Sometimes it seems that no matter what we do, we’ll never be able to find a solution to that one, specific problem. It could be a glitch in your agency’s website, or a review process that seems to take longer than it’s really worth.
And even though it might be tempting to simply shrug your shoulders, sigh, and give up, ask yourself this question first: were technicalities, facts and figures the central aspects of your problem-solving strategies, or did you center your decisions around actual customers?
If your answer veers more toward the technical side of things, then perhaps it’s time to consider a new approach that puts people at the center: human-centered design (HCD). This technique is already being put to use by several agencies, most recently the National Geospatial-Intelligence Agency.
For NGA, human-centered design came into play when the agency was attempting to go through the assessment and authorization process. The assessment and authorization process is required by law to ensure the government’s system and applications meet federal security requirements.
The process can be excruciating, with several multi-step phases to go through. In fact, at the recent Symantec Government Symposium in Washington, D.C., a handful of chief information security officers expressed their grievances about the A&A or Certification and Accreditation process. As Emery Csulak, Chief Information Security Officer and Senior Official for Privacy at the Centers for Medicare and Medicaid Services, put it, “We are dealing with ten years of history of decisions that came before us, some of them were good and some of them were bad.”
So it isn’t a surprise that when the NGA’s Office of Expeditionary Activities went through its own A&A process, “a bunch of pain points” had been identified, according to Matt Conner, Acting CISO and Director of the Cybersecurity Office at NGA. It was a “security process that was painful,” Conner recalled, and nothing seemed to be improving on that front. So, they decided to take things in a new direction, and give HCD a chance.
What Conner really wanted to accomplish by implementing HCD at his agency was to get the customer’s perspective. “If you’re the poor soul on the other end of my process, what is it like to find, use, and then apply knowledge information, what are the challenges?” he explained. To get down to ground level and see things from that new perspective, the NGA worked with the Research and Development (RAND) Corporation to conduct customer interviews.
Conner said NGA is trying to make the interview process as informal as possible, even conducting interviews in casual settings like the cafeteria so that employees feel comfortable.
NGA is determined to learn “all the different ways to find truth” using HCD, which as far as Conner knows is a new venture for the agency. With NGA in the midst of using this new technique, it’s important to look at what’s next and what will actually go into the implementation of this strategy.
For Conner, this is “akin to the DMV giving a survey and then people actually doing something with that survey.” In other words, change is coming. “I want this,” Conner stressed. The incredible value that HCD brings to the table cannot be overlooked. If the assessment and authorization process can in any way become less cumbersome, then people won’t look for ways to circumvent the process.
Of course, statistics and data are important in solving problems, but agencies must keep in mind who those numbers affect: people, not just the priesthood of government cybersecurity experts who know technical lingo. Never lose sight of what, or who, is at the actual center of your office, your agency and your work. Try a solution with real humans in mind, and you might actually start to see a difference.
“If HCD can guide us towards a human-centered process, that accommodates how people work, how they like to discover and consume information, we’re all the better for it,” Conner said.