Narr: Good information security is seamless. It’s not something people tend to spend a lot of time thinking about. Until something goes wrong. A data breach, a security hack, a locked system–these things are a big deal even for small companies, but for companies at a cruising altitude of over 30,000 employees, they can be catastrophic. Being noticed only when something goes wrong is a tough spot to be in. That’s what we heard from Aaron Gerlitz, program manager of information security at Lowe’s.
Aaron: I think you definitely lose some trust and faith from the end users. And it’s tough to recover from, it’s a very thankless job and you don’t always get noticed, especially for stuff that’s supposed to be seamless. You’re not going to get a high five or a congratulations on those big moves, but you’re certainly going to get recognized when you screw it up. And when it makes the end-user’s life more painful so it’s definitely thankless and it takes time to build that back up by providing business value. And it just takes time.
Narr: So how can employee experience leaders navigate this challenge? How can they get recognized for the good work they do, day in and day out? As a highly successful leader at a company with over 300,000 employees, Aaron knows better than most. And luckily he was willing to open up to us about some of the secret strategies and tactics he’s used to get him there. Let’s get into it. Welcome to Cruising Altitude.
Welcome to Cruising Altitude, a podcast about employee experience lessons from leaders at companies with over 30k employees. A lot like reaching Cruising Altitude at 30k feet, things look a little different when you’re managing 30,000 people. On this podcast, we bring you insights from the leaders who inhabit that rarefied air. Today’s episode features an interview with Aaron Gerlitz.
Aaron: So I’m a Program Manager with a team of about five project managers that work for me. I support the information security group at Lowe’s and specifically within that, the engineering and operations team, which includes a lot of the functions you’d think of when you think of engineering and operations in cybersecurity or information security. So you’ve got the security operations team – security operations center, I should say. Our penetration testing team, endpoint security, network security and a few other functions within that.
Narr: Aaron has extensive experience managing large IT projects, both for Lowe’s and for the United States military. On this episode, he talks about building with the end-user in mind, frictionless IT, creating a seamless, secure user experience, and how to make sure your work gets noticed in a positive way. But first a word from our sponsor.
Narr: Lowe’s is a massive company, a Fortune 50 enterprise that brought in nearly 90 billion dollars last year. They have close to 2,200 stores worldwide with over 300,000 employees. And when there’s a tech issue, they’re all calling in. Luckily, Aaron is there to keep things running smoothly.
Over his six years working at Lowe’s in different capacities, Aaron has led a number of different projects. He has had to take over projects that were years late and millions over budget and bring them to completion. He brought a multi-year three-million-dollar identity and access management project to fruition, affecting password protections for more than 300-thousand users. That was actually one of his first projects.
Aaron: I started out in identity and access management, in a pretty lengthy and large project, to replace our underlying platform for password and account management, spent some time working in the payment security space, doing stuff like tokenization of credit card data within some of our payment systems, end-to-end encryption, and a few other things there. After that, right before my current role, I spent some time in data analytics building from scratch some applications to support our merchandising teams. And then I came to where I am right now, supporting engineering and operations within the information security group and have a bunch of different projects within that are mostly implementation of new software or replacing other software, but also building some new capabilities for the overall team there too, some metrics, dashboard type stuff tying into data analytics, like my former job.
Narr: It takes somebody who knows the company well to handle all the security concerns. To understand the magnitude of Aaron’s job, let’s get to know a little more about Lowe’s in our first segment, the Flight Plan.
The Flight Plan is where we talk about creating the employee experience. First let’s find out who’s involved in creating that experience.
Aaron: So overall it’s about 300,000 employees. Obviously that includes all the stores’ employees, which is a different category than our supply chain or corporate side employees. Corporate side, I would say, is probably around 20,000 when you encompass all of the supply chain and true corporate office-type functions.
Narr: And because of his sweeping responsibilities, the stakeholders in projects could be corporate staff, workers in supply chain operations, inventory, or all 300,000 employees. Aaron gives an example of the stakeholders for one project he worked on.
Aaron: You’re building that data analytics project that I did just a couple of years ago. You’re building a platform, right? A new application specifically for one team to do one job, right? In this case, it was a merchandising team to automate some functions. When you talk about assortment planning, picking what they’re going to put in stores and how much they’re going to put in stores. So you have a more tight-knit stakeholder team that you’re working with directly. Now, obviously you’ve got the indirect – like we need to talk to the security team and whatever infrastructure and networking teams to make everything tick and tie on the back. But it definitely varies and can be a really broad stakeholder group, or it can be a little more finite depending on the scope of the work you’re doing.
Narr: Much of Aaron’s work is behind the scenes, so end users don’t even know a big project is underway until it’s finished.
Aaron: Especially when it’s a really large scope, one that hits tens of thousands or hundreds of thousands of users. Usually you’ve got that corporate representative from whatever business function you’re working directly with. And they’re the point man for those decisions and they’re involved throughout the process. And then towards the tail end you get into that real communications aspect of letting everybody know what changes are coming, using those, whatever communications functions you’ve got. It’s changed over my time here, but usually you’ve got some corporate function that specializes in that. And yeah, you work to find that right timing, of not telling them too early, but giving them enough time to be able to deal with the change and plan for the change. Especially if it’s something that’s going to impact their day-to-day work.
Narr: And once it’s time for that change, Aaron is tactful about how to get the message across. He has to get it to the right employees while creating the least amount of friction possible in their work day.
Aaron: There’s like a balance with the store employees, right? Anything we’re changing and anything we’re taking away or task we’re giving them, say, even if it’s just a communication to let them know something’s changing, is taking away from time they could be spending on the floor with a customer, selling product, or just conducting any other day-to-day tasks. So you really want to make sure when you’re getting to them some communication, it’s concise. If there’s an action they need to take, that’s also concise and very easy to follow along. And that you’re not giving it to them too early or too late in the process. It’s a really, really tough balance to make when you’re dealing with those frontline workers, but it’s important, too.
Narr: But things don’t always go as planned.
Aaron: One that I did early in my time here, that didn’t go smoothly. So, they may have not seen the communication up front, but they certainly saw the communications afterwards on, “Hey, this is broken. This is what we’re doing to fix it. And maybe here’s a timeline for when you can expect to fix it.” Or just having that kind of service desk, front line worker there, able to answer those questions as employees call in when you do have problems with the go live.
Narr: So just in case something goes wrong, it’s always a good idea to have a Plan B.
Aaron: Hopefully you prepare for it with a really solid backout plan, or just a complete plan to pull that change out. In the case that you can’t, and in this specific case I was referencing, we couldn’t back it out. We had some major data problems and we had a huge backup in that kind of queue of employee data changes that were happening to accounts. It was just being pretty clear about the communication of saying, “Hey, this is broke right now. That’s why your password change isn’t working,” or “That’s why this new employee can’t be onboarded, we’re working through it. And here’s where you can go for an update.” and just having a quick, concise update. And on the backend, really working your tails off to get that fixed, and improve the user experience there.
Narr: But at a company like Lowe’s, you have hundreds of thousands of employees who aren’t sitting behind a computer. So when you need to communicate with them about one of these updates, how do you reach them all?
Aaron: We’ll start from the store. Cause that’s the easiest, is you have this store employee that maybe doesn’t even get on a pure computer day-to-day, is mostly in the store, maybe on a cash register, and just intermittently interacts with whatever applications they need to do their job. Then you have the supply chain side of things. We have a whole bunch of different types of distribution centers and facilities on the supply chain side of the house that definitely have a different set of applications they’re using on a day-to-day basis. And a lot of different tools that they’re using that, if they break, can really screw up the whole supply chain and back up things if they’re fully down. And then you’ve got – I’d put the third category as the pure corporate employee, that in a non-pandemic world, like we are right now a year ago, would be in the office about five days a week, working with their team and in one of our office buildings in North Carolina or one of the other corporate offices. And within that you do have the more specialized segments of that, right? You’ve got the contact center segments that are on the phone with customers most of the days. You’ve got the help desk folks on the IT side of the house that are on the internal customers day-to-day, and then you’ve got the other corporate functions, right? The rest of technology, finance, the executive suite, which almost gets treated as a separate category. They’ve definitely got different needs and different outage time periods that you can deal with, and all of that.
Narr: When the pandemic hit in 2020, Aaron’s role became more critical than ever. He had to help 25,000 employees shift to secure remote work overnight, and friction was a big concern.
Aaron: One of the biggest things we had to do right there is shore up our VPN capabilities. Make sure once you went from just maybe a couple hundred or a thousand people working from home each day and using the same VPN that now you can scale that up to, what, 20,000 people or 25,000 people working from home or remotely on a day-to-day basis. Making sure that experience is seamless.
And it really, I think that’s the biggest part of security when it comes to employee experience is making whatever capabilities you’re providing, or whatever security capabilities that you’re putting around the rest of technology at the company as seamless as possible so that it’s not causing friction. A lot of times, I think, especially when technology teams are building something or implementing a new team, they don’t like working with the security team sometimes because it’s considered a friction point, right? It’s considered a barrier and something that’s going to slow you down. And bringing as much transparency to that process around why you need to do it, why it’s important for the company and our customers, and maybe our data, and just making that as seamless and easy as possible for those internal customers and external customers is important.
Narr: Aaron knows that taking care of security now prevents potential breaches and headaches in the future. Which is why he works to anticipate security issues and tackle them head-on.
Aaron: Having the right monitoring assets, the right logging tools out there so that you can proactively find those problems, having a vulnerability management team that can go out there and track those vulnerabilities and let teams know when there’s something that needs to be addressed. And just being a partner. It’s a thing you talk about a lot when you talk about vendors and having partnerships with them on different things, but it’s important internally, between security teams and the other technology teams that are developing applications and implementing applications.
Narr: A large part of improving the digital experience for employees is making any tech-related process easier. Sometimes this takes work up-front, but makes for a better experience moving forward.
Aaron: I know, switching to a different project when we did that merchandising data analytics platform project, we spent a lot of time with that assortment planning team. They were in our kind of scrum meetings as we were building out new features and figuring out what needed to be prioritized and figuring out how we need to shift how something looks within that tool so that it works for them. And so that it does actually enhance their employee experience, make their lives a little bit easier day-to-day and help them make better decisions that hopefully trickle down to the bottom line for the company. And so that’s on the corporate side, I’d say, and that’s probably the easiest one to translate. I think on the more store side, it’s a lot more indirect. I think of all the network security stuff we’re doing, just to make sure that our stores are secure, that we’ve got the right firewall set up or the right infrastructure set up that keeps us secure and doesn’t cause problems, but also is transparent to the end user. And all they see is just a good, seamless experience with whatever applications they’re using on that end, on a day-to-day basis, and they don’t see a big disruption, which is a lot to do with that change management component as well.
Narr: Employees working in the stores also have Zebra devices, a cool little tool that gives each employee more knowledge and power at their fingertips, while also keeping them connected.
Aaron: It’s basically a smartphone that employees, if you go into I think a Target, maybe a Nike outlet, I know I’ve seen them in a lot of retail stores these days, they’ll have devices that they can look up inventory on. They can get the customer information in some cases, they can even check out the customer on that kind of smartphone device. So that’s the one that immediately comes to mind. In our stores, you’ve got a lot of different selling applications that integrate together. Some that are more focused on specifically, “Hey, we need to check out this customer and let them pay for their items.” Some that are more focused on inventory, and finding an item. And then I’d say closely related to that are the customer-focused applications, right? I go onto my Lowe’s app and I want to see if this product is in the store down the street, or if I got to go a little further for it, or if it’s just something that’s not in stock right now, and stuff like that. And they all tie together. Cause you need to have that consistency and in an omni-channel world, you need to provide the customer the ability to shop in whatever way they’re most comfortable with, and make that seamless.
Narr: Lowe’s also uses a variety of ways to communicate across the ranks, and not just by mass email.
Aaron: I’d say a couple of things I think we do pretty well at Lowe’s is how we communicate from the top to bottom. So for the store, specifically, our executive vice presidents on the merchandising in stores teams, they’ve got a kind of a podcast. It’s more of a live feed, a video feed, that they do weekly. And they spend an hour talking about what’s going on, what the stores need to focus on that week, maybe sales specials and stuff like that. But they would bring to the forefront, “Hey, this change is happening. Pay attention to this. This is important.” Cause that’s a forum that they know they’re going to pay attention to you. And then beyond that, we’ve got some tasking systems, too, where it specifically spits out tasks that store needs to complete on a day-to-day basis. So if it was something they needed to turn on or start using or something they needed to action on, that’s also there. So a couple of different ways, depending on the criticality or the type of change, that we use specifically. But it’s key. Those different types of communication are key to success and key in making sure the top and bottom are on the same page and working towards the same goals on a day-to-day or week-to-week basis.
Narr: Let’s talk about the three best practices Lowe’s uses to provide a top notch digital employee experience in our next segment, First Class.
Aaron: I’d say the first is having an end user or a representative of an end user in the room. I go back to that merchandising product that we’re creating. And we struggled if we didn’t have someone in the room while we were planning out that next two-week sprint and figuring out what the priorities were, because they were going to be constantly changing based on how their experience in the system was going right then, based on what they thought of the newest features. And if you’re not constantly, and I guess it doesn’t have to be in the physical room, you can be in the virtual room, Teams, Slack, whatever you guys are using. But that’s critical, having them as part of the decision-making process and having a good feedback loop there.
Aaron: I think number two is probably being able to figure out when something’s not working. And being able to say, “Hey, we know we spent millions of dollars on this, but this is obviously not the app, not the right application or not the right direction for us to take,” and cutting your losses and switching directions, being able to make those decisions quickly. And it ties into the feedback loop, but not going along the same path and making a bad decision.
Narr: Sometimes you find out what’s not working by reading between the lines. By looking at the data instead of asking people upfront.
Aaron: I think honestly, sometimes it’s not signals through direct communication. Because people can be a little passive sometimes. So one example I think of is we developed a dashboard and we thought it’d be very useful for the teams. But in monitoring usage, we just didn’t see the same usage. So obviously something wasn’t working or it didn’t have quite all the features that were needed there. So, it’s a simple example, but just monitoring usage and seeing if that user adoption is there when you introduce a new capability might give you some better feedback than the direct feedback from someone face-to-face. I think the third one is really, and it sounds nerdy, working in an agile fashion. We’ve over the last few years had a huge effort to move from the more waterfall-type strategies, the traditional software development life cycle, where you’re spending a lot of time developing and testing and very sequential. You’re not breaking down the work like you would in an agile fashion. And not working in either scrum or Kanban methodologies.
Narr: The Kanban method Aaron’s talking about comes from the Japanese word meaning “billboard” or “signboard.” It basically means making a to-do list and sorting items based on where they are in the process from start to in-progress to finished.
Aaron: And as we’ve moved to that methodology more, you see the feedback loops naturally work a lot better. Just how the teams work together a lot better. You get capabilities out there and value to the business a lot quicker. The second one that I say, you figure out when you can quit something or when you shouldn’t be doing something or you’re heading in the wrong direction a lot quicker. So I’d say that’s gotta be the third best practice for any team that’s truly developing software or doing software engineering in any way, is working agile practices into that, having the right people, having those roles in the room, whether it’s product owners, product managers, scrum masters, and adapting that to your organization.
Narr: Of course, part of a first-class experience is how the company goes above and beyond the status quo, and though security and IT may not play an obvious role, they can make the difference between a seamless experience and a tedious one.
Aaron: A lot of times I think it’s the simple stuff that goes above and beyond. And staying consistent in those simple things, those weekly cadences, having those one-on-ones or those bi-weekly conversations with your business partners or your employees, having a good communication mechanism, having that good top to bottom communication about what’s going on, what the goals of the organization are, how macroeconomic things are affecting what you guys are doing week to week. All of that stuff, honestly, and it seems simple. But you see when. It people that’s quickly what goes away, as soon as things get really tough or you have a pandemic that shows up and you have to figure out everything else, they stopped communicating as much and there’s that hole or that gap in communications. And I think, honestly, that’s the above and beyond, is just doing the simple things really well, doing them consistently. Not letting them go when something gets in the way.
Narr: We’ve talked about what makes a phenomenal digital experience. Now let’s go the other direction in our next segment: Turbulence.
During this segment, we take a look at how employee experiences can get bumpy. What lessons can we learn from the speedbumps and setbacks that come up along the way? To start, we asked Aaron about the project he mentioned earlier that he said didn’t go so well.
Aaron: I go back to that identity and access management go-live I alluded to earlier, where we had some major data challenges and some major problems after we went live. And it wasn’t just an easy backout; we had to work through those problems, free up the queue. And in that case, you had a big queue of password changes. So if someone ran into their password expiration they could be in a huge queue waiting for that password to change. And you can just imagine them sitting at their computer, watching it just spin. So that’s an awful employee experience. And it’s one that there were workarounds, right? Maybe you get rid of that, whatever, that 90-day expiration for a little bit of time while you’re working through that challenge, knowing that there’s a huge queue, or maybe you can do different things right on the backend with how you’re managing that. But on the other side of that we also had a huge queue on the account management. So any employee change that was coming through from our HR systems for, let’s say, a promotion or a pay change, or a termination or maybe even a hire. So maybe a hire wasn’t getting access to their computer. Maybe they usually got in in three days, it was taking seven days or eight days, which can be an awful employee experience. That was a little bit of a disaster, I’d say.
Narr: This was a chance for Aaron and his team to take away what wasn’t working and make some changes. Since working in an agile manner is one of the best practices at Lowe’s, he has to figure out how to keep moving forward when things don’t work out.
Aaron: That one specifically probably would have forced a lot more conversations on how we could back out some different components. It might not have been possible, but given the scope and scale of the change we were doing, but just looking into every option would have been huge. Another one I think was having the right people that can react to problems and solve problems quickly and not exacerbate the problem. Cause when you have a big problem like that, some engineers can’t handle that stress, and can’t work well in a stressful situation like that, or work those extra hours. And so you need to make sure you’ve got the right people on the team to be able to adapt, come up with solutions, figure it out and get the employee experience better. So those were two of the biggest ones.
Narr: And sometimes when things go wrong, it takes time to bounce back.
Aaron: I think you definitely lose some trust and faith from the end users. And it’s tough to recover from, it’s a very thankless job and you don’t always get noticed, especially for stuff that’s supposed to be seamless. You’re not going to get a high five or a congratulations on those big moves, but you’re certainly going to get recognized when you screw it up. And when it makes the end-user’s life more painful, so it’s definitely thankless and it takes time to build that back up by providing business value.
Narr: Aaron says he’s learned some big lessons over his past couple years at Lowe’s about what makes a great digital employee experience.
Aaron: I think it’s the end-user partnership, the business partnership, and even if they’re not interested in being in the room, forcing that a little bit, finding ways to get them engaged, finding ways to make sure that you’re getting their input and feedback, I think is the most critical, because the quicker that feedback loop is, and the more transparent it is, the more valuable whatever you’re building or implementing is going to be for that end user. So I’m a little repetitive, but that’s gotta be it, that’s the most important thing for sure.
Narr: And though security may not seem obviously tied to a good employee experience, Aaron says a crucial part of his job is keeping the personal information of customers safe.
Aaron: I think the biggest part is the threats to your true customers and how you solve for those and how quickly you resolve different problems. I go back to my payment experience, my payment security experience a few years back when we were doing tokenization and end-to-end encryption, all those different PCI components, and it may not immediately jump to the forefront of employee experience. But I’ll tell you what, if you get hacked and those customer credit cards are out there and you have to deal with all those problems, it’s certainly going to have an impact on employee experience, and this is a critical component to have. For right. I’d say just as important, and stuff that you constantly see flying through the news nowadays, is the different ways you solve for new vulnerabilities that pop up, having a team that can quickly identify them, whether it’s a penetration team that’s going out there and proactively trying to find problems within your systems or a threat and vulnerability management team that is helping bring visualization to all the problems that you’ve got out there and prioritizing them for your different application teams, so that those systems don’t come to a crashing halt because that vulnerability is taken advantage of by a hacker, or just the proactive aspects of a security operation center, logging what’s going on in the systems, being able to identify when there’s different problems within our environment, right? Whether it’s maybe might even be an insider threat issue, and just having the capabilities there to take care of that because that can certainly disrupt employee experience for a whole subset or the entire organization, if something goes wrong and you’re not attacking those problems.
Narr: Like Aaron said, it’s important to keep all systems running and secure. So monitoring activity and being proactive about potential threats is key. Aaron shows how taking care of the IT infrastructure may go unseen, but it plays a crucial role in creating a seamless employee experience. Thank you for listening to this episode of Cruising Altitude. This episode is brought to you by SocialChorus.