Enterprise Security

Peter Zalman
Published in Enterprise UX
Jun 12, 2017

The latest Jared Spool talk resonates with me in so many ways that I decided to capture my thoughts on Enterprise Security.

Jared M. Spool: Insecure & Unintuitive: How We Need to Fix the UX of Security.

I have been struggling with paranoia-driven enterprise security for years. It does not always mean that the security restrictions are preventing me from doing my job. But the energy and resources invested into mostly useless security policies and restrictions are then missing when we attempt to intentionally design usable enterprise apps and services. Obviously, security is one of the key elements of an intentional and structured design process, so it might not even require a separate theme when UX is deeply embedded into the organization.

It’s painful to log into the phone. But it has a calculator.

The rendering of intent

Corporate security policies and restrictions do not come from a structured design process. These requirements do not come from ethnographic research, synthesized and mapped with the business goals into user journeys and scenarios. Their impact is not precisely measured or validated with the users and stakeholders, and their usability is not tested prior to launch.

Most of the time, these policies are additive. They are added as an extra layer on top of the existing or legacy systems, creating another layer of complexity and adding more burden to the user. Internal security policies are not designed to be empathetic: it is considered OK to require employees to change their habits to become “more secure”. They are employees.

Insecure & Unintuitive

I loved how Jared M. Spool used the comparison to Amazon 1-Click and other services where it “just works”. It clearly illustrates that we are simply not innovating enough in this space. It’s funny that you can buy a $30,000 camera in one click, but you cannot submit your travel expenses in even 15 clicks, even though the system knows it is you, sitting behind your desk and the corporate firewall.

Every time I see a new security policy, whether it covers password resets, email or data retention, software or app catalogue restrictions, or network and wifi restrictions, I ask myself: what was the intention behind this? What was the design process?

And in reality, there is no design process. There are only very generic assumptions, passed directly to IT and technology functions:

  • Someone else does it, so it must work. It was written in “Research Paper X”.
  • Restrictions equal security. If something (data, a network, etc.) is not exposed, it cannot be stolen.

The specific problem a policy is meant to solve is often never stated, and the policy is not backed by factual research data gathered from a relevant user sample.

I am now happy to work at a company that recognizes these flaws and invests heavily in its own design processes. The only answer to the poor usability of enterprise security is an intentional design process that is empathetic to the users and takes the business goals of the company into account.

I am crafting great ideas into working products and striving for balance between Design, Product and Engineering #UX. Views are my own.