
4/30/2020
02:30 PM
Ericka Chickowski

User-Friendly Cybersecurity: Is a Better UX the Key to a Better Defense?

Frictionless security, improved interfaces, and more usable design may improve the efficacy of security tools and features (and make life easier for users and infosec pros alike). So why has there been so much resistance?

(continued from page 1)

"End users don't necessarily want friendlier GUIs; they want security to be as invisible as possible and to not impact their job on a daily basis," explains Rob Boyce, managing director at Accenture Security. 

Some classic examples of this gone wrong are unbearable VPN connections that make it impossible to get work done outside of the office and extremely cumbersome login processes. 

Worse yet are controls that simply disable or block the use of tools that end users find valuable to their workflows without the security team asking for input beforehand. Authoritarian blocking of cloud tools comes to mind here. 

"Anytime security takes agency away from the end user, it can have a negative impact," Boyce says. "So it's less about usability than ensuring end users have the control they need to do their jobs — in conjunction with the necessary cybersecurity education to do them securely."  

According to Kurt John, chief cybersecurity officer of Siemens USA, it's crucial for his organization's employees not to see security as a barrier to doing their work. That is why his team always evaluates the software and hardware the organization uses from both a security and usability standpoint, and strives to protect existing environments in a way that preserves how users want to work. The prevailing question they ask is, "How do we make this as convenient as possible?"

"There are some technologies that present relatively low effort in conjunction with incredibly high value for keeping company resources secure," John says, explaining that his team's approach to multifactor authentication offers a good example. "We have provided at least three methods of completing the second factor – giving employees options to integrate the most seamless method that fits their workflow. This also provides our employees with a backup option in case there's an issue with any option."

Meanwhile, his firm has found ways to make it possible for end users to keep using their favorite cloud technologies while still minimizing risk.  

"We have also implemented some cloud-based technologies that do not require connection to company resources and provide robust security features, such as protection against new attacks and, in some cases, zero-days," he says.  

(source: user poll, Dark Reading's The Edge, April 2020)

In some cases, regulatory mandates leave security no choice but to be a little draconian on certain matters. This will inevitably cause a hit to usability.

"A good rule of thumb is the more regulatory burdened an operating environment is, the more usability impact you may encounter," says Jason Hicks, global CISO for Kudelski Security. But he explains that ultimately security should be seeking to design secure, compliant processes in a way that minimizes monitoring or heavy-handed controls wherever possible. "If you build an overly burdensome solution, users will do their best to circumvent it," he says.

Decreasing Disruptiveness in the IT User Experience

End users aren't the only ones impacted by the user experience of security products and features. Security leaders must also think seriously about how administrative usability impacts their colleagues in IT and sometimes even business leadership.

As security considers products to fold into the IT workflow, it needs to keep in mind the disruptiveness of the product, says John Masserini, global CISO for Millicom Telecommunications. The more administrators need to contort their working processes to suit the operation of the security technology, the more likely it will fail to gain traction, and vice versa. Masserini highlighted this dynamic in an anecdote about a privileged access management (PAM) solution his team recently rolled out; it succeeded largely because usability for IT administrators was top-of-mind.

"During the initial meeting, the system admins pushed back a great deal because PAM solutions were notorious at making their job much more difficult and their response times slower," he says. "After several meetings with the sys admin team, we were able to demonstrate how we could take their current experience of eight to 10 logins per day down to a single, integrated, multifactor login, making their experience significantly better."

In this way Masserini was able to turn the project's biggest detractors into its biggest champions.

"[It] became the team that wanted to be first to migrate to it because of how it bettered their lives," he says.

One point to keep in mind as security organizations architect administrative user experiences is that many security tools require line-of-business leaders and other nontechnical leads to tinker with dashboards for policy setting, regular review of end user activities, and things like approval. This is another area where security usability tends to be lacking.

"The security industry has, in general, been rigid in regard to who they view as core 'users,' often focusing on technical user personas such as infosec security teams or system and database administrators," says Nicole Sundin, director of user experience and product management at Thycotic. "These technical users are used to complicated task interactions – for example, complex scripting and leveraging APIs – to complete their security tasks. This paradigm no longer works for everyday users that need to adapt security products in their day-to-day workflows."

Security Pros Are End Users, Too

The user experience discussion shouldn't stop at end users, business leaders, or even IT administrators. Security also needs products that are easy for security operators and executives to use.

(Continues on page 3 of 3) 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.