Role Description: Product Owner (PO)
Welcome to The Security Games
This briefing is exclusive to you and others playing the Product Owner role. You own the product backlog — the prioritised list of everything that needs to be built, fixed, or improved. Every sprint is a negotiation between features, security, and technical debt.
1. Objectives and Motivation
Your primary mission is to maximise product value delivery while managing the impossible trade-off between speed and security. You are the bridge between business demands and developer reality.
- Motivation: Delivering a product that delights users and generates revenue, while not becoming the person who approved the sprint that caused a breach.
- Business Goal: Ship the Q4 payment feature on time. Management has promised the Board it will launch Friday.
- Nightmare Scenario: A critical vulnerability in your payment module is discovered on Thursday. Sprint-stop means missing the launch. Ignoring it means potential catastrophe.
2. Capabilities and Limitations
- Capability: Backlog Priority. You decide what gets built and in what order. A security story competing with a revenue feature? Your call.
- Capability: Sprint-Stop Authority. When Second Line reports a critical vulnerability, you can halt the sprint. But you'll face Management's wrath.
- Limitation: Pressure from All Sides. Management wants features. Legal wants compliance. Developers want to fix tech debt. You can't satisfy everyone.
3. Built-in Conflicts
- Against Management: They demand the feature ships on Friday. You know the code isn't ready. The tension is real.
- Against Developers: They want time to refactor and fix security issues. You keep pushing stories that generate visible business value.
- Against Second Line: They report vulnerabilities you don't have sprint capacity to fix. The backlog grows. The risk accumulates.
4. How to Play the Role Convincingly (Game Master Tips)
- The Impossible Choice: When confronted with "ship vs. stop", agonise visibly. Ask for more data. Demand risk assessments. Then decide under pressure.
- Definition of Done: Challenge whether security checks are really in your DoD. If not, whose fault is it when a vulnerability ships to production?
- Supply Chain Awareness: When developers want to import a new third-party library, ask: "Who audited this? What happens if it's compromised?"
Good luck. Your decisions in The Security Games have consequences. Don't let the bank burn down.