Separating Security & Compliance

Design Manager · FY19 (2018–2019)
Leadership · Research · Product

Inherited a fragmented landscape of 8+ admin portals. Through extensive customer research and cross-team collaboration, I led the design vision to separate Security and Compliance into distinct products, each optimized for their unique user needs.

What I Did

  • Grew my team from 2 to 10 designers
  • Led Jobs-to-Be-Done and customer research
  • Validated separation strategy with customers
  • Established common UX patterns across M365
  • Built design vision for two focused admin centers

Outcomes

  • Shipped security.microsoft.com and compliance.microsoft.com
  • Helped scale design org to ~50 with senior leaders
  • MDATP grew from 8K to 13.5M monthly active devices
  • Research-validated: customers overwhelmingly preferred separate portals

Microsoft's Security and Compliance tools had grown organically over years, resulting in 8+ separate admin portals, inconsistent design systems, and confused customers. The fundamental question: should they remain combined, or would customers be better served by separate, focused experiences?

I led a small design team through the research and vision work that would ultimately answer that question—and reshape how Microsoft delivers security and compliance products.

Security work is reactive and daily. Compliance work is proactive and periodic. Cramming both into one experience served neither well.

The Challenge

When I joined, the Security & Compliance space was fragmented. Products were scattered across multiple portals with different visual languages and interaction patterns. Customers didn't know where to go to accomplish their tasks.

The landscape we inherited:

  • 8+ separate admin portals
  • Multiple conflicting design systems
  • Features duplicated across portals
  • Customers frustrated by inconsistency

Products spanning both domains:

  • Microsoft Information Protection
  • Data Loss Prevention
  • Insider Risk Management
  • eDiscovery & Audit
  • Secure Score & Threat Protection

Figure: The combined Security & Compliance portal before separation. The original combined portal—DLP policy matches shown across services with inconsistent patterns.

Growing and Organizing the Team

I grew my team from 2 to 10 designers, then helped scale the broader organization to about 50—bringing in senior design leaders to expand our impact across the suite. But headcount alone doesn't solve problems. I organized the team around the domains that mattered.

Compliance

Information Protection, Governance, Insider Risk, eDiscovery. These products help customers understand, classify, and protect their data while meeting regulatory requirements.

Security Admin

Secure Score, Monitoring, Reports, Threat Protection. These products help security teams detect threats, respond to incidents, and improve their security posture.

Information Worker

End-user security and compliance experiences. Defender for consumers, privacy controls, and the experiences that help employees stay productive while staying secure.

Each area had dedicated design leads embedded with product teams, building deep expertise rather than spreading thin. Two design leads worked directly with the Security and Compliance VPs—design became integral to planning and strategy.

Research to Understand the Problem

We ran extensive research to understand how customers actually worked—not how we assumed they worked.

Research methods:

  • Jobs-to-Be-Done studies with Security and Compliance professionals
  • Customer interviews across small business to enterprise
  • Competitive analysis to understand market expectations
  • Usage data funnels to see where customers struggled

Key personas:

  • Security Admins—monitor, triage, respond
  • Security Analysts—investigate, hunt, remediate
  • Compliance Officers—plan, configure, audit
  • Data Admins—classify, protect, govern
  • Legal Admins—discover, hold, produce

Figure: Compliance customer journey map showing the full workflow. Compliance customer journey—mapping the entire workflow from awareness through reporting.

The research revealed a critical insight: Security and Compliance professionals have fundamentally different jobs, different rhythms of work, and different mental models.

Security work is reactive and daily

Security admins monitor threats, triage alerts, and respond to incidents. They need real-time visibility and fast action. Their tools should optimize for speed and situational awareness.

Compliance work is proactive and periodic

Compliance officers plan for regulations, configure policies, and prepare for audits. They need comprehensive understanding and careful configuration. Their tools should optimize for completeness and confidence.

Validating the Separation Strategy

We tested our hypothesis directly with customers: which approach would serve them better—a single combined portal or two focused portals?

The results were decisive. Customers overwhelmingly preferred separate experiences.

"Companies typically think of security & compliance as separate areas. Tasks and areas can intermingle, but customers need their own place to work."

Research findings:

  • Different usage patterns: Security is daily, Compliance is monthly
  • Different org structures: Security in IT, Compliance often in Legal
  • Roles rarely overlap: The same person doesn't do both jobs
  • Customization is key: Each domain needs to optimize for its users

Raising the Bar While Scaling

With the separation strategy validated, we needed to raise the quality bar across the entire suite—while simultaneously scaling the team. This meant building systems and processes that could scale with us.

Prioritizing High-Value Tools

We reviewed every tool across Security and Compliance to identify where design investment would have the most impact. This wasn't about spreading thin—it was about focusing effort where customers needed it most: Secure Score, Compliance Score, Insider Risk Management, and eDiscovery.

Cross-Org Design System Collaboration

We partnered closely with the M365 Admin Center design team to develop a shared design system. This gave us coherent navigation patterns, consistent card and dashboard components, and unified information architecture across both portals—while still allowing each domain to optimize for its users.

Jobs-to-Be-Done for Information Architecture

Our Jobs-to-Be-Done research didn't just validate the separation—it informed how we structured each portal. We redesigned information architecture around the tasks customers actually needed to accomplish, not around our internal product structure.

Extensive Usability Studies

We ran continuous usability studies through our FAST (Focused Analysis for Strategic Testing) program—3-week cycles that gave us rapid feedback on every major feature. This let us iterate quickly and validate design decisions with real customers before shipping.

The result was a virtuous cycle: better research led to better designs, which validated our approach and earned us more resources to scale the team further. By the time I left, the organization had grown from my initial team of 2 to nearly 50 designers across the Security and Compliance space.

The Outcome

The separation strategy became reality. Microsoft shipped two focused admin centers: security.microsoft.com and compliance.microsoft.com.

Figure: Microsoft 365 Security Center dashboard. The new Security Center—focused on security posture, active alerts, and assets at risk.

Key metrics:

  • 2→50: Design org growth
  • 13.5M: MDATP monthly active devices
  • 88%: MoM MAU growth (Comm Compliance)
  • 190M: eDiscovery MAU

Figure: Security alerts view in the new Security Center. Unified alerts across endpoints, identity, email, and apps.

What the research told us—validated in market:

"Compliance Score had more active users in its first 2 months than its predecessor did in 2 years."

— Internal metrics

"MDATP grew from 8,294 to 13.5 million monthly active devices—a 1,631x increase."

— Product telemetry, 2017–2020

What I Learned

01. Research removes opinion from strategy.

The decision to separate Security and Compliance could have been debated endlessly. Customer research made the answer clear and gave us confidence to execute.

02. Growing a team requires organizing it.

Adding headcount without structure creates chaos. Organizing by domain expertise let designers build deep knowledge and strong partnerships.

03. Coherence comes from collaboration, not control.

Working with the M365 Admin Center team on shared patterns gave us coherence without forcing everything into a single experience.

04. Different users need different experiences.

The temptation to build one product to rule them all ignores that different jobs require different tools. Security and Compliance professionals work differently—they deserve experiences built for their needs.