Resolving Critical Security Risks in a SaaS application

OVERVIEW

BetterCloud is a SaaS management product that enables IT teams to maximize efficiency through automating manual tasks and enforcing company security policies.

BetterCloud was undergoing a strategic effort to redesign the existing experience for the Secure platform. I worked as a Senior Product Designer on the team, leading the design process and work for defining the ‘remediation’ journey of the experience.

My Role
Senior Product Designer
User Research, Sketches, Task Flows, UI Design, Prototyping, User Testing, Planning and Launch

Tools
Miro, Figma, UserTesting.com

THE PROBLEM

Because companies have sensitive data that should not be getting shared out, it was important that customers be given the power to remediate these security risks as they happened to avoid data breaches or leaks.

With the redesign of BetterCloud’s Secure platform, there were multiple releases planned out to give customers the full depth of their Secure use cases. Through the first release, users could now easily discover and monitor any data being exposed outside (or inside) their org and identify critical security risks; however, they could not yet actually resolve or remediate these critical risks.

bettercloud problem

THE PROCESS

Discovery

Understanding current user journey and pain points

In the existing solution for the Secure platform in Bettercloud, users were able to view their assets such as files and folders that were being shared out across their organization. They would identify which ones were a risk, and then execute remediation steps based on their policy. A problem in this existing platform was the amount of actions presented to users to help them remediate these risks.

Users may not know what the right action was to remove the risk, and would often need the guidance from our internal expert team or security to know what they needed to do.

Actions menu in existing experience

Identify the Critical Actions

I discovered there were 86 total potential actions across 5 applications that users could take.

I found that there was opportunity for some of these actions to be consolidated together so that they became less actions for the user to decide from on the interface, but the back-end would be smart enough to execute the correct action.

I set up a card-sort activity, and worked with our User Researcher to run this with 10 users to see if we could uncover patterns or groupings of these actions to begin consolidating them.

Top actions and card sorting

Ideate Collaboratively and Rapidly Test a Solution

Because this was a problem I recognized was large, I decided to hold a design sprint to ideate collaboratively and quickly and craft a solution we could test. I led a design sprint with a cross-functional team, that involved: myself, our design team, product manager, and key customer-facing roles. The design sprint mostly followed the structure of Google Venture’s Design Sprints.

Because discovery step in the overall secure experience was already defined, I now needed to focus on the ‘remediate’ or the securing of risks step in this experience. This helped me to keep the team focused on this specific problem during the sorint.

To align on what the goal for the sprint was, I brainstormed with the team what our goal and challenges will be by facilitating a brainstorming activity.

Whiteboard with goals and challenges written out
I then established what the sprint goal and challenges were, and who our target user is.

THE USER

IT/Security Admin concerned about protecting their company's data and enforcing organizational security policies
GOAL

Guide users to quickly remove 100% of risks
CHALLENGES

Is the right action the same for all users?

Can we break out work to be done into digestible chunks while taking bulk action?
Map

I led the team through a mapping activity to outline what the individual steps and tasks the user would take to get to the goal. The map would help me begin to identify what the user journey looks like. I then led the team through a sketching exercise where each participant got to produce a solution sketch to represent an idea for the prototype.

Sketches on paper

Storyboard

Using the solution sketches, I then faciliated a storyboarding activity. The storyboard would tell the user's journey frame by frame, and help define the prototype screens.

Whiteboard with a storyboard

Prototype

I developed a prototype based on the storyboard we had written. To rapidly develop the designs for each storyboard frame, I faciliated screens that I and each designer would develop. On prototyping day, we continuously reviewed and shared our progress. I built in interactions and flows connecting each frame to develop an end-to-end prototype for testing. I wrote a testing script and outlined each scenario and tasks, and worked with the User Researcher to further refine the script. Our user researcher ran 5 moderated sessions, and I sat in on each session and took notes.

The following are solutions that resulted from our design sprint.

mockup showing actions to review
Quick Actions - users can take the correct action to secure their risk

mockup of a list of risks
Risk Lifecycle Tabs - users can see how many current risks they have, and how many risks that have successfully remediated

Define Scope

Coming out of our design sprint, I recognized the prototype was a little idealistic. I worked with the Product Manager and architects to align on what was feasible for us to build. We ended up identifying ‘chunks’ (or what later became the epics) that we could iteratively build on to ultimately help us achieve the end-goal we had defined in our design sprint. We aligned on the scope for the project, decreasing some of the capabilities we had introducing during the design sprint.

Align

We aligned on the scope for the first epic of the project to release. It was important for us as a team to understand what was reasonable for us to build and what our limitations were. With this first release, we focused on building out the remediation actions users could take and making the actions available on the UI. This would help us build the foundation for the experience of presenting ‘suggested actions’ we had designed in our design sprint.

Refine Designs

I refined the designs now that our scope was defined and mapped out the sad-paths and edge cases for the flow.

Task Flow of risk lifecycle

PLAN & BUILD

As I began planning the work with the engineering team, the team was still uncovering large amounts of work they would have to do. I collaborated with the team (product manager and engineers) to slice up the work up a little bit more to really focus on what we needed to solve for.

To develop the user stories, I led the team through a user story mapping session to clearly identify what they needed from me or to understand. I then helped write out acceptance criteria and prepared design deliverables for the the team.

user story map
Our User Story Map we developed from planning sessions

THE RESULTS

bettercloud problem

Quick Action on a risk

Lessen the cognitive load on the user when choosing an action. Surface the right action a user needs to take in order to move the risk into ‘Secured’

bettercloud problem

Universal action properties across applications

Users can easily configure the action properties, regardless of type of asset or application selected.

bettercloud problem

Risk lifecycle

Allow users to audit their activity at all time by viewing status of a risk, and when it was moved into the Secured status.

Previous Project: Building Automations / Next Project: E-commerce Checkout