5 tips to enhance security without sacrificing productivity or user experience
Security often gets a bad rap for slowing down productivity and hampering user experience (UX). At Okta, we know this couldn't be further from the truth. Today's CISOs are deeply committed to creating frictionless experiences for employees and customers, and we recently spoke with two of them to get their take on balancing these crucial business objectives.
The challenge lies in finding innovative solutions that bolster security without sacrificing efficiency or satisfaction. Armed with practical strategies, a holistic approach, and user feedback, CISOs can enhance security posture while improving productivity and enabling seamless UX. Here’s how.
1. Prioritize user experience in security design
A user-centric approach to security is paramount for fostering adoption and minimizing resistance. Whether for employees or customers, CISOs should design security measures with end users in mind to create a smooth and intuitive experience. For example, secure login features like multi-factor authentication can frustrate users, but with options like biometric or passwordless authentication, you can keep the same level of protection without inconveniencing them.
Jane Domboski, CISO at OneMain Financial, says it’s also important to communicate security risks and requirements in clear, concise language. Offering helpful explanations and guidance — and avoiding technical jargon — will ultimately empower users to make informed decisions around security design.
“One of the first things I did as CISO was align with our CTO to make sure that the applications we build are secure by design,” Domboski says. “Getting his team to use that terminology helps keep security top of mind as they build new products.”
2. Leverage automation and AI
Automation can significantly enhance security while freeing up human resources for strategic tasks. By automating routine security workflows — such as password resets, vulnerability scanning, and incident response — organizations can improve efficiency and reduce the risk of human error.
CISOs can also use AI to analyze vast amounts of data and identify potential threats in real time, enabling proactive threat hunting and faster incident response. And when an incident is detected, automating routine incident response steps such as containment and eradication can help minimize downtime and damage. As Cory Musselman, CISO at Kyndryl, says, it’s about using security as a business enabler instead of a blocker.
“When we consolidated our Identity and Access Management processes with Okta, it was a huge win for our employees and the business,” he explains. “It highlighted that security teams aren’t just implementing things that make life difficult. We are actively working to make their lives easier and make the business more agile.”
3. Adopt a Zero Trust architecture
A Zero Trust model shifts the security paradigm from implicit trust to continuous verification. Adopting this approach can help organizations significantly strengthen their security posture while maintaining productivity.
“We want the speed bumps to be in the right place for the right reasons to balance employee experience with security,” Musselman says. “Risk management is a huge part of that evaluation. You have to understand the risk tolerance and threat profile of your organization so that you can make smart decisions and not put in more speed bumps than necessary.”
Start by implementing strong authentication and authorization mechanisms to ensure only authorized individuals and devices can access resources. Isolate sensitive data and applications by segmenting your networks to reduce your attack surface and limit the potential impact of a breach. And lower the risk of unauthorized access and data exfiltration by adopting the principle of least privilege, granting users only the necessary permissions to perform their job functions.
4. Create a culture of security
A well-informed and engaged workforce is the first line of defense against cyberthreats. CISOs can build a security-conscious culture by investing in interactive training sessions that cover topics like phishing, social engineering, and password hygiene. Regularly testing employees’ ability to identify and report phishing attempts will further reinforce security best practices.
“Education is incredibly important, and we invest in ongoing training to teach our developers how to code securely,” Domboski says. “We even play cybersecurity tips when customers call in and are waiting on hold. We truly believe that cybersecurity education shouldn’t just be for employees but our customers, too.”
To really drive home the value of security initiatives, Musselman says it’s important to recognize and reward employees for their efforts. “We highlight the wins when we collaborate with parts of the business to increase security in a way that doesn’t bring friction,” he explains. This helps promote a culture of shared responsibility for security.
5. Continuously evaluate and improve
The security landscape is constantly evolving, so it's essential to maintain a proactive approach to security management. Regularly assessing your security posture and staying informed about emerging threats will help you identify potential weaknesses and inform proactive decisions.
Gathering feedback from employees is a powerful way to understand the impact of security measures on productivity and UX. By involving everyone in the process, you can make necessary adjustments and evolve your security strategy for the future.
As Musselman says, “It’s important to partner with business leaders in different parts of your organization to understand how their teams work. This helps shape how we implement security controls and drives our risk decisions to create the appropriate balance for our users.”
By implementing these strategies, CISOs can significantly enhance their organizations’ security posture while creating a positive user experience and boosting productivity.
Watch our on-demand webinar with Jane Domboski, CISO at OneMain Financial, and Cory Musselman, CISO at Kyndryl, to learn more about how they’re making Identity a key part of their security organization.