Secure Features, Sales Soar | A CPO’s Take on Application Security


 In this episode, Marcelino Moreno (CPO, Stream) shares with Venkatesh (Venky) Sundar how product managers can contribute to an organization’s growth by baking in security into the product roadmap.  

 He also shares how a product manager can influence engineering teams to prioritize vulnerability patching along with building features to ensure that the customers use a secure product.  

Key highlights from the discussion :
  • About Marcelino Moreno & Stream
  • The focus on privacy and user data
  • Why data protection = sales!
  • Going beyond compliance for building truly secure products
  • Invisible threats coming from new tools (GPT & LLM)
  • Advice to PMs on measuring the impact of security on the business


My name is Marcelino Moreno. I started my career as a developer, so my background is computer science. Over 20 years ago, I joined a consulting company. I was implementing large software solutions for enterprise companies initially as a developer.  

Then I move into management roles like project management and managing a business area. It was very interesting because those days, it was a combination of software and hardware; we were basically doing implementations for public transportation companies. So that includes automatic vehicle location and technical systems, operational systems, integrations, and data warehousing.  

And after ten years in that life, I moved into the entrepreneur journey. With some friends, I co-founded my first company. Later we built a second one that was more interesting with revenue, some very basic early-stage funding. Customers were in multiple countries. Then we end up selling the company. Third one, we also sell the company. It was ten years as an entrepreneur.  

I was looking for a different challenge. That was like 2019, and I saw so many companies growing so fast, and I just wanted to be part of the journey with all the learnings I could, so I joined Talkdesk. When the company was 500 people, I stayed there for about four years, and I left when the company was 2000 people. I was running the platform products and a large product team as VP of Product management. I’m very proud to be part of their journey, although, at some point, I had this opportunity to join the company where I am today. That is Stream.  

Stream is a series B company. What was very attractive for me at Stream is that the team is fantastic. The founders are very good. The product is also very interesting to me. I love platforms. I love solutions for developers. It’s the type of product I like a lot. It also has B2B solutions. That is my space, and the investors are also very good. Stream is backed by GGV, Felicis, and 01 Advisors.  

These investors invested in were Canva, Notion, Slack, Airbnb, Shopify, and many others. The opportunity to be part of that team, working with those founders and VCs, was just like something I could not refuse. And now I’m chief product officer at Stream.  

For context, if you go back a bit, we started with Microsoft DOS and Windows, which was very exciting. At some point, there was the cloud. The cloud was like a game changer, allowing some companies to build a kind of infrastructure for the cloud. So, Amazon, with AWS, Google Cloud, and Azure, was just a big facilitator for developers to build applications.  

Like in my early days, I was planning the hardware; it was all on-prem. I was planning all that, which was tons of work. Now, it’s so simple because I can leverage those cloud providers to implement an app.  

But in recent years, we have seen new companies providing high-level components to build applications like PubNub, Cloudflare, and Algolia. So many companies now provide high-level components, and that’s where the Stream is for.  

We provide high-level components for companies to implement real-time use cases like activity feeds and chat applications, and more recently, we are launching video and audio supports to our suite of components.  

And so basically, if a company is planning to have a chat integrated into their app or activity feeds or audio or video, they can do it with us, and they can do it in days or weeks, depending on the complexity of the experience that they are trying to build integrations. You no longer need a huge team of developers to build and maintain.  

Now you can leverage the type of components that we are providing for many other use cases. We have other companies also providing the same type of high-level components. The two differentiators that we provide:  

  1. Basically, we provide the APIs & SDKs so that developers can implement the solution fast with high quality, with many UI components out of the box. But at the same time, they also have a high level of customization. They are not locked to a predefined chat experience; they can build the needed experience. So that’s a big differentiator.  
  2. The second one is the quality of the infrastructure we provide. So why real-time? Because in real-time, it’s complex to build and very difficult to have a reliable and secure infrastructure. Our products are based on our edge infrastructure which is highly reliable and very performant. We offer the silos and are very secure. So, we also offer that layer of the infrastructure that is also a huge value because you don’t need a team to build the infrastructure for a real-time use case. It’s very challenging.

I worked with enterprises and big companies handling sensitive data at some point. I was working for a company like a government agency in Portugal that handles some security information.  

It was like 2000; I was working in a room that was kind of completely locked. It was completely on-prem—no network in that room. I’ve even worked with public transportation companies who handle very sensitive data. I’ve worked with hotel chains and they too have data from the guests.  

Most of my life was with enterprise companies. And security was always a big concern. Yet I saw some positive changes in how companies handled data with the new regulations like GDPR. I feel that, at some point now, most companies are becoming more sensitive to specific industries and countries. Complying with regulations is mandatory, so evolution was very positive from my perspective.  

But there were other changes; for example, the first challenge was the cloud and people not trusting the cloud because there was a big change in how people saw security. 

But now, with the pandemic and when people move from the offices to remote, a new set of concerns is popping up. Now, there are other security risks that the companies were not seeing. When the context changes in how we work, security needs to be redesigned and retained when new technologies appear.  

But at the same time, I also see that the evolution of technology is also facilitating how secure software data and companies can be. It’s always about a fight because technologies empower people to act on the systems more easily. But at the same time, this also empowers new tools to be built and more accessible so that everyone can have a higher level of security for their company, their systems, and their data. 

I think security is very important, and I believe that the tools are improving and that security will be accessible to any company of any size. There is no reason for a smaller company just to start a business and ignore security concerns because nowadays, it’s easier for them to put those concerns to the company into the products, and they don’t need to start with something that could be very dangerous.  

For sure. In the past, companies were very concerned about protecting against an attack on their systems. So, it was more about the reliability and stability of the systems. If they were under attack, everything would go down.  

But concerns about privacy and user data were not handled perfectly. And there are tens of examples. Even recently, in Portugal, there was a situation where a public entity just shared an Excel with personal information from tons of people working at that company. They sent that by email, and they didn’t realize it was not just the information from that person; it was from everyone. And that happened just because they were managing that information in a spreadsheet and not in a proper system.  

And today, there was no need for this to happen. You have the technology to manage that type of data already available. Just subscribe to a SaaS tool. It would be better than using a spreadsheet, but they probably felt safer.  

Now that level of concern is stretched, and you can see, like many new start-ups starting in, they are already like GDPR compliance, SOC2 compliance.  

For example, if I talked about Stream, they already added security. We were already SOC2 compliant. We have GDPR endpoints that we provide to our customers so that they can delete content if needed. All those things were already in place, and we are talking about this because the company is this type of series A.  

Hence, things now are very different. Companies take security more seriously, and companies like Stream provide messaging and chat solutions. If we don’t provide that, we will not sell it. So it’s become a must-have enabler for any sales.  

From a product management perspective, how do you prioritize security and security-related capabilities when developing the product?  It also needs to be a layer of defense to understand hacker-related analytics. It’s not just about vulnerability or hacker intent; where are they coming from? 

It’s more like a set of guidelines that could vary depending on the company. At Stream, we work with many fintech companies, healthcare companies, and companies in other verticals that are quite big. So, security is always a conversation. We handle that, as always, a conversation when we are closing a deal. So, it would be impossible for this company to exist without protecting the data and without providing a secure and reliable product for all those things.  

But kind of some guidelines would be:  

Work in a closed partnership with other security experts. That’s needed because they are the ones; they are the experts in that field. They are the ones that can tell us about the risks of something failing in that space. We need to be aware of those risks. Ideally, we need to quantify those risks to convince all the stakeholders that we must invest in this place.  

But there’s a different perspective working very closely with sales and customers to understand how important that topic is to close the deal. What are the specifics? It’s fortunately; nowadays, many companies have SOC2 and GDPR endpoints.  

They have all those things that are the basics. But, like for every deal, there will be specifics because, like large companies, they have their own processes and guidelines regarding security. So, they end up asking very specific things that we also need to know to consider. And sometimes, as a product manager, that is also an opportunity for me to go beyond the standard security to the security certifications and standard regulations. We can use that as an opportunity to improve the product, as we do.  

And then, from a satisfaction endpoint, it’s also important. I want to track how happy we are handling data and the endpoints for managing sensitive data. All that is if that is in a good place and customers are happy with the components of the product.  

So it’s a topic, it’s a concern. It keeps changing and evolving; some bring new challenges, like new customers.  

Yeah. I can.

It’s interesting, and kind of the evolution I’m seeing right now is moving from traditional security and data protection to content amortization. And if we think about all those pieces, it’s about trusting a company.

For example, when we provide chats, we also provide moderation tools so that they apply to chat conversations. And if you think about a company with a strong brand, some types of content cannot happen. If they happen in public channels, many harmful situations could affect the company’s image. And there are so many use cases in that space and so extreme. We also provide those tools and use AI to manage content, an interesting part of our product.

We understand the intent of the conversations and can trigger alarms if a specific user generates harmful content that affects the community. All those pieces make sense from a trusted and a reputation perspective, and the negative or positive impact is very similar.

And I see that trend also growing. Now many companies also have trust, safety, and a team. It’s also an exciting space, and we are evolving in the right direction to protect people in a digital world.

I prefer to focus on value. Now we see many companies being funded because they have AI and ML.  

A few weeks ago, a company with four weeks of existence was funded for over 100 million. So AI buzzwords have that interesting effect, but I still prefer to keep my mind focused on the value of those things. The AI tools that are now available are a very big revolution, something that we can compare to the cloud, smartphones. For me, it’s the same type of change. There are so many new things we can do with us.  

But at the same time, we are learning this completely new space; the security risks are also obviously many. This opens a new space to do fraud in a way that will be very difficult for common people to understand if that email, those words, that voice, that face is from the person looks like. And that is a very dangerous space, for sure.  

But again, this is the same as with the cloud. We have new opportunities for fraud and people to do harmful things. But we also have new tools to protect people from those things.  

And the evolution will go in that direction. So we will end up building the tools to protect people from those dangers, we are vigilant.  

And, of course, some companies are focusing on building tools for that space. We are doing the same. From a security perspective, we need to learn and stay on top of that topic to understand what new challenges will come.  

From that, we are still waiting to see an impact. Because of that situation, we are not seeing any requests to protect data from our customers. We have a team working on the type of technologies which will help us do what’s needed when the time comes.  

We will see the impact of AI in a different way. We will all understand the impact of AI five years from today. It’s when it will be obvious what’s happening today. People will understand in a few years, but the impact will be very good.  

My advice for the governments is to find good partners to work in security and tech. That is still a big issue. In the last 20 years, it has been a big issue in many countries. Some countries are like an exception. They are doing very well. They understand the value of technology in running a country to serve citizens. But to be honest, I think that the majority is not educated enough, and it isn’t easy to have people with strong experience working in the government, especially in the tech sector, where people have super high salaries and amazing conditions.  

So, it’s difficult to attract people at the top level to work in government agencies. That’s why it’s very important to build those relationships which the tech companies to find very good advisors and companies to work in a partnership with them so that they can understand the impacts and prioritize.  

At the same time, that is very common in Europe. Of course, we need to protect data, and we need to protect the citizens, but we need to do it while we incentivize innovation.  

If we do it by blocking innovation, we are becoming less competitive than all the regions, and stopping innovation will also impact citizens because innovation comes with some dangers. But innovation is what the law also for us to be more protected from those dangers. So it’s a very tricky balance to have to build. There is some tendency to make innovation move too slowly to protect the citizens. It’s doing the opposite because people in other parts of the world are moving much faster, and people with bad intentions are just moving faster. And that’s where the danger comes.  

So my advice to governments would be:  

Just find very good partners, work very close with the best companies in the world and try to be better educated on the technology because it can have like tremendous impact on all of our people.  

First, a product manager must understand if the company takes security seriously. For example, if the company does not have a security team or a very good partner, that would be a concern.  

Assuming there’s a security team or a security partner, I suggest working very closely with that team to engage with that team to understand what they are doing with the challenges. This is a very complex topic; the product manager needs help understanding this topic.  

The second piece of advice is to work as a product manager and measure any risks and opportunities regarding security. And that comes from what I said before you need to work closely with the engineering team, and you need to understand how security can impact the business, and you need to translate that into numbers.  

And fortunately, today, there are very good tools for that to be captured as we can. For example, we can capture how often security topics come from sales meetings because those meetings, at least some of the authorized ones, are recorded. We can capture the intent of the meeting. And it’s at a very large scale to capture all our security. It’s important for our customers. We work closely with sales, understand how security is a differentiator to customers, and prioritize based on those decisions.  

Don’t forget existing customers because security keeps evolving, and their concerns keep changing. You need to stay very close to your customer and to the security team on their side to understand what new challenges their business is facing. And, of course, that will be very different from vertical for healthcare, fintech, and government agency. All that will have different concerns, all different sizes. As a product manager, you need to make security part of the conversations of the user research and customer research you are doing.  

So those are some of my advice to young people. Talking a little bit about me – there are always things we can do better. In the past, in the early days, we were not paying enough attention, even myself. But it was a very different context. It’s hard to compare regarding security.  

What I feel is the biggest challenge is understanding how important that topic is for the organization because it’s very difficult if you are working in an organization that doesn’t pay attention to that despite all the arguments and all the numbers and the risks, it becomes very challenging.  

If I look back, I would have put more attention into working at a higher level so that something could be prioritized across the company. Because if we start at a higher level making that a priority, then everything becomes easier.  

In summary – Build a strong partnership and have an innovation mindset which is the product managers’ view, and then automatically basis so that security automatically gets viewed into it as part of your overall framework of prioritization justifications, ROI, and everything.