If We Simplify IT Security, Maybe People Will Use It

By Javvad Malik

Complex problems don’t need complex solutions

My friend recently wrote about having personal details on your phone lock screen to make it easy for someone to return to you.

I think it's a great idea, and fundamentally, most people want to do the right thing. But perhaps, they only want to do the right thing if it is easy enough. While I don't have any data to support the hypothesis, I imagine the harder it is to do the right thing, the more likely people will ignore or flat-out refuse doing it.

I'll make my kids cheese on toast because it's easy, and feels kind of wrong to let them go hungry. But roasting a chicken seems like too much hard work, even if that may be a better option.

One of the barriers IT Security faces in its adoption is the complexity it represents.

Mitja Kelsey and Haroon Meer recently had a Twitter exchange on this very topic.

I think they're right in the need to simplify security and this thought merits further exploration. It's not quite as straightforward to say, "simplify IT Security" without looking at the broad steps involved and what needs to be simplified.

But it’s not just enough to say that something needs to be simplified without going slightly deeper to understand what this entails.

1. Evaluation

The first step is to simplify the process by which a potential user can evaluate the offering. Users don’t want to jump through endless hoops before they can get their hands on a working version to see if it meets their needs.

2. Procurement

Evaluation complete – how easy it is to proceed with procuring the product. This step applies just as much to free or open source technologies as it does to paid products. If it takes too long to get the software, or it needs some custom compilation, or has other weird requirements, it will lose appeal.

3. Simple to deploy

One procured, the question of deployment comes up. It’s all well and good testing in a demo environment, but the real test is when it comes to deploying in a production environment.

It’s not just about how easily a particular product can be deployed itself, but what dependencies there may be, or worse still, how it could clash with other security products already in the environment.

If a product requires a project plan lasting months to roll out, and a small army of consultants to ensure all features work as intended, it will likely lose steam along the way.

4. Simple to use

Is the product simple to use? While not every security product can be ‘set and forget’ it should be relatively easy to become familiar with using a product and acting on its output.

No matter how great the security functionality, if the use and management of the product is too great it will be used less, or perhaps not at all.

5. Decommissioning

There comes a point in every products life where it will need to be decommissioned. This may need it to be completely removed from an environment, or parts of it may need to be reduced due to external factors such as the sale of a business unit.

In such cases, the removal process should be as simple as, if not simpler than the installation.

Complex problems don’t need complex solutions

While enterprises may face many complex security challenges, it doesn’t mean the solutions that are needed to address these challenges need to be complex too.

A hybrid car which uses both an electric and petrol engine is a complex feat of engineering. Yet, from a drivers perspective, the complexity is hidden away, and is presented with a familiar and simple driving experience.

Security need not add to the complexity organizations are faced with, rather be simple and focused in its approach to safeguard organizations.

About Javvad Malik

Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security.

More About Javvad