With cyberattacks increasing in both frequency and sophistication, cybersecurity has become top-of-mind for organizations. Yet there is no one cybersecurity technology that can tackle and anticipate all of the evolving attack vectors that have spread through the IT environment. To have a comprehensive security solution, organizations need to build a security architecture or framework, and many do this using a number of different point solutions. When done correctly, numerous cybersecurity technologies can provide a wide range of coverage. The problem with this scenario is that having numerous point solutions can also result in a fragmented security architecture, and when it comes to cybersecurity, any gap in the security posture of a network can be a critical risk. Creating a seamlessly consolidated security architecture is key, but in order for it to operate seamlessly, user experience needs to be considered at the front and center of the consolidation.
In this blog, I chat with Angela Duggan, VP of User Experience at BeyondTrust, to find out how organizations can improve their overall security posture by incorporating User Experience (UX) into the foundation of the security architecture.
How can a good user experience impact the efficacy of a security solution?
Good user experience leads to more effective and efficient products. It also leads to better adoption.
There are really three parts to this answer, as I see it:
- The first is the principle that good UX removes friction. Less friction means the user is more likely to adopt the product without complaint. As soon as a product introduces friction, it causes inefficiencies in that user’s daily work. That will cause them to look for workarounds. Where that gets truly dangerous is when that workaround isn’t approved or known about by the security/IT team. Sometimes that can lead to behavior that is even less secure than if you didn’t introduce the policy/software in the first place. People avoid what’s difficult. You don’t want people avoiding security practices.
- The second has to do with a belief in the UX world that human error is actually a result of poor design, not the fault of the user. “Human error” remains one of the main causes of data breaches. If the experience of the product or service is properly designed, it removes the potential for errors to occur. In contrast, if the experience is confusing or doesn’t give clear feedback to the user, it’s much more likely for the user to introduce an error or miss something critical.
- The last leans into the previous a little bit; the part about missing something critical. The better the user experience, the more likely the important, critical, or urgent information is surfaced quickly. This means less “hunting” or investigation is needed by the user. That means problems, or potential problems, are surfaced quickly. It’s even better if clear direction on what recommended actions to take to mitigate the risk is shown upfront.
What does a defragmented security solution look like?
I think a truly consolidated security solution is yet to be seen in the market. A lot of the time, we see security teams fragmented in their org structures, and some of that is because of the way our industry breaks its products into different pillars. Imagine, for a moment, a world where those imaginary categories and pillars don’t exist. If all security and IT teams were to have consolidated tools with shared views, they would most likely see:
- Lower costs - Time and effort cost, not just financial costs, would be lessened.
- Cross-team collaboration would increase - Shadowing of professionals in the different areas would be easier as well. That could mean a company could lessen their chance of having an individual be a single point of failure for a security team.
- Faster adoption of new features and integrations - As a company grows and needs more and different coverage, the ramp up time for new additions in that consolidated system would be significantly less. While the feature itself may be new to the user, the system, how it works, its patterns and workflows, would all be familiar. This means that new feature would be easier to understand and lead to faster, more confident adoption.
- More efficient detection, mitigation, and prevention of threats - A consolidated system would also have all the data to work with, instead of just a narrow view. That means different types of potential risks or threats could be more easily identified and mitigated. It also would eliminate the potential for gaps to act as doorways to threat actors.
What are the challenges involved in building a consolidated security solution?
There are two main challenges:
- The sheer scale of a single solution. There is no one person who has detailed knowledge of every use case and every scenario end-to-end across all pillars. That means clear communication and constant collaboration across all teams are key to success. Teams that aren’t used to working together need to partner, share, and learn from one another. The people designing and building security software are human, and they are usually pretty passionate about what they do. This means there will be unavoidable friction and grey areas that need to be understood and addressed. Beyond that, testing consolidated designs is tricky because customers aren’t used to it, so it’s tough to find the right people to talk to and test with.
- Training people out of old habits and preconceived ideas. This goes for internal players and customers. We all have these pillars built in our heads, and that’s tough to overcome. People really must push to think outside of the box. In order to be innovative and effective, we need to think outside the bounds of what we already know about how the industry works today. Customers need to be open to seeing new solutions in action, even when they may not exactly fit their organizational model as it exists today. It all boils down to being the most effective for the greater purpose of why we’re all here: to protect access and identities from threats.
How can UX help consolidate a security architecture?
I think UX plays a key role. We are used to taking complex problems and breaking them apart into specific scenarios and problems. We’re good at investigating the problem itself and not focusing on a solution. Because of this, UX can be the real driver of innovation for an initiative like building a consolidated security architecture. By starting with the problem itself, we break down the preconceived ideas of existing solutions and focus in on the actual needs of the user. Having a human-first approach is critical to understanding the true problems and use cases you’re trying to solve. Understanding what the human on the other side of the screen is dealing with on a daily basis (and this includes the stuff seemingly unrelated to your product) will help you design the best possible experience. Beyond that, UX helps design concepts and then test those concepts with users to make sure we’re on the right path. With proper UX research and testing, you can be sure you’re not on a wild goose chase. You can be sure you’re going to release something valuable. It takes assumptions and biases out of the equation.
What factors make for good UX when it comes to a security solution? Is there a checklist you watch for?
We follow UX industry standards like NN/g’s 10 Usability Heuristics for User Interface Design. But we also have our own list of design principles that we follow:
- Build for our users. We are not building a retail site or a shopping cart experience, so we don’t design with those users in mind. We keep our personas at the center of every decision we make. Don’t overestimate our users’ technical abilities or underestimate their desire for something simple.
- Respond to user actions and optimize for speed. The application should be responsive and provide clear feedback after an action is taken. There should be no guessing if something was completed or when it will be completed.
- Build on familiarity. This really ties into that single, consolidated experience. Don’t reinvent the wheel. Build on the patterns and mental models our users already know, patterns they may be used to from popular apps outside of the security world. Remain consistent. If there is a learning curve, it should only need to be learned once, and bonus points if you help them learn it through in-product guidance.
- Show the user only what they need. I see this a lot in security software: a complete overload of information. This is dangerous because important and urgent information gets lost in a sea of data. Often, there is the urge to make sure we show the user everything, and that’s counterproductive. We need to make sure we show the user only what they need to see, but then let them dig deeper if they want to.
- Eliminate fear. The user must trust the application. Prevent the user from making an error and eliminate confusion so they can feel confident they’re doing the right things at the right time. This will give them a sense of comfort and put them at ease.
- Save users time and effort. Not every user will want this, but automating certain processes can be a big load off, so where you can, give that option. Reduce the number of repetitive tasks. If the application has collected data in one place, it should be usable throughout the whole system so the user doesn’t have to input the same information twice. This is yet another strength of having a single, consolidated system.
- Design for security. Prevent user error and keep tasks simple to reduce the risk of error. Design scenarios with roles in mind so that a user only sees what they are privileged to see at the time. Avoid information leakage, and make sure things like error messages are helpful without giving away potentially harmful information.
How do you know when UX issues could be impacting security?
Workarounds are probably the number one indicator of UX issues. If users are fighting against a policy and finding ways around it, that majorly impacts security. You need to make it easy and fast to work within the confines of a policy or request a temporary exception.
As far as UX in the security tool itself, when the IT/security team can’t find the data they need quickly, or they don’t trust the tool, that impacts security. It’s very common for users of a security tool to export the data from the tool and run their own queries, even if it’s just to double-check what the tool has already told them. Without that trust in the tool, a security expert may discount a risk the tool has identified. This wastes valuable time and potentially lets things fall through the cracks.
Do you have any tips or recommendations of what people should look for when choosing a security solution? What are the red flags that suggest it might not offer a good UX or CX?
- Security is complex, so make sure you choose a company that is going to partner with you, not just sell you something and disappear until renewal time. No matter how well the product is designed and built, you’re going to run into bumps along the way. That’s why it’s so important for the company you choose to have a proven customer satisfaction track record. It should be a partnership, not a transaction.
- Buyers who aren’t also users should listen to their users before deciding what to purchase. Buying something because it checks a box or has the most features means nothing to the people who are actually using it day-to-day. Dig into what they really need and what would be the most valuable to them, and then look for a solution that fits those needs.
- Don’t be fooled by pretty interfaces, graphs, and dashboards. This is probably the number one mistake buyers make. When we talk to actual users, they don’t even look at those dashboards because they’re useless to their actual tasks and needs. They may look nice, but so often they’re not useful at all. The problem is so pervasive in security software that, when my UX team tries to design and test a dashboard, users often immediately discount it or ignore it, and look elsewhere for the information. Dashboards in security software are almost like ad banners in websites: users have become blind to them. The sad part is that a thoughtfully designed dashboard can be so valuable. It can save critical time in an investigation or more quickly surface a risk.
Making the change to better UX
In order for organizations to have the strong, agile, and resilient security postures they need to counter today’s threats—and to meet today’s compliance mandates—they need a security strategy that puts UX at the center. A security posture that combines seamlessness between solutions and effortless use will make all the difference.
Laura Bohnert, Content Marketing Manager
As a content marketing manager at BeyondTrust, Laura Bohnert applies a multifaceted, tech-centered marketing skillset to help drive SEO, blog, PR, and product marketing in support of BeyondTrust’s demand generation and sales enablement initiatives. She has a diverse background in product marketing, brand marketing, content writing, social media, event coordination, and public relations. Outside of the tech world, she has a passion for literature, with a BA, MA, and PhD Candidacy in English Literature, and she can either be found beekeeping, restoring her historic haunted house, or continuing her dissertation on the psychological interpretations of ghosts in gothic and horror fiction.
Angela Duggan, Director of User Experience
Angela is a user experience expert with almost 20 years of experience in the IT industry. As the Director of User Experience at BeyondTrust, Angela manages a growing team comprised of Researchers, Designers, Analysts, Information Architects, and UX Assurance Engineers. Angela oversees all aspects of BeyondTrust’s user experience strategy. She works closely with the Product Management, Marketing and Engineering teams to develop roadmaps, processes and goals surrounding user and customer experience for a large product portfolio. Angela has worked with several technology companies over her career to create, develop, and optimize user experience departments and processes. She started her career as a web developer and quickly moved into user experience, specifically working with rich internet, desktop, and mobile applications. Angela's specialities include: leadership, advocating the importance of user experience, building strong relationships between UX and other departments, user interface design, interaction design, visual design, user research and requirement gathering.