The Problem
Your feature stores user data. In week 3 of development, security asks: "Is this PII?" "Do we need encryption?" "What's the retention policy?"
You don't know. You didn't think about security. Now you're 3 weeks in and re-spec'ing.
The Trap
Many PMs treat security like compliance—a checkbox, a thing security handles. "Let them do their job; I'll do mine."
This is dangerous. Security considerations affect the entire product.
The Shift
Think of security as "what can users trust us with, and how do we protect it?"
Security doesn't slow you down if you spec it upfront. It slows you down if you ignore it and find problems mid-development.
Actionable Steps
1. Identify Data Types
For every data collection in your feature:
| Data | Sensitivity | Retention | Access |
|---|---|---|---|
| High (PII) | Indefinite until deletion | Auth team only | |
| Usage metadata | Medium | 90 days | Product analytics, exportable by customer |
| Payment info | Critical | Until subscription ends | Third-party processor, never our servers |
2. Spec Encryption & Access
Data Security for [Feature]:
- Email stored: Encrypted at rest (AES-256)
- Email in transit: HTTPS only, TLS 1.2+
- Access: Only authenticated users accessing their own data
- Audit log: All access logged, monthly review
- Third-party access: None (data processors sign DPA)
3. Define Retention & Deletion
Data Retention:
- We store event logs for 90 days
- User can export anytime
- User can request deletion (soft-delete after 30-day hold, hard-delete after)
- On account closure: All data deleted within 30 days
4. Plan for Threat Scenarios
Ask security: "What's the realistic threat?"
Example:
- Threat: Unauthorized access to user emails
- Mitigation: Encryption + access controls + audit logs
- Detection: Monthly audit of access logs
- Response: Incident playbook exists before launch
5. Compliance Callouts
If you're targeting regulated regions:
Compliance for [Feature]:
- GDPR (EU): Personal data processing, user consent, export/delete rights
- CCPA (CA): User data access, opt-out, no sale of data
- SOC 2 (Enterprise sales): Encryption, access controls, audit logs
Key Takeaways
- Security in the PRD prevents late-stage rewrites. 30 min upfront saves 3 weeks of rework.
- Encryption and retention are product decisions. Spec them like you spec features.
- Trust is the product. Users choose you partly because they believe you won't lose/leak their data. Bake security into the PRD and you deliver on that promise.