April 15, 2020

Every year, private industry and government increase their spending on cybersecurity. Just last month the U.S. federal budget designated a whopping $18.78 billion for cybersecurity spending in 2021. Despite increased investment in cybersecurity, the frequency of insider incidents has actually tripled since 2016; careless employees or contractors were responsible for over 60 percent of internal breaches.

Why is this happening? Because pouring money into digital defenses means little without thinking about how they might affect end-users and the organization’s operations. If something is too complex or cumbersome to use, people are more likely to ignore it. 

COVID-19’s arrival has wrought two huge challenges on organizations’ cybersecurity frameworks: the sudden, increased demand for the technological capability to power an entirely remote workforce and the influx of malicious actors looking to capitalize on them. Now is the time to consider security risks in tandem with workflows at all levels of the organization as COVID-19 is changing those workflows in unprecedented and unpredictable ways. 

Taking the user-focused steps below will ensure that the cybersecurity products you invest in will:

  • Decrease cyber vulnerabilities
  • Adapt to your work rather than the other way around 
  • Be used by your workforce

The two biggest factors that affect the success of deploying cybersecurity tools are whether customers will want to use the products and whether the organization and its leadership will support and commit to using them. Before purchasing a cybersecurity product for an organization, leadership should ask two critical questions to determine what obstacles they may encounter: 

  1. Will your workforce actually use, and not abuse, the tools?
  2. Will the cybersecurity tool disrupt existing organizational processes? 

To answer those questions accurately, team leads should meet with co-workers and ask:  

  1. What pain points have they had in the past with security products? How did they disrupt workflows?
  2. How might this specific security product impact (for better and for worse) daily workflow?
  3. What won’t they be able to do because of this security product, if anything?
  4. Who else should be a part of this exploratory discussion?

What should this interview process look like? During interviews, team leads will need to explain what the security product does, and how users will interact with it. This doesn’t   need to involve everyone – target at least 10-20 people from each subgroup within the organization.  (In this case, define a subgroup as the employees who will experience the security product in similar ways, such as a subgroup of analysts or engineers.) You may find that there are more -- or fewer -- subgroups than expected. This is normal and will become clear based on the consistency (or lack thereof) in responses within and across subgroups. 

Next, identify people in the organization that could disrupt the execution of this product’s deployment. This could be a group that will not allow any downtime of their systems to have security upgrades done, or a group that has not received any cybersecurity training. Focus on mid-level personnel since they are often the people who will deploy the new tool. 

After compiling a list of names, ask them the following questions about the product’s viability within the organization:

  1. Will deploying this tool disrupt any major organizational processes or timelines?
  2. Does this disruption correlate with mid-level (not senior-level) leadership priorities? Is there a specific mid-level champion behind this product?
  3. Who else should I talk to about this?

 This information will help IT leaders confidently customize a deployment plan for a cybersecurity product within the organization without worrying about anyone standing in their way. 

What would this foresight do for your organization? It may seem like this process is great for deploying simple solutions, but would never work on hard problems or tedious processes. We have many examples of how it has worked repeatedly and at scale – here is just one:

Government analysts were faced with the mundane task of sorting through terabytes of data to prioritize what to analyze later. Not only was this time-intensive, but no matter the level of human effort, some data was always left unexamined.  After working with the analysts to understand how they did this task and how it fits into their greater workflow, we explored how industry approaches similar problems. Using this information, we developed a prototype solution that enabled the analysts to scroll through files like a popular dating app (Tinder). Not only did users enjoy the simple interface, they proved to be 230% faster with a few repetitive tasks removed from their workflow. 

The security challenges of coronavirus and mass remote working are already apparent - 71 percent of security professionals have noticed an increase in security threats or attacks since the beginning of the COVID-19 outbreak. As your organization adapts its cybersecurity posture and considers acquiring new cybersecurity products, striking a balance between security and convenience has never been more attainable. Knowing your users and understanding your organizational obstacles will enable a more secure organization.