It's a process; not a product
Sometimes a client asks me a question and I'm a little stunned by their mental model of the world.
A few weeks ago, we were discussing the need for better cybersecurity in their architecture. We spoke about several aspects of security, then they asked an outstanding question.
"What should I buy to be secure?"
It took a few moments to tease out exactly what they thought they were asking. In their mental model they could just buy a box which did what they needed. Want to print from any workstation? Buy a big HP network printer. Want to get WiFi in the office? Buy a bunch of access points. Want a website? Buy a WordPress. Want security? Buy a [fill in the blank]?
Their notion is that most things are products. This is a common belief. I've had clients ask "What do I buy to make this accessible?" or "What can I buy to improve usability?"
In all these cases there are unscrupulous people who will sell you a magic cure-all - but the real answer is that these things are a process; not a product.
Yes, you can buy tools which will help improve your security / accessibility / usability etc. But unless you put processes in place to get people to use them effectively, the tools are useless.
People need to understand why something is important. They need processes which support best practices. The business needs a holistic understanding of how these processes improve the business. And that is all underpinned by tools which make it possible.
There's no magic box which can both protect you from your CEO accidentally CCing confidential data to a competitor and stop DDoS attacks. An accessibility overlay won't help you if your staff refuse to incorporate alt text into their workflow. Automated code testing can't stop you building things without testing them with users.
Security is a verb - it is a doing word. Accessibility is a verb - it is a doing word. Usability is a verb - it is a doing word.
Buy nouns which support your verbs.
Spike says:
@blog
"Security is a verb - it is a doing word.
Accessibility is a verb - it is a doing word.
Usability is a verb - it is a doing word.
Buy nouns which support your verbs."
Brilliant!
NatalyaD says:
I love your framing of access and security and things like data protection being doing words.
The only way they work is by constant investment, not just crappy e training, but opportunities for staff to talk things through, share ideas, identify risks and consider solutions. Ongoingly.
Ian says:
Maybe they were thinking of it as a service that can be bought, a bit like hiring a security guard for the office is buying a service to improve security.
While undeniably there's a strong element of behaviour by employees, etc, that needs education (buying a staff training service?), it's not unreasonable to buy a number of services that can improve security - website pen tests, anti-virus, spam filters, etc.
The client just phrased it awkwardly as buying a product, than renting a service?
More comments on Mastodon.