Discover JTBD for the Security Policies group
What did we learn?
Results
We found 3 main jobs regarding security policies:
When a new legal requirement appears, I want to create security policies for the organization's assets so that I can reduce the likelihood of a legal or financial threat before it touches production.
When a new security policy is published, I want to implement security controls in my organization's assets so that I can increase the adoption of my organization's assets to the compliance requirements.
When I'm preparing for an audit or potential security threat, I want to ensure the organization's assets are compliant with the security policies so that I can maintain the organization's reputation in the industry.
- These 3 jobs fall under the more extensive, aspirational job of "Enforcing the security requirements across my organization's assets".
- I also got a lot of solid feedback that manually checking all of the repositories in the organization is very frustrating.
What's this issue all about? (Background and context)
A usability benchmark study was recently conducted for the Secure and Govern stages, and one helpful piece of past research used was the JTBD for those groups. In fact, JTBD are the basis for Category Maturity Scorecards, which are the driving force for maturity on a feature. Designers and Managers use JTBD and their components to help strategize what to build and how to test it.
However, there are no validated JTBD for the Security Policy group. This research issue will use the process laid out in the Jobs to be Done Playbook by Jim Kalbach (what GitLab's JTBD are based on).
It is worth noting that this research is from a solution-agnostic perspective and the participants I will attempt to recruit will not necessarily be GitLab users. This is because we want the result of the JTBD to be helpful regardless of current solutions or technology. This increases the long-term value we will get out of this research and its outcomes. Also, these JTBD will not be incorporating a lot of emotional elements into the research outside of the emotional and social jobs which are naturally uncovered. This is to focus on the actual job process which our users are going through in their work.
What are the overarching goals for the research?
The goal of this research is to create a list of big jobs and little jobs which will be used to update this JTBD handbook page, including micro jobs and job statements for each main job.
While this issue is focused on gathering new JTBD for the security policy group, a secondary outcome that can be worked on after this issue, in alignment with our UX Roadmap planning, is opportunity and value mapping which can be used to find unmet and underserved needs.
What research questions are you trying to answer?
- Understanding the main (& possible related jobs)
- What are the job performers trying to accomplish?
- What are the problems the job performers are trying to prevent or resolve?
- What would the ideal service be to do the job for the job performers?
- Understand the process of executing the jobs
- What are the beginning, middle, & end steps in the job?
- How do the job performers make decisions along the way?
- How do the job performers know they are doing the job right?
- What are the desired outcomes the job performers are looking for?
- What do the job performers dread doing?
- What is the most annoying or frustrating part?
- What could be easier, and why?
- What circumstances significantly change the process, and how?
- In which situations do the job performers act differently?
- What conditions influence the job performers' decisions?
What persona, persona segment, or customer type experiences the problem most acutely?
JTBD does not use personas to define the users. Instead, we will use general job statements to help us talk to actual job performers (as opposed to managers, advisors, reviewers, etc.) who interact with their organization's security policies. Since the goal is to talk to people who could use the security policy tools, we will make the screener somewhat more broad and exhaustive than typical, and then whittle the responses down from there.
What business decisions will be made based on this information?
GitLab uses JTBD for a significant amount of planning and discussion. They serve as some of the foundational understanding of a feature and its use cases in the real world for job performers. Future designs and research will use these JTBD to shape the user's needs, goals, and circumstances, which will shape future roadmaps/product decisions, and validate the existing roadmap.
What, if any, relevant prior research already exists?
- Past JTBD for vulnerability management (https://gitlab.com/gitlab-org/ux-research/-/issues/1068)
What timescales do you have in mind for the research?
The goal is to have the outcomes of this study done by 2/28/23.
Who will be leading the research?
@moliver28 will be the primary DRI and @andyvolpe will help with the note-taking and possibly some of the analysis.
Checklist
- Create draft of script (link)
- Create recruitment issue (https://gitlab.com/gitlab-org/ux-research/-/issues/2241)
- Create draft of screener (link)
- Create Calendly link
- Finalize screener
- Launch recruitment
- Finalize script
- Start interviews
- Synthesize Data
- Finish interviews
- Summarise Data
- Sync with Stakeholders
- Communicate changes & insights with stakeholders
- Update JTBD Handbook page - MR for changes: gitlab-com/www-gitlab-com!122493 (merged)
- Share insights via Research Report
- Close research issue w/results