
Mark Pedersen

IBM

Strategic Middle Market Research

My Role

  • Research Plan
  • Discussion Guide
  • User Interviews
  • Data Analysis
  • Insights Report
  • Research Readout
  • Stakeholder Management

Timeframe

  • Three Months

Tools

  • Box Notes
  • Mural
  • Figma
  • WebEx

The Challenge

    The Data Security Product Management team at IBM wanted to introduce a new SaaS version of Guardium that would serve middle market customers, rather than just IBM's typical enterprise customers. However, being primarily an enterprise software firm, IBM had little information about middle market customers and needed a way to understand their unique needs. The Data Security PM executive tapped me to figure this out and deliver a way forward.

    Research Approach

    Goal:

    • Identify and understand any unique needs of potential middle market customers
      • Understand differences in database security needs
      • Understand differences in demonstrating data and privacy compliance
      • Understand how this cohort views risk

    Method: User interviews.

    Participants: Seven prospects in the middle market segment, with job responsibilities that involve securing databases and demonstrating data and privacy compliance.

    Competitive Landscape


    The competitive landscape within the middle market looked different than the enterprise space. While traditional competitors like security stalwarts and hyperscalers had a presence, this cohort also relied on smaller and more diverse vendors - from GRC firms like OneTrust, to database specialty firms like Idera and Open Raven.

    Team Operations

    These insights are related to team structure and operations.

    • Teams are less siloed than in the enterprise
      • Most participants operate in a security generalist role, regardless of title
      • All rely on cross-functional colleagues, either within IT or outside of it
    • Basic security practices are established, but more is needed
      • Nearly all are using a behavioral-based monitoring tool
      • Nearly all have an established vulnerabilities program
      • Nearly all classify data, even if in an informal sense
      • Most do not use data discovery tools
    • An array of factors can affect purchasing decisions
      • All said that having a SaaS solution was important
      • All expressed that having a trial experience is an important part of selecting a data security tool
      • Most stated that cost is a major factor in purchasing decisions

    “No one's gonna manage it here on my end.”

    Guidance

    These insights are classified under the theme of Guidance.

    Content challenges loom in the middle market

    All participants expressed a desire for clearer descriptions and explanations.

    Recommendation:

    Invest in adding content designers to the Data Security team.

    Ensure that all new content and any content changes are tested as part of the standard design and research process.

    "You're a jack of all trades, but you're not a DBA."

    The middle market needs to be told what to do

    All currently follow previously established practices that were handed down to them, or learn from mistakes.

    Independent guidance is desired by all participants.

    Recommendation:

    Provide detailed guidance around data security best practices and compliance.

    This is a prime opportunity to add Watson Moments to the application.

    "Why am I remediating this resource against this control? What am I trying to achieve here?"

    The data security space is void of leadership

    There is currently no independent authority providing guidance to participants around best practices of data security and compliance.

    Recommendation:

    Forge a strategic partnership with Marketing to launch a tool-agnostic website and community, around data security and compliance best practices and training.

    This will aid in selling into the middle market.

    With further simplification of the Guardium experience, this could provide a pathway to eventually selling into the small business market.

    Example: What HubSpot has done with Inbound Marketing and HubSpot Academy.

    "Does anyone know what to do with data security?"

    Enablement

    These insights are classified under the theme of Enablement.

    The Strategy of a data security hub was validated

    IBM Security Product Management has a vision of creating a data security hub, in which all hybrid cloud data is protected and can be acted on under one roof.

    All participants reacted positively to the idea of a data security hub.

    Recommendation:

    Think beyond the UI. Consider what a data security hub would look like when data is piped into a SIEM or SOAR tool.

    "Having a tool that could connect the dots from end-user to DB would really help."

    Pre-built compliance policies are becoming essential

    Pre-built compliance policies are already being offered by competitors.

    Recommendation:

    Provide pre-built compliance policies and advise customers on what exactly needs to be done to be in compliance.

    Utilize automation to make this happen for them.

    "AWS is coming up with these policies where we tell them that it needs to be compliant and they tell us what needs to be done."

    Globalization has affected compliance

    International participants and global companies are having to deal with compliance mandates of other countries.

    Competitors are already offering assistance with meeting these compliance mandates.

    Recommendation:

    Create an internationalization strategy around compliance.

    Provide pre-built compliance policies catered to non-US compliance mandates.

    Utilize automation to make this happen for them.

    "So, in the Azure Security Center...New Zealand ISM was one of those...that's really great. That's a huge time saver."

    Major tension exists between Security and GRC teams

    Most participants expressed frustration when dealing with, and even a dislike of GRC teams.

    Security is often shot down when proposing new ways to demonstrate compliance.

    Teams are stuck in monotonous meetings, doing repetitive work, and managing myriad documents and links.

    Recommendation:

    Provide a way for team members to manage a customized or personal compliance workspace.

    Create a way for GRC teams to be invited to that workspace with a view-only account, or allow for customers to provide GRC teams with a link to downloadable files.

    Empower security teams by including IBM educational resources in the compliance workspace for GRC teams to view.

    "These people are dumb - they don't know anything from anything."

    Moving to full vulnerability management will add value

    Nearly all participants rely on a vulnerabilities program as a core element of security.

    There is uniform desire to increase automation.

    Recommendation:

    Create a central place for customers to manage their vulnerabilities workflow.

    Provide additional assistance with remediating vulnerabilities.

    Vulnerability management could also act as a barrier to entry for some competitors.

    "Azure Security Center looks at databases and database servers and it's got its own set of vulnerability management suggestions and recommendations."

    Opportunity

    These insights are classified under the theme of Opportunity.

    Risk can complete the puzzle

    Most participants are already tracking risk.

    Nearly all need guidance and enablement, with respect to IT risk management.

    Competitors are already offering this.

    Recommendation:

    Tighter integration with IBM Risk Manager.

    Allow for everything to be tied to an area of risk and viewed through the lens of risk.

    "It would be nice to see a risk-oriented approach, where you can reference an area of risk and look at the associated controls with that risk, and then the compliance of your resources against those controls."

    The middle market is ready and waiting for XDR

    Automation and self-remediation were a consistent theme amongst participants.

    Recommendation:

    The success of IBM's forthcoming XDR product will be largely dependent on what signals IBM Security takes in.

    This list will grow exponentially as IBM goes down market, where integrations will be required with a host of smaller players that serve this segment.

    The same remains true for a data security hub in this space, thus the success of these two products are inextricably linked to new integrations.

    "Where I can have a robust system that is smart enough to not only alert me that something has happened, but to mitigate the issue."

    Creation

    With these new insights in hand, we set out to reimagine what data security and privacy compliance could look like for our new persona, Jack - who we viewed as a "jack of all trades."

    Jack's new journey


    We created a guided compliance journey that takes Jack through the compliance process step by step, ensuring a seamless experience.

    This included educational resources that explain what a given compliance standard is, and how to actually set up a program that demonstrates compliance.

    Begin the quick start compliance journey

    Our guided compliance journey starts with the customer selecting a desired compliance standard, such as CCPA - the California Consumer Privacy Act.

    Choose a regulation


    We then meet the customer where they are - allowing them to move the compliance program forward, based on what they currently have to work with - rather than mandating a rigid process that requires all information to be ready before one can begin.

    Just have a list of Admin users and not Authorized users, Sensitive table names or Source IPs? No problem! We've got you covered!

    Tell us what you have


    The customer has the option to enter their information manually, or to dramatically expedite the process with a bulk add of Admin users.

    Enter your information

    Then, presto! With the pre-built compliance policy in place and the customer's information added - the foundation of the compliance program has been set up.

    Create your program


    With the foundation of our guided compliance journey in place, the customer is provided with a milestones experience.

    The three milestones continue to guide the customer down to the task level - providing step-by-step instructions on how to complete the compliance program.

    Milestones experience


    The culmination of this nearly effortless experience is the compliance workspace.

    The compliance workspace is a one-stop shop, allowing customers to monitor their data security and privacy compliance programs - exactly what they needed!

    Compliance workspace


    Final Thoughts

    This effort underscores the power of working with users to build a 0-to-1 product, as well as how to approach an entirely new market. The research uncovered a strong need for more guidance and explainability, pre-built compliance policies, and a personal compliance workspace - and that's exactly what we built.

    We also satisfied the need of a trial experience, by first providing a sandbox complete with pre-populated data, allowing prospects to test drive the new Guardium SaaS experience without having to deal with the arduous process of hooking it up to one's own data, or the strict security approval process that comes with it. Prospects can then move on to a trial experience with their own data, if desired.

    This research was so impactful that it was showcased by IBM's VP of Global UX Research at IBM TechXchange, as a way to demonstrate the impact of user research and convince customers of the power of working with us.

© 2016
