Cybersecurity Is a UX Issue
My short career as a hacker ended the day two men in stiff government suits showed up wanting to know how I accessed a restricted US military network. That was a difficult day.
Before and after this turning point, cybersecurity, privacy, and identity access management (IAM) weaved their way into my career again and again. Except for one other uncomfortable incident, all that weaving has been on the white-hat side. From working on the security for a phone system used in the Clinton White House, to product managing the Microsoft Windows Core Security team, to my current job leading the End-To-End Experience (E2EX) organization for Sophos, cybersecurity and related projects just won't let me alone.
What is unusual about that is that I'm not a developer or a cybersecurity expert; I'm a UX person. My entire life has been about making things better. The UX approach is a set of portable skills that can be applied to any technology, any industry, any interaction any human being has with anything - including cybersecurity. I've been lucky to be able to apply these skills to many varied things, including complex enterprise software, consumer apps, the perception of digital audio, and even how soda is stocked in concession stands for the best user experience. And, repeatedly, to cybersecurity, privacy, and IAM.
My End-To-End Experience job at Sophos
I wasn't looking for a job when Sophos reached out with an offer. However, I have been very vocal for years about how cybersecurity is a UX issue, and finally someone listened. When it first occurred to me that security needed UX, I applied the UX approach opportunistically. However, in 2004 it became a deliberate campaign when, with a small, intrepid group of UX people, I started the Windows Security UX Team, based on the tenet, "It isn't secure if people can't use it."
Since then I’ve presented broadly on the connection between UX and security. I’ve promoted the idea that security is a UX issue, spoken about how UX can make security more secure by ensuring that people can use it, argued about what to do with human error in security, and taught what the UX and Security approaches can learn from each other. I took the job offer from Sophos because their senior management team convinced me that they recognize the potential of UX to transform the cybersecurity industry. I've never known a company to invest more in the UX of cybersecurity than Sophos.
My job is to enlarge the Sophos experience design practice and then extend it from product UX to customer experience (CX), partner experience (PX), installer experience (IX), customer support experience (CSX), developer experience (DX), etc. until we’ve enhanced every aspect of the E2EX. Our remit covers any person who interacts with Sophos in any capacity at any point. Just like digital systems are only secure if every aspect of the end-to-end system is secure, the total experience with Sophos won’t be complete until every aspect of the E2EX is optimized. (Something Security can teach UX.)
What does UX have to do with cybersecurity?
Cybersecurity threats are increasing exponentially. IT security products have become as complex as the networks and devices they secure. With a significant, and dramatically increasing, shortage of skilled cybersecurity professionals, cybersecurity must become accessible to a broader group of people. More people with less training must protect more devices, systems, and networks in their enterprises, businesses, and homes in an increasingly complex world. Making the complex accessible to people is a UX issue.
At one point in the chain of events or another, human error is a contributing cause of over 95% of cybersecurity incidents. To reduce the risk of human error and increase user confidence we need to understand how people build mental models, make decisions, learn, and behave. UX solves problems based on understanding people. Human error is a UX issue.
Sophos is using machine learning and AI to provide protection that is equally available to cybersecurity experts, IT generalists, and end users. Sophos UX uses its understanding of everybody’s struggle with cybersecurity in order to make cybersecurity actionable at multiple levels. Augmenting human capabilities gracefully is a UX issue.
Many UX people shun opportunities to colonize the cybersecurity industry. They mistakenly believe that cybersecurity is a technology conflict. Technology is only the battlefield. Cybersecurity is a human vs. human problem. UX solves human problems. Cybersecurity is a UX issue.
Cybersecurity needs more UX people
When a new technology or an emergent methodology comes to the attention of UX, we consume it. We explore it, we adapt to it, we assimilate it. UX people focus on that area, hammer out ideas, contribute patterns, solutions, concepts and direction. With a significant enough contribution, a platform develops and whole new fields of UX are built on it.
This happened with mobile phones and the emergence of Mobile UX; search and Search UX; lean and Lean UX, etc. We’re not there yet with Security UX. We need more talented UX people to dive in and mix up the evolving ideas around the UX of cybersecurity, privacy, and IAM. We need enough contribution to reach the tipping point – to build that platform.
What are you waiting for? Colonize! Now is the perfect opportunity for UX to inhabit the cybersecurity industry and bring the UX approach to building experiences that has benefited other industries. Leave your comfortable home in your well-established UX area and come to an uncharted frontier where UX does not yet have a strong foothold. Start your adventure exploring Security UX.
UXers in cybersecurity need to connect
Promoting cybersecurity as a UX issue has brought attention and lots of great conversations over the years. I know that almost every cybersecurity company is starting to invest in UX. I know many of the UX professionals working in cybersecurity, privacy, and IAM. I’ve met you at security industry events, workshops, and conferences. And I know there must be more of you that I don’t know.
If you’re a UX person working in cybersecurity, privacy, or IAM, I’d like to meet you. Let’s connect and see where it will take us as a group. Together we’ll meet. Together we’ll disagree. Together we’ll share. Together we’ll collaborate and move things forward. Separately we’ll compete to attract the best UX people to join our teams.
Come join the Sophos UX organization
Even if you’re not looking to join our team now, if you’re a UX person interested in Security UX, I’d like to meet you. I’d love to hear from you, get to know you, and share the immediate and future possibilities.
Sophos has a substantial UX organization and we’re growing. We have a big mission and we need to expand. We need your help. I’ve got open positions now and will have many more in 2019 and beyond.
What’s that? Did you say that cybersecurity is not “cool”? You might be cool if you apply your UX skills to persuade people to buy more things. You might be cool if you use your accumulated expertise to bring more entertainment options to people. You might be cool because you create yet another mobile app. But if you think that using your UX talent to protect many millions of people worldwide from financial and real harm is not cool, then you don't understand what it means to be a real waking-day superhero. Cybersecurity is definitely cool.
What we’re looking for at Sophos UX
- You do not need to already know cybersecurity; you need to know UX and love to make complex things simple. You will learn and become very familiar with cybersecurity as part of your job.
- You need to embrace the fact that UX should not be limited. You need to see the potential for UX to extend to any interaction, not just products.
- You need to be prepared to be explorers, colonizers, and adventurers, because there will be uncomfortable challenges ahead and we need to depend on each other to succeed.
- You need to be assimilators and adapters. We will have to develop techniques and solutions, acquire methods from other disciplines and other industries, and bend them to meet the needs of Security UX.
Who we are
The Sophos UX organization is a multi-disciplinary, international team of UX professionals in eight countries, working with teams innovating in even more places, to serve partners and customers worldwide. We know UX is multi-disciplinary, not just design, and UX professionals are a mélange of skills and experiences. We have UX generalists and UX specialists in interaction design, content, translation, visual design, information architecture, UX research, UX evaluation, analytics, multi-media design, etc. To create our balanced teams, we pay more attention to that blend of skills than we do to titles. People like working at Sophos. Morale is buoyant. It is little wonder. It is easy to be positive knowing you are part of something bigger, seeing that you are succeeding, innovating busily, and experiencing the reward of protecting people.
Did I mention that we have design-geek benefits? You’re not required to wear them, but when you join Sophos UX you get cybersecurity socks. And if you’re lucky you get to meet the reason we’re in business, our customer Dave Malarky.
Does UX have a long way to go to create a Security UX platform? Yes, that’s what makes the opportunity worth being part of. Will we stumble and scrape our knees on this adventure? You know we will. Remember, there are very few trails where we are going. Gear up.
Director - Data Engineering at RBC Borealis
6y: Pennie Santiago, Svetlana Alves, Lauren McCann, CFA, Joe De Santis, Jana Lepp, Jennifer Monteith, Ranya Elfil
Security hardware and software architect
6y: I ran into Jeffrey Friedburg at IIW. He has started an effort at MSFT to integrate context into security choices.
Head of Security | PECB Certified CISO | IT Infrastructure | ISO27033 Senior Lead Network Security Manager | ICS2 CC
6y: So True 😀
Product Executive | Engineering General Manager | Technical & Business Leader
6y: Congratulations Darren!
Head of the Americas
6y: It has to be a balance that makes IT measures, business processes, and end user functions work well together. I would err on the side of making sure market facing people are not hindered by stern IT measures that limit or slow down their ability to generate revenue for the business.