Category Archives: requirements management

Product Management and SaaS Security Issues

Earlier this week Scott Wright of Streetwise Security Zone and I got together and created a podcast exploring security issues that product managers wrestle with when they transition to a SaaS model to deliver their product. Scott in this podcast offers some great tips and advice on the following topics:

  1. Moving from isolated software products to offering them as a service
  2. Basic considerations for securing services, assurance for customers
  3. Separating data between clients who could be competing with each other
  4. User login security considerations
  5. Who administers users, and who administers the system?
  6. The big picture – communicating new kinds of risks to senior management

I highly recommend product managers visit Scott’s website and blog to expand their knowledge in security. Thanks Scott!

Iterative Requirements Management

Your release plan is done (or as done as it’s going to be at this stage). Your best estimates indicate that the development team can probably implement the top 10 to 15 items to meet an acceptable window of opportunity. The team has committed to implementing the top 3 or 4 items in the backlog in the first iteration. So now what? Well, open Word with your trusty, well-used, highly refined requirements specification template and begin writing requirements. Right? WRONG! This template probably started with great lean-ness to it; but over time more sections were added to make it “complete” … until the next new section is added. I see this so often that I wonder why we do this. We essentially are asking our product management team to write full requirements specifications within a short period of time. If you have a small PM team, then it’s virtually an impossible request. The result is that requirements are late, incomplete, not at the right level of depth, maybe even all of the above. Which means that the development team will usually “wing” it, and the PM task turns into a retro-specing exercise. Whether using an Agile methodology or a Unified Process methodology, our development teams develop iteratively (at least they should). They focus in on the next iteration and “grow” the release as they move from iteration to iteration. They tackle the high risk items early in the project. Etc. Etc. So why are requirements managed differently? Maybe because the template was approved some time ago in response to some botched feature and no one took a step back and asked how this can be better performed.

The goal of documenting requirements is to record the needs of the users in terms that development can build from. In other words the spec translates what the user needs to solve one or more of their problems into a format that development can use to design and build from. The underlying goal is that the development team needs to understand what it is that needs to be built so that they can come up with a design and an estimate for effort and risk. Collaboration between product management (representatives of the customers) and product development is essential … throwing a fully-baked requirements spec over the wall does not constitute collaboration. Presenting the requirements in layers is a better approach to achieving the goal.

So let’s break this process down into three essential layers where we present information in ever increasing depth and amount until development understands what they need to do … and no further!

  1. Key Requirements. The first layer is an identification of the essential requirements – those that drive / shape the feature or capability. These are the requirements that are non-negotiable, i.e. you can not go to market without these being met. The first step is to make sure that these key requirements are captured. I recommend no more than 5 requirements, expressed as user stories or high-level use cases or declarative statements – the point is that you capture them so that the development team understands them. Present them to the team (or a subset of the team) as soon as you have them, from which they should begin thinking of the design and effort and risk.
  2. One-page Requirements Document. If step 1 is not sufficient enough, i.e. the development team does not have enough information to come up with estimates for effort and risk, then the next layer is to create a single page requirements specification. Add detail such as usage scenario, actor/persona, problem solved and more depth to the key requirements and possibly even more requirements. Remember that the goal does not change – development needs to get to a level of understanding where they can come up with a design and effort and risk estimates.
  3. Requirements Specification. If the previous steps are not sufficient, then the full-blown requirements spec is the last layer. In these cases the feature / capability is possibly something brand new being added to the product. You should consider maybe dividing this into smaller chunks; in some cases that may not be possible.

By managing your requirements iteratively you can put the appropriate amount of effort into your requirements that’s needed to achieve the goal (i.e. develpoment understands what’s needed from them). Do not waste your time writing requirements that do not add value to achieving this goal. In other words, once you have reached your goal, stop and move on to the next item.

Conveying Requirements to Development

Quick survey, show of hands … How many reading this post use email? 1, 2, 3, 10, 100 – ok everyone! Question #2 … How many use email for sending documents? 1, 2, 3, 10, 100 – ok everyone! How often have we seen email used as a means of sending a document over the wall – far too often. I’m sure you are thinking the same thing. Your email goes bing; you read it and think where did this come from. Email is supposed to be a communication tool; but it sometimes just doesn’t work.

What happens when product managers send their requirements document over the wall to the development team? In some cases, the designer interprets the document properly and the resulting design document properly reflects those requirements. However, in more cases than we’d like to admit to, the design does not even come close to aligning with the requirements. What happened? The product manager wrote everything correctly, but the designer didn’t interpret it the way the product manager intended. Something was lost in the translation.

The goal of a requirements document is to convey what the feature or capability must do. When things go awry, it’s most likely caused by misinterpretations. In other words, the product manager and the designer (or developer or analyst) need to be on the same page. The product manager must convey his thoughts and knowledge to the designer. In many cases a document attached to an email does not do this.

Here’s what I suggest …

  1. After you understand what the key requirements are and who the key users are, arrange a meeting with the development group to present your findings. Don’t wait until you have everything and certainly don’t wait until everything is written down.
  2. Put together a 30 minute presentation (10 slides or so) that contains: your vision of the feature, what problems it solves,  and who it solves them for; the typical scenarios in which this feature will be used; and the top 5 functional requirements (expressed as use-case summaries) and top 5 non-functional requirements (expressed as declarative statements).
  3. During the presentation ask the audience to parrot back what you just presented, but in their language. This is the most critical part. They have to understand what your intentions are right from the get-go – it will set the tone for the design efforts that will begin as soon as everyone heads to their desks.
  4. After the meeting send your presentation to the development team and set a follow-up meeting to review additional requirements and the initial design. This is where the iteration process starts. Don’t wait for everything to be completed … iterate your way to completion. While you are waiting for the next meeting, write your requirements document based on the contents of the presentation.
  5. During the days leading up to the next meeting, walk over or phone the development lead to see where they are at. Make sure that they are moving down the right path; listen for hints that they are not following one of the key requirements or have made assumptions about what you presented (remember that people only retain 10% to 25% of what they hear during presentations).

Try it … I think it will help you to ensure that your development team truly understands what you want them to build. And please, don’t throw the document over the wall.