Design Principal | Designer | Experience Fanatic

Consolidating security

Case study

Cloud Pak for Security

When we kicked off the “Security platform” project in 2017, I was fairly new to the cybersecurity domain. During onboarding, I took the requisite SOC analyst and incident responder trainings and was continuously researching industry trends and learning more about security operations. With this knowledge coupled with my expertise in UX principles, I was able to deliver an experience that enabled security professionals to quickly integrate their existing security tools, generate deeper insights into threats, orchestrate actions, and automate responses—all while leaving their data where it is.

Skills used

Leadership, UX design, UI design, prototyping, project management, UX research, workshop facilitation

Background

In 2017, IBM Security had over 100 disparate and disconnected security products spread over many teams. Security professionals had similar problems with disconnected data and too many security tools that didn’t work together.

Image: CP4S Home

Identifying an untapped market

With my previous experience designing platforms and working with decentralized data, I felt confident I could meet the target users’ needs. Our personas were very clearly defined, so I thought I knew what I was getting into. However, after conducting generative research with users at companies with varying maturity, it became clear that we were too focused on traditional IBM enterprise clients, and that there was an untapped segment of the market with less mature security teams. We needed to modify our approach to the analyst experience. We needed a new “generalist” persona, the “security worker.”

Understanding users
  • Users at lower maturity organizations tend to fill many roles, rather than specialize in one.
  • Pain points revolve around lack of collaboration and moving between disconnected tools.
  • They need to know about malicious threats before they are affected.
  • They need to find the “needle in the haystack.”
  • They need to document investigations and collect evidence in a collaborative workspace.

Understanding the market
  • There were a few players trying to bring security data together into a platform, but none with the existing technology (and client base) we already had.
  • We were one of the few that wanted to let users keep their data where it is and just connect it to our platform.

Exploring solutions

Now that I knew we were designing for users at organizations of varying maturity, the solution needed to cater to both types of security workers: generalists and specialists. I led designers from multiple teams across Security in deep exploration to uncover solutions to the identified pain points. Although we needed to consider existing IBM technologies, I made sure we thought holistically about how a security worker in a SOC might complete a job, regardless of the number of tools on the platform. Rather than designing for individual “apps,” we landed on an experience built around three main “phases” of a security worker’s responsibilities:

Gather intel

Security workers can view prioritized real-time threat intelligence and be alerted when known threats are affecting their environments.

Investigate

With a single query, a security worker can get relevant, automatically enriched results from multiple data sources, and collect evidence from those results without leaving the platform.

Respond

A security worker can respond to an incident within a prioritized case by following a playbook and demonstrate its remediation to leadership.

Getting alignment

After validating our explorations with actual security workers with varying maturity levels, I delivered a Playback 0 to all IBM stakeholders across the business unit and received resounding approval. This alignment guaranteed continued investment in the project and resulted in the formation of cross-discipline product teams charged with delivering these experiences.

Then the hard work began.

My role was to lead three separate product teams working on three separate parts of the experience simultaneously. The challenge was to make sure they were all working together to ensure a seamless experience across the platform and not just focus on their “app.” Previously, IBM Security products were very siloed and often overlapped in capabilities.

By setting up shared sprint schedules, combined Agile ceremonies, and cross-team playbacks, I was able to mitigate this challenge and deliver a seamless end-to-end experience that met the needs of our users. This experience consists of three integrated apps: Data Explorer, Threat Intelligence Insights, and Cases.

Delivering user value

Federated search

In addition to being the Senior Lead for the entire platform, I also served as Design Lead for Data Explorer. I led a team of designers and developers in creating an experience in which a security worker could investigate a case by building a complex query without needing to learn a query language. The query runs once, returns correlated results from all connected data sources, and those results arrive pre-enriched with threat intelligence so the severity of each one is visible at a glance.

User outcomes

As a result of this new experience, security analysts could now run one search across all connected security tools and view the correlated results in one place.
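To make the federated-search mechanism described above concrete, here is a small added example in Python. It is not Cloud Pak for Security or Data Explorer code; the connectors, field mappings, log records and the threat-intelligence feed are all constructed for illustration (the IP addresses come from the RFC 5737 documentation ranges and are not real indicators). The analyst's query is a list of field/operator/value rows, as a form-driven UI would produce it; each connector translates the common field names into its own native names, results are normalized to one schema, correlated by destination indicator and ranked by intel severity. A source that cannot express the query is reported as skipped rather than silently contributing nothing.

```python
"""Toy federated search: one structured query fanned out to differently-shaped
data sources, results normalized, correlated by indicator and enriched with
threat intel. Added example; all data, names and field mappings are constructed."""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "unknown": 0}

# Constructed sample records. Field names differ per source on purpose, as
# they do between a real firewall and a real EDR product.
FIREWALL_LOGS = [
    {"ts": "2021-03-01T10:00:00Z", "src": "10.0.0.5", "dest": "203.0.113.7", "action": "allow"},
    {"ts": "2021-03-01T10:02:00Z", "src": "10.0.0.9", "dest": "198.51.100.20", "action": "allow"},
    {"ts": "2021-03-01T10:03:00Z", "src": "10.0.0.5", "dest": "192.0.2.44", "action": "deny"},
]
EDR_EVENTS = [
    {"time": "2021-03-01T10:00:05Z", "host": "ws-005", "process": "svchost.exe", "remote_ip": "203.0.113.7"},
    {"time": "2021-03-01T10:04:00Z", "host": "ws-009", "process": "chrome.exe", "remote_ip": "198.51.100.20"},
]

# Constructed threat-intel feed keyed by indicator (RFC 5737 addresses, not real IOCs).
THREAT_INTEL = {
    "203.0.113.7": {"severity": "high", "name": "example-c2"},
    "198.51.100.20": {"severity": "low", "name": "example-scanner"},
}


def _match(value: Any, op: str, target: Any) -> bool:
    """Evaluate one predicate. ISO-8601 timestamps compare correctly as strings."""
    if op == "eq":
        return value == target
    if op == "in":
        return value in target
    if op == "gte":
        return value >= target
    if op == "lt":
        return value < target
    raise ValueError(f"unsupported operator: {op}")


@dataclass
class Connector:
    """One connected data source. field_map goes from the platform's common
    field names to this source's native names; the connector, not the
    analyst, knows the native schema."""
    name: str
    field_map: Dict[str, str]
    records: List[Dict[str, Any]]

    def supports(self, query: List[Dict[str, Any]]) -> bool:
        return all(cond["field"] in self.field_map for cond in query)

    def search(self, query: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
        # Translate common field names to native ones, filter, then normalize
        # each hit back to the common schema and tag it with its source.
        preds = [(self.field_map[c["field"]], c["op"], c["value"]) for c in query]
        hits = [r for r in self.records if all(_match(r[f], op, v) for f, op, v in preds)]
        return [{**{common: r[native] for common, native in self.field_map.items()},
                 "source": self.name} for r in hits]


def federated_search(query: List[Dict[str, Any]],
                     connectors: List[Connector]) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Run the query once against every connector. Returns (hits, skipped_sources)."""
    hits: List[Dict[str, Any]] = []
    skipped: List[str] = []
    for c in connectors:
        if c.supports(query):
            hits.extend(c.search(query))
        else:
            skipped.append(c.name)
    return hits, skipped


def correlate_and_enrich(hits: List[Dict[str, Any]],
                         intel: Dict[str, Dict[str, str]]) -> List[Dict[str, Any]]:
    """Group hits by destination indicator, attach intel severity, and order so
    the most severe and most widely observed indicator comes first."""
    groups: Dict[str, Dict[str, Any]] = {}
    for h in hits:
        g = groups.setdefault(h["dst_ip"], {"indicator": h["dst_ip"], "sources": set(), "events": []})
        g["sources"].add(h["source"])
        g["events"].append(h)
    ranked = []
    for ind, g in groups.items():
        ti = intel.get(ind, {})
        g["severity"] = ti.get("severity", "unknown")
        g["threat"] = ti.get("name")
        g["sources"] = sorted(g["sources"])
        ranked.append(g)
    ranked.sort(key=lambda g: (SEVERITY_RANK[g["severity"]], len(g["sources"])), reverse=True)
    return ranked


CONNECTORS = [
    Connector("firewall", {"src_ip": "src", "dst_ip": "dest", "timestamp": "ts"}, FIREWALL_LOGS),
    Connector("edr", {"dst_ip": "remote_ip", "timestamp": "time", "host": "host"}, EDR_EVENTS),
]

# What a form-driven query builder would emit: rows of field / operator / value.
EXAMPLE_QUERY = [
    {"field": "timestamp", "op": "gte", "value": "2021-03-01T10:00:00Z"},
    {"field": "timestamp", "op": "lt", "value": "2021-03-01T10:05:00Z"},
]

if __name__ == "__main__":
    hits, skipped = federated_search(EXAMPLE_QUERY, CONNECTORS)
    for g in correlate_and_enrich(hits, THREAT_INTEL):
        print(g["severity"], g["indicator"], g["sources"], len(g["events"]), "events")
    print("skipped sources:", skipped)
```

The second tuple element matters in practice: a query on `src_ip` cannot be served by the EDR connector here, and an analyst who is not told that a source was skipped will wrongly read an empty result as "nothing happened on that source."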

Prioritized threats

In this case, serving as a design lead came with unique challenges because I was working with a product team that already had a prominent threat intelligence offering, X-Force Exchange. This team had an established, siloed mentality that was not conducive to alignment and collaboration. In order to overcome this challenge, I knew I needed to form partnerships with my fellow product leads and attended a kick-off workshop in Atlanta in order to form those relationships. These relationships, combined with my deep knowledge of the domain, enabled me to influence the vision for the product, navigate the siloed team structure, establish guidelines, and improve collaboration over time. Ultimately, we delivered an experience that offers detailed, actionable threat intelligence so a security worker can identify and prioritize the threats most relevant to their organization—based on their organizational profile and environmental telemetry.

User outcomes

Security analysts were confident that known threats were now prioritized for their environment and that a case would be created automatically if they were affected.

Case management

Like the Threat Intelligence Insights team, the team responsible for delivering the Cases app, Resilient, was already a fully functional product team and posed similar challenges. In addition, they had not yet adopted Carbon as their design system. I attended meetings and hosted workshops and used my knowledge of front-end development practices to convince them to use Carbon components, rather than cloning their product in a darker theme to resemble the platform’s styles. I shepherded the team to deliver the Cases app, which served as the hub for most of the activity on the platform and provided a workspace, or a case, in which a security worker could conduct investigations, collect evidence, and follow recommended tasks to respond to threats to their business.

User outcomes

Security workers were able to remediate threats in a fraction of the time, and efficiently document their work in a collaborative workspace.

Impact

Year-over-year revenue growth for 2021: 114%

Total revenue from 2018 to 2023: $200M

I won a Corporate Technical Award

You did an amazing job leading the efforts of your design team to a successful Hills Playback yesterday for the [Cloud Pak for Security]. From my vantage, the alignment you got from our project stakeholders on your presentation of the Hills Playback yesterday was accomplished in large part due to your diligent communication, collaboration, and perseverance.

– Brady Starr, Program Director


Josh’s leadership during the Cloud Pak for Security project has helped the Design team get a seat at the table with executives and broken down barriers between multiple siloed application teams. Data Explorer has a great team culture, work ethic, and collaboration with Design that is paramount. All product teams should use them as the perfect Case Study for a ‘One Team’ approach.

– Jimmy Dyer, Senior Design Lead
