Are Personas Obsolete in the App or Web world?

As people learn advanced product management, they try to solve more complex product problems. Now a common problem that is cropping up in the SaaS or app world is the identification or creation of personas. But given the massive amount of usage data, and the quality of real time analytics and artificial intelligence today, are they really necessary?


Personas are a commonly used tool by product managers and product designers to denote a fictional user of a piece of software or a set of features. Rather than making assumptions about feature usage, you identify a set of users with similar needs, who will use the software in a particular way. Based on this set, you create a fictional persona, which is then used to validate any new feature idea.
If you attend any product presentation or work with UX designers they will identify personas for their work.

There are many videos on YouTube, such as this one, that also talk about personas, how to create them, the value they add and so on.

Personas: Good or Bad

So there are both sides to the story.
On one hand, there is a detailed blog post on the Adobe blog. It talks about how they use personas for design and why they are important. Given the prominence of Adobe in the design world, this is a strong perspective.
On the other hand, this post on UX Collective talks in detail about why personas have limitations, and where they stop adding value (Why is the 'college' of a persona important? What happens to users who attended thousands of other colleges?).
And the Nielsen Norman Group (world famous in the UX domain) also has an article titled "Why Personas Fail" that talks about the challenges in using personas. As you gain more experience in using personas, you will definitely encounter such challenges.

The Bottom Line

There are both pros and cons to using personas. However, the tools to track usage and user engagement have improved to such an extent that you can see in real time what an actual human user is doing, filtering out data about bots and other automated tools. This is particularly true for B2C tools for apps and websites. And if you have the resources, you can invest in an analytics team that can offer detailed insights into every significant interaction or engagement of any user. In fact, for a product manager, I would recommend that they get certified on Google Analytics, rather than on any UX tool used to create personas.
As a product manager, you can still use personas to suggest new features and engagement (use cases); however, the validation of features already released is better understood by using data and tools, rather than referring back to the standard personas.

SaaS API Security and Management – Impact of Cloud Access Security Brokers (CASB)

[This is a mildly technical post, intended for product audiences]

So your firm launched an app for tracking stock market data in different countries, and it has received a lot of traction (downloads, usage and other metrics). After a while, the app has done really well, and now your business is expanding to cover more and more use cases. This is also important for monetizing your app.

However, a key use case identified by the Product Manager (PM) is that of transferring data to and from business partners using SaaS APIs. It could be for sharing reports, financial information, security information or other data. And it so happens that the partner's data center resides in the cloud in another country, geography or region, with its own rules for data access.

Well, the personas, features and access rules you created for your own tightly controlled app may no longer be enough. You will need to understand the rules of access, and the scope of data sharing that is possible and permitted. Based on that, several additional features may be required to manage your partner's data access.

Let's continue with the example of the stock market app. Here are 3 use cases:
1. Your partner collects user information to share specific data based on the list of that user's tracked stocks
2. Your employees need to access the user's bank balance details to share top recommendations for investment
3. Your partner needs to aggregate your user data with that of similar apps' users to improve its own performance
And in many such cases, the role of CASB (Cloud Access Security Brokers) is gaining prominence.
One key function they perform is to manage secure access to such data, based on policies, roles, rules and other heuristics.

Now even if a PM is a functional or domain expert, she still needs to understand privacy, security and access management to define the best use cases within her app. Otherwise, such use cases will be termed as "technical" and the architect will define these. [I do not recommend this approach, as the PM should be the best judge of use case quality, usability and app metrics.] In large firms you will have PMs looking at security and privacy; however, they have their own priorities in the organization.

Here are some guidelines for data transfer across domains, clouds, companies or countries:
  1. Read what the CASBs are writing about their products. Netskope has its website and so does Oracle. This gives insights into what is possible in terms of new features.
  2. Have a Data Processor Agreement in place with all partners. Either the legal or the business development team should take point for this, however empowered PMs or Directors can also lead this effort.
  3. Talk to your platform teams, including PMs and architects to understand what is currently possible and what new features are on their roadmap.
  4. Create partner personas, cloud personas and other relevant user types (including employees and admins). When adding features that use SaaS APIs, it gives a lot of information to the testing team to ensure compliance with business laws and requirements.
Enterprises never develop apps in a vacuum; there is always an existing IT infrastructure and set of applications (which may be in public, private or hybrid clouds). By understanding SaaS data transfer and CASBs, you can improve your apps, whilst making them more secure and usable.
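
As an added illustration (not from the original post, and not any CASB vendor's API), the three use cases above can be written as deny-by-default access rules that a testing team can check. The persona, data category, purpose and region names are hypothetical, as is the assumption that use case 2 needs user consent and use case 3 needs pseudonymized data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    persona: str                 # who is asking: "partner", "employee", ...
    data_category: str           # what they want to read
    purpose: str                 # why they want it
    regions: frozenset           # where the data may be processed
    needs_dpa: bool = False      # a Data Processor Agreement must be signed
    needs_consent: bool = False  # the end user must have opted in (assumption)
    pseudonymized_only: bool = False  # no raw identifiers (assumption)


@dataclass(frozen=True)
class Request:
    persona: str
    data_category: str
    purpose: str
    region: str
    dpa_signed: bool = False
    user_consented: bool = False
    pseudonymized: bool = False


# Constructed rules, one per use case in the list above (all names hypothetical).
RULES = (
    Rule("partner", "tracked_stocks", "share_reports",
         frozenset({"EU", "US"}), needs_dpa=True),
    Rule("employee", "bank_balance", "investment_recommendation",
         frozenset({"EU"}), needs_consent=True),
    Rule("partner", "usage_data", "aggregate_benchmark",
         frozenset({"EU"}), needs_dpa=True, pseudonymized_only=True),
)


def decide(req, rules=RULES):
    """Return (allowed, reason). Anything that no rule names is denied."""
    for rule in rules:
        if (rule.persona, rule.data_category, rule.purpose) != (
                req.persona, req.data_category, req.purpose):
            continue
        if req.region not in rule.regions:
            return False, "region not permitted"
        if rule.needs_dpa and not req.dpa_signed:
            return False, "no data processor agreement"
        if rule.needs_consent and not req.user_consented:
            return False, "no user consent"
        if rule.pseudonymized_only and not req.pseudonymized:
            return False, "raw identifiers not permitted"
        return True, "allowed"
    return False, "no matching rule"


if __name__ == "__main__":
    # Constructed sample requests; the reason string is what an audit log would record.
    samples = [
        Request("partner", "tracked_stocks", "share_reports", "US", dpa_signed=True),
        Request("partner", "tracked_stocks", "share_reports", "APAC", dpa_signed=True),
        Request("partner", "bank_balance", "share_reports", "EU", dpa_signed=True),
    ]
    for sample in samples:
        print(sample.persona, sample.data_category, sample.region, decide(sample))
```

Each denial reason maps to one line of the partner or employee persona, so a failed test points at the requirement that was missed.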

[Reach out to me on LinkedIn if you would like to discuss more]

Killer Features or Killer Products?

If you're a seasoned product manager, you must have heard about the "killer feature" that enabled product X to dominate the market, or product Y to completely change the paradigm for all competitors.
By definition, this is a revolutionary change, that was missed by competitors either because of 
a) lack of investment
b) lack of understanding
c) lack of interest
d) different strategic priorities

However, the "killer feature" seldom emerges in today's agile world. Products have "incremental" features, and the product team's focus is on hedging their bets by making small tweaks in different functional areas. And no, allowing seamless data transfer over the internet or improving your perimeter security is never a revolutionary change (it can be good marketing spiel).

So are all companies doomed to create "me-too" products? More often than not, business strategy still dictates that a large company enter a segment or country where its competitor is entrenched (Google Wave?). Additionally, it is easier to get incremental budget to introduce 10 new features than to invest in a completely new idea (those are usually doomed within innovation labs in large firms).

Unless your firm is a dominant software vendor, you will end up working on those me-too products, building incremental features, based on "competitive analysis" and prioritized based on the skills of your engineering teams.
To make a paradigm shift, which is itself a big career risk, you need to pitch your idea and the business case, to a business decision maker. Only if there is buy-in, can you even hope for investment in that idea.
And the decision maker must be convinced of the benefit of supporting this, for their career. Otherwise, you are probably better off recommending a strategic investment in a startup, or identifying a potential acquisition.

B2B SaaS Solutions: The 'SaaS' is unnecessary

The New Wave Tech

Technology has a way of reinventing itself. 20 years after the Y2K fears, the Y2KK bug is lurking again. We had full stack developers before, who were in turn displaced by specialists, but are again back in demand. The same goes for software stacks, programming languages, data analytics etc.

However, in the B2B software world, some things have changed permanently. And one of them is migration to the cloud. It is a very rare enterprise that does not have some of their IT in the cloud (public, private or hybrid: a definition from Microsoft). If you are not familiar with the term SaaS, here is a link to the Wikipedia article.

  • There are a number of vendors available to meet your privacy, security and compliance needs (here is a white paper from Symantec). 
  • The quality of cloud infrastructure can support really critical applications, including telecom billing, at scale. I remember hearing from a CTO in 2015, that "billing solutions will never move to the cloud". It just shows that technology changes can disrupt a lot of planning and strategy.
  • The skills to manage such infrastructure were scarce even 10 years ago, but are ubiquitous now. Most people have re-skilled, and are able to handle this change very well.
  • Even governments have recognized the consumer privacy and security needs and have framed laws to support this transition. The E-privacy Regulation, GDPR and similar laws 
  • Every single digital transformation initiative, across industries, talks about moving to the cloud. I do not know of any case where digital transformation requires buying physical servers or building desktop based applications.
So why are recruiters, candidates and hiring managers still talking about B2B SaaS as a separate category of work? There is hardly any other option viable, if you want to build a scalable, secure and distributed application for any category of users (employees, vendors, consumers, internal teams). Even mobile apps can be powered from cloud servers securely. And if your people are not skilled at planning, building, deploying or maintaining cloud solutions or mobile apps, then you can always use the time proven product management strategy - "Buy, Build or Partner".
In fact, here is one slide from an article talking about it. This is a pretty important product management topic, so I will post more about this in future.

Bottom Line

In 2020, in the B2B software category, the word 'SaaS' is redundant. Every software solution is, or will be cloud driven, and people associated with these services (systems engineers, web developers, product managers, infrastructure teams) will need the necessary skills to deliver these services.

World Data Privacy Day - 28-Jan-2020

Yesterday was recognized as World Data Privacy Day globally, except in the EU, where it is known as the Data Protection Day. 
In most online magazines, there were articles about how to protect yourself. The Data Economy website has provided 10 tips for safeguarding your data. Some good ones include:
  • Carefully read and modify your privacy settings on websites you visit
  • Actively manage your reputation online, by deciding who can see your content
  • Always use added security, beyond simple passwords, for your online accounts
  • Be aware of what others are posting about you, this can impact your online reputation big-time
  • Always keep a backup of your online data, including photos, posts, credit card statements etc.
If you look at large corporations, there are active data security and privacy policies in place. They protect and enable the organization to safely handle consumer data in compliance with the laws in different countries or states. Here is a link to the Privacy Policy of Walmart, which is also the largest corporation in the world. However, despite these efforts, data breaches can still occur, with significant financial and reputational impact to both firms and consumers. This CISO article lists 5 major breaches that occurred in recent times.

For consumers, there are the data protection laws that protect their online and offline data. However, a point to note is that these don't actively protect you against hacking or other attacks on your reputation. They will provide a legal framework to address the issues that arise if your privacy is breached.

For victims of identity theft or data theft, the consequences can be immense, and it is a prolonged process to recover from the same. There is also a comedy movie from Hollywood called Identity Thief released in 2013 that touches on this subject.

If you are concerned about your privacy, or identity management, ensure that you follow at least some basic security protocols, such as those listed above. Depending on the country you live in, data recovery or reputation management can be very difficult once data is released in the public domain.

Seasons Greetings and a Happy New Year

Lots of interesting things are happening in the technology products space. There are startups becoming unicorns, telcos anticipating 5G use cases, and enterprises looking for more and secure ways to handle consumer privacy.
2019 has been an interesting year, where I personally saw how investor money was not utilized in the right way due to internal politics, a great product I advised on was delayed and the e-commerce space is beginning to rationalize.
I feel 2020 will be the year when product consultants and advisors will get their due, advising CXOs on top level product strategy in the digital transformation story. However, the nuts and bolts of product development and roadmaps/stories/epics etc. will continue to be distributed among product managers and agile product owners.

Happy New Year to All!!

Product Blogs and Social Media Presence

Google has a lot of official blogs. Here is the main one, and at the bottom, you can see links to several other blogs, including corporate, product and developer blogs. (The complete directory is available here.) So does your company follow this trend and also host several blogs? And what is the value of such blogs and blog posts?

Almost eight years ago, I tracked a blog post on a large software company's product line blog. That line is a specialized category with limited consumer interest. At that time, they got 50k page views and over 10k visitors. [Note: this is a top level number and does not delve into much detail on accuracy, visitor segmentation etc.] And this is a well maintained blog, with articles on product usage, updates from engineers and product managers and information on industry events.

Recently, I looked at the blogs on Adobe's website. For a post from last week, there are 6 likes and 6 forwards visible on the website. If you scroll down, these numbers are about average for every blog post. If these are an indication of deeper engagement, then the product blog as a medium to engage people seems to be in trouble. And this excludes the number of people who may potentially post comments on the blog posts.

Interestingly, you can compare those numbers with those for a product management blog, such as the one called Mind the Product. I am sure that a blog like this, which comes on top of Google search results for "product management blogs", must get at least 5k page views a month. [I know it's like comparing apples and oranges; however, the value of a blog should be analyzed independent of other factors.]

Widen your official product presence

For a niche product, it may not be cost-effective to just maintain a product blog. Instead, a social presence on multiple channels, such as on Facebook, Twitter, Pinterest might be a far better mechanism to engage the audience.  

Any challenges to shutting down your blog and starting a Facebook presence? A few come to mind.
  1. Accessibility: If your audience is business users, they may not be comfortable surfing Facebook from work. And from home, they may use personal accounts, which may hide true audience demographics.
  2. Search: Facebook search is good, but for general search terms, Google search is better
  3. Privacy: You may not want to publish information about your followers, as your competitors could also be lurking there
In the end, your leadership team's vision will decide how you approach social media, and how your product gets the benefits. But if you want to make a case for a Facebook presence, or a broader social media presence for your products or product line, do think about the above factors.

User Identity Management for Websites/Apps


Identity and access management (IAM) is a very big segment of cybersecurity. Gartner, the research giant, has a conference for security professionals and a Magic Quadrant covering this segment and the key vendors, use cases and technologies. This market has grown rapidly, and it continues to grow, with vendors offering solutions that can scale up to millions of cloud users. Today, on-premise solutions do exist, however they have limitations that can be overcome with cloud based offerings.

Traditionally, IAM was focused on employees and their access rights and privileges. Later it expanded to include vendor and partner access, privileged user access and securing API access, commonly through a key-vault type of solution.

Consumer Identity Management

With the explosion of smartphones and internet browsing speeds, there are millions of users registering on websites and apps through various devices every day. One way to simplify the registration process is through social login, a form of single sign-on, that lets you use a single username and password across websites. However, this is not the only solution or even an optimum solution, and thus we have a new segment of cybersecurity that covers Consumer Identity and Access Management (CIAM).

For any startup or enterprise capturing user data, there are always regulations covering user privacy & security to comply with. In addition, as identity theft remains a big concern, user data must be kept secure beyond regulatory compliance, as any data leak can cause damage to both reputation and the share price.

Beyond data leaks, the concerns are also about data usage, where inappropriate use of customer data (possibly through machine learning algorithms) can again breach ethics or regulations. A classic case reported recently was of the Apple Card being offered with different credit limits to spouses, including the Apple co-founder.

Preparing for the Future

Here are four things that all website and app owners must remember, when registering consumers:
  • Get up to speed on privacy regulations that cover your website or business
  • Secure financial transactions much more, and regularly audit that coverage
  • Be aware of inadvertent side effects of using machine learning on collected data
  • Continue trying out new security techniques to simplify user experience (UX) for consumers


For successful businesses, registering millions of users, or handling millions of transactions, can be a great reward. To continue this success, proper attention must be paid to consumer identity and access management as well.

Feature - Allow User Authentication without Passwords

As "reset password" requests eat up IT service desk dollars, and most passwords remain insecure, it is time for authentication protocols that do not depend on passwords for user login.
Many such methods are available today; these include Apple Touch ID, multi-factor authentication and authentication using TOTP.

The Microsoft security blog has a post describing their goals and different techniques to ensure users are able to use devices and software without worrying about passwords. However, all these techniques have two things in common:
  1. They either need your biometrics (fingerprint, face, eye etc.) or 
  2. They validate the token or security key generated by an app on a mobile device

Imagine a typical use case

A user likes to browse the web, shop at different e-commerce sites, check her account balance, join forums and personalize her browsing experience.
For her, the vast majority of login screens will still ask for a password.

There are some secure websites that send a TOTP (time based one time password) instead of asking you to enter a password, however they are not widely adopted.
Social login (e.g. login using Facebook) has major privacy issues, so that is a solution with limited use.
And if you use a solution like LastPass, then all you are doing is moving your passwords from your mind, to another app on your mobile.

The only solution appears to be with the website owner, or the enterprise providing the service. If they start offering secure authentication without passwords, and allow other secure websites to confirm the user identity, then the process of login will become easier and more secure.

For this, a key factor is to eliminate passwords from registration forms. With this approach, and using techniques such as adaptive risk based authentication, the user experience at registration and login can be vastly improved, without compromising on security.

Identity & Access Management for Cloud Applications

If you have a SaaS offering, fundamentally, you need to adopt a security posture that is much more stringent than that for on-premise applications. This includes user life cycle management, identity and authentication services, authorization to use key features and log management for audit and compliance.
Here is a conceptual cloud security architecture from the Cloud Security Alliance.

This gives a great overview of the potential points of concern for any CISO.
To read more about how to secure your applications or design secure applications in the cloud, head over to their website, and take a look at the research resources they offer.

Calculating TAM (Total Addressable Market) for a SaaS firm

If your firm or start-up does not have a full time strategy team, then the founders will use different resources to calculate the potential market size for their firm. Here are some key methods to calculate the TAM, and create a product launch and marketing strategy.
  1. Use Data from Research Reports

    Many research firms put out their estimates about the TAM for different products and services. For example, there is a category of products called Next Generation Firewall (NGFW).
    Research reports such as this and this, indicate that the NGFW market size is about $7.4 billion in 2017, growing to $12.5 billion by 2022. 

    Using such numbers, from a credible source, can give a good estimate of the market size, as well as the sub-segments within the market. Adding to this data, you can make some projections on your own, to identify which verticals, geographies and customer profiles will be a good fit for your products and solutions. Add to this the range of growth rates expected, and you can have a very good range of TAM, for planning and budgeting.
  2. Create a "Bottom up" Estimate

    This is a more accurate method; however, it takes more effort, and requires expert level skills to make good projections. In this method, you first identify the total number of target firms per vertical, geography and revenue/employee size. This data is available from public sources and databases. For example, if you want to target only firms with a firewall spend of over USD $1 million, then you are probably looking at an annual IT budget in the range of $15-50 million, which indicates that the firm size is over $1.5 billion (estimating IT investment budget range from 1%-3%).

    The next step is to select 10-20 priority verticals (healthcare, government, retail, manufacturing, mining etc.) where you see a good fit for your product over the next 2-3 years. In these verticals, you then identify the firms with a size above the cut-off. Let's say that you come up with a list of 250 firms. Making projections of their IT spend, you can estimate the size of your addressable market for the first 2 years. The key advantage of this estimation method is that it incorporates your corporate constraints and is customized to your current capabilities.

    There is another way to estimate TAM, which is to take the current ticket size per sale of competitors and come up with an estimate for your firm. Ticket size multiplied by potential buyers can be another estimate of the theoretical TAM. Unless you are a marketing guru, this is not recommended.

    Bottom Line

    Estimation is a necessary activity, when you want to make a business case for new investment. Using either of these methods, any product manager can project the TAM for his products and services. And as always, you must document your assumptions behind these estimates.

TM Forum Digital Maturity Model for Tracking Digital Transformation

According to their website, TM Forum "is the global industry association that drives collaboration and collective problem-solving to maximize the business success of communication and digital service providers and their ecosystem of suppliers."

They have worked extensively on creating a digital maturity model, defining the digital transformation journey and working with CSPs (Communication Services Providers) looking to become DSPs. In their model, there are 5 dimensions covering:
  • Customer
  • Strategy
  • Technology
  • Operations
  • Culture
Across these dimensions, 110 criteria are identified, along with sub-dimensions, to assess how far along a CSP has come in its digital transformation journey, and how to assess its target objectives.

TM Forum Digital Maturity Model

The full model is members only, but there are a lot of additional resources for telecom professionals on their website, including videos and case studies. For people looking to understand digital transformation in the telecom industry, this is a good starting point.

Telecom Trends and Opportunities

A while back, I was engaged for a study on the opportunities for CSPs (communication service providers) to transform into DSPs (Digital service providers). Depending on the market maturity, the size of the opportunity, the geography and economy and some other factors, I prepared a slide about the key trends and opportunities in 2018-20.

From the slide, you can infer some points yourself, and see what makes most sense for a CSP in its business evolution. There is a complete presentation about this topic which I created; I will upload it some time in the future. Meanwhile, you can read about the latest research on this transformation at GSMA Intelligence and at