In this post I will reiterate what we have been presenting to partners, analysts and customers alike – from a ‘why we did this’ perspective to a ‘how we did this’ approach.
As covered in the previous post, we built this product primarily out of frustration being a user of several of the ‘old school’ products that are out there. I personally found them to be:
- Hostile to the end user experience
- Had significant architectural and operational requirements prior to deployment
- Required end user training in most cases (tough to do when you have 40,000 of them!)
- Capable of delivering on the technical requirements – but rarely facilitating the ‘spirit’ of the requirement
- Covering only a small part of the footprint required
- Missing a huge component of any info sec program – SoC and IR teams
- ‘wasting’ the data collected, and not sharing it with other interested parties
- Enabling and reinforcing negative user interactions (more on this later)
So, it’s a long list – but these are the primary issues I had with the marketplace at the time. Having been on many sides of the issue in my career (as a product guy, as a deployment customer, as an end user, as a consultant) – I feel there still is a long ways to go in this space.
So lets quickly cover each item – again my opinion so YMMV – however I have spent quite a bit of time validating this with customers, users and architects:
Hostile to the End User Experience:
Ahhh.. this is a big one for me. My main point of frustration with this item was threefold:
- Why are you asking the ‘user’ to ‘compute’ for you? (That is – asking them to classify the document for you). Aren’t you sitting in front of a computer? Isn’t that what a computer is supposed to do – Compute?
- You are interrupting the user – they have better things to do than answer your silly security questions – so you’d better make it simple, fast and easy – preferably without having to think much about it
- If billions of people can figure out Facebook, Twitter and other products – why do you need to train people how to classify? Design up front with ‘minimal to no training required’ as a stated design requirement
- Bonus Points – Why are you promoting the software brand in your end-user facing interactions????
We spent a lot of time on this item – engaging UCD and UI/UX experts right away to help us (geeks don’t make good User Experiences generally J). After over 300 surveys, about 20 different designs and many many user interaction sessions – we have come up with something that delivers on all fronts.
Why are you asking the ‘user’ to ‘compute’ for you?
Whenever we interact with the user – we are actually asking them just to confirm our calculations. With a quick eye scan (we tested this!) – the user can see that ‘oh the computer thinks its ‘Confidential’’ – I agree – click Ok and move on. Simple, fast – easy.
If the user happens to not agree with the automatically calculated classification – simply all they do is select the other classification (Partner External for example) – and if the administrator set the flag – enter a reason WHY its different. Entering a reason is a significant portion of our ‘classification stewardship’ architecture – a whole section on that coming up!
Either way, its designed to be simple, fast and quick to understand – while also being highly accurate and up to date – just as important!
You are interrupting the user
Indeed, users Looooove being interrupted. Our hundreds of user surveys show a high level of dissatisfaction with almost everything in IT, but especially with ‘change’. Anything that is new or different is a big point of concern (and worry!) for most users. They have been conditioned to worry about viruses, ransomware, malware, ‘breaking their machine’, etc. over the years that anything new is a big problem.
So, in addition to having a user interface that is both uniform to their existing environment (looks like Office, acts like Office, etc.) – it is also very selective when we actually prompt the user. Instead of asking them to classify or validate a classification on every file->save, or every time they email the document, or every time they close Word – the administrator has high granularity capabilities as to when to ask the user something.
We found this to be both very specific to organizations – and even departments within them. Some areas of the business you are going to be asking every time a document is edited – since these are either high risk documents or high risk users. In other areas, you may only ask once, or only when the classification has been detected to change.
At the end – you decide – not the software vendor – when/how/why you interact with users.
Why do you need to train people how to classify?
When is the last time you read a manual for a new product (software or hardware)? Indeed, try and find one for the app on your phone! We worked with the UCD folks with this premise in mind – we don’t want to train users how to use the solution. Such a simple thing, but goes a long way in the design and implementation of the whole stack – goes to the core of what we do and drives many decisions around the implementation of functions and many of the features.
Our usability testing demonstrated that at worst, users need only a few seconds of ‘coaching’ – potentially from a colleague or a manager or a simple self help video (“oh yes, when this comes up – if you agree with what the computer estimated, just click ok… if you don’t agree, select the different classification and enter why – then click ok”)…
Branding – why are you promoting the software vendor?
Personal pet peeve of mine – when the user is being interacted with – why are the users subjected to the commercials of the software? The vendor name, logo, etc. – why? Who cares? Certainly – users DO NOT.
So, in our solution – end users will not be subjected to the ClassiDocs brand, name, logo or anything else. The full solution is not just brandable with your logo scheme, but more importantly it supports any information you wish to present to the user – in all HTML5 goodness. Do you want to remind the users about something? Link to a video that corporate produced on Data Classification? Include a click-to-call button for the helpdesk? Anything else? With two clicks on the administrator UI – everyone in the organization gets this information – globally within 5 minutes.
We felt from the beginning that the end-user interaction mechanisms, approaches and designs were yours to own – greatly reducing end-user friction with the solution (less scares, less confusion, more knowledge transfer, up to date messaging) and ultimately – higher uptake of the solution – which is something we all aspire to!