User Personas for Secure and Protect: Internal Interviews

What did you learn from this issue?

More in-depth insights are in this Google Sheet (Gitlab only).

Overarching Goals: AppSec Engineer vs. InfraSec Engineer

What sort of organizations are we likely to find these personas in?
- AppSec Engineer: Application Security Engineers often come from software engineers who have some experience with security tools or practices. The most common place to find AppSec roles is in organizations with more than 500 people in Finance, Healthcare, Government, or heavy-traffic applications.
- InfraSec Engineer: Infrastructure Security Engineers may occasionally show up as a DevOps role with a security focus, and some other security roles may share duties. The most common place to find InfraSec roles is orgs of any size in industries such as Finance, Healthcare, Government, or B2B businesses w/3rd-party certifications.

What are the tasks these personas are responsible for?
- Review active/potential security vulnerabilities
- Code review w/focus on security practices
- Collab w/other engineering teams on proactive AppSec work
- Verifying security fixes in the software environment
- Create & maintain security scanning tools
- Conduct security reviews
- Respond to security incidents
- Review product compliance with other tools

What areas of Gitlab do they use, and what are the pain points?
- AppSec Engineer
  - They use: Vuln Report, MR + widgets, Security dashboard, Security policies, Security Scanners
  - Have challenges with:
    - Some security tools (the vuln report especially) don't scale well and the signal-to-noise ratio is bad.
    - MR widget UI issues.
    - Technical knowledge required to configure security scanners.
- InfraSec Engineer
  - They use: CI/CD, Pipelines, Merge Requests, SAST, Repos, Third-party tools, Secret detection
  - Have challenges with:
    - Vuln report (bad noise)
    - Kubernetes integration
    - Secret detection

What are the other job titles for this role?
- AppSec Engineer: Security consultants, Soft. Eng w/Security experience, Product Security, Security Engineer
- InfraSec Engineer: occasionally DevOps roles, most security roles

What's this issue all about? (Background and context)

This issue will address the async stakeholder conversation section of the research for creating a new user persona.

What are the overarching goals for the research?

The goal of this step is to expand on the information already gathered in #1578 through the stakeholder conversation sheet. This step will give us a chance to interact directly with the population we are trying to understand, which will help us know that we are asking the correct questions to the right participants.

The purpose of the research as a whole is to update any personas as needed with more relevant & useful information. Since these concerns have been felt for some time (which was confirmed by multiple team members), it is likely that substantial changes will be necessary as the outcomes of the research surface.

What are the overarching questions for this issue?

  • What sort of organizations are we likely to find these personas in?
  • What are the tasks these personas are responsible for?
  • What areas of Gitlab do they use, and what are the pain points?

What research questions are you trying to answer with this issue?

Fundamentally, all goals should be fulfilled by answering these major questions:

  • What are the other job titles for this role?
  • What size org would you see this job title in?
  • Are there any sectors you would be likely to see this role in?
  • What are the major jobs for the persona?
  • Are there any tasks this persona does which involve other teams?
  • Does this persona rely on any essential information or tasks from other teams?
  • Which of the following Gitlab features might this role interact with regularly? (add to this list as needed)
  • If this persona were using Gitlab, what product tier would they be on?
  • Would you expect this persona to be a SaaS user, a Self-Managed user, or either?
  • Are there any areas in our product which you would expect someone with these responsibilities to have challenges with?

What persona, persona segment, or customer type experiences the problem most acutely?

Potential additional personas:

  • Applications Security Engineer
  • Infrastructure Security Engineer

What business decisions will be made based on this information?

The insights from this research will lead directly into internal stakeholder interviews.

What, if any, relevant prior research already exists?

This research builds on the past research of #1578. A previous epic was created which resulted in numerous persona-related outcomes using external interviews.

Internal interviews have also been conducted, linked to the same study described above.

What timescales do you have in mind for the research?

Who will be leading the research?

@moliver28

@sam.white - Just for visibility, no action needed.

Relevant links (opportunity canvas, discussion guide, notes, etc.)

This HB page on How to Create a User Persona will help guide this research.

Research Documents

Internal Interviews Checklist

  • Create new issue to track internal interviews.
  • Find group of internal users who may fit the desired personas.
  • Adapt template script to current personas
    • May need to adapt it to an a-sync interview (possibly with video) depending on number of available team members in ideal time zones.
  • Write share-out message for scheduling interviews
  • Schedule interviews using Calendly
  • Conduct interviews - use Google Forms to moderate the interview and take notes
  • Synthesize interview data
  • Summarize all data
  • Adapt Template Screener to current personas
  • Create finding for each persona
  • Close current issue
  • Create new issue to track External Participant Interviews.
Edited by Michael Oliver