Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / UX Research / 10 Mar 2023
GitLab / UX Research / 10 Mar 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Security Policy JTBD 2023

Description

This video is a walkthrough of the summarized insights gained from UX research on security policies for GitLab.




https://gitlab.com/gitlab-org/ux-research/-/issues/2223

A

Hey everyone um I want to go over the security policy jobs to be done. Research, um the summaries I, have finished all of the um big job and little job in micro jobs.

A

So I want to take the opportunity to record some thoughts about it, um I'm going to be off next week, so I figured this would be a good chance to have everybody understand the jobs to be done for security policy and all of the different aspects, and then we can sync up when I get back to possibly edit and adjust anything as needed or clarify any understandings, so with that I'll kind of start, with the first job in a logical order.

A

um So the first job that we found was to create security policies for the organization's assets, another way to say the job or what Sometimes some people do is to write security policies that are attainable.

A

um I think the difference between those is just a difference in perspective in the organization whether they're, like people focused or just kind of top-down business focused, but the needs for those jobs are to increase the adoption of the organization's assets to the compliance requirements, to reduce the likelihood of a legal and financial threat to the organization to increase awareness of the security standards among the developers. So all of those are kind of the needs and the reasons to do to create a security policy.

A

And then we can kind of look into the actual steps of that and I'll just go over. The excuse me, the higher level ones right here. So first they gather the security requirements and then they have to understand those requirements um and usually organize them among commonalities or like similarities in stakeholders or whoever is going to be like touching that specific aspect.

A

So they organize those requirements and then they scope out the language and kind of consider the non-technical stakeholders that might be involved versus the technical stakeholders and figure out what type of language the policy needs to be in and then they actually write the security policy language. This is sometimes done in collaboration with a legal team or security stakeholders. It depends on the size and organize and maturity of the organization. There are usually multiple people who do collaborate at that point, but the policy Creator is the person responsible for actually writing the language.

A

So after they do that, they also validate the security policy policies that can be done in collaboration with like develop managers to make sure that they understand what the policies mean stuff like that, and then they publish the security policies in a in some place where the organization stakeholders can then uh reach and understand those security policies so like for us as gitlab.

A

We would put it in our handbook, so everybody can see it, but another organization might have a slightly different system and then the last process, or the last step in the job, is to monitor the security policies and to follow up to make sure everyone understands. That's not 100 consistent throughout everywhere, but it is.

A

um But I would consider like the typical standard, because eventually um the policy creators do have to go back and make sure that the policies are actually being followed and making sure that everything's, okay and the monitor the policies just the step in that process. Eventually um so then we can go to the circumstances um when a policy Creator would, you know, create a policy and do all of this it'd be when a new legal or customer requirement appears.

A

So a legal requirement would probably come from their industry, um sock, 2 or gdpr stuff, like that, whereas a customer requirement might be an Enterprise company, has a specific customer that has a very specific set of requirements that they need for their data because they have a higher security maturity. So then they, a B2B contract, might specifically state to you know a couple requirements for security.

A

They also might change or update security policies if there's a security breach either internal or external kind of depends on the company. Obviously, internal is always a big alarm. If there's an internal security, threader or something happens, um something is exposed, but I had talking to some people- uh external or you know, Marketplace um breaches could occur and that could trigger an internal change in the company. So, like a leader in the company could see that something happened for another company and say we want to avoid that.

A

So um that's what would happen and then that kind of leads to the next circumstance which is to due to internal culture shifts. So that could be because a company is, however, old and they look at their standards and they want to become a leader in the marketplace. So then they try to you know, increase their maturity um and that's just like entirely internally driven the emotional elements of this job um were really only so understanding the requirements can be very time consuming.

A

That's a process before it legal could help, but legal could also not help, depending on the organizational's like standing and their you know their size, um but regardless that process is very time consuming, because it is a technical person having to understand the legal World, um because you need a security person to understand those things eventually, and that is the point they do it and it is usually pretty complicated and hard for the policy creator.

A

The policy security adoption is also pretty tiresome. um This kind of depends on the company and the maturity, but it is tiresome in the sense that tracking it even is tiresome.

A

Just any of that process can be tiresome, not just like actually making sure people are adopting the security policies so uh on the next episode, the next job, um in like a logical order that we found was to implement security controls in the organization's asset and the needs for this were to reduce the likelihood of a legal or financial threat and to increase the compliance of the organization's assets to the security policy. So, basically, this is um when a new security policy is created or a change to a security policy happens.

A

They a person would have to first gather those security policies and then kind of figure out what the the organization organization is currently doing.

A

um If there are current controls in there what to do, um and then they have to figure out, you know of the current controls or the newer controls, which one is the best one to go forward with um and then from there they they plan the implementation.

A

um They sometimes might meet with technical managers to make sure that they understand everything, because the developers and those the ICS under those managers are the people who the security control is actually going to be touching. So they make sure that everything makes sense for them and it fits into the developer's. Workflow is a big priority, so then they go ahead and actually implement the security control. So it could be. This is the implementation of the control, as well as the deployment of the control um it.

A

They are two separate things, but they happen at the same time and usually in the same conversation. So the deployment of a control could be saying if you want a certain scanner run. Every time a merge request is created where the configure of the control could be what that scanner is specifically looking for in the merge request.

A

So both of those are configured and implemented, and then it's a those controls are validated using a test, usually in a test environment or a local environment, something that's not touching production at all and to then they meet with like those stakeholders and make sure everything makes sense from the output and then they go and deploy it and then monitor everything um actually I'm. Sorry, this should be deploy security tool.

A

um There we go so then they deploy the security tool um and then we can go to the aspirational jobs on. This were um pretty interesting, two like um aspirational jobs, but not necessarily aspirational for all of these jobs. It's just for this specific job statement would be to have the ability to monitor all of the organization's assets um just having that ability uh was talked about multiple times in the interview for almost everybody um and then another thing that was brought up was to keep records of the compliance.

A

This is to prepare for internal audits, I asked we had 12 people and every single person said that their organization conducts security audits, I believe not all of them were because of a legal requirement, but because of a customer requirement or one of the other requirements that we said above so because of those audits. It is sometimes it would be easier and it would be an aspiration for those Crea for the implementers to keep the records of everything.

A

So they can go back and easily see what the outputs all were and making sure that everything was actually working.

A

uh So the last step to kind of lead into that is to um the job was to ensure the organization's assets are compliant with those security policies. So this is, after a policy, was implemented and created and in the organization's workflow, and then it's a security or a policy insurer, but usually it's also. It's also going to be a security professional going in and making sure that the controls are working properly. They are exhaustive and complete and they are being remediated.

A

So the needs for this job are to reduce the likelihood of a legal and financial threat to the organization to maintain the reputation of the organization and to increase the visibility of the non-compliant areas in the organization, so that last one is a little interesting because um it came up after probing what was difficult and what was challenging for the the users, and they said that one of the things that was challenging that they needed was to have increased visibility for everything.

A

Basically, they they want a place to see the organization's assets and not just an individual repositories. Assets I also asked the state the people I interviewed, are just the later half actually because it was when we realized. We should ask how large or how many repositories they're in charge of securing and the range was from 30 to a thousand.

A

um Multiple people said hundreds um of repositories that they're in charge of securing, so it is all of these jobs are in the scope of the entire organization or at the very least, the organization's assets that they care about that touch production. Typically, um we can see up here um that the one of the clarifiers is before it touches production, um so that is a clarifier that is very specific in that instance, but it could also apply to generally the organization's assets as a whole that they care about.

A

So there is a white list of repositories that they don't care about, usually in test environments and that sort of thing, and then there are a list of repositories that they do care about, and everything is in the scope of those so to kind of go back to the checking those repositories and ensuring they're compliant.

A

The circumstances are pretty much similar to what I said before Was preparing to conduct an audit or after a security breach, but one of the interesting things that came up ever almost everyone I can check actually how many people said, but um manually checking. Every single repository was the most common Insight I had um one two three four five six seven um people out of 12 explicitly said that the most frustrating part of their process was checking ever Pros every repository individually.

A

um So each person was really annoyed at that. um So yeah, that's kind of everything. I do also have a hierarchy. That kind of shows all of these and it kind of shows the big aspirational job, which is the most important.

A

um So we kind of found early on that we may use like the language enforce security policies, but that is an aspirational job, because the users cannot literally do that. um There is no way for them to actually enforce anything. So what they do instead is first they create the policies. Then they implement the policies and then they check to ensure that the assets are compliant.

A

If we wanted to truly say that we are able, you know that a person is able to enforce, then there's two I think there are probably two steps missing here, which is to understand the remediation path when a non-compliant object is found and then to actually remediate it and go ahead and solve it. So those two things are kind of missing here and that's one of the reasons why this is really an aspirational job and the users are only doing these these jobs and the micro in like the lower level jobs so yeah.

A

um If you have any questions on anything or if you want to go into some of the specifics, um I will share this mural and you can see all of the data over here. um It is I guess from right to left so I apologize. The data on the right is raw and um is is more raw rather is coded directly from the interviews. This is data gathered from all of this data and then this is the hierarchy level.

A

In the large picture um of of this job statement, data, so I will, like I, said, I'm going to be gone for a week uh when I come back. I will update the handbook page and um continue summarizing the stuff and surfacing all the insights in a way that we need, because I want to create the user stories, to link the circumstances and the job statements and the needs, so I will be doing all of that when I get back.

A

But I wanted this to be a good time for anybody to try to understand any of this see what we learned um and maybe what you expected or what you didn't expect. If you think we should change anything in here, if something doesn't seem quite right or you don't really understand it, I'm totally open to changing something. It's just a conversation. We need to have to make sure that the Insight still makes sense from the user's perspective and your perspective, because I don't always have all of the context.

A

um So yeah I'll I will do this async and let everybody know after I get back what the next steps are. So thank you very much see ya.