How Design Thinking Can Change Cybersecurity

Forbes Technology Council
POST WRITTEN BY
Rajat Mohanty

Design thinking has emerged as a new area in cybersecurity. Chief information security officers (CISOs), in particular, need to know how to apply design thinking to deliver more user-focused security solutions in their organization.

What Is 'Design Thinking' Anyway?

While design thinking can produce creative solutions, it is not primarily about being creative in an artistic sense. It’s not about making great visuals for a product’s graphical user interface (GUI). It’s not even about unlocking creativity to come up with a totally out-of-this-world solution.

Instead, at its heart, design thinking means one thing — breaking down a designer’s approach to building a solution and then applying that approach to fields we traditionally don’t consider “design” or even “creative.” Specifically, design thinking places humans — not technology — at the center of both a problem and that problem’s potential solutions.

For cybersecurity, we can break design thinking into three principles:

1. Begin with empathy for the end user.

2. Focus on the total solution, not the one-off problem.

3. Iterate.

Design Thinking Principle One: Begin With Empathy For The End User

Focusing on the customer sits at the center of every management model out there, but design thinking takes it one step further. It places the user at the center of the solution. It considers their “hard” technical and functional needs, but it also considers the user’s “soft” behaviors, beliefs and emotions. Finally, it thinks about how they will deploy their solution in their unique real-world work context and not in a best-case environment where everything goes right and where they could perfectly implement a complex solution.

This design thinking principle fits naturally into information security. After all, by widely cited industry estimates, nearly 90% of breaches involve negligent user behavior. Design thinking tells us to blend cybersecurity controls seamlessly into the user’s environment and to pay particular attention to the friction and personal considerations that get in the way of adherence. It takes those concerns seriously and designs a solution that removes them, instead of wishing users would simply follow technically perfect security controls that never survive contact with the real world.

Design Thinking Principle Two: Focus On The Total Solution, Not The One-Off Problem

As information security professionals, we tend to deploy an analytical problem-solving model. We define the technical problem, work out its technical ramifications and then devise a technical solution to that problem. This is a powerful, and necessary, approach to information security. We need to “firefight” and put out the crisis of the day. We need to quickly develop and deploy new products and security measures. This approach creates its own problems, though: a constant state of reactivity and a pipeline of one-off products and programs that add up to an unmanageable jigsaw puzzle where no piece fits perfectly with any other.

Design thinking encourages us to think beyond the crisis of the day. It helps us develop long-term end goals for our security actions and a long-term roadmap to reach that state. It tells us to develop thoughtful solutions that add up to an integrated whole, where each product and program works in harmony with all others.

Design Thinking Principle Three: Iterate

Don’t mistake developing a long-term vision for taking years to develop and roll out solutions. Design thinking teaches how to act small and fast. To build small prototypes. To refine what’s working. To break what isn’t. To embrace experimentation to prove (or disprove) ideas quickly and to constantly adjust to user feedback. Design thinking asks you to think long-term, but to then focus on quickly building small steps to reach that goal.

This principle also fits nicely into information security. Risk management already has an iterative cycle, PDCA (Plan, Do, Check, Act), but that model assumes the plan is largely right before the cycle begins. Design thinking puts a more flexible loop in front of it: IPTR.

• Ideate: think up what might work

• Prototype: make a small version of that idea

• Test: determine whether people will actually use it

• Refine: change it based on user feedback

IPTR still gets you to PDCA, but with the confidence born from first proving your solution in the real world with real humans.

Bring These Design Thinking Principles To Your Information Security Program

Design thinking comes down to one central idea: Build solutions that users will actually use. Imagine a security posture held firm by natural adoption and not by rule enforcement. If that scenario looks favorable to you, then you are ready to apply design thinking to information security.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.