Introducing Jobs-to-be-Done: a way to help our users achieve their goals

As someone working within AppSec or ProdSec security, the scope and responsibilities of your role have likely changed over the last few years.

This is likely an accumulation of:

• An increased reliance on the public cloud, resulting in an adaption of your skillet to reflect this change;
• Security tool consolidation, meaning you’re looking to get more out of your existing tools;
• Attack surface coverage and growth, with the need to discover new unknown assets and secure what’s already there.

But what hasn’t changed?

Regardless of any new scope or responsibilities, you still have a set of things you need to accomplish and get done that are the most important to you. 

Helping users achieve their goals with Jobs-to-be-Done

Jobs-to-be-Done (JTBD) is a business framework we’re using to focus product development on aspects that will help our users achieve their goals through a set of ‘Jobs’ that need doing.

In this new series, we will look at the most critical jobs that AppSec and ProdSec team need to do in in day-to-day roles, what tasks these jobs involve, and the desired outcomes for you and your team when completing these jobs.

We will publish a deep dive into each job to be done throughout the autumn, with each article focusing on one job at a time, and how Detectify as a tool can help users achieve each job.

Overview of Jobs-to-be-Done and associated tasks

Here is a quick overview of each of the jobs we will focus on over the coming weeks and what you can expect from each of the deep dive articles:

Job-to-be-Done: See the current state of security and understand what is exposed and how it has evolved over time.

Tasks involved in this JTBD include:

• Discovering what is exposed on the attack surface in an automated way.
• Drilling down into specific aspects of your attack surface.
• What to prioritize based on the vulnerabilities and exposures you’ve found.
  (by exposures, we mean everything that is not a vulnerability, like an open port or a tech that isn’t allowed.)

Not only do you need to find what is exposed, but you also need to understand what and how your assets are being continuously tested for vulnerabilities and exposures.

Job-to-be-Done: Understand what is being continuously tested and monitored across my attack surface

Tasks involved in this JTBD include:

• Configuring all your scanners correctly.
• Highlighting risky areas of your attack surface, such as certain service providers you’re unaware of.
• Finding web applications that you should be doing deep testing on.

Once you understand how your attack surface is continuously tested, you’ll want to know where to take action first.

Job-to-be-Done: Quickly resolve exposures and vulnerabilities

Tasks involved in this JTBD include:

• Integrating vulnerability and attack surface data from Detectify into vulnerability management tools.
• Giving developers the information they need to resolve important issues

Finally, spotting anomalies across your attack surface and being able to easily follow up on these anomalies is crucial in empowering teams to work autonomously. 

Job-to-be-Done: Validate that your organization is following security policies

Tasks involved in this JTBD include:

• Setting rules on your custom attack surface.
• Spotting anomalies across that attack surface that can be followed up on. 

Shifting your approach to the bigger picture

The in-depth insights we plan to publish over the coming weeks will show you how to shift your approach from working on various tasks to focusing on the bigger picture.