Peter Hesse shares how techniques used during development reveal a pathway to reduce risk while improving experience

What if people weren't the proverbial weakest link? By rethinking how we develop the solutions we rely on, it's possible to make it easier for people to do their jobs while reducing risk.

Peter Hesse (LinkedIn, @pmhesse), CSO of 10 Pearls, recently published why the answer to "Can you reduce risk by improving user experience?" (link) is yes. (He then discussed his experience on a panel I moderated.)

Here are some of Peter's insights into why and how this benefits our pursuit of reducing risk in a way that works with — and not against — people.

Why we need to consider the user experience to reduce risk

Less than a generation ago, electronic information was housed on huge, dedicated machines with limited, controlled access. Today, the average organization relies on 200-400 applications — specifically designed to capture, access, and process an expanding amount of information. We access and act on that information from devices we store in our pockets.

As we grapple with the implications of accessing more information from more devices and in more locations, the user experience gains importance. Peter explains:

"It is incredibly powerful to understand where people are looking, where they are clicking, and what paths they are taking through an application. With this insight, you can reduce friction and create the best experience. Knowing how people use applications helps you to understand what information should be protected. It's also valuable when something goes wrong during testing of an application, to know where someone was in the application and what they had clicked on in order to cause an error."

What stands out for me is the ability to use the actual experience of people to determine our priorities.
This gives us insights that inform our prevention, detection, and response efforts.

Three immediate ways to reduce risk by studying the user experience

Peter breaks out three powerful benefits that come from understanding how the application is used:

1. We can create different user types. Then, those that do not need access to the sensitive information can't retrieve it.
2. We can change flows through the application so that sensitive information is easy to reach only when it is actually needed, and harder to access otherwise.
3. We can help users understand the potential consequences of their actions. Give them steps they must acknowledge before accessing sensitive information or executing risky operations. We can also record these riskier operations for further review without overloading our systems or administrators.

This is the difference between guessing or polling people and basing decisions on the evidence of what people actually do. It has the added benefit of allowing us to share what we learn with other teams, helping them to gain a deeper understanding of their own processes and actions.

How to get started

The best way to get started is to ask someone else for help. Chances are someone in your organization or a partner has the necessary experience and tools. If you're not sure who to start with, consider which other groups in the organization have an interest in understanding how people use applications.

With a focus on the specifics of what people access, the paths they follow to get and process data, and the actual clicks and commands, you're likely to find that someone in application development already has what you need.

Schedule some time to learn from them. Find out what they capture and how. Learn how they feed it back into their processes. Ask if they'd be willing to share with you in an effort to better protect the information.
By working together, everyone gains insights into how the work of the organization gets done, and where we need to focus to reduce risk — even as we make it easier for people to do their jobs.
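To make the three controls Peter lists concrete, here is an added example (not code from the article or from 10 Pearls) of a tiny policy layer that separates user types, forces sensitive reads through an explicit acknowledged flow, and writes an audit record only for those riskier reads. The roles, field classification and sample record are constructed for illustration.

```python
# Added example, not code from the article or from 10 Pearls. It models the three
# controls described in the article: user types that cannot retrieve sensitive
# data, a separate acknowledged flow for sensitive access, and an audit record
# written only for those riskier operations. Roles, fields and data are constructed.
from dataclasses import dataclass

SENSITIVE_FIELDS = {"ssn", "salary"}      # constructed data classification
ROLES_ALLOWED_SENSITIVE = {"analyst"}     # only this user type may use the sensitive flow


@dataclass(frozen=True)
class User:
    name: str
    role: str                             # e.g. "viewer" or "analyst" (constructed roles)


def access_decision(user, fields, acknowledged=False):
    """Return 'allow', 'deny-role' or 'deny-flow' for a request of `fields`."""
    wants_sensitive = set(fields) & SENSITIVE_FIELDS
    if not wants_sensitive:
        return "allow"                    # ordinary path: no extra friction, no audit entry
    if user.role not in ROLES_ALLOWED_SENSITIVE:
        return "deny-role"                # this user type simply cannot retrieve the data
    if not acknowledged:
        return "deny-flow"                # right role, but must go through the acknowledged flow
    return "allow"


def fetch_record(user, record, fields, audit, acknowledged=False):
    """Apply the decision and write an audit entry only for sensitive reads.

    Returns (decision, data); `audit` is a list the caller owns, so only the
    riskier operations accumulate there and reviewers are not flooded.
    """
    decision = access_decision(user, fields, acknowledged)
    if decision != "allow":
        return decision, {}
    wants_sensitive = sorted(set(fields) & SENSITIVE_FIELDS)
    if wants_sensitive:
        audit.append({"user": user.name, "record": record["id"], "fields": wants_sensitive})
    return decision, {f: record[f] for f in fields if f in record}


# Constructed sample record used for the demonstration below.
SAMPLE_RECORD = {"id": 7, "name": "Ada", "ssn": "000-00-0000", "salary": 1}

if __name__ == "__main__":
    log = []
    print(fetch_record(User("vic", "viewer"), SAMPLE_RECORD, ["name", "ssn"], log))
    print(fetch_record(User("ann", "analyst"), SAMPLE_RECORD, ["ssn"], log, acknowledged=True))
    print(log)
```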