When I got my start in design, cybersecurity wasn’t necessarily on my radar. But it’s something that began to pique my interest more when I founded Pinoccio, an internet of things (IoT) startup. Our product made it easy to create IoT projects using basic web development skills. A popular project amongst our customers was a web-enabled garage door opener. Once customers were opening and closing their garages from our web app, we realized we had to make sure our system was super secure, and safe from bad actors. This opened up an interesting, entirely new world for me: Security.
Now, as the head of product design and user research at Cisco’s Duo Security, I understand a lot more about the thought-provoking design challenges intrinsic to security. When I joined Duo five years ago, I was hired to build the company’s product design and user research competency. Stepping into security, I assumed that the challenges in security were mostly technical in nature. But, something I learned along the way, and that I like to relay to designers, is that security is fundamentally about human behavior.
The majority of breaches we hear about in the news, for instance, originate as an e-mail phishing scam, which happens when you mistakenly give your username and password to a site that disguises itself as legitimate. Phishing isn’t very technically complicated—it simply takes advantage of human behavior. And while it’s easy to blame the user in these situations, phishing schemes have become incredibly sophisticated and believable. So, instead of blaming the user, we want to instead bring an empathetic lens, and understand more about their needs.
At Duo, we have a user research team that’s tasked with doing ethnographic and observational research. This team goes out in the field to conduct interviews so we can build up a body of research that helps us grasp how everyday consumers think about privacy and security. We’ve found that even people who are fairly technical, and who are sensitive to security matters, are often inconsistent in their behaviors and don’t adopt strong, unique passwords or use two-factor authentication.
As a designer in this space, we task ourselves with understanding: “How do we make the right thing to do the easy thing to do?” We want to know exactly how to create security tools that are so easy that any company or organization can use them. At the heart of our research, we’re asking ourselves: “How do we make sure that people who are not security experts can use this effectively and understand it.”
The future of security requires merging technological innovation with a rich understanding of human behavior.
A particular challenge in my industry is that we want to be forward thinking, but we can’t get too far ahead of ourselves because security is incredibly dynamic. In security, we talk about how the “threat landscape” is always changing — bad actors are always creating new ways to hack into systems. Sometimes these are criminals for-hire that are waging cyberwar. It’s actually really exciting to use our design skills to fight cybercrime! And the most effective way to do that is to design easy to use security products.
One of the core philosophies that our design team has is “don’t blame the user.” If people have bad security behaviors surrounding passwords, for example, that’s because there’s too much friction. We want to think about how to eliminate that friction. We’re now working on creating a future without passwords, which has the potential to eliminate one of the most common causes of security breaches (getting phished). It’s a win-win because it also reduces the burden on everyday people, who struggle to use strong, unique passwords.
The thing is, we can’t do all this work by ourselves. We need design thinking advocates across the entire product organization. One thing that has been particularly revolutionary for us is that our design team is involved in vetting candidates for engineering leadership and product management. We sit on their interview panels, and ensure that they will bring a human-centric lens to our work.
Also, Cisco’s acquisition of Duo has further accelerated our growth. We have a design thinking curriculum that Elayna Spratley, our design thinking program lead, makes available to our entire organization. Elayna has trained folks in sales, customer success, and site reliability engineering to help create a design thinking mindset at Duo. Some go through the entire training series to become design thinking facilitators themselves.
I think Duo’s investment in design is unique in the field of security, and I’m happy to be a part of it. But I don’t want our efforts to be unique: The cybersecurity industry is one that’s lagging behind in terms of design maturity, and sadly the consequences are dire. From election security to cyber warfare to securing critical infrastructure across the globe, designers and user researchers can play a pivotal role in building a more secure future. It’s a really exciting time to be working in security, and a unique opportunity for designers who want to have a genuine positive impact in the world. If you’re a designer who’s thinking about what’s next in your career, I hope you’ll consider security for your next role.
by Sally Carson
Sally Carson is the head of product design and user research at Duo Security, now a part of Cisco. Sally's mission is to radically redesign Tech by amplifying diverse voices.