Despite being defined as a function at the mercy of constant change, security typically runs on a set of well-established principles. Getting the basics right can mitigate a large portion of underlying risk. These foundations are shaped by glacial changes at a macro level. One such trend is how the fragmentation of users and devices has driven user experience to prominence. Security leaders recently gathered in a Central London location to discuss what this meant for risk strategy.
A defining event for user security
Without question, the pandemic was an epoch defining event in user security. Previously centralised employees were taken from easily protectable locations and scattered to bedrooms and kitchens globally, seemingly overnight.
Years later, many remain. Despite the pleas of Governments and big companies, given the choice, the workforce remains remote using the applications and devices they want, where they want. Freedom of choice has deep roots.
The security leaders present agreed that the trend for users to dictate experience has become so irreversible that, rather than imposing themselves, they must adapt. Indeed, one attendee indicated that getting the right balance of UX and security has become a board level issue.
Get the right feel
It was raised that people don’t want an invisible security experience – they like to know they are protected. Conversely, however, overly noisy controls which ask too much cause unnecessary friction.
This means getting the right balance between security and user experience is key. One attendee compared this to the ‘feel’ of closing the front door or locking a car: the muscle memory of securing oneself is important – however, the control shouldn’t be too obvious. MFA was praised as a control which has worked hard to get this necessary mix of subtlety and security.
Achieving this requires walking a fine line between what the business requires, both in terms of productivity and risk reduction, while not ‘boiling the ocean’ for the user. In addition, a level of workforce familiarity with the control being used gives security teams an advantage from the outset, which is why browsers are an obvious choice.
The importance of personas
Security leaders admitted this is a hard mark to hit and have traditionally erred on the side of caution – leading to blanket conditional access policies.
However, with more granular data, this is changing. Better segmentation of users based on information such as device type, job role, needs and pain points is increasingly leading to a more detailed set of personas – for which more relevant controls can be created.
An example was provided of customer-facing roles in the transport industry – where there is a focus on getting passengers seated quickly. In this scenario, user friction is a killer. To avoid this, policies give employees access to important data, on mobile devices, using third-party WiFi connections in a variety of geolocations.
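As an added illustration (not from the round table or any vendor named there), the toy evaluator below contrasts a blanket conditional access policy with a persona-based one, using a constructed 'transport_frontline' persona that mirrors the example above; the persona names, attributes and sample contexts are assumptions.

```python
# Added example: persona-based conditional access versus a blanket policy.
# All personas, attributes and contexts are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Persona:
    name: str
    allowed_devices: frozenset        # device types this persona may use
    trusted_networks_only: bool       # deny on third-party networks if True
    allowed_regions: frozenset        # empty set means any geolocation
    step_up_on_untrusted_network: bool  # require MFA instead of denying


@dataclass(frozen=True)
class AccessContext:
    persona: str
    device_type: str
    network: str            # "corporate" or "third_party"
    region: str             # e.g. ISO country code
    mfa_completed: bool = False


# Constructed personas. The transport persona reflects the write-up's example:
# mobile devices on third-party WiFi across many locations, where friction kills.
PERSONAS = {
    "transport_frontline": Persona("transport_frontline", frozenset({"mobile"}),
                                   False, frozenset(), True),
    "finance_analyst": Persona("finance_analyst", frozenset({"managed_laptop"}),
                               True, frozenset({"GB"}), False),
}


def blanket_decision(ctx: AccessContext) -> str:
    """Blanket policy: managed laptop on the corporate network, or nothing."""
    if ctx.device_type == "managed_laptop" and ctx.network == "corporate":
        return "allow"
    return "deny"


def persona_decision(ctx: AccessContext) -> str:
    """Persona policy: returns 'allow', 'step_up' (prompt for MFA) or 'deny'."""
    persona = PERSONAS.get(ctx.persona)
    if persona is None or ctx.device_type not in persona.allowed_devices:
        return "deny"
    if persona.allowed_regions and ctx.region not in persona.allowed_regions:
        return "deny"
    if ctx.network != "corporate":
        if persona.trusted_networks_only:
            return "deny"
        if persona.step_up_on_untrusted_network and not ctx.mfa_completed:
            return "step_up"
    return "allow"


def friction_report(contexts) -> dict:
    """Outright denials under each policy: a rough proxy for user friction."""
    return {"blanket_denied": sum(blanket_decision(c) == "deny" for c in contexts),
            "persona_denied": sum(persona_decision(c) == "deny" for c in contexts)}
```

Under the blanket policy the frontline transport worker is simply locked out on third-party WiFi; under the persona policy the same request gets a single MFA step-up, which is the kind of subtle-but-present control the attendees favoured.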
Those present also outlined that creating user policies based on personas is only the tactical part of this journey. From a strategic point of view, transparent conversations must first be had at a senior level to understand what level of risk the business is willing to tolerate to achieve specific outcomes.
The outcome of these discussions should form the basis of policies for each persona set. A byproduct of these conversations is that security teams get senior level, cross functional, buy-in for such initiatives – providing a fillip for rollout.
Expect change
It was agreed that, like much in cybersecurity, delivering a consistent and secure user experience based on personas is not a process with a defined beginning and end. Rather, it requires mastery of the details and the ability to adapt accordingly.
For example, an acquisition may throw the security team an entirely different set of personas or a subset of existing users might even find ways to subvert new controls. For this reason, revisiting segmentation at regular intervals is important.
In conclusion, those gathered agreed they must understand where business and user context converge in order to deliver a secure, yet seamless, experience. Armed with clear and regularly updated personas and senior buy-in, security leaders are moving towards a better way to maintain this vital balance.