A strong cybersecurity posture is hard to get your arms around. Just talk to the operational team. Security challenges and personnel burn-out arising out of complexity, notification fatigue, resource scarcity, and convoluted security protocols are rampant. The number of reported breaches has increased about three-fold between 2013 and 2019 even while cybersecurity spending has doubled in that same approximate timeframe (2012-2018).
In a red-hot market such as this, it’s little surprise that a very chaotic marketplace has taken shape with over 1,200 technology vendors selling to largely unsophisticated buyers. In this market, everyone is buying but no one is feeling safer.
One of the root causes of this seemingly futile state of affairs is a lack of human-centered design when managing an organizational cybersecurity posture. Human-centered design is simply the ability to use empathy to imagine yourself in others’ shoes, and see things as others do. When well-executed, a human-centered approach fuels the creation of policies, procedures, and end results that resonate more deeply with employees and other stakeholders — ultimately driving engagement and growth.
As someone who ran a customer engagement-as-a-service company prior to my current work in cybersecurity (and a then-buyer of cybersecurity services), I felt first-hand that we lost the big picture to checklists, spreadsheets full of controls, and a focus on the latest cybersecurity tech. If we had done cybersecurity “right”, we would have started, instead, with looking at the jobs to get done by our people. We would have considered closely how to make life better for them while “baking in” security instead of slapping on “modify-some-template” procedures and tools-du-jour in a mad dash to meet external pressures like achieving SOC 2 compliance.
As cybersecurity experts, we often fall prey to the same issue. Our starting point for solving a lack of security is to look at external factors like threats, in a sometimes misguided belief that everyone has the same priority as we do: to protect themselves. Not true. Organizational motivations are much more varied than that.
Consider the basic fumbles that drive us up the wall – users clicking on things, vulnerabilities going unpatched, or a proclivity towards creating weak or duplicate passwords. An empathetic approach to cybersecurity forces us to acknowledge that these issues exist for a good reason and that security hygiene is often subordinated to countervailing priorities.
So, what are some starting points for being more human-centered in your design of cyber defence?
Set aside your cybersecurity bias. The need for security is obvious to those in the field. Therefore, it is natural to project the same point of view onto others. When someone acts insecurely, we assume that is because they are making conscious tradeoff decisions. Unfortunately, that’s not often true. More likely, their action stems from being totally unaware or not understanding the impact.
Acknowledging our bias allows us to see things from the end user perspective, making it more likely that the final solution is aligned with the values and workflows of the user.
Ask the right questions. In one of my prior lives, we asked questions like “How do we increase customer utilization rates by 12%?” Unsurprisingly, we came up with staid answers that didn’t impact revenue growth. When we re-framed the challenge with more empathetic questions like “How do we help our customers make the payment process more frictionless,” we suddenly were bursting with ideas that ultimately drove more utilization. The same holds true when thinking about the role of cybersecurity in an organization.
Actively seek out user feedback. Cybersecurity is a high-pressure challenge. You don’t get to screw up too many times before you find yourself out of a job. In the bustle of planning and implementing, getting user feedback may feel like an unnecessary luxury. However, if you test out proposed security changes and study how they affect people’s workflow, the insights are priceless. The learning will uncover areas of improvement, inspire creative problem-solving and, ultimately, drive better implementations.
~ Akash Desai, Partner & Head of Channel.