Driving product adoption through feature innovation
Background
Posture Management is an API-based product that continuously monitors critical configurations of SaaS applications (i.e. Google Workspace, Microsoft 365) to minimize cybersecurity risks and vulnerabilities. Simply put, this product recommends a list of important settings that users should implement in their SaaS applications such as “enable multi-factor authentication”.
Each recommended setting is assigned a number of points based on its significance. This yields an overall “Posture Score,” which serves as an overview of the user’s progress in fulfilling these recommended settings. Theoretically, the user should aim to maximize their Posture Score so they can maximize their SaaS application’s security. Posture Score also serves as a valuable metric and indicator of whether users are using the Posture Management product. The issue I quickly discovered when I joined the team was that the average Posture Score across all users was only 22%.
My Approach
My approach to improving the average Posture Score was to:
Conduct user interviews
Synthesize insights
Ideate a solution
User Interviews
Posture Management customers are diverse and span different geographic locations, industries, and sizes. For this reason, I carefully selected a wide range of users to research and interview because I wanted diverse input that was reflective of the diverse Posture Management customer base. Over the span of two weeks, I interviewed 8 users and followed the question template below:
What motivated you to purchase Posture Management in the first place?
What are your expectations for a Posture Management solution?
How do you use Posture Management as part of your workflow?
Are there any other tools or processes you use to accomplish your workflow?
How confident do you feel in the security of your SaaS applications?
I also interviewed all customer-facing departments, including sales, customer success, and customer support to capture a holistic picture of the situation.
Synthesized Insights
After conducting the interviews, I came to the following key insights and high-level solution requirements:
Many users are not IT professionals. Many of our customers fall in the Small to Medium Sized Business (SMB) range and more often than not, their IT department is understaffed. Consequently, untrained individuals play the role of IT administrator and are often intimidated by the SaaS applications’ settings so they avoid this responsibility altogether. A solution must give the user confidence.
Users have no reference for what is “good enough”. Users understand that a high Posture Score implies a more secure system. However, users also understand it is not practical to have a 100% score because every business has unique requirements that may defy traditional cybersecurity practices. Therefore, users struggle to understand what is “good enough”. A solution must give the user context.
Governance, Risk, and Compliance (GRC) is a top priority. A popular reason why users bought Posture Management, surprisingly, was to help their organization achieve compliance with industry standards and/or frameworks (e.g. ISO 27001, SOC 2, HIPAA). In order to comply with these standards and frameworks, the user must demonstrate their SaaS application is appropriately configured. For example, organizations complying with HIPAA must ensure patient data is safeguarded - and one element is to configure the SaaS application appropriately such that access to patient data is restricted to those with the necessary privileges. A solution must include GRC.
Ideation
The next step is translating these insights and requirements into a practical solution. Since the solution must include elements of GRC, I researched GRC solutions to learn how their users are instilled with confidence and context. I noticed that some GRC solutions provide completion progress by the organization’s units - for example, the GRC solution would show the R&D unit is 30% complete while the Manufacturing unit is 75% complete. By providing a comparison between units, the user has context around each unit’s performance, thereby giving the user confidence that they should prioritize their efforts on the lagging unit.
Inspired by this approach, I created a comparison feature that allows users to compare their Posture Score across three areas: compliance, industry, and organization size. With this solution, the user can select a compliance (e.g. ISO 27001, HIPAA), an industry (e.g. Finance, Technology), or an organization size (e.g. 1-50 employees, 100-500 employees) to see the top Posture Scores of their selection, which serves as a benchmark for their organization. Since we have 1,500+ global customers, this data is already available and only requires minimal cleanup.
Results
6 months after deploying this feature, the average Posture Score across all users increased from 22% to 42%. This increase was a positive sign that users were beginning to adopt the Posture Management product after receiving a bit of guidance.
Additionally, I received qualitative feedback from nearly all customer-facing departments. There was a sharp decline in customers inquiring about the Posture Score itself and a sharp increase in the number of questions about the configurations that ultimately comprise the Posture Score. In other words, users now understand their Posture Score goals and are expressing interest and engagement in achieving these goals.
My Takeaways
Visibility must include context. In my years of experience as a security professional, I learned that one of the first capabilities any security solution includes is visibility. It stems from the idea that you can’t protect yourself if you don’t know what/who you’re protecting yourself from. This project taught me that an important element within visibility is context - simply seeing potential risks, threats, and vulnerabilities is not enough. Users must understand their relevance and impact on their unique environment so they can take appropriate action.
Embrace the cybersecurity domain expertise. There were several areas that required at least some level of expertise:
SaaS application: An expert is needed to evaluate every security-related configuration within the application
Compliance: An expert is needed to understand the cybersecurity requirements of different industry standards and frameworks
Industry: An expert is needed to understand which cybersecurity practices do and don’t apply to the various industries
Size: An expert is needed to understand which cybersecurity practices do and don’t apply to the various company sizes
In the context of this feature, cybersecurity sits at the intersection of these areas. While I may not be as well-versed in these areas as my users, this project reaffirmed my role as a cybersecurity expert. I learned to embrace and leverage my expertise to bring these diverse areas together and deliver a valuable solution to my users.
Build internal advocates. My product philosophy on collaboration is to keep my stakeholders involved. Since I interviewed the customer-facing departments early in this project, I kept them updated on the solution as it became clearer. When I shared the sketch and concept of the solution, my stakeholders not only agreed that this would help increase the average Posture Score across all users, they were also relieved because they believed this solution would reduce the number of inquiries and support tickets from users who would ask “what is a good Posture Score?”. The stakeholders were advocates for this new feature and included it as part of their demo calls, customer onboarding sessions, etc…, which increased the overall product adoption even further.