In New Delhi: There has been a good deal of griping lately about what "us security people" are calling the "dumping down" of products in whatever product space.
By this of course I mean products that seemingly drop advanced features to make themselves "easy to use" by the general end-user.
While almost every single product's marketing page has "ease of use" as one of the check-box features, it's rare that this actually manifests itself in the real products. The end result of difficult to use security products is clear - security breaches are rampant. You don't have to take my word for it, do a search.
Even though simplicity isn't the end goal of product development teams, it's important that the end user's ability to do something meaningful in the product with as little confusion, keystrokes, mouse clicks or "RTFM" as possible be weighted just as heavily as the product's ability to perform its advertised key functions. In the end if the product has amazing features no one can figure out - they won't be used.
I have some experience with product teams, so i thought I would weigh in, and impart some of the things Ive learned in my years with interacting directly with, and supporting product teams.
Dumbing Down Security?
First and foremost, I don't think that products that make themselves simple to use are necessarily "dumbing down security" in any way. In fact, I would argue quite the opposite. In a well-done product, simple to use features make security more accessible, more usable and therefore - more consumable by a wider range of people. In the end, doesn't that benefit everyone?
If you want "dumbed down security" you can certainly find it throughout the products out there. I won't argue that there aren't products that have become so "simple to use" that the added value to security is minimal, but i wouldn't blame that entirely on the simple to use principle.
In fact, I would blame the product teams for not working hard enough to make those features that are required to make security potent better activated by all that simplicity.
Transparent, Simple
Ultimately, Ive debated over and over that in order to have a meaningful impact, security must be transparent to the user, and as simple as possible. Complexity doesn't enable the user, and we all know what happens when we give end-users too many knobs, buttons and switches ... they either freeze like the deer in headlights and make no decisions - or make poor ones based on guesses ... either way things go poorly.
In the case of security administrators (or analysts) the more complex we make products the more we force people to specialize. This specialization makes it almost certain that when a company needs to hire that 1 person who understands their firewalls, IPSs, DLP devices and everything else that they will be good at one product and have to read manuals for the rest. That's not a very good sign...
I'm not saying we have to have interfaces for security devices designed for the 6th grader in all of us - but it would help if the many devices and mechanisms out there didn't require a master's degree and a vendor certification to operate properly. "Out of the box" things should be usable ... and if they're not we should ask why, rather than simply accept that we're too dumb to use them properly.
Transparent security is the pinnacle of the security mountain because it's a true test of simplicity and design power. If your anti-malware widget on your laptop can install simply and give you warnings when "things are going amok" with an intelligent analysis that doesn't require you to be a PhD in security jargon - then it's a win because you'll know whether to hit the "block" or "accept" buttons ... right?
It's even better if those decisions are made for the end user without intervention, all while not interrupting legitimate work or play. While I know we're not there (yet) and maybe we'll never be ... it's something to aspire to.
Striking a Balance
In the final analysis - it's really all about striking a balance. Making products simple, transparent while making them powerful and giving them meaningful positive impact on security posture. While it's cool to be a command-line ninja, let's face it - there aren't many of them out there... and enterprise as well as personal security shouldn't be directly proportional to one's ability to perform script-fu at the machine level.
Every security product should aspire to be the "easy Button" but without losing too much capability to actually perform security tasks and do the things that need to be done to protect the user, the system or the enterprise from threats.
How does that balance happen?
Careful research combined with extremely seasoned security products managers combined with a team that performs usability testing and provides frank and honest feedback to those products teams.This balance also gets feedback from people that use these products everyday.
Remember, it's not OK to be told to go read the manual because you're too dumb to understand "product X"... if it's not readily evident (and not some super-advanced feature like teleportation) and the vendor can't tell you why it's not readily evident - then maybe they're doing it wrong. Voice your opinion and tell them.
Simplicity and transparency in perfect harmony with capability - this is the secret recipe for the perfect security product... ensuring uptake (adoption rates), usage (end-user use), and ultimately a safer experience.
Rafal Los is Security Evangelist, Blogger, and WebAppSec SME at Hewlett-Packard (HP) Software. Rafal also owns Boundariez Consulting.
Add new comment