Leader Spotlight: Shaping product within the cybersecurity space, with Rumna Mishra
Rumna Mishra is VP, Product Management at Malwarebytes, bringing a wealth of experience to the cybersecurity industry. She began her career in software engineering before becoming a business analyst at Hewlett-Packard. From there, Rumna joined CSAA Insurance Group as a system analyst before transitioning to Symantec, where she worked her way up into a senior product manager position. She has been at Malwarebytes for the past nine years and has served in various roles leading product strategy and development.
In our conversation, Rumna talks about how the cybersecurity landscape is evolving — shifting from isolated point solutions to comprehensive platform solutions. She also shares her approach to developing product roadmaps that balance product efficacy, new product introductions, and features that harden an already strong platform.
A holistic approach to cybersecurity
At Malwarebytes, you’ve helped to define the company’s overall product vision. What key industry insights influenced your vision, and how did you prioritize long-term differentiation in the fast-evolving cybersecurity market?
The cybersecurity market is shifting from traditional antivirus software to a more holistic approach against evolving threats like ransomware, phishing, and identity theft. It’s not just about theft prevention anymore but is focusing more on being a business enabler. If something goes wrong in your environment, your entire business stops.
When talking about things that influence our long-term vision, the first thing to mention is that cybersecurity extends beyond the endpoint of laptops, mobile devices, etc. Many small, medium, and enterprise businesses are going from on-prem to cloud solutions. We need to protect that cloud too. It's not just about computers these days — we've got to make sure our network security is rock-solid everywhere because cyberthreats can pop up on any device that's connected to the internet. It's a whole new ballgame out there.
Second, there’s been a shift toward managed security. Especially since the pandemic, many businesses have gone remote. A lot of big companies now take a hybrid approach. Small and medium businesses don't have dedicated security and IT professionals to manage their environments, so managed security is more of a prominent option. That's where the market is going.
Automation plays a huge role too. IT and security admins just don't want to feel fatigued from so many alerts. AI is coming in to disrupt this. The last thing I’ll highlight is business model evolution. Right now, cybersecurity software is not just a one-time purchase — it often requires multiple vendors. People don’t want that anymore. At Malwarebytes, we’re differentiating by extending beyond our endpoint security solutions into MDR, identity protections, and other features in that area. We also want to be easy to use so that businesses of all sizes can seamlessly integrate with us.
The importance of customer feedback
You mentioned AI. With the growing complexities in the cybersecurity space, how do you balance innovation with security when incorporating new and evolving technologies like AI into your product strategy?
AI brings a lot of innovations, but at the same time, it's risky — we don't know what’s being used, how it’s being used, who’s using it, etc. As we all know, everything is starting to incorporate an element of AI. So, in talking about cybersecurity innovations, we need to make sure we are deliberate about what we are designing and how we are controlling our environments. Every new feature that we introduce risks an attack.
For my team, this means that we have to have a tight relationship with our threat intel team. We work together to stay ahead of the new threat intelligence research coming out, and use that to shape our roadmap. We couldn’t keep building features as a cybersecurity company without making sure our existing product is efficient enough. We track everything threat intelligence-related and always keep it as a high priority.
Also, customer feedback is really important to us. Every customer environment is different — some have numerous applications and extensive networks, while others are smaller in scale. Our customers’ feedback is very crucial for building out security solutions because we need to understand all of their needs, potential vulnerabilities, and security threats they might face. It helps us tailor our solutions to fit their real-world challenges.
Customer feedback is a big aspect of shaping the product roadmap, as you just highlighted. Is there an example you can share of some valuable customer feedback that you've gotten that you've implemented in your product strategy?
A lot of our customers use applications like Word, Excel, and PDFs. We include anti-exploit solutions as a part of our cybersecurity product because these are all easily exploited applications. Especially if you’re running older versions of Java or PDFs — those can be like an open invitation for attack. We include Malwarebytes best practices as a part of our offerings.
Also, many companies, such as government organizations, don’t regularly update their software due to resource or budget constraints. There’s a lot of legacy software out there, and many times, our customers have said, “The product is blocking my ability to open this application.” So, we created the ability to make exceptions for that. It’s like giving them a special ‘override’ button for when they really need it.
Aligning the product roadmap with market research
The product lifecycle in cybersecurity is often longer and more complicated due to security testing and compliance. How do you handle this extended lifecycle in terms of managing stakeholder expectations, resource allocation, and time-to-market?
In traditional software, people can test and launch fairly quickly. In the cybersecurity space — and especially the business environment — the customer wants more time to run their proofs of concept. They need to ensure that this won’t interrupt their day-to-day operations and will seamlessly integrate into their environment. As a result, the sales cycle for us is often a little longer compared to traditional software.
The bigger piece is compliance requirements. In cybersecurity, we need to do a compliance check, especially if we’re working with schools or federal governments. Security validation is also crucial. This is the case for every company — when they implement something, they need to make sure their security compliance is easily checked. That takes longer as well.
Whenever we plan or roll out something, we need to make sure stakeholders are aligned with the expectations. We loop in sales and marketing because sometimes getting stuff to market can take a bit longer than usual. Our strategy is to break things into smaller pieces to test with a small customer base. This way, we make sure we get feedback before we go full blaze in the market.
Overall, we maintain a balance in our roadmap, which means thinking about product efficacy versus new product introductions versus features and capabilities that harden our platform even further. Because if we don't manage and optimize our go-to-market, it won’t just be a problem for customers, but for our company as a whole.
How do you ensure that your product team is staying ahead of evolving threats and attack vectors?
The most important thing we do is market research. Our research team is always on top of the latest threats that are evolving each day. Their threat intel is embedded in our product roadmap. In my product teams, I have a group that focuses more on the core technology of the product. They work very closely with our research team to understand the security features we need to build to protect our customers. We also make sure they collaborate closely with our feature development and new offering product teams to make sure everything aligns perfectly.
If we make changes for security needs, we need to make sure they align with what’s displayed to the customer. For example, when we set up content filtering policies to protect our customers' web browsing, we don't just let it run silently in the background. Instead, we've developed a user-friendly frontend interface that gives customers visibility and control over their filtering settings.
Also, if the market is heading toward something, my team makes sure they bring that knowledge up to the rest of us. The other core component is customer feedback. We proactively partner with our customers, managed service providers, and managed security service team, to get timely feedback. We get product feedback almost every day, which is great. My team reviews, prioritizes, and responds to the feedback right away.
Lastly, we have a Managed Detection and Response (MDR) team that manages the customer environment since that's part of the service we provide. We get a lot of intel from them because they process customer data directly and ensure that our product is addressing security needs.
You mentioned that you offer a way for people to give in-product feedback. Can you share an example of that?
One of our products is vulnerability and patch management. As I said, every one of our customer segments is different. Our small business segment may not have that kind of sophistication, whereas medium-sized businesses may want it. For example, software companies often have to push patches for their software. Consider how Zoom, which most of us are familiar with, sometimes sends multiple updates asking the user to close the app and re-open it. Security professionals want control over how often to send that information to end users so they’re not disrupting their work.
Using the Zoom example, say you’re in a Zoom meeting and you get a popup telling you to update the application. That means you need to close the Zoom app, but you can’t do that in the middle of a video call. We got feedback similar to this where our customers asked for more granular control of this. They want to prompt users to give them a time window for the update so they don’t have to do it right away.
When we first started out, we didn't have all these features in the product. Our customers asked us to make some changes and we listened. We made it a priority, and customers really appreciated the changes.
The need for platform-based applications
Lastly, given your extensive experience in the cybersecurity space, what do you believe are the most critical challenges product leaders in this industry will face in the next five to 10 years?
So much is evolving with AI. Many companies now want to build a platform rather than a point solution. From a threat landscape perspective, the customer is no longer saying, “Just give me protection” — they want to make sure we are taking care of their incidents and recovering their environment from any potential threats. They also want more automation and the ability to integrate new tools into the software.
With that, AI is adding value, but it's also adding risk. People need to understand what AI can generate as malware and how exactly it can add risk to their environment. So, as a product leader, I need to make sure I’m up-skilling my team with AI skills and knowledge. Without staying up-to-date on these things, we won’t know how to build products that will prevent the next evolutions of threats.
And, as I said, people are not looking for point solutions anymore. They want consolidations and holistic, end-to-end solutions — a platform. When I say platform, I specifically mean the ability to integrate multiple security solutions into one, regardless of the providers. This means that we need to establish partnerships with other companies so people can say, “OK, if I’m using this solution from Malwarebytes, can I integrate with another vendor?” Customers should be able to do everything on the same platform — it's all about making life easier for our users while giving them the comprehensive protection they need.
The last component for the future has to do with go-to-market teams. Collaboration between product and go-to-market needs to be strong in order to drive that adoption. If we build a product, we can’t sell it unless people know about it, which is why awareness and education continue to be so crucial.