This blog was originally published by Forbes.
Security lives at the intersection of people and technology. Throughout my cybersecurity and product management career, I've witnessed a concerning trend: Our industry can often prioritize technology over human elements.
As a CEO who emerged from product development, I believe we can reshape this narrative using principles from product design. We cannot expect people to assimilate into our confined security culture—nor should we want to, as our field exists to help people in their business habitat. We have to open security to them and make it accessible regardless of their backgrounds and degree of digital literacy.
It is no longer the case that IT specialists alone leverage cybersecurity tools and control applications. A growing array of people and various environments within any corporate model must now heed security requirements. Today, everyone from C-suite executives to entry-level employees plays crucial roles in maintaining digital security, and our approach has yet to adapt to this new reality successfully. This shift isn't just about awareness; it's about democratizing and humanizing security.
Making security universally accessible and understandable represents a significant evolution in security paradigms:
• From centralized control to distributed responsibility.
• From complex, jargon-filled policies to intuitive, user-friendly practices.
• From security as a specialized field to security as a basic digital literacy skill.
My previous experience in a product management position at Duo Security—a cloud-based security company where we revolutionized two-factor authentication—taught me that effective security isn't about an authoritarian, top-down implementation of stricter controls or more complex systems. It's about understanding and working with human nature—not against it—as a core principle of sound product design.
I've relied on five strategies that apply product design principles to create a more collaborative, human approach to cybersecurity:
1. Design for seamless integration. Security measures should feel like a natural part of the workflow, not an obstruction. Consider Apple's Face ID, which improves security while being virtually invisible to the user. At Duo Security, we disrupted the two-factor authentication space by making the process simple and user-friendly. We encouraged collaboration rather than resistance by designing security features that complemented rather than disrupted natural workflows.
2. Efficient deployment and scalability. In today's evolving environment, security solutions need to be up and running quickly. This principle of efficient onboarding is crucial in product design. When security tools can deploy efficiently and scale easily, organizations can collaborate on security implementation without lengthy, top-down processes.
3. Empower through education. Replace static annual training sessions with interactive, real-time learning opportunities. Effective product design aims for intuitive interfaces that guide people. Apply this principle to security education by creating engaging, context-aware learning experiences that empower people to make secure decisions independently.
4. Collaborative policy development. Involve employees in establishing security policies. For example, creating a bring-your-own-device (BYOD) policy that addresses both employee needs and company security concerns mirrors the user-centric design process in product development, where user feedback is crucial. By involving people in policy creation, we shift from an authoritarian approach to a collaborative one.
5. Build security from the ground up. As we shift from an authoritarian to a collaborative model, security should be "baked in" from the start of any product or process design, not bolted on as an afterthought. This principle of "secure by design" is fundamental in product development and should also be applied to organizational security practices.
Is it possible IT security teams are not always the only voice to be heard on security? Is it possible the collective intelligence of dozens or hundreds of employees might create insights and solutions that elude the pros? My experience and observation of hundreds of companies say yes, which is why we must focus on collaboration-based products for the future of cybersecurity.
In organizations where I've implemented these product design-inspired, people-centric approaches, I've consistently seen substantial reductions in security incidents and increases in proactive threat reporting. More importantly, I've witnessed a shift in attitude. Security teams are viewed as collaborative partners rather than authoritarian obstacles to productivity or, worse, as the "mistake boogeyman" employees fear interacting with.
The future of cybersecurity isn't about building higher walls or more complex systems. It's about creating a culture where everyone feels empowered and motivated to contribute to the organization's security. As we move beyond the outdated paradigm of security versus usability, in an era where the lines between personal and professional technology are increasingly blurred, optimal security is sustained when technology and human behavior work in harmony.
Investing in relationships and communication channels between security teams and the organization can drastically improve the effectiveness of existing procedures and set new initiatives up for success. This collaborative approach can lead to tangible benefits such as improved mean time to detection (MTTD) and mean time to response (MTTR), which are critical factors in effective security.
As leaders in this field, it's our responsibility to champion this approach, ensuring our security solutions are technically robust, human-centric and collaborative by design. The interdependency of different departments in an organization to maintain excellent security underscores other areas of mutual dependency for the optimized success of any business. Collaborative models in security pave the way for other collaborations that can advance the organization.
Let's dissolve the antiquated technology barriers that mute user intelligence and recreate realistic cybersecurity for businesses by drawing upon human-centered systems that invite our collaborative nature.