SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
How user-centred design is reshaping cybersecurity
Tue, 12th Nov 2019

User-centred design and design thinking aren't new disciplines, but their application in cybersecurity is emerging as a new trend that will reshape the industry in 2020 and beyond.

For CIOs and cybersecurity experts, it means championing a culture shift to constantly ensure we're looking through the lens of the user's perspective and thinking about what they need, how they use the technology and how to keep up with the pace of rapid change.

A user-centred design approach starts with users: asking them what they want in order to gain a deeper understanding of their needs.

Working together, we can then generate ideas with prototypes, which give users something tangible to interact with and provide feedback on.

This enables us to define the user's needs more precisely and test assumptions made during the initial stages of the system's development.

It is a continuous and iterative process to refine ideas and create something that is desirable, viable and feasible for the user and the business.

The human side of agile

This might sound a lot like an agile software development methodology.

But while user-centred design is related to agile software development, its focus is strongly on the user experience rather than the development process.

Every step of the process is dictated by the needs of the user, solving their problems and giving them the information they need at the right time in a desirable form.

It's not unusual for a business to be using up to 100 different Software-as-a-Service (SaaS) solutions.

Each of these will have its own security settings.

Answering a simple, but important question, such as “is two-factor authentication active for all my SaaS applications?” can be extremely difficult.

Most users will be after a simple yes or no answer.

Or perhaps a red or green indicator on a dashboard with other important questions.

In the past, asking a cybersecurity question produced a data-rich but often inscrutable response.

By reducing the reliance on dense data and delivering information in a more accessible way, organisations can make better decisions.

Dealing with escalating threat levels

Cybersecurity has always been a data-rich field and the sophistication of threats has escalated.

The number and complexity of security compliance regimes are increasing, and we now collect more data from more places than ever before.

We have moved from having limited visibility of the threats and actions of malicious actors to information overload.

The attack on Target in the USA might have been the first mega-breach to reach the public eye. That event put the spotlight on boards and executives and their responsibilities in protecting organisational data from cyber attackers, and it completely reshaped the cybersecurity industry.

The information security industry has always struggled to translate its messaging from complex, technical terms into information that's useful to boards and management teams focused on risk.

The traditional users of security-related information have been the technology team.

In order to distil this complex flow of technical data into useful information and insights, a new approach that starts with the users of the data is needed.

Multi-cloud challenges

While all these changes have been taking place, businesses have been turning their technology stack inside out.

Cloud services, whether they are platform or infrastructure services or applications that are developed and operated by third parties, have created increasing complexity.

CIOs are also struggling to deal with dozens of external providers whose systems may make it challenging to monitor the various settings and options they have for securing data.

As the volume, velocity and variety of security-related data continue to increase, making wise decisions is becoming harder.

Focusing on the questions business leaders want to ask and solving the problems they have require putting their needs first.

User-centred design constantly tests assumptions in order to ensure the right questions are being asked so we create desirable, viable and feasible outcomes.