What is the current environment? Understanding the organization’s current state, norms, and the reasons behind current behaviors will help you design a tailored experience to increase its chance of success.
Current Behaviors
What behaviors do the Participants currently exhibit with respect to the identified Goals, and what is incentivizing these behaviors?
I recommend capturing the behaviors and motivations of your organization both at a macro level and for each Participant Group, as identified previously, considering each group’s specific priorities and security behavior beyond what’s defined at the org level. This can help you understand how to eventually tailor the experience to each of the different positions. Include explicit incentives like recognition, performance review criteria, or rewards, as well as implicit ones like cultural or social norms. Note that these will not apply uniformly to all individuals, or to any one individual. The aim is to think deeply using your own observations and experience to capture a general sense of how and why people behave the way they do.
Example Behaviors
These apply to all people of the organization, regardless of Participant Group.
Priorities and Incentives
- Performance: accomplish tasks, satisfy team and company OKRs
- Purpose and Meaning: add value and contribute to company success
- Personal growth / development
- Knowledge, curiosity, creativity, a sense of control over one’s work
- Social influence: help others, reciprocation
- Peer/Leader Recognition: Status, Title, Promotion
- Salary / Income
Security Behavior
- Unaware of security implications during daily work
- Not sure what’s expected
- Low priority, too busy to think about it
- Doesn’t think it applies to their position or career plans
- No emphasis by leadership / Not part of performance goals
- A belief that the way things are currently working is good enough
Priorities and Incentives
- Reduce Customer Escalations and Production issues – Motivated by a desire to keep the customer happy and see the business succeed
- Feature Delivery – increase points per sprint, incentivized by subjective supervisor performance reviews
- Technical Quality (Performance, Maintainability, Security) – motivated by pride in one’s technical work and reducing mean time to remediation of production issues as well as reducing technical debt
- Process Improvement – Refine process and time efficiency, including sprint velocity – motivated by desire to ease development and bring speed and efficiency
- Releasing Code Quickly > Low Production Defect Rate (Quantity and Speed over Quality)
Security Behavior
- Reach out to security team for help if needed
- Reach out to security team to review changes
- Find shortest path to delivery, skipping security best practices (cutting corners)
- Sees security as inconvenient and expects the security team to automate it for them
Priorities and Incentives
- Shipping successful features
- Process Improvement – Refine process and time efficiency, including sprint velocity – motivated by desire to bring speed and efficiency
- Releasing Code Quickly > Low Production Defect Rate (Quantity and Speed over Quality)
Security Behavior
- Security integral to our product
- Reach out for help during product and technical design reviews
- Thinks customer focus means exclusively features and not quality or security
Priorities and Incentives
- Production Issues
- Production Monitoring
- Performance of Team
- Feature Development
- Regulatory / Compliance concerns
Security Behavior
- Use best judgement on security issues
- Have security team review risky changes (when identified)
- Meet compliance requirements as requested by legal or security (reactive, not proactive)
Priorities and Incentives
- Increase Sales Conversion
- Sales Opportunities / Leads
- Renewals
Security Behavior
- Security is someone else’s job
- Some think about phishing, passwords, other awareness-like security concerns
Current Experience
What are the details of the program today? Think about the current design, touch points, and interactions with participants. Also capture current incentives and motivations: what compels the Champions to participate today? Capture relevant metrics and statistics as well, if available. If you don’t have a program today, you can skip this step.
Example Current Experience
Program Design
- Engineers may volunteer as Champions
- Word of mouth: No active recruiting, marketing, or communication
- Monthly brown bags hosted by AppSec team with invites sent to Champions only
- Champions list maintained in spreadsheet with columns for date joined and date left
- No additional responsibilities outside of learning
Incentives / Motivations of Champions within Program
- Champions care about company and want to make a difference in its security maturity
- Natural, intrinsic interest in security as a career aspiration / resume builder
- Feels socially compelled to participate because of relationship with security team and brown bag presenters
- Brown bags provide direct value to their day job
- Feel that they’re “part of the club”
Metrics
- 25 Engineers are identified as Security Champions out of 500 total engineers (5%)
- Attendance in brown bags is consistently a group of 5 dedicated individuals, with 1 or 2 others who pop in and out (brand new champions)
- Program running for 2 years
Surveys vs. Observations
It may be helpful to design a survey to send to a sample set of Participant Groups to really understand what’s important to people, how they think about security, and their opinions and suggestions about the current program. A word of caution though: not everyone will express their true incentives / motivations through a survey. There is often a disconnect between what people will tell you they want, what they think they want, what they actually want, and how they act. Use your observations of their behavior to draw your own conclusions and design accordingly.