Cyber leaders emphasize usability in security

A successful cybersecurity system not only protects a user's information — it also improves the user's experience, a group of information security executives said at a cybersecurity summit Wednesday.

Donna Dodson, the chief cybersecurity adviser for the National Institute of Standards and Technology, explained that the use of personal identification verification cards — a security solution her agency helped develop — is a solid start for access management. But she questioned how relevant a smart card would be for a workforce that increasingly accesses sensitive information on mobile devices.

“How well does that work in our daily mobile world? How well does that work with Apple iPads and mobile phones and those kinds of capabilities? What kinds of user experience are happening out there?” said Dodson, speaking as part of a panel at the 2015 Cybersecurity Innovation Summit in Washington, D.C.

Too often, cybersecurity systems prevent users from accessing the systems and information they need, Dodson said, deriding systems that count on the average person to do things like verify a PKI certificate “when they have no idea what that even means.”


“If we don’t bring in innovations and usability to understand key management, we’re going to create a system where people who need to access information won’t be able to, and perhaps people we don’t want to be able to access information can access it,” she said.

Cybersecurity systems must be usable, agreed Malcolm Harkins, global chief information security officer for Cylance Inc.

“A hero security solution … improves your user experience,” Harkins said. Protection should enable users, not weigh them down, he added.

“Cybersecurity is a supportive function of your mission,” he said. If not, “we are encumbering people and data and business … and distracting them from what they’re attempting to do — we might be generating more systemic business risks.”

Usability should be built into a system’s security from the beginning, so that doing the right thing is easy, said panel moderator Matthew Scholl, NIST’s chief of the computer security division.


And even in the greater scope of the cybersecurity issues the federal government faces today, with continuous attempts from a variety of malicious actors to breach federal systems, Dodson said it’s still critical to put usability in the spotlight.

“If we don’t think about the usability aspect of the cybersecurity capabilities that we’re looking at, we will not be able to address the challenges that the nation faces,” she said.