From YouTube: Discovering Security Policy JTBD Research Overview
Description
You can see the slides here: https://docs.google.com/presentation/d/1w_wEXanIo4dR4iaZRjcLVSfHAtKac-mpHoTU57MxuyE/edit?usp=sharing
Check out the issue here: https://gitlab.com/gitlab-org/ux-research/-/issues/2223
A
A lot growing on there, on our reliance on them, using them in our roadmaps and understanding the user's needs, using the workflows to understand the process. So we've just kind of been using them more, and we wanted to make sure that they're well researched. I used the Jobs to Be Done Playbook by Jim Kalbach as a primary source, because it gives a lot of help for actually deriving and discovering the jobs to be done and how to scope them appropriately. So, moving actually to scoping them.
A
Our main goal was to find out what are the main jobs relating to creating a security policy. We also were wondering what are the various jobs-to-be-done components of that, so the needs and the steps taken and the frustrations that occur and the circumstances that happen. And we're also wondering if there are any aspirational jobs that kind of tie the main jobs together.
A
So to do all of this, we had 60-minute interviews with 12 people that took place in the first two months of 2023. To screen the people was really important. We asked them to describe, in one to two sentences, their main job description, and we used that to determine if they were in scope or out of scope for the interview. So if one of their jobs was to create a security policy, then we would consider it in scope.
A
If you want to have a more in-depth look at how we conducted these interviews, you can always look at the research issue, or if you want to learn more about discovering jobs to be done, you can look at the handbook pages that were updated because of this research. You can also attend the UX Showcase that'll be happening on the 19th. That'll be a little look at the lessons learned from this research.
A
So just to look at the actual jobs we've done, the job stories that we got from this research, I'll go one at a time and highlight kind of the important findings for each one. So the first one was: "When a new legal requirement appears, I want to create security policies for the organization's assets, so that I can reduce the likelihood of a legal or financial threat before it touches production." So, just kind of moving in order.
A
We generally kind of knew, when a new legal requirement appears, that that's when a circumstance might happen when a person might start the job, especially the main job of creating security policies. We obviously knew the scope of the organization's assets was very important, and that is an insight that we found for all of our job stories and all of our jobs, was:
A
The scope is almost always at the organization's level: the entire organization's assets or, at the very least, the large part of the organization that is important, non-testing branches and stuff like that.
A
So finding that out and putting that into all of our jobs was very important, because one of the findings, actually one of the frustrations, was manually having to check each repository to ensure that the security policies are being followed, or to manually change each repository to modify them if needed. So the scope of the organization's assets, building towards that is very helpful for the user.
A
The other thing that we found out was, so the need is to reduce the likelihood of a legal or financial threat before it touches production. The circumstance "before it touches production" was kind of, it was an insight for us. We did know in general that there's a subset of the assets that were important, but the language wasn't quite clear, but from the interviews we ended up finding language that was very clear. So the next job that we found was: when a security policy is published.
A
So the term "publish" is kind of important there, to try to get more widespread understanding and awareness of those policies, and then also so we can see, obviously, the increased adoption of the organization's assets. And we use the term "compliance requirements" kind of on purpose, because we found that compliance jobs and the compliance framework or process can largely be covered by these job stories as well.
A
So we kind of knew that people would prepare for an audit, but kind of the two things in here that were interesting were in organizations that had high security maturity. They basically made security the selling point, or one of the selling points, in their product. So if a potential security threat emerged in the market or in their organization, they took that very seriously, so sometimes it would even escalate to a new organization or a new
A
a new security policy being made, potentially. And the goal of maintaining a reputation is very important to those organizations as well, because the selling point, one of them, is security. So preserving that reputation is also preserving that business model.
A
So to talk about the aspirational job that we found and how those, the lower, rather the main jobs of creating security policy, implementing security controls and ensuring the organization's assets are compliant, so all of those tie to the aspirational job of "I want to enforce security and legal requirements across my organization."
A
But right now in the product, or in most products, there really is no way to do that. There are no jobs that are specifically for fixing the non-compliant areas other than modifying those applications or those repositories manually, which would fall under normal jobs to be done. So we realized that the enforcement is actually the aspirational job and the ensuring is actually the main job, and that's actually the job that's usually being done, because they're looking at the assets, looking at the compliance and making sure that the assets are compliant.
A
That's really all they're doing. They're attempting to modify if needed, but that's usually just a separate task. To go over the additional outcomes of the research:
A
This research ended up being very helpful to strengthen the section's JTBD understanding. We had a lot of conversations around what are the components of jobs to be done and how to actually use them in our roadmap, and to have innovation, or outcome-driven innovation, with them.
A
So to look at that, or rather as a process of that, we're trying to overhaul our jobs to be done page for the Secure and Govern jobs to be done. We're in the process of trying to make it more scalable and consistent for all of the jobs, so they all kind of fit the same framework, as I mentioned before. We're also continuing the jobs research with the security compliance groups, so we realized the increased understanding of security.
A
So we want to go there. And this research also resulted in multiple handbook edits on the jobs to be done page: clarifying the difference between job performer and user persona, because that's a question that comes up very often; also building a screener and a script template for discovering jobs to be done, because it's very recommended to do interviews for them, and the interviews are quite generative and a little hard to do, so
A
it is helpful to have screeners and scripts available, as well as an example issue for future research. And if you wanted to look at other clips, we did actually get such interesting interviews that I clipped some of the interviews to share internally. So, a user that showed us how to develop a security policy; they just showed us the highlight of their process. And there was also a user that walked us through their Vanta setup, which was the rare thing that almost did the enforcement jobs to be done, and you can actually look at that
A
if you're curious to see how it did that. If you want a more in-depth look at the job map that we got from this, you can also go to the detailed summary video of the job map for this that I made. And if you're interested in learning more, then you could hopefully catch the Showcase that will take place on the 19th, regarding some of the lessons learned from this project. Thank you.