How to Build Usability Into Your Security Program

May 13, 2020
| |
3 min read

A positive user experience with security tools is essential to security itself. If a given application or policy is too hard or time-consuming to use, users will simply work outside of company security protocols — they may use their own email accounts and services or choose their own applications and cloud providers, ultimately circumventing entire layers of security technology.

Having solid security measures in place is a necessary condition for achieving your organization’s overarching goals, but user productivity requires both security and usability. When security harms usability, the organization’s overall efforts may be hampered as well. In this way, inconvenience can reduce not only productivity and usability, but also security. It is therefore critical for your organization to balance security policy with usability.

How Security Specialists Can Safeguard Usability

The greatest contributor to eroding usability in enterprise systems is when the security team operates in a constant state of reaction — rush this patch, lock down that app, remove those privileges.

Security threats, vulnerabilities and breaches come at you fast, and it’s hard enough just to keep up. The proactive way to incorporate usability is to replace piecemeal security thinking with an all-encompassing strategy based on coherence and harmony with tools, policies and training.

Balancing security and usability, in other words, is not something that’s achievable on the fly. It is enabled by comprehensive design. Here are the building blocks of a secure enterprise that maximizes usability.

Embrace Unified Policy Management

Employees are heavily burdened by overcomplexity, which makes their jobs harder. Technology that delivers a unified policy can boost both security and usability.

Implement Unified Endpoint Management

With the proliferation of device types — smartphones, tablets, laptops, desktops and a variety of internet of things (IoT) devices — and software and data types, implementing good unified endpoint management (UEM) software can be a huge step forward. Taking a cognitive approach to UEM simplifies and strengthens both management and use. To facilitate bring-your-own-device (BYOD) policies and the emergence of IoT devices, a device-agnostic approach calls for smart UEM.

Take Advantage of Automation

Automation is often framed as a benefit to the IT side, but it can also improve the user experience. For example, an effective and user-enabling patch management system might identify patches that could be automated and then update user systems without interruption.

Consider adopting a security orchestration, automation and response (SOAR) approach to improve security and reduce the mental workload of IT staff and users alike.

Leverage Threat Intelligence

The key to balancing security and usability is to find a way to step off the reaction treadmill and embrace a strategic and comprehensive approach to security at a larger scale. The way to get off that treadmill is to use powerful threat intelligence.

Although threat intelligence can mean different things to different people, it generally means taking an analytical approach to prioritizing and addressing threats. This should provide greater control than the more reactive, “whack-a-mole” method, which tends to distract attention away from the most pressing issues.

Phase Out Legacy Systems

It can be easy for legacy systems management to fall into a pattern of constant patching and updating, which can lead to a number of issues around security and usability. But here’s another way to look at aging IT: It’s a user-experience generational divide within your organization.

Employees who have been around for a while may be extremely comfortable with legacy IT, whereas younger or newer employees may find it extremely vexing. With each passing year, more employees who find legacy systems usable retire, and more employees who find them frustrating are brought onboard.

In general, legacy systems are likely to grow not only less secure over time, but also less usable for employees.

Maintain a Usability Mindset

Avoid and resist a “user blame” mentality. Users are humans, and humans have cognitive biases, impulses, inclinations and other characteristics that are, in fact, predictable. An enlightened security strategy takes all of this as given and works with human nature to promote user participation and partnership with respect to security. To that end, always cultivate an organizationwide culture of security.

Consider Mental Health

Take responsibility for one aspect of the mental health of users in your organization: Their stress level. Stress can have a significant impact on productivity, and it often causes people to make mistakes or take shortcuts. Strive to implement solutions that de-stress users, and make them feel empowered and safe.

Empower Your Users to Improve Security

When you are considering business purchases, be sure to give significant weight to how a new system might affect users. Will it make their lives easier or harder? If the answer is the latter, then this operational cost must be factored into the total cost of ownership to the greatest extent possible.

As a security professional, manager or buyer, doing your job well means enabling employees to do their jobs well. It’s not just about stopping the bad guys; it’s also about empowering the good guys.

Mike Elgan

I write a popular weekly column for Computerworld, contribute news analysis pieces for Fast Company, and also write special features, columns and think piece...
read more