
All right, morning everyone, thank you for bearing with us. Um, did you know technology is difficult? I don't know if you've bumped into this in your career before. But hi, we're here to talk to you about, uh, creating change through policy, process, and other security shifts without making everyone you deal with hate your stinking guts. And to do a little bit of vocabulary setting for this: so we're talking about getting users on your side. A lot of times that means end users; here we're talking more about people that are partners within our organization, folks who depend on our work to get their work done, and the people that we need to buy into what we're doing in order to make a
better, more secure experience for them and everyone else, because without them absolutely none of this will go.

Hello, I'm Amy Martin. I'm a project manager with San Francisco Digital Services; we're part of the City and County of San Francisco. Before that I was a public librarian for 17 years, most of that in Oakland. I ship public libraries and civic tech so hard I have an MLIS and everything, and I right now work mostly on website migrations for government agencies; that's where I really love to work.

My name is Brianne Boland. I work in product security at Gusto. Words and communication are really important to me, to the point that I also write a lot of fiction. Uh, I find that
creating an experience around security is not exactly super different from creating worlds, and I'm a big believer in using gentle, persistent, relentless persuasion to get what you need for security things. So we want to start you with a couple of stories. Um, both of them, spoiler, are failures, but I promise everyone learns a lesson in the end.

Okay, I'm going to take you back to January 2022, when I left my public library job and joined the delivery team at San Francisco Digital Services. We needed to move about 80 websites off our Drupal 7 platform and onto sf.gov, which is the city's unified and accessible website, in advance of the planned end of life of Drupal 7. That was meant to be
in November 2022. It didn't happen; that's a whole other story. When I started at Digital Services in January, about a third of the departments we were working with didn't know yet that they were going to have to move their websites by November. Many of those liked their current government-oriented, government-speak-oriented websites just fine. sf.gov is built for usability and accessibility. Plain language is key, not government speak. Every site we moved required content redesign, and department staff had to be trained to do the work. So how can government digital service staff convince civil servants and other agencies to embrace digital transformation in the face of big unwanted change project? The short answer is we only did part of
that. We did move the websites before our deadline, and we got people started on building user-centered websites and writing in plain language. However, most of them did not continue that work. Some of them even got rid of the content that we made for them and pasted their old content back in. So although we met our goal of moving the websites by the deadline, we found that we had fallen short of setting government agencies up for future success with user-centered websites.

My story takes place in a little bit of a smaller scale. This was a few jobs ago; I was a site reliability engineer but already pointing towards security, and I was tasked with a colleague to write
anti-phishing documentation in a presentation for the whole company after we'd gotten hit by text a few times. The audience included engineers, but it also had a lot of sales and marketing people, which I don't mention because, like, oh, I had to talk to non-technical people. Um, I don't actually find that extremely important. What was very different was that, you know, as an engineer I've gotten I think one random phone call in the last several years, and it was PagerDuty; I just hadn't added them to my contacts yet, so a known menace. You know, in our case, you know, the sales and marketing people, their jobs depend on things like picking up phone calls they don't know, responding to texts and
emails from strangers. It's necessary. So we had to give more nuanced guidance than just, like, well, just, you know, don't answer the scammer, try that out. In our case, what went wrong was that writing complex documentation about a really big subject for a really wide audience is really difficult, and there's some nuance you have to apply that, uh, we all had to learn on our feet.

So how can a project start doomed? There are a few potential sources of doom. One is that your planning doesn't account for reality. Another is that your engagement doesn't account for the real needs, limitations, and motivations of your users. Another is meteor from space, or other things outside of our control that might
have felt way less possible before March 2020. Now I write large-scale crisis into every risk plan I make on projects.

So we can't control everything; what can we do? Again, remember that your partners are a user group. Like with end users, it is worth your while to get to know these users' motivations, limitations, wants, and hard nos, things they absolutely will not tolerate. For that I find it useful to find the similarities between groups, because they will tend to have background and tendencies to pool together. For this I like using a really lightweight version of personas, which, unlike the kind in UX or marketing, it's not extremely research heavy; it's just based on your own
collected observations across time. So instead of kind of intrusive stuff like, you know, what's your income, what's your educational level, it's more like, oh, this group is familiar with these tools but not so familiar with these ones, or, oh yeah, these people deal with security all the time, but this other group, if security shows up in their inbox, their first thought might be that they're in trouble. Are they open to change, or are they kind of resistant? And then if they are resistant, it's really important to find out why, and what motivates them, like what does professional success look like for them. I would actually specifically advise you to avoid unhelpful demographic information. You want to focus on the
differences that are meaningful to you, but avoid stereotypes, and most especially avoid guessing, because if you're at the point of needing to make these personas, we know that your guesses are not going to be the thing that gets you through this situation with, uh, the action you need.

And if you encounter resistance, it's a great time to slow down and regroup. If you feel resistance forming, especially if you start feeling like consistent resistance across different people, then it's time to go back, rethink, take what you've learned, and then find a new strategy or a hypothesis. But before you roll it out there, it's a good idea to go back to someone in the group that wasn't feeling served at
first and ask them for their take on it. This has a couple different applications. One is of course, like, tell me if this is also wrong, but also when we deputize people, a lot of times they want to step up and they get invested. I like telling them that they hold the one key to success to doing this that I cannot under any circumstances make myself, and usually people feel pretty special when you say that, which is good, because they are.

It's also a really good idea to make the behavior you want into the easy path, and this is something I talked about in a BSides talk last year about documentation. Then as now, I'm a big fan of bribes: give
people snacks and stickers, they respond really well to it. But we can go further than that. One thing is that whatever you're putting in front of them, something to read, something to watch, put the important stuff first. Don't bury it. Don't think, like, oh, but they need to get through this context. Usually they don't, a lot of times they don't. Just the thing that you want them to do, like, have that front and center, with bullets, in a colored callout box. Make it unavoidable and undeniable. So for that reason I like executive summaries too, just a page or two at the front of a longer report, or if people do really have to wade through all the
content, having, like, TL;DR boxes occasionally is both merciful and really functional.

It's also a great time to revisit accessibility, which is the right thing to do and usually legally mandated, but it also goes beyond just ability stuff to reaching people who absorb information in different ways. Um, I can watch a video, I can hear a video, I really prefer reading, so whenever I see a video with the transcription immediately below, I feel seen in like a golden light is coming down upon me. Thank God I don't have to watch the 17 minute thing. And I know I'm not the only one like that.

And when you're thinking about how to make things easy, look to the past, like
what is normal in your organization. Um, you know, no one loves getting training dictates via email, but if people are used to it, it lets them know immediately what's expected of them. So you don't have to bring everything from the past forward, but there might be something useful in there that's worth keeping, just because people don't have to do as much adapting.

But wait, you might be saying, like, tech people are used to horrible content, we issue mandates, it's what we do, why do we need to think about this at all? And that's because people are part of the system too, and both people and systems work better if you give them what they need.
The other thing is, people will not adopt the changes you recommend if you don't make it easy, explain it well, and make the behavior that you want into the easy path. Technical motivations, alas, always have human implications, and unfortunately I must tell you something sad: it doesn't matter how incredibly fabulous your new training paradigms are, or the wonderful tool that you've purchased, and what the person in sales told you, that this will solve all of your problems. People aren't going to go for it if you don't get them into it. They might agree begrudgingly at first, and then we're still the first day that they're stressed they might revert to old habits and abandon what you're doing and make
you start all over again.

Okay, so we talked about some strategies. Let's revisit how do projects fail. Missing buy-in: it doesn't have to be an exhaustive propaganda campaign, but it's just good to get people on your side. That can mean just saying, you know, hey, in two weeks this is coming, in one week this is coming, check your email tomorrow, just to let them not be taken by surprise. People do not like surprises. Large disruptive projects for the benefit of security: it's kind of a normal thing, they get pushed into being just because we have to, you know, comply with the law or something, but if we do it without considering how it
affects the people who are going to be subject to it, it's going to be a much harder sell than it has to be. And then this is a big one: contempt for users and other affected parties by those in power. All of your future efforts will be diminished, will have sand thrown in the gears, if people can tell that you think that you are better or smarter than the people you're serving, or that you know their lives in reality better. People hate this, and they will remember it, and they will make everything you do in the future harder if they think that you're acting like that in bad faith.

So how can we fix this? Because unlike
a meteor, a lot of this is stuff that we can control. So going back to the anti-phishing presentation, our goal wasn't to say, like, here's an exhaustive history of phishing, here is what all the texts look like, did you hear about this thing that happened to Netflix in 2017. It does not matter. Instead, it was important that it couldn't go too long. We wanted a short, memorable set of guidelines, um, that people could remember really easily. We wanted to relate cause to effect, so people could tie it immediately to the work that they were doing. We also wanted to be informed by technical needs, but not so much that it buried it, because a lot of our audience
frankly didn't care and didn't need to, and indulging that technical curiosity separately in a leave-behind that was available but was not mandatory and was made clear that it was strictly optional.

In the case of the sf.gov website migrations, fixing it is still very much a work in progress. A lot of our work in 2023 has been around evolving our practices and platforms to help our users experience digital transformation. Here are some things I'm trying.

Consider accessibility and cultural differences. I'm working on the accessibility of the artifacts I create and becoming more flexible with the formats and platforms I put them into. City government is very typically a Microsoft house. It's not my team's preferred set of tools, but many of our
users are wary of using anything else, and some of them aren't allowed to.

Emphasize common ground. My background is outside of tech. When I talk with users, I lead with my government background; that allows me to show users our similarities. I make it a point, when it's relevant, to visibly not understand things and ask questions, to normalize those behaviors, to teach people it's normal to not understand things, it's normal to ask questions about how something works.

Say things the easy way. On sf.gov we write in plain language, but it can be hard to remember to do that when we're speaking with our users too. A tip can be, if what you need to say to
someone is written down, you can put it into hemingwayapp.com and try to lower the reading level based on the suggestions in that tool. I added a link to the slide deck to that.

Avoid tech jargon. We know about this one, and a lot of people do try to do this when we talk to people outside of our industry. I would take it one step farther and say avoid business jargon and corporate jargon. Those terms tend to not translate as well as we think they do across user groups, and where I work, in a government space, a lot of people don't use business jargon at all, and it's confusing to them. When you do need to introduce a
technical term, you can level set in advance by saying something like, "Do you already know the word," and then say your phrase. Give them a chance to say yes or no first, and then explain it if they don't.

Use non-judgmental language. Rather than calling something bad or another derogatory word, explain the pros and cons of it. Try to be precise about what you're pointing out, so that you're not just expressing judgment around it. That goes tenfold for anything your user currently uses or wants to use.

Speak at a comfortable pace for your audience. Watch for facial expressions that look worried, like wrinkled foreheads; that can mean someone is concentrating really hard to try to keep
up with you. As for yourself, use a neutral facial expression. This comes from my years as a children's librarian: I do not laugh and I do not smile when people ask me tech questions. Every question is valid, and every question, especially a very basic or an exceptionally strange question, gives you information about what that person needs to know from you. We sometimes think that a smile will be reassuring, but consider that even a reassuring smile can convey "I know this answer and you do not." As Brienne mentioned earlier, you don't want to give even the appearance of thinking of yourself as smarter than the other person, because that is extremely sensitive and it will be clocked.
Listen actively. Repeat back what you're hearing, paraphrase, but again be careful not to use tech jargon, because that will sound like you're correcting people.

And finally, celebrate mastery. The first time I ever felt confident, good, and proud when using a tech tool was in an intermediate Excel class. I am not an Excel master, sadly, but confident, good, and proud is the feeling of mastery. When I see a user experiencing a feeling of mastery, I party with them, and no matter how small a thing it's for. I saw a user feeling a mastery because she learned the keyboard shortcut for paste, and we celebrated her success as a team, and she and I are still a team.
Question your assumptions about your users. A little humility truly does go a long way. When you don't understand what your users are doing or why they want what they want, a technique you can try is the five whys. Brienne actually taught me this one. Asking why five times can lead you to the root of a problem. I'll give an example from my library background. There was a tech product that we bought; we failed to adopt as a system, and within a year we canceled the product. Why did we fail to adopt it? Well, staff never made it part of their workflow. Why was that? We had trouble training and onboarding everyone who needed to use it. Why was that? Rolling
out new software to busy frontline staff is very hard, and we did not set aside enough of everyone's time to make the training stick. Why was that? The software wasn't seen as enough of a priority to take people away from public service. And why was that? Well, there was one person in leadership who signed a contract for the software despite every other person in the room saying it wasn't a good fit for the library. The answer was lack of buy-in. We're linking in this deck to a great article on the five whys. You can find a version of it that works for you. You might try using it to ask why you feel annoyed with your users.
I was a librarian for 17 years, as I mentioned, and I want to talk to you about reference interviews. When you go to a library and say, "Can you help me find a book," that is the beginning of a reference interview. In this interaction, a trained librarian is assessing the words you choose, whether there's hesitation in your voice, your body language, your tone, the way you approach them, what you're holding in your hands, if there's anyone else with you. More than that, here are some secrets of reference interviews that you might find helpful when you talk to users.

First is: the cover is not blue, and it's okay. I've been surprised in the tech world by
how literally people take requests from users. There's a librarian adage about the book with the blue cover. A person will say, "I'm looking for a book, and all I remember about it is that the cover was blue." Then you do a long reference interview and you track down the book, and in the end the cover is never blue. Asking for things inaccurately is expected behavior, not because people are lying or because they're not smart, but because this is the way human brains work: imprecisely. A good reference interview helps a person form their question. When we work with users, we can help them articulate what they want. We can then use our expertise to guide them toward
available options that resemble what they want, and also help them understand the technical terms, so you are guiding people toward a request that is workable.

Tangential lines of questioning. I really like this one. When you're looking for that book with the blue cover, it's tempting to keep asking about the cover: is there a picture, was it light blue, was it dark blue. Don't bother. The cover is irrelevant. Ask questions about something else: when did you read the book, in the 70s, last year? Was it a book you were assigned in school? Did you get it at a Scholastic Book Fair? Was the main character an animal or a person? I use a mix of broad and specific
questions to try to snag on some detail that triggers a new meaningful memory, something that makes that reader say, "Oh, actually, I remember this really important thing," because that's when you will actually get to the meat of what you're looking for. The same technique can work for zeroing in on product requirements.

Every question is valid. A question might sound silly to you, but it is not silly to the person asking it. If you are a knowledge authority figure, chances are they had to screw up their courage to ask you. Keep that neutral facial expression. I won't tell you not to smile, but remember that a smile can read as condescending. I think I'm even smiling a little bit
right now. It's easy to smile when you're feeling a little nervous or if you're talking to somebody new; it's very easy to fall into. But I'll share that when I've worked with children, I learned very quickly that you never smile, because you suggest that you think their problems are cute or insignificant, and so that's why I bring that tip forward.

Get to know your users' vocabulary and use it. People often adapt their language in ways they assume make sense to us when they ask questions, so they use vocabulary they've heard people in our position use, or they focus on a detail that's related to what they want because they associate that detail with techie
people. A common example of this in tech is a user who insists on a particular feature but has an inaccurate understanding of what it does. So they know what outcome they want, but they ask for a thing that won't get them that outcome. Why? Because they're trying to communicate the outcome to you in what they assume is your language. So repeating what users said and paraphrasing, in addition to being good active listening, gives them a chance to edit and refine their ask.

And finally, be wary of contempt. If you work with people who express contempt for your user, it will serve you well to be aware of their motivations and to apply that lens to the work you're
producing. All users are beautiful; some are harder to reach than others.

And also just tie your directives to outcomes that your users value. They might not be the same ones that you do. Um, I like tying it to something really personal, related to their own desires and fears, uh, less like "we're gonna get raided by the feds" and more like "you're going to get a call about this really late at night and your day is going to be wrecked." People understand that pretty innately.

So, takeaways. Understand your users' motivations and use them. Please mimic their language, find them in the way that they learn, match them where they are, and tie it to priorities that
they actually value, rather than "an executive said something and so now we have to do stuff." Finally, now you know your secret librarian reference interview techniques. Use them to understand the bigger picture. It's okay the cover's not blue. Try tangential lines of questioning. And incentivize: snacks, stickers, and also help people find that sense of mastery, and help them master something important or lucrative to get them on your side. Thanks so much.