Everyone wants security, physical or cyber, even if they don't necessarily like it: it is not fun to deal with. In a way, it is like building a new highway: "Not in My Back Yard."
In this blog, I will describe the different types of tension that enterprises experience around cybersecurity and lay out some key guidelines on how I believe security can coexist with the other needs of any company.
The Opposing Forces
There are two main forms of tension between security and business operations:
- Security vs. Business Enablement: imagine a scenario in which, suddenly, everyone in an organization needs to work from home. Sound familiar? Now imagine the impact on the organization's security department. Every executive demands the adoption of new tools, and fast. This creates real turbulence: adopting new tools is needed to serve the business, but it also opens new threats and attack vectors for the organization. Typically it would take weeks to assess the risks of these new tools, which usually postpones their adoption; in this situation, however, the business side cannot wait. What should the CEO do? This is only one example, and a somewhat extreme one, but these kinds of decisions and internal negotiations occur on a regular basis in every organization.
- Security vs. User Experience: this generally encompasses multiple elements, but here I will focus on the impact of a security measure on a single employee or group of employees. A good example is VPN, or any means of connecting to work assets from a less secure network. Many employees suffer from a slow connection to the business network, which builds frustration and reduces their motivation. Another example is mobile device management. It has been proven that extreme mobile device restrictions cause employees either to find ways to bypass security or to stop working from mobile altogether, which, while secure, ends up harming productivity.
The Source of Evil
It seems that security vendors and security experts within companies have adopted a kind of axiom: in the battle of security vs. user experience, security always prevails. This may come from a misconception that end-users, knowing the importance of security, are always willing to sacrifice their own experience for the greater good of better protection. However, as any user can admit (at least to themselves), this is not necessarily true. In reality, end-users are constantly willing to sacrifice security for better productivity, speed and efficiency. The best example, as mentioned above, is that employees always find ways to "bypass" security protocols, or choose to avoid a service altogether if they deem it "unfriendly".
And if we are completely honest, end-users are not the only ones willing to sacrifice security because of a bad user experience. CISOs and security experts who have too many tools on their hands can find themselves not using the solutions they acquired at all, or at least not in the best way they could, simply because the user experience is not good enough and demands too much work for what they need.
The immediate conclusion is that if the user experience is not considered from the very beginning, a service could fail, or never be deployed at all, leaving users less protected and ultimately exposed to breaches.
So, what do we mean by “User Experience”?
User experience is everywhere. While most of us think of user experience as the user interface, this is only a fraction of the user experience one is exposed to when working with a product or a service.
User experience starts with the first deployment of the service and extends to every ongoing interaction point with it: for example, enabling your customer to contact you about any problem and get a fast response, or being proactive and reaching out to your customer even before they become aware that a problem exists.
Experience is also about how fast your service operates, how agile it is, and, for the topic of our discussion, cybersecurity, how "behind the scenes" it really is: making the user feel like it doesn't exist while it is still doing its job.
Below, I mapped some key points which one should consider before purchasing a security solution.
Seamless & Fast
Without proper security, your business can be harmed. There is no question about it. But security alone is not enough: the solution also has to be seamless and fast. The phrase "time is money" is key in the cybersecurity world too.
If your service analyzes information that needs to reach the end-user, for example information on recent changes in stock prices or new regulations that have to be implemented, there should be only a minimal delay. What is a minimal delay? That always depends on the specific scenario, but as a rule of thumb, the delay should either be unnoticeable to the user or at least not one that makes them raise an eyebrow.
For emails, delay should be measured in seconds, and not minutes. Just think how many times you have told someone you just sent them an email, and they started punching the refresh button again and again… and again!
For web browsing or instant messaging, the delay should be even less than a second as it is a very interactive and immediate process. In addition, if you do cause a delay for the user in such a case, you must tell them that you are doing so – and then you are required to share what you are doing.
The service also has to be seamless for the CISO, who is already swamped with far too many dashboards. You need to make sure that alerts are raised only for real threats (otherwise real alerts will be ignored), and your interface needs to provide focused, insightful information that actually helps security personnel do their work properly. Don't favour the "cool-looking" view over the practical one.
Speed has another effect on user experience. Many detection and protection services are too slow and not scalable enough, forcing them to check threats selectively or randomly. For example, because many secure email gateways need up to 20 minutes to dynamically scan an email, they are forced to rely on statistical analysis of the data and accept the risk of not scanning every email. You can imagine for yourself the potential risk this poses to the organization.
This also creates a very misleading experience for the CISO. The CISO believes their organization is protected, and may even receive reports of all the threats discovered during scanning. But in reality those detection services do not even know how good or bad the situation is, because they are not dynamically scanning 100% of the email traffic.
There is no excuse. If you want to protect your network, or cloud storage, or email, everything must be scanned. You should ensure that the service you choose can meet your scale and speed. This is the only way that Security will not cause a conflict with the business enablement you are expected to deliver.
Non-intrusive
"Non-intrusive" is viewed from two perspectives: the user level and the security/IT team level. From the user perspective, the solution has to feel like part of the original service, e.g. their Office 365. It has to be active without taking any focus away from the business need. From outside the security world, a good example is an integration of instant messaging services (e.g. Zoom) that can automatically add conference details to a calendar. In the world of security, a "Report Suspicious" button added to Office 365 or G-Suite apps is another good example. At Perception Point we simply added a small button woven into the familiar existing toolbar: the user sees it as part of the core email service and is then open to using it.
As mentioned, the second element is the perspective of the security and IT teams. The burden of integrating and managing too many security solutions lies heavily on the shoulders of the CISO. This burden makes them too hesitant when selecting new security services, and many times the CISO elects to stay with old services that are not protecting them properly, just to avoid "rocking the boat".
A good service makes life easier. It allows a CISO to integrate and test it with a few clicks in less than an hour. This lets the CISO check everything themselves and make sure they take only the best of breed. A solution that is simple will also look simple and, most importantly, will be simple to use in the most efficient way.
Privacy-aware
Your service will probably have access to a lot of personal information.
Make sure to respect user privacy and apply the proper controls so that no data is shared with unauthorized personnel. In addition, use aggregated views and metadata-based information wherever possible.
This ensures that administrators, and subsequently the relevant personnel, receive only the data they need in order to perform their jobs. At Perception Point we have created views that show statistical and analytical information without exposing private and sensitive data.
Uncompromising
It is very easy to find excuses for why something is hard to do and to provide a partial solution to your users, but you should ask yourself: is this the best option out there? We see some vendors trying to market the problem as a feature. Do not fall for that. A good example is post-attack detection. Ask yourself: do they offer it because it actually improves the product, or simply because scanning takes time and is hard to scale?
Don't compromise. Think outside the box and strive for perfection. There are no shortcuts. A good service with a good user experience needs to be (or should strive to be) perfect across every channel it covers.
Empower your users
The best experience of a security service is when the CISO never interacts with it but still gets the feeling that it is working and that they are receiving a service. In such a case, the CISO can feel that everything is fine and that their users are not under attack. Sometimes it is also important to communicate to users what the solution does, why, and how (in a short, to-the-point manner), and if possible to give them feedback on good behaviour and help educate them where they are lacking.
In the security world, the users may also simply be security experts. You need to find a solution that suits their needs: for example, make sure that it is easy to use, shows results and insights in a clear manner, and makes clear how they can access and act upon those insights whenever they need to.
Protection as a Service
Experience is also about the level of service you provide. It is no longer enough to hand over a platform and let your users figure out how to protect the organization with it.
A good solution provides protection as a service. With a good incident response team and automated processes, a good service can proactively adapt itself to new attacks and always make sure the customer is as well protected as possible.
This is a good experience because it means the customer does not need to work for your product. Your product works for the customer.
User experience is key in every service, and for a cybersecurity service, the best user-experience is, in a way, to just feel as if it is not there.
Be fast, seamless, comprehensive, uncompromising, privacy-aware, and non-intrusive. Give your CISO the power they need to properly protect their users.
Your service should feel like magic to your users, with no friction at all.