Balancing security and usability

by Brian Katz on September 5, 2014 · 2 comments

I spend a lot of my time talking about mobility and enablement. When I’m not doing that the talk usually turns to security. So I had to pause today when someone asked me how do you balance mobility and security. I didn’t really understand the question. Why were people worrying about balancing mobility and security? Then I realized this was one of the basic issues that most companies face. It’s not a new issue either.

The old question used to be how do we balance security and access. It’s what led to draconian measures on owning laptops, requiring them to be encrypted and to have antivirus software, anti-malware software, and a firewall installed as well. This legacy approach reminds me of the bubble boy, who had to be protected from all pathogens, so an impenetrable bubble surrounded him. When you put so many protections around people, all they want to do is experience the outside, hence the rise of shadow innovation. When the iPhone entered the business, security took the same stance. These mobile devices had to be completely owned. It was the rise of Mobile Device Management (MDM).

The fundamental question, though, is wrong. It’s not how you balance mobility or access with security, but rather how you balance usability with security. People have to get their work done. It’s a fact of life. In this day and age of the IT-ization of the consumer, where there are 50 apps for every task, you have to provide an easy way for people to get their work done or they will move on to the next app. The user experience is paramount. As Google found, “Average increases in response time of only a tenth of a second have a negative effect on search usage.”

Yet as important as user experience is, we still need to find a secure way for people to get their work done. This is where the balancing act occurs. The security of the transactions that occur during the user experience must be weighed against the effect of that security on the user experience itself. This balancing act becomes a risk assessment that must be made by security in consultation with the business. It will be a rare occasion, if ever, that something can be completely secure and at the same time have a great UX.

The goal of enablement is to follow the FUN principle (focusing on the users’ needs) and to meet those needs in a simple, efficient and productive yet secure way. This is what a great UX is all about. The only way to provide that secure yet transparent experience is to start with security from the beginning. Only when security is involved in the design of the app and understands both the business requirements and the user needs can it contribute to a secure yet seamless user experience.

Security isn’t really an IT function, it’s a business function. It involves understanding risks and seeking ways to minimize and/or mitigate those risks while still enabling the business to function. This is why it makes sense to get infosec involved in design and encourage them to become design thinkers. The ability to say no disappears when the business needs a job done. As those infosec people start working on projects from the beginning and embed themselves within the business and the developers, it no longer becomes an us-versus-them mentality. The focus isn’t on saying no to an app or project when it is submitted right before it is to be rolled out, but rather on designing it securely from day one.

It becomes very easy for infosec to become the department of no when they are focused on the audit at release time and checking off boxes to make sure an app is compliant and secure. Instead, they can become the department of know, which helps to make great secure design decisions because they have considered the risks and found ways to minimize or mitigate them through good design decisions. They are also training the developers to incorporate security into their design process. The audit at the end becomes pro forma, because the app wasn’t designed to meet the audit; it was designed to provide a safe and secure, yet awesome, user experience.

When everyone follows the FUN principle, and design isn’t limited to just developers but incorporates infosec, the balance between security and usability is easy. The first step on the road to enablement moves from competition to cooperation between security and developers.

Wh1t3Rabbit September 5, 2014 at 12:24 pm

I think I found something we disagree on. Security absolutely *is* an IT function, but it is *also* a business function – when it works the way it should. You essentially have two components – governance/architecture and engineering/operations – one is IT the other is largely a business function ( you can probably guess which is which ).

Otherwise, good piece, the balancing act is extremely difficult. Most fail at it, because the balance isn’t trivial to achieve and like that app where you’re trying to balance out the drunk cartoon character walking – once you lean too far to one side you’re lost.

/WR

Brian Katz September 5, 2014 at 12:30 pm

Raf –

Isn’t that IT function just part of that business function? I know where you are coming from but I find many in IT security divorce themselves from the business end and you need to always take that into account. Then again, I’m not a trained security professional… 😉

BK
