With twenty years in the SaaS space, I still get excited talking about the intersection of security and usability.
Remember the days when secure authentication felt like disarming a bomb? You had to type in a long numeric code before it expired, faster than your fingers could move. Now we have multi-factor authentication at the touch of a button. Before we know it, authentication will be so advanced that we won't need passwords at all (I secretly wouldn't mind being part of that movement).
A remote world is an open world for digital intruders
I was recently on IT Visionaries with host Albert Chou, and he told me a story about how his daughter would let centipedes into the house and keep them as pets. When they “disappeared,” he asked her where they had gone. “I let them go,” she said. And Albert would spend the rest of the evening wondering whether one was going to show up on his toothbrush.
Data security is a bit like that. Our job is to not let the bugs in at all. But knowing that they are out there and will always try their best to get into the house, we mitigate the risk and keep them at bay, so they don’t end up on our virtual toothbrush.
Protect the customer to protect your business
Every time you connect to a new technology, there is risk. Integrating third-party apps or downloads introduces potential vulnerabilities in code you do not control. And more and more needs connecting as you push the bounds of geography, devices, and remote work in an increasingly nomadic world. Users will always want more freedom, but they are also trusting us, as the people promoting security, to keep them and their privacy safe.
This is where security meets usability. An app must be user-friendly enough to satisfy the customer, but also protective enough to guard against threats. People are counting on the company to have already done the heavy lifting on security, so they don’t have to second-guess whether it is safe to download an app, click on a link, or go about digital life as normal. They trust that the system will guard them automatically.
The problem is when the system does not set the user up for success. For example, our app Data Mask was born from a story about a contractor who was not supposed to have access to sensitive information but needed placeholders for that very information to do his job. He literally could not build his product without data shaped like personally identifiable information (PII): names, addresses, and the like. So when we heard about this, we worked to create an app that fills those PII fields with “fake” values. It takes all of the phone numbers and replaces them with jumbled digits. It “masks” street names to be generic instead of specific. The point is that the masked values keep the shape the application expects, so the product still works, but they no longer identify anyone. That way, instead of the contractor having to sign a thick nondisclosure agreement, he could go about his job without the company having to worry about leaked information.
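To make the masking idea concrete, here is an added example in Python. It is not the Data Mask product’s code and does not describe how that product works; it shows the two properties a practitioner would check in any masked dataset handed to a contractor: values keep the format the application expects (a phone number is still a phone number, an address still starts with a house number), and the mapping is consistent across records (so joins keep working) but cannot be reversed without a secret key. The record layout, the sample records, the key and the replacement word lists are all assumptions made for this illustration.

```python
"""Masking PII for a non-production copy of customer records.

Added example, not Salesforce Data Mask's own code. The record layout, the
secret key and the replacement vocabulary are assumptions for illustration.
"""
import hashlib
import hmac
import re

# Constructed sample records: the two contacts deliberately share one phone
# number, so we can check that equal inputs mask to equal outputs.
SAMPLE_RECORDS = [
    {"name": "Ada Lovelace", "phone": "(415) 555-0123",
     "street": "221B Baker Street", "tier": "gold"},
    {"name": "Grace Hopper", "phone": "(415) 555-0123",
     "street": "1600 Amphitheatre Parkway", "tier": "silver"},
]
PII_FIELDS = ("name", "phone", "street")   # "tier" is not PII and is left alone

# Generic replacement vocabulary (assumed; a real tool ships much larger lists).
FIRST_NAMES = ["Alex", "Sam", "Jordan", "Taylor", "Casey", "Riley"]
LAST_NAMES = ["Smith", "Garcia", "Nguyen", "Okafor", "Kim", "Rossi"]
STREET_NAMES = ["Main Street", "Oak Avenue", "Park Road", "Elm Street", "Lake Drive"]


def _prf(key: bytes, field: str, value: str) -> bytes:
    """Keyed hash of (field, value). The same input always gives the same
    digest, so referential integrity survives masking; without the key the
    output reveals nothing about the input. A plain unkeyed hash would not do:
    the space of phone numbers is small enough to brute-force."""
    return hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()


def mask_phone(key: bytes, phone: str) -> str:
    """Replace each digit with a key-derived digit; keep separators and length."""
    digest = _prf(key, "phone", phone)
    out, i = [], 0
    for ch in phone:
        if ch.isdigit():
            out.append(str(digest[i % len(digest)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_name(key: bytes, name: str) -> str:
    """Swap the real name for a generic first/last pair selected by the digest."""
    digest = _prf(key, "name", name)
    first = FIRST_NAMES[digest[0] % len(FIRST_NAMES)]
    last = LAST_NAMES[digest[1] % len(LAST_NAMES)]
    return f"{first} {last}"


def mask_street(key: bytes, street: str) -> str:
    """Keep a house number with the same digit count (non-zero first digit)
    and replace the street name with a generic one."""
    digest = _prf(key, "street", street)
    generic = STREET_NAMES[digest[0] % len(STREET_NAMES)]
    m = re.match(r"^(\d+)[A-Za-z]?\s+(.+)$", street)
    if not m:
        return generic
    n = len(m.group(1))
    digits = [str(digest[1] % 9 + 1)] + [str(digest[k + 1] % 10) for k in range(1, n)]
    return f"{''.join(digits)} {generic}"


def mask_record(key: bytes, record: dict) -> dict:
    """Return a copy of the record with PII fields masked; other fields untouched."""
    masked = dict(record)
    masked["name"] = mask_name(key, record["name"])
    masked["phone"] = mask_phone(key, record["phone"])
    masked["street"] = mask_street(key, record["street"])
    return masked


def mask_dataset(key: bytes, records: list) -> list:
    return [mask_record(key, r) for r in records]


def shape(value: str) -> str:
    """Format skeleton used to check that masking preserved the layout:
    digits become 9, letters become A, punctuation and spaces are kept."""
    return re.sub(r"[A-Za-z]", "A", re.sub(r"\d", "9", value))


def leaks_pii(original: dict, masked: dict) -> bool:
    """True if any original PII value survives verbatim in the masked record."""
    return any(original[f] == masked[f] for f in PII_FIELDS)


if __name__ == "__main__":
    # Assumed secret; in practice it lives in a secrets manager and never
    # ships alongside the masked data.
    key = b"example-masking-key-do-not-reuse"
    for before, after in zip(SAMPLE_RECORDS, mask_dataset(key, SAMPLE_RECORDS)):
        print(before, "->", after)
```

Two design choices matter here. Consistency comes from the keyed hash (HMAC), not from a lookup table, so there is no mapping file that could leak; and whoever holds the key, not the contractor, is the only party who could ever link a masked value back to its source, which is why the key must stay out of the masked environment.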
Leaders set security expectations: Protect your team and your reputation
The role of the employer is about more than oversight. It is also about communication. Once employees understand the important role they play in keeping company records safe, they are more inclined to rise to the level of ownership expected of them. This becomes increasingly important in a low-code and no-code world, where citizen developers from every department engage in building apps.
Your products … are a reflection of your security.
Your products and all stakeholders are a reflection of your security, so it’s important to have a far reach with your conversations.
Practically, this may look like:
- Having conversations about security with new employees right out of the gate, including what the consequences could be for the individual or the company at large if data is compromised
- Getting extremely granular about who is granted access, so users never have to ask “Should I have access to this?” because it is (or is not) already baked into their permissions
- Cordoning off mission-critical information to protect against accidental damage to company data
- Making regular security training and refreshers part of your culture
Be proactive with hearing customer feedback from the source
Our responsibility also rests on our ability to communicate well with customers. We depend on a continual river of feedback to know what’s working and what’s not.
For example, at Salesforce we have developed checks and balances that help make sure our products are not just functioning for customers from a security standpoint, but are also well-liked by the user:
- Customer advisory groups
- Feature-enhancement boards
… all to make sure our security features intersect with the customer’s work in productive ways.
Data security is ever-evolving
Trust is our number one value at Salesforce. And, I must admit, there’s a bit of an art to it. With so many integrations and so much crosslinked data, it is hard at times to determine who should have the “keys to the kingdom” for sensitive information. This is why we must go back to what is best for the customer, what benefits them the most. Usability without security only serves at the surface level, and security without usability falls flat. Data security cannot be treated as only an inward-facing concern; it must be living and breathing with the external world.