Applying UX Design to Cyber Strategy
In 1993, Apple hired Don Norman to be its first User Experience Architect. Today, many consider Norman to be the father of user experience (UX) design.
Norman’s life mission is about making human experiences more useful, usable, desirable, valuable, and accessible. And over the last couple of decades, UX has taken off in a big way. We’ve seen it most prominently in the software development world, and we most frequently benefit from UX design through smartphone apps (although UX design can show up anywhere, whenever makers care enough to apply it).
Application to cyber
Recently, UX design practices have entered the cyber security realm. The goal is to improve cyber capability uptake amongst human stakeholders, thereby improving the cyber health of a given organization or delivering a more secure experience to an end customer. We can see UX design practices applied in cyber at two levels of abstraction: micro and macro.
Micro practices: This is what we’re most used to seeing. While UX design wasn’t a focus during the command-line firewall configuration days of yesteryear, today we most commonly see it applied in these ways:
- End user applications: Infusing security seamlessly into the business/consumer applications that end users interact with (e.g., single sign-on, simple multi-factor authentication) – basically, a new security control shouldn’t disrupt an employee’s workflow
- Security technologies: Providing at-a-glance dashboards and well-visualized datasets, and stitching together tools through APIs into a ‘single pane of glass’ (listen to Lyft’s CISO give an awesome rant against this here)
Macro practices: While the micro focus is certainly important, we’ve reached new heights where we need to pull in UX design for bigger, more sophisticated cyber problems. When we think about improving cyber strategy within an enterprise, it’s about earning trust, establishing more influence, and obtaining more “skin in the game” from a wide range of stakeholders to better execute the cyber mission. A cyber program can’t be successful in a vacuum and there’s a ton of inertia to overcome to ensure that all those capability investments truly pay off, so we’ve got work to do. Cyber is a complex adaptive system, and designing for UX is key in shaping the environment for success. Examples of applying UX design to cyber strategy include:
- Continuous capability refinement: Think about how CI/CD works in pushing code to production environments, and apply that to a consistent and frequent way of obtaining capability feedback, developing lessons learned, and fine-tuning your operationalized protect, detect, and respond functionality
- Operating model alignment: Work to really “know” your most important stakeholders, envision the experiences you want each to uniquely have, and drive towards how you’re going to continually engage them with your cyber program resources
- Culture shaping: Since “culture beats strategy…so much that culture is strategy” (thank you, Seth Godin), you need to design how people experience and perceive cyber security (e.g., get key leaders to exhibit certain behaviors that shift wide-scale mindsets on the “why” of cyber)
Implementing UX design for the “big picture”
Start with imagining what you want the cyber security experience to be like. Imagine people are watching a live play on stage about your program – how do you want people to perceive and “feel” about it? Maybe cyber security is fluid and completely hidden, maybe it’s a decision point of every strategic business meeting, or maybe it’s a centerpiece topic of product and service development. Whatever you envision, you must design towards that end. We’re not simply here to fill in control gaps, live in a protected back office “bubble”, and hope that all will be well. That was yesterday. Today, the challenge is far bigger.
Getting cyber strategy to a better place involves empathy, two-way stakeholder communication, and commitment to continual refinement. Tactically, I’m a big fan of Nate Walkingshaw’s (Pluralsight CXO) Directed Discovery four-step design method:
- VOC: Voice of the customer – use ethnography techniques to explore persona-based needs and sketch out specific desired experiences
- CPT: Customer preference testing – present design options to customers and obtain raw, authentic feedback
- CCT: Customer confirmation testing – exercise a “built†capability to obtain accurate validation of how the customer perceived the experience (e.g., did they like how cyber risk scenarios were communicated to them?)
- Launch: Full product deployment – bring validated capabilities online and then jump into monitoring mode to decipher what the next batch of refinements should be
We need to start thinking about UX design as a systematic capability in cyber programs – investing for the long term in the processes and people that’ll enable this. Simply digging into the same ol’ CISSP talent pool won’t suffice. Our cyber security journey requires that we remain creative and open to new ideas that’ll continually raise the bar.
Want to stay in touch? Please follow me on matthewdoan.com, LinkedIn, Twitter, and Medium.