"Vendors tend to forget that we look for solutions that are supposed to make our team's lives easier, not more difficult," Masserini says. "I don't care what bogeyman you think you're protecting me from. If my team has to work harder after your solution is in place, then your solution offers little to no value."
Security vendors, he says, need to do a better job connecting their solutions to open platforms so that teams like his can share data and build a common dashboard across teams. And they should also be working to continuously improve usability over time.
"Dedicate a release each year to fixing those bugs and requirements that directly go toward making your product easier to use," he says. "Those are the kind of things we look for in our partners."
Bottom line, the easier it is to use a security product, the more likely it will be used. And that is far more likely to make an impact than a product with the best AI engines and other capabilities that never see the light of day.
"If you look at the way Web application firewalls used to work, we saw many of them would end up as shelfware because the challenge of getting them safely inserted into the flow of Web traffic and tuned to reduce false positives made it difficult to even get the system operational," says Andy Ellis, CSO at Akamai. "So operator usability is a key component to even getting deployment."
Even the most technical security users like SOC analysts appreciate "usable and elegant" interfaces, says Phil Neray, vice president of IoT and industrial cybersecurity at CyberX, who explains that security vendors need to know how to balance those kinds of views with the flexibility to dive deeper into data through APIs or command-line interfaces. This means security vendors need to specifically target investments for usability from the very beginning.
"Not all vendors understand the value of a professionally designed user interface," Neray says. "Startups often skip this step for expediency or cost reasons, but in our experience having professional usability experts and graphic designers involved from the beginning delivers a significant payoff in terms of happier and more productive users."
DigiCert's Ashley says her firm realized this as it was redesigning the certificate discovery feature in its platform. Usability was a key requirement from the start of the design and development process — precisely because the feature it was replacing had been panned by users.
"We had a tool called Cert Inspector, which attempted to do certificate discovery, vulnerability identification, and reporting, but it was never adopted by customers because the UX was terrible," she says. "The new discovery feature was a big improvement because we did extensive research and applied user-centered design. More users means more people scanning their network and identifying vulnerabilities, resulting in a more secure Internet and intranets."
Conclusion: Respect Your Users
No matter who the user is or what the security product or feature is, developers and designers must make user experience a key requirement in creating security functionality. And that starts first at conception.
"Right now, as an industry, the focus isn’t on designing security products from a human-centric perspective," says Nicolas Fischbach, global CTO at Forcepoint. "If you want better results, let people be people and design accordingly."
This is perhaps the fundamental challenge because, at its root, many of the usability problems that the security industry faces are due to a lack of respect for users. This is ultimately what must be changed to start making headway.
"When designing systems or services in general, a lot of people think that we have to 'fix the user' in order to achieve an overarching business goal," says Samira Creel, vice president of product and client success for Risk Based Security. "However, in our field especially we need to stop trying to fix the user to achieve security. Usable security does not mean 'getting people to do what we want.' It means designing security that works given, or despite, what people do."
Related Content:
- Wendy Nather on How to Make Security 'Democratization' a Reality
- How Do I Make Sure My Work-From-Home Employees Deploy Software Updates?
- Beyond Burnout: What Is Cybersecurity Doing to Us?
- How Enterprises are Developing and Maintaining Secure Applications
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.