It is safe to assume that most IT professionals of all varieties find working with end users unpleasant at best and actively avoid them at worst.
As security professionals, we know that end users are the weakest link in any system we put in place. It’s easy to dismiss them as ignorant, reckless, untrainable, or just plain dumb. Working with and listening to end users is just as crucial in the install and implementation phase of any security component as it is after a breach has occurred.
We IT folks have a bad habit of simply telling end users how a product works, how they will interact with it, and running away as quickly as we can.
We may briefly train an on-site technician on the new product and then leave it to them to work with end users. How many times have we heard of an organization that had purchased security protocols and products, but the end users weren’t using them or were circumventing them, and a breach occurred because the network or device wasn’t protected? Very seldom do we check back in with the end user on how the product is functioning.
If it’s easy to use, is it stable and functional in multiple environments 3 to 12 months after the initial install? The people involved in these conversations are important: a discussion between two IT professionals is going to have different content and tone than the conversation between an IT pro and a mental health counselor in a clinic.
The counselor’s perspective is all about the ability to engage and communicate with the patient and then chart the interaction for records and billing. Ideally the security measures don’t hinder that workflow. But if they do, it’s the responsibility of the security professional to understand and mitigate it so that the counselor can do their best work, keep patient records confidential, submit sessions for billing and so on.
The best security measures do no good if the counselor works around them to do their job effectively and efficiently. At that point the security measures may be technically proficient or even excellent, but practically worthless.
In our workplaces, with our customers, and with our friends and family, we need to focus on what end users say about security products, why they are or aren't being used appropriately, and what we can do as professionals to ensure compliance.
It is up to us to implement products, procedures, processes & policies that enable end users to do their best work while saving them (and their networks) from themselves.
We must advocate that these conversations happen in the pre-sales engineering phase; folks that listen to the end user and translate their needs to the technical team and vice versa are critical for successfully securing a network or entity. This work must be built into the price and time allocated for the follow-up, documentation, then changes.
We must advocate to our sales team, our project manager, our marketing department that this work is as important as the initial sale.