Usability vs Security – The myth that keeps CISOs up at night

Written by: Peter Hesse, CSO at 10Pearls

As I write this, we are halfway through the fifth month of the COVID-19 pandemic. All of us have had some amount of upheaval in our lives including restricting travel and our contact with friends and family. Some have had even more difficulty – loss of jobs, businesses, and the downturn of entire economic sectors. An uncertain future remains before us. 

The rapid move by many businesses to support teleworking has caused a boom in technology fields. Some organizations like Amazon, Twitter, Teladoc, and Siemens are treating working remotely as not just a temporary change, but as a more permanent shift. Tech adoption, disruption, and digital transformation are all on the rise. As a result, the CISOs that are lucky enough to remain employed are facing a greater challenge than before. Do more with less. Move from the tactical (implement this tool, remediate this vulnerability) to the strategic. Tackle the challenges of not just working remotely but onboarding new hires and creating team camaraderie remotely. And do not let this turbulence affect the security of your organization.

The False Tradeoff

Everyone is navigating uncertainty, and CISOs are being asked to quickly implement or approve new technology solutions to simplify working from home. They are asked to sign off on a new tool that will make sharing information easier—but find that the solution doesn’t have even the most basic security principles in place.

“There’s a tradeoff between security and usability,” someone will inevitably say.

People believe that there must be a compromise between how easy something is to use, and how secure it can be. This simply isn’t the case. In fact, the best security measures should allow for seamless protection while enhancing user experience.

Look at the rise of new online ordering systems that have taken off to enable small restaurants to survive the shift to take-out only. Many of these do not require a complicated signup or registration process at all. Instead, they leverage your email or phone number as an identifier, and a browser cookie to remember you between visits. There is no login with a username and password, just a link sent by text or email.

These solutions focus on improving the online ordering experience without compromising on security. They use HTTPS to protect transactions, secure their browser cookies, and don’t even save your whole credit card number. The only risk if your email or SIM is compromised is your order history! If someone manages to crack my Gmail, I can live with them discovering that I love my local restaurant’s Pad Thai.
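The passwordless flow described above, as an added illustration written for this article rather than code from any ordering vendor: the server emails or texts a one-time link, keeps only a hash of the link token, enforces a short expiry and single use, and sets the session cookie with the attributes that make "secure their browser cookies" concrete (Secure, HttpOnly, SameSite). The store, the `order.example` URL, the 15-minute lifetime and the identifier values are all assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60  # assumption: a mailed or texted link is only good for a short window


@dataclass
class PendingLink:
    identifier: str  # the email address or phone number the link was sent to
    expires_at: float
    used: bool = False


@dataclass
class OrderingAuth:
    """In-memory stand-in for the server-side stores of a hypothetical ordering site."""
    pending: Dict[str, PendingLink] = field(default_factory=dict)  # token hash -> PendingLink
    sessions: Dict[str, str] = field(default_factory=dict)         # session id -> identifier

    def issue_link(self, identifier: str, now: Optional[float] = None) -> str:
        """Create the one-time login link that would be sent by email or SMS."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the hash is stored: a copy of the database cannot be replayed as live links.
        self.pending[_digest(token)] = PendingLink(identifier, now + LINK_TTL_SECONDS)
        return f"https://order.example/login?token={token}"  # constructed URL

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Exchange a clicked link for a session id; None means the link is invalid."""
        now = time.time() if now is None else now
        entry = self.pending.get(_digest(token))
        if entry is None or entry.used or now > entry.expires_at:
            return None
        entry.used = True  # single use: forwarding or re-clicking the link buys nothing
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = entry.identifier
        return session_id


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def token_from_url(url: str) -> str:
    """Pull the token out of the link the way the login endpoint would."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for the session: HTTPS only, invisible to page scripts,
    and not attached to cross-site form posts."""
    return f"sid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

The point of hashing the stored token and making it single use is that the only secret in the whole flow lives briefly in the user's inbox or messages; once it has been clicked, or after the window closes, it is worthless to anyone who later reads that inbox.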

Apply Design Thinking Principles

In these times of volatility and uncertainty, it is important to realize that everyone is facing the same challenges, and some are having a tougher time than others. There is already so much change going on in everyone’s lives, and introducing new security controls or solutions may be met with more resistance than usual.

This is actually a great opportunity for security leaders to leverage human-centric design thinking principles.

Start by empathizing with your user community to find their pain points and get their feedback. Ask questions. See how it impacts their day-to-day process.

In uncertain times like these, you shouldn’t expect individuals to be willing to accept holistic changes. You need to prioritize the most important goals, and clearly define them. This may slow you down – but a little patience will go a long way to ensure that the solution will be embraced, and not something to “work around”.

And of course, you will need to test and iterate. Roll out your solution to small groups. Get their feedback, improve, and test again. Ensure the solution works for everyone. Value everyone’s feedback – not only executives and the security team.

Make it Easy to do the Right Thing

User experience (UX) professionals use a method called “choice architecture” to carefully design the way a choice is presented. People’s decisions can be influenced by the context in which the choices are provided; for example, the button for the intended default choice is bolded or outlined.

By working together with UX teams, you can make it easier for users to make the safe choice.

Let’s take the example of a tablet-based system to view medical records. Replacing the clipboard at the end of a hospital bed, it allows the nurse or doctor to view medical history, recent vitals, allergies, and other important medical information. It must be very easy for a nurse or doctor to view key information quickly – perhaps without even logging in. In an emergency, quick access to this information could make the difference between life and death for the patient.

However, if you wanted to use the same tool to view the information of a different patient, it should be more difficult. Perhaps you should have to log in, go through a menu, confirm that you will erase the current record, search for a new record, and confirm you want it to be available in emergency situations. Where the original use case involved only one tap, in this case we use choice architecture to make the riskier choice harder to make.
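The bedside tablet described above, as an added example that is not from the article or any real clinical product: the record of the patient bound to this bed is one tap away and needs no login, while viewing anyone else's record requires every step of the switch flow, in order, with an out-of-order step resetting the flow and every access written to an audit trail. The patient data, the staff PINs, the step names and the `BedsideTablet` class are all constructed for the illustration.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional, Tuple

# Constructed sample data (not real patients or staff).
RECORDS = {
    "P-1001": {"allergies": ["penicillin"], "vitals": "BP 128/82, HR 74"},
    "P-2002": {"allergies": [], "vitals": "BP 110/70, HR 88"},
}
STAFF_PINS = {"nurse.ada": "4821"}


class Step(Enum):
    """The steps the article lists for viewing a different patient's record."""
    LOGIN = auto()
    OPEN_MENU = auto()
    CONFIRM_CLEAR_CURRENT = auto()
    SEARCH_RECORD = auto()
    CONFIRM_EMERGENCY_AVAILABILITY = auto()


# The deliberate friction: all of these, in this order, before the bound patient changes.
SWITCH_FLOW = list(Step)


@dataclass
class BedsideTablet:
    bound_patient: str                    # the patient assigned to this bed
    user: Optional[str] = None            # staff member logged in, if any
    progress: List[Step] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def emergency_view(self) -> Tuple[bool, dict]:
        """The one-tap path: key information for the bound patient, no login, always audited."""
        self.audit.append(
            f"emergency_view patient={self.bound_patient} user={self.user or 'anonymous'}"
        )
        return True, RECORDS[self.bound_patient]

    def login(self, user: str, pin: str) -> bool:
        expected = STAFF_PINS.get(user, "")
        # Constant-time comparison so a wrong PIN is not distinguishable by timing.
        if not hmac.compare_digest(expected.encode(), pin.encode()):
            self.audit.append(f"login_failed user={user}")
            return False
        self.user = user
        self.progress = [Step.LOGIN]
        return True

    def advance(self, step: Step) -> bool:
        """Accept a step only if it is the next one in SWITCH_FLOW; anything else restarts the flow."""
        if self.user is None:
            return False
        position = len(self.progress)
        expected = SWITCH_FLOW[position] if position < len(SWITCH_FLOW) else None
        if step != expected:
            self.audit.append(f"switch_flow_reset user={self.user} unexpected={step.name}")
            self.progress = [Step.LOGIN]
            return False
        self.progress.append(step)
        return True

    def switch_patient(self, new_patient: str) -> Tuple[bool, str]:
        """Rebind the bed to another patient; only possible once the whole flow is complete."""
        if self.progress != SWITCH_FLOW:
            return False, "switch requires login and every confirmation step"
        if new_patient not in RECORDS:
            return False, "unknown patient"
        self.audit.append(f"switch user={self.user} from={self.bound_patient} to={new_patient}")
        self.bound_patient = new_patient
        self.progress = [Step.LOGIN]  # the flow must be walked again for the next switch
        return True, new_patient
```

Note that the easy path is not unprotected: it is scoped to a single patient and logged, so the tradeoff is between a narrow, auditable exception and a deliberately slower general path, not between security and no security.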

Work Together

Too often, efforts to create or adopt new technology ignore either security or usability until too late in the process. Security is asked to approve a new product which has already been purchased, or security tools are rolled out to the whole company without any user feedback.

By working as one team, UX/UI designers, user researchers, and security professionals can create a customer experience that helps and encourages users to make better security choices. 

The notion that security and usability are a tradeoff is a false premise. Coordinating the two disciplines is the key – and leading technology companies that embrace this co-creation process are seeing quicker adoption of their solutions.