Enterprise security is about protecting data, data loss prevention, and providing a good reputation for the organization’s brand. Compliance is also a factor, depending on the organization’s industry. The goal is to create an effective, consistent, and ongoing IT security process throughout the organization. Most address security needs in three vital critical systems and data areas: Integrity, Confidentiality, and Availability.
All this while millions are happening right now. Cyber attacks have been rated the fifth top-rated risk in 2020 and have become the new norm across public and private sectors. In 2022, businesses around the globe face a ransomware attack every 11 seconds. Check Point Research (CPR) has found that global attacks increased by 28% in the third quarter of 2022 compared to the same period in 2021.
Typically, security policy enforcement consists of two components: detecting violations and taking action when a breach occurs. Traditionally, detecting violations is accomplished using an appropriate rule for more straightforward cases or a plug-in for more complicated policies. Taking action when a violation occurs depends on the local security policy and how threatening the breach is.
While every company wants “security,” the workforce doesn’t like the appearance of working in a jail cell, nor do they want to “feel it” when performing their everyday tasks. Even security professionals hate security. So why do we all harbor so much dislike for something we need so much? And what can we do about it?
Often, we ignore the fundamentals and focus on the latest toy. Lack of a holistic approach, lack of adequate visibility, or missing security in business processes hamper our efforts. Then, ineffective Change Management, focusing on the Production Environment only and ignoring the protection of the Test & Development Environment, and lack of data identification and classification issues start to creep in. And last but not least, those ineffective policies become just-in-paper-only!
See, most folks don’t want to bomb the buy-in, fumble the funding, or appear to lack leadership. There are troublesome technologies to worry about, legacy architecture, policy enforcement pain points, and the dreaded Cyber Security Culture to combat. These worries are typical; what you’ve read and what you may have experienced is similar to most companies. But a new form of implementation is popping up; preparing folks for a change and creating the right experience for people are at the forefront.
Many organizations apply change management to specific projects and initiatives. The most innovative organizations, however, are looking beyond project-by-project application and asking: how can we develop an enterprise-wide change management capability? At the same time, user experience (UX) is a primary focal point for most digital initiatives.
Not only is user experience a critical element in the design process, but it also remains pertinent as product evolution keeps pace with business scale. As online interactions have exponentially grown during the pandemic, it has become startlingly clear that seamless and secure user experiences are necessary for success.
Shouldn’t we make Enterprise Security a product that solves problems for its users, then? Shouldn’t we utilize formal Change Management to correct the Cyber Security Culture and adopt the new security products? And should we not then deploy UX techniques to package and deploy said security products? ADKAR, Journey Mapping, & Persona Development are examples of these.
With that in mind, we could find the barrier point and start from there when helping members of the organization make a change. Ensure we utilize executives to communicate company changes and supervisors to communicate role changes. Simultaneously, we develop personas for user types and critical stakeholders. We would also conduct empathy mapping to fully understand the experience and where we can solve problems and build in touch points.
When applied at the right time by the proper personnel, change management enhances the eradication of unexpected risks and threats related to information security. Each person has their part of the load and, thus, will be able to understand the areas which require change. The link between user experience and security is closely studied academically. It is known as HCISec (also called HCI-SEC or Human-Computer Interaction and Security). Security professionals should understand that while they must give utmost precedence to system security, they cannot overlook user experience.
Remember these two things if you want to achieve goals sustainably and enjoyably. First, communicating with employees about cybersecurity is no different than communicating with employees about an ERP implementation. Both require strong leadership that fosters trust and two-way communication. Both entail precise timing and personalization. Both necessitate an organizational change management team with defined roles and responsibilities. Second, customer demands are explicitly re-designing the authentication and authorization experience now and for the future. Whether or not you accommodate UX demands will be pivotal for ensuring user loyalty and continued growth amidst an incredibly competitive digital (secure) landscape. The choice is yours.