There’s an unfortunate disconnect between the priorities of security teams and where they’re investing their time, focus, and budget. The recent 2015 Black Hat Attendee Survey found that while security pros are primarily concerned with the looming threats from sophisticated direct attacks and the long-term risks of social engineering, they’re actually spending the bulk of their time dealing with much more commonplace challenges.
This isn’t an academic problem – it’s a daily struggle between managing the urgent at the expense of the important. And we can’t address it without changing the way we think about these issues. Put simply, when your security team is devoting the majority of your resources to battling data loss from commonplace, avoidable risk vectors, there’s no way you can take a more proactive approach to the larger, more important threats.
There’s yet another dimension to this complex situation. The two biggest contributors to security budget spend are the short-term, lower-priority challenges of internal compliance errors and accidental data leaks. That’s precisely the opposite of what it should be, and exactly why companies will spend almost $80B on security technology this year. And they won’t have much to show for their efforts.
The root causes of these time-consuming security gaps are three-fold:
Poor user experiences. Applications whose designs limit flexibility or interrupt an employee’s preferred workflow drive people to seek out loopholes or unsanctioned solutions. This is the primary source of accidental data leaks for most companies. Organizations must adapt security to protect data traveling through collaboration platforms growing in popularity, like Dropbox and Office 365.
Convoluted processes. Complexity inspires improvisation, and if a process intended to protect information requires too many steps, approvals, or decisions, there’s a dual risk of employees circumventing the process and edge-case errors for compliance. It is not enough for security solutions to be impenetrable. They also need to be virtually invisible for end-users.
Heterogenous systems. A very visible example of this is the Android Stagefright vulnerability. Putting the details of the specific exploit aside, Stagefright highlights the risks of a heterogenous system – because the Android ecosystem is so splintered, experts are estimating that as few as 20% of active handsets may receive the system update.
When design is overlooked, we accelerate the cycle of risky behavior. Companies create new policies and implement byzantine security solutions to lock down devices and data. In response, employees seek out simpler, more effective ways to get work done, abandoning sanctioned apps. As these consumer-focused tools infiltrate the enterprise, companies create new policies and implement more byzantine approaches to control them. In short, poor software and systems design promotes bad behavior. Usable security is the strongest and most effective security solution.
There’s more to explore on the topic of ways to implement UX and design thinking in the IT security environment, but whether you’re developing a new security technology or trying to keep your infosec programs on track, there are a few simple things you can do to benefit from design thinking:
- Always think about usable security. It is not enough for security solutions to be impenetrable. They also need to be invisible for the legitimate users. It is not useful to have the strongest security solution ever if this solution is never used to protect sensitive data.
- Put yourself in the role of your employees. Examine tools, processes, and workflows from their point of view. This is often as simple as sitting with people as they complete daily tasks. Observe. Ask questions. And don’t judge.
- Make processes as simple as possible, but not simpler. A good rule for life overall, look for ways to eliminate unnecessary checks and steps in software and processes.
- Look at the system as a whole to find inconsistencies. Friction pops up in the most unexpected places, and a decision made 6 months (or 6 years) ago is potentially the Achilles’ Heel in your system design.
I believe that one of the most critical IT hires a security-minded organization with significant digital assets can make today is for an expert in User Experience design. Companies will find success in user adoption and comprehensive data security if they find someone who understands how a truly useful, low-friction experience can encourage more secure behavior. In the same way that thoughtful, experience-driven design has fueled the adoption of collaboration, sharing, and data exploration tools in the enterprise, I believe that we can improve compliance and security by focusing on design first.