12-12-19 - It'll Be Too Hard for Me to Make It Easy for You

It'll Be Too Hard for Me to Make It Easy for You

December 12, 2019

CISO | Security Vendor Relationship Series

This week's episode of Defense in Depth

UX in Cybersecurity

Defense in Depth: UX in Cybersecurity

 On this episode of Defense in Depth:

Co-host Allan Alford and our guest Rakesh Patwari, UX lead, Salesforce and UX instructor at UC Berkeley Extension, discussed:

  • There is the path to security you create and the path that your users take, or the desired path. As a security and UX professional you should plan to make those two the same path. If not, your users will take the simpler route and circumvent your security controls.

  • Users will always choose the easier path which is not necessarily the most secure path.

  • Security is an "ask." You're requesting users do something, but it's hard to get them to keep doing that "ask" if you don't give them feedback as to the reason or value of the ask.

  • Error messages historically provide little to no information to the user and thus no guidance to solve the problem. We often have to go outside of the environment (a search engine) to find a solution.

  • Security professionals need to take on the role of a UX designer which requires defining work processes by interviewing users, not deciding what you want those processes to be.

  • Creating a simple process is far more difficult than creating a complex process. Secure processes don't require users to constantly turn functions on and off or go through additional unnecessary steps to get their job done.

  • View your users as customers where you're trying to sell them on your process rather than dictating which will eventually be avoided.

Special thanks to this week's Defense in Depth podcast sponsor, Enzoic.

Enzoic

Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed username and password combinations to identity accounts at risk and mitigate unauthorized access. Learn more about Enzoic.

Allan Alford on making sure candidates want to gain skills if they don't have them.

TOMORROW! CISO Series Video Chat (Friday, 12/13/19 at 10 AM Pacific)

Hacking the Greatest Risks:

An hour of critical thinking about protecting where we’re most financially and legally most susceptible

Join us tomorrow for this super fun weekly event, where everyone can participate. Either in text chat or on video. We're going to talk about do's and don'ts of pitching to CISOs via email.Go ahead and register. It all starts at 10 AM Pacific tomorrow.

Jeff Hudesman, head of InfoSec, DailyPay on how to handle scams that may seem real.

SUBSCRIBE TO BOTH PODCASTS

Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.

If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.