Security operations teams deserve usable tools, data and workflows so they can succeed in their role
In the realm of software development, usability is defined as “the degree to which specified users can use a piece of software to achieve quantified objectives with effectiveness, efficiency, and satisfaction in a quantified context of use.” [1]
As software has changed, so has usability. Users now have multiple software systems to work with; some operate as standalone programs and others as integrated solutions. With the rise of application programming interfaces (APIs), developers try to fit as much capability into a single application as possible, creating a user experience that is more complete but also more complex at the same time.
Investments in usability research and development can help sell a product and result in a positive return on investment when large numbers of end users (or their companies) pay for the product. A well-designed product that is easier to use and provides an excellent end-user experience will typically work better, sell better and, in the end, support better renewal rates for the seller.
However, these investments become harder for organizations and teams to justify when:
- The number of users they build for or sell to is small compared to the overall market. Consider the IT security team that sits in the operations department, not in the traditional end-user role; their numbers are a fraction of the whole.
- The product users are believed to be technical and, therefore, able to “handle” and work through some of the nuanced workflow weaknesses, gaps or flaws that would otherwise be addressed, abstracted or hidden from traditional endpoint users.
- An internal team or a fresh startup racing to market with a new product, targeting a highly competitive internal dev environment or external infosec market, doesn’t have the time or resources for usability because of higher-priority projects and requirements.
One could argue that there is value in creating a usable product, even for the security operations team, because of the potential benefits. When the security operations users are happy, they will likely create and maintain a more successful security management program that will, in turn, successfully protect the revenue that the company generates.
A usable security operations product will provide well-designed and thoughtful:
- Information and context: Security analysts and security operations teams need as much data as possible to help them make better and faster decisions around security policies and controls, risk management, incident response and more. This includes information from around the business that may not necessarily be “security” information but can provide valuable insights to help them do their job even better.
- Integrated workflows: It’s imperative to have the right tools for the right tasks that connect actions and team members so they can identify and respond to issues as quickly as possible. Shortcuts should be available to access core information and complete routine tasks. While a good UI is necessary, the solution still needs the flexibility for security users to access a well-documented command line and other more advanced features via coding and APIs. Understanding the end-to-end flow of tasks can help improve effectiveness and efficiency.
- Exception handling: Warnings and clearly described errors should be displayed so that users can figure out how best to work through exceptions in their routine. Because many unplanned and unexpected things can happen in infosec, the product should also provide mechanisms to deal with things that fall outside the core operating environment. Giving users the ability to handle errors with clear paths for working outside the norm ensures they can manage escalations securely and safely even when chaos ensues.
- Outcomes: When the product focuses on the results that security teams need to achieve, it can better serve them in reaching their goals. When the product is built around a specific goal, such as “block financial fraud in our retail gift card business within 5 minutes,” rather than around a bundle of features and data sets aimed at a task such as “block an IP address that appears to be on the malicious list and misbehaving while connected to our network,” the team can work toward its goals instead of trying to map its tasks back to the expected outcomes.
- Measurement: Security teams are often asked to measure things they’ve accomplished, such as how many vulnerabilities they have patched, how many alerts they have closed and how quickly they respond to an incident. The applications they use should be built to help them collect and report on relevant metrics related to business outcomes. This will help them keep and expand their budget to help further their efforts to protect the business and its revenue.
Usable software is something that security operations teams deserve. The immense pressure for them to deliver outcomes that protect the business from malicious actors warrants investments in the tools to help them succeed in their ongoing cyber battle.
[1] Definition of Usability, Wikipedia, accessed Nov 1, 2022