Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / UX Research / 11 Apr 2023
GitLab / UX Research / 11 Apr 2023
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Discovering Security Policy JTBD Research Overview

Description

You can see the slides here: https://docs.google.com/presentation/d/1w_wEXanIo4dR4iaZRjcLVSfHAtKac-mpHoTU57MxuyE/edit?usp=sharing
Check out the issue here: https://gitlab.com/gitlab-org/ux-research/-/issues/2223

A

Hello, my name is Michael Oliver, and this is a high level overview of the research project for discovering security policy related jobs to be done. A little background into this project, secure and govern has been using jobs to be done.

A

A lot growing on there um on on our Reliance on them, using them in our road maps and understanding the user's needs using their the workflows to understand the process, um so um we're just kind of been using them more, and we wanted to make sure that they're well researched and I used the gym jobs to be done, Playbook by Jim callback as a primary source, because it gives a lot of help for actually deriving and discovering the jobs to be done and how to scope them appropriately, so moving actually to scoping them.

A

Our main goal was to find out what are the main jobs relating to creating a security policy. We also were wondering what are the various jobs to be done? Components of that so the needs and um the steps taken and the frustrations that occur and the circumstances that happen um and we're also wondering if there are any aspirational jobs. That kind of tie the main jobs together.

A

um So to do all of this, we had 60-minute interviews with 12 people that took place in the first two months of 2023 to screen. The people um was really important. We asked them to describe in one to two sentences, their main job description and we use that to determine if they were in scope or out of scope for the interview. So if one of their jobs was to create a security policy, then we would consider it in scope.

A

If one of the chops was or if their none of their jobs was to create a security policy, then they were out of scope.

A

If you want to have a more in-depth look at how we conducted these interviews, you can always look at the research issue or if you want to learn more about discovering jobs to be done, you can look at the handbook pages that were updated because of this research. You can also attend the ux Showcase that'll be happening on the 19th um that'll, be a little look at the Lessons Learned From This research.

A

So just to look at the actual jobs we've done. The job stories that we got from this research um I'll go one at a time and highlight kind of the important findings for each one. So the first one was when a new legal requirement appears I want to create security policies for the organization's assets, so that I can reduce the likelihood of a legal or financial threat before it touches production, um so just kind of moving in order.

A

We generally kind of knew when a new legal requirement appears that that's when a circumstance might happen um when um a person might start the job, especially um the main job of creating secure security policies. We obviously knew the scope of the organization's assets was very important, and that is an Insight that we found for all of our job stories and all of our jobs was.

A

The scope is almost always at the organization's level, the entire organization's assets or, at the very least, um the large part of the organization um that is important, non-testing branches and stuff, like that.

A

um So finding that out and Implement and putting that into all of our jobs was very important because one of the findings- actually one of the frustrations, was uh manually having to check each repository um to ensure that the security policies are being com are being followed or to manually change each repository to modify them if needed, so the scope of the organization's assets um building towards that is very helpful for the user.

A

The other thing that we found out was um so the in the need is to reduce the likelihood of a legal or financial threat before it touches production. um The circumstance before it touches production was kind of. It was an insight for us. We did know in general that there's a subset of the assets that were important, but the language wasn't quite clear, um but from the interviews we end up finding language. That was uh very clear, so the next job that we found was when a security policy is published.

A

I want to implement security controls in my organization's assets, so that I can increase the adoption of my organization's assets to the compliance requirements.

A

So we obviously knew that you would Implement a security control after a security policy was made because that's the next step, so we kind of understood that we wanted to use the term published because internally, it does seem that there's a distinction there of a security policy, because it's one of the other needs that we found with security policies was to not just increase the adoption but increase the awareness of security requirements among the developers.

A

So the term publish is kind of important there to try to get more widespread understanding and awareness of those policies um and then also so we can see, obviously the increased adoption of the organization's assets and we use the term compliance requirements um kind of on purpose, because we found that compliance jobs and the compliance um framework is or process can largely be covered by these job stories as well.

A

In fact, one of the next steps of This research is to continue on the compliance jobs to be done and to discover the relationship between those jobs and these jobs, because we do think there is a heavy relationship there.

A

So. Lastly, the last job that we found was when I'm preparing for an audit or potential security threat. I want to ensure that organization's assets are compliant with the security policy, so I can maintain the reputation in the organization's reputation in the industry.

A

um So we kind of we knew that people would prepare for an audit, um but kind of the two things in here that were that were interesting were in organizations that had high security maturity. They basically made security, the selling point or one of the selling points in their product. So if a potential security threat emerged in the market or in their organization, they took that very seriously, so sometimes it would even escalate to a new organization or a new.

A

A new security policy being made potentially um and the goal of maintaining a reputation is very important to those organizations as well, because the selling point one of them is security. So preserving that reputation is also preserving that business model.

A

um So to talk about the aspirational job that we found and how those the low earth, rather the main jobs of creating security policy, implementing security controls and ensuring the organization's assets are compliant. So all of those tie to the inspirational job of I want to enforce security and legal requirements across my organization.

A

So the term in force is very important here and we actually found that we were internally using the term enforcement or the term in force kind of loosely, but enforcing means in an organization that there is some capacity to change the behavior to to rectify the non-compliant bits.

A

um But right now in the product or in most products, there really is no way to do that. There are no jobs that are specifically for fixing the non-compliant areas other than modifying those applications or those repositories manually, which would fall under normal jobs to be done. So we realize that the enforcement is actually the aspirational job and the insuring is actually the main job and that's actually the job, that's usually being done because they're looking at the assets looking at the compliance and making sure that the assets are compliant.

A

That's really all they're doing they're attempting to modify if needed, but that's usually just a separate task um to go over the additional outcomes of the research.

A

This research um ended up being very helpful to strengthen the sections job speed under understanding. We had a lot of conversations around what are the components of jobs to be done and how to actually use them um in our roadmap and to have Innovation or outcome driven Innovation with them.

A

So to look at that, we, or rather as a process of that we're trying to overhaul our jobs to be done page for the secure and governed jobs to be done, we're in the process of trying to make it more scalable and consistent for all of the jobs. So they all kind of fit the same framework as I mentioned before. We're also continuing the jobs research with the security compliance groups so we're um we realized the increased understanding of security.

A

Related workflows, has kind of led to us wondering what the relationship is between the compliance and the rest of our understanding.

A

So we want to go there, um and this research also resulted in multiple handbook edits on the jobs to be done, page um clarifying the difference between job performer and user Persona, because that's a question that comes up very often um also building a screener and a script template for discovering jobs to be done, because it's very recommended to do interviews for them, and the interviews are quite generative and a little hard to do um so.

A

It is helpful to have screen iron scripts available, as well as an example if issue for future research- and if you wanted to look at other Clips, we did actually get such interesting interviews that I clipped some of the interviews to share internally. So a user that showed us how to develop a security policy. They just showed us the highlight of their process and there was also a user that blocked us through their vanta setup, which was the rare thing that almost did the enforcement jobs to be done, and you can actually look at that.

A

If you're curious to see how it did that. If you want a more in-depth look at the job map that we got from this, you can also go to the detailed summary video um of the job map for this that I made um and, if you're interested in learning more, then you could hopefully catch the Showcase that will take place on the 19th. Regarding some of the lessons learned from this project, thank you.