Compliance Management
Compliance Management Workflow for New Unified Platform
Led end-to-end UX design during Palo Alto Networks' strategic consolidation of security portfolios into Cortex Cloud - a unified platform delivering seamless "code-to-cloud-to-SOC" visibility. Transformed a fragmented compliance workflow into intuitive experiences that serve enterprise security professionals managing complex regulatory requirements across multi-cloud environments.
Role
UX Design, UX Research
Duration
3 months
Context
Business Context
Palo Alto Networks was consolidating its major security portfolios into Cortex Cloud—a unified platform delivering seamless "code-to-cloud-to-SOC" visibility. Migrating critical compliance workflows from Prisma Cloud's established but fragmented experience required a complete redesign:
Not just visual updates, but a fundamental rethinking of how enterprise security teams interact with compliance workflows in the product
User Problem
Enterprise cloud security professionals needed to assess compliance posture across hundreds of cloud resources and multiple regulatory frameworks (CIS, NIST, PCI, custom organizational standards) while collaborating with distributed teams under tight audit deadlines.
Existing workflows created three critical barriers:
Fragmented interfaces forced context switching between multiple screens for basic compliance evaluation
A multi-step, multi-page, complex process for creating even simple custom compliance frameworks deterred adoption
Shallow drill-downs prevented thorough compliance investigation and assessment of non-compliant assets
Challenges
Considerations for the new workflows:
Legacy Usability Issues: Couldn't simply port the existing workflow due to known customer complaints and significant usability problems - needed a complete reimagining while maintaining feature parity
Platform Transition: Users needed to adopt a new unified platform while learning improved workflows - balancing familiarity with necessary UX improvements
New Terminology: Several key terms were being reworked (e.g. Standard → Requirement → Sections → Policies was changing to Standard → Controls → Subcategory → Rules). The terminology change combined with new workflows would increase the probability of user confusion.
Evolving Design System: Product in a transition state with the new design system still in progress - a limited component library and inconsistent patterns required creative problem-solving
Backend Uncertainty: An engineering backend still in development created ambiguity around technical feasibility - required an agile design approach with rapid iteration capability
Process

Impact
Early rollout across 65 customer accounts demonstrated strong adoption:
480 new compliance standards created with 16% monthly growth in adoption
600 new controls created with decreased duplication indicating successful requirement reuse
High engagement with status widgets: 70 clicks/week on asset breakdowns, 30 clicks/week on compliance summaries
Customer feedback: "My customer really liked the new compliance... happy to see past feedback make it into the new platform"
Field team validation: Positive sentiment across customer success representatives
Workflows & Persona
Target Persona
GARY (Governance / Risk / Compliance) | VANESSA (Cloud Security Practitioner) | RICARDO (DevSecOps)
---|---|---
Responsible for monitoring compliance, information & trends; unlikely to use other features in the product, but still gets default access in case he wants to investigate compliance issues | Visibility from "Code To Cloud"; interested in policy controls, alerts, notifications, and reports on who's doing what, and shipping those over to the CISO. Interested in furthering my operational journey. | Responsible for operationalizing the product, alerts, vulnerabilities & preventative controls from "Code To Cloud" for specific applications; needs information on what to fix to ensure the most efficient use of time.
Compliance Focus | Compliance Focus | Compliance Focus
Core Workflows
Workflows I designed for:
Monitor Compliance Status:
Easily understand current posture against industry standards with clear pass/fail visibility across environments
Create Custom Compliance:
Mix and match policies across cloud configuration, host configuration, and security policies to meet unique organizational requirements
Configure OOTB Standards:
Select and configure out-of-the-box compliance frameworks (CIS, NIST, PCI) for cloud infrastructure and host configurations
Generate Comprehensive Reports:
Create highly customizable compliance reports with non-compliant findings and actionable remediation recommendations
Investigate Non-compliant Assets:
Investigate the outcome of a compliance assessment in order to understand the compliance posture. Easily view the violating assets and understand why they are violating.
Solution
Redesigned Status Monitoring
Current Experience
Users were unable to assess compliance posture without creating custom dashboards, adding unnecessary steps before they could realize product value or complete essential daily workflows. 78% of new users immediately bounced from the compliance landing page, pivoting to dashboards to assess compliance posture.
Solution: Metrics-First Information Architecture
Redesigned the landing page to surface four critical metrics immediately: overall posture score, compliance breakdowns, trending direction, and total assets assessed. Applied F-pattern layout principles with actionable links directly to non-compliant resources.

Process & Validation
Used product analytics to identify the most-accessed compliance data points and validated metric prioritization through interviews with field teams and users. The key insight: users needed "traffic light" status first, detailed data second.
Streamlined Custom Compliance Creation
Current Experience: Excessively Complex
Creating the simplest custom compliance standard required 14+ steps across multiple pages with 4+ page transitions. This forced an enterprise-scale workflow on users who had only basic customization needs.
Solution: Lean and Progressive Workflow Architecture
Redesigned the workflow into a lean 5-step wizard optimized for 80% of use cases, while abstracting advanced features into separate specialized workflows. Created a centralized requirement/control library (requirements and controls being the sub-sections of a compliance standard) enabling cross-standard reuse and eliminating duplicate content creation.

Process & Validation
Conducted deep interviews and analyzed product usage behavior from the last 8 months to assess how users currently use custom compliance frameworks, which steps are essential and non-essential, and the current pain points. Validated the workflows with field teams and users through interview calls.