How can software and our security programs better be architected to get users involved?



Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Adrian Ludwig, CISO, Atlassian, a customer of our sponsor, Castle.

Got feedback? Join the conversation on LinkedIn.

Thanks to this week’s podcast sponsor, Castle

Castle is helping businesses keep customers’ online accounts safe from targeted account takeovers, automated credential stuffing, and risky user transactions. Castle’s user-centric approach to account security allows organizations to fully automate threat response and account recovery in real-time with risk-based authentication, granular access policies, and custom workflows. Learn more at www.castle.io

On this episode of Defense in Depth, you’ll learn:

  • It’s impossible to create a security system that removes the user from the equation. They are integral and they have to be part of your security program.
  • Security is defined by the individual.
  • The minimum expectation you can have of your users is that they’ll operate in good faith.
  • Avoid complexity because as soon as it’s introduced it drives problems everywhere.
  • Instead, keep asking yourself, how can I make security more usable?
  • Individuals are suffering from alert fatigue. If you’re going to send an alert to a user, make it relevant and actionable. And always be aware that your security alerts are not the only alert the user is seeing and deciding or not deciding to take action on.
  • Think about all the alerts you completely ignore, like the confidentiality warning in a corporate email.
  • One of the main problems with security is the party who suffers is not the one who has to act.
  • The user often does not have any stake in the goods he/she is protecting.