audit of access logs
  • Response: Incident playbook exists before launch

5. Compliance Callouts

If you're targeting regulated regions:

Compliance for [Feature]:
- GDPR (EU): Personal data processing, user consent, export/delete rights
- CCPA (CA): User data access, opt-out, no sale of data
- SOC 2 (Enterprise sales): Encryption, access controls, audit logs

Key Takeaways

  • Security in the PRD prevents late-stage rewrites. 30 min upfront saves 3 weeks of rework.
  • Encryption and retention are product decisions. Spec them like you spec features.
  • Trust is the product. Users choose you partly because they believe you won't lose/leak their data. Bake security into the PRD and you deliver on that promise.