Data security in the legal industry
In July 2018, I led a workshop with several technology leaders in the legal industry in New York to better understand the challenges they face with email management and data security.
Please note
This workshop was highly confidential and therefore this writeup will not cover everything that was discussed or discovered. I will write only about my approach and will skip over any details about the outcomes or strategic decisions that were made.
Overview
One of my roles at Workshare was to lead the overall design direction of our suite of security management software. At the time of writing this, we had three products, Protect Server, Protect Desktop and Workshare Detect.
I was asked by the CEO to lead a workshop with the goal of better understanding the challenges law firms are facing in email management and how data security plays a role in a lawyers email workflow. To run this workshop, we travelled to New York and arranged a three hour discovery workshop with technology leaders from the largest law firms in the world. Having three hours with these individuals was extremely valuable and we needed to ensure the workshop was carefully structured to make the most of the time we had.
Agenda
In order to get the most out of our participants, we needed to have a series of highly interactive activities that promoted debate and acceptance of the common issues that affected each organisation.
The best way to run this workshop was to use a process called affinity diagramming followed by a process called "How might we...". The affinity diagramming would allow each participant to contribute and have their voices heard without being overpowered by other participants in the workshop. The "How might we..." activity would then allow the participants to inform our team as to what they would and wouldn't accept as part of a potential solution.
Before we got started
Prior to running the workshop, the participants had already begun "solutionising" what they believed was the problem they were hoping to solve. I needed to ensure that their ideas were acknowledged but at the same time stress the point of understanding the general problems first before committing to a solution.
Key problems
There were two common problems that had been identified in our users workflows prior to the workshop that we wanted to better understand.
In an environment that contains a Data Loss Prevention (DLP) solution, there may be cases where an email that has been received by a recipient may be different to what has been archived/stored in a users sent items and DMS due to post-send metadata removal or the effects of third-party plugins.
In many of our users environments, there are many plugins that compete to process an email at the same time, leading to instability.
Problem one
In a DLP environment, metadata removal, convert to PDF and email blocking occurs after an email has left the users computer. However at the same time, plugins on their computer may be completing additional tasks such as archiving. This has resulted in cases where the email and attachments the recipient has received may be different to what has been archived.
There are two scenarios that can occur:
The first scenario is when a user sends an email that requires metadata removal or convert to PDF. Once the user sends the email, a process kicks off that archives the email and any attachments, adds a signature block or any other action. At the same time however, a DLP service may modify the email and attachments to conform to the organisations policies. This results in the archived email and documents being different to the email and documents that have been received by the recipient.
The second scenario is when a user sends an email that has been blocked by the organisation’s DLP. Again, once the user sends the email, a process kicks off that archives the email and any attachments, even if the DLP blocks the email. This results in the email and documents being archived, even though the email was never actually received by the recipient.
Problem two
There are many plugins on our users computers, many of which kick off their processes after the user clicks Send. The problem that has been raised is that these plugins compete to process the email at the same time, requiring the user to know in what order to address each plugin. This could lead to instability in cases where the user has addressed a certain plugin before another.
An example of this problem would be addressing an archiving plugin before converting a document to PDF. In this scenario, the recipient would receive a PDF file however the user would have archived a Microsoft Word document.
Key problems
There were two common problems that had been identified in our users workflows prior to the workshop that we wanted to better understand.
In an environment that contains a Data Loss Prevention (DLP) solution, there may be cases where an email that has been received by a recipient may be different to what has been archived/stored in a users sent items and DMS due to post-send metadata removal or the effects of third-party plugins.
In many of our users environments, there are many plugins that compete to process an email at the same time, leading to instability.
Agenda
Below is the plan I put together for the three hour workshop.
| Activity | Description | Time |
|---|---|---|
| Introductions | A chance to meet and introduce each other. Also a chance to break the ice. | 10 minutes |
| Outline the agenda | Short overview of the workshop. Explain what we will be doing, how long we will be here for and how the workshop will be run. | 5 minutes |
| Affinity diagramming | During this stage, everyone will have the opportunity to identify problems and concerns and have an open discussion about them. | 2 hours |
| How might we fail | Chance to ask everyone how might we fail | 20 minutes |
| Address the parking lot if necessary | At this stage we will have the opportunity to discuss anything we have added to the parking lot. | 20 minutes |
| Summary of the meeting | We will summarise everything we have learned over the past few hours. | 5 minutes |
Affinity diagramming
The process
Affinity diagramming is a highly interactive activity that promotes healthy conversation and debate about what people believe is important and what isn't. It gives the opportunity for everyone in the room to have their voices heard and to empathise with each others pain-points and concerns.
Briefly explain what this activity involves but not what the outcome will be.
Ask everyone in the room for 10 minutes to brainstorm any pain points or concerns they have regarding email management and data security. This activity should be done in silence.
Ask everyone in the room to spend 30 seconds to one minute explaining what they wrote down and then stick these post-it notes onto the wall.
Once everyone has spoken, ask everyone to stand up and to begin sorting the cards into groups.
When groups have been created, begin naming each group. If this becomes difficult, allow new groups to be formed or post-it notes to be moved around.
Once groups have been labeled, go through each one and have a general conversation about what the group means and why its important.
Give each person in the room three little stickers. In silence, ask the participants to place a sticker on any groups they felt were the most important to them. Note that you can put more than one sticker on one group.
Call out the groups that have the most stickers and begin have another conversation as to why they believe these groups were the most important to them.
Evolving the process to address cheating
I identified a concern at step 7 when asking our participants to begin voting on what they believed were the most important groups to focus on. The problem was that some of the participants were waiting for the rest of the participants to vote and would then place their stickers on the groups that didn't have the most votes, hoping to get more items considered as a high priority.
To address this concern, I gave each of the participants another three more stickers and asked them to vote on the underlying post-it notes and asked the participants who previously waited to vote first. This ensured that the overall voting was balanced.
Unfortunately, one of the groups that was raised called "design and usability" didn't get any votes. The rational was that whatever solution is designed, must consider usability in the first place. I cant win them all.
Outcome
The outcomes of the activity was incredible enlightening. Many problems that participants had raised on their own in the past became less important once they had seen what the other participants had shared. It was also interesting to understand why these pain-points existed for some participants and how other participants had already solved them.
Unfortunately, I cannot share any more detail than this.
How might we fail
I personally love this activity. Its a real insight into what our users see as success and what they see as failure in our delivery of a solution. It gives our users the opportunity to tell us what we need to consider when designing a solution to their problems. It also allows us back in the office to set success criterial and acceptance targets to ensure that the solution we design meets the expectations of our users.