For years, security programs have been about how to stop people from doing what they want to do. On top of that, we force users to take boring computer-based training, subject them to impossible password requirements, and punish them when they click on a bad link. It's time to rethink the security user experience In this talk, Grant Sewell will walk through some of the worst user experiences we create in our security programs, and provide some examples on how to fix them. Creating a positive security culture requires understanding your business and employees, treating them with dignity, and thinking with a mentality that puts the user first.

1. Get Out of Your Own Way
Building a
User-First Security Program

2. Grant Sewell
Columbus, OH
Head of Global Security
The Scotts Miracle-Gro Company
@grantsewell
grant.sewell@scotts.com
2

3. Disclaimer
These are my opinions.
You might not agree.
That’s okay.
We can talk about it over a beer.

4. A Brief Introduction
Security is a mean game for mean people.

5. Humans are the Weakest Link
in Cyber Security.
5
- Every Security Practitioner Ever
(and that game show host)

6. THIS
IS BADWe’re better than that.
6

7. We
Need
Balance
Security
Risk Culture
7

8. Do you
know your
Business?
8

9. Can you explain your
business?
9
In two sentences or less.

10. Know the rules of
the game.
10

11. Do you know what
security costs you?
11

12. All-Time, Top 5
WORST
Security User
Experiences

13. 1. Computer-Based Training
▪ It’s soooooo boring
▪ Ineffective
▪ Expensive and hard to manage
CBT is most effective when it’s well thought out… but it
usually isn’t.
13

14. 2. Passwords
▪ Too Complex
▪ Change Too Often
▪ Too many of them
In a world of technology, using a Post-It note might actually
be more secure.
14

15. 3. Remote Access VPN
▪ Complex
▪ More Authentication
▪ How’s that segmentation working?
Bad remote access strategies lead to data loss.
15

16. ▪ HR is making us the bad guy again…
▪ Poorly designed
▪ Invites shadow IT and circumvention
Nobody likes getting pulled over for speeding,
don’t be the traffic cop
4. Web Filtering
16

17. 5. “Managed” Phishing
▪ Intimidates People
▪ It doesn’t help
▪ Hurts productivity
There’s no better way to disengage a user than making
them feel stupid.
17

18. Why is User Experience
Important?
Adoption
Equipping users with the
right tools for the right
job increases efficiency
Transparency
Building trust with your
users to gain better
visibility
Security
A better experience for
the user reduces
circumvention of controls
18

19. How Do We Do
Better?
Training
▪ Engagement
▪ Talk to people
▪ Make it Fun/Relevant
Passwords
▪ End Complexity
▪ Reduce Change Frequency
▪ Use Breach Lists/Dictionaries
Remote Access
▪ Know your apps
▪ Know how people work
▪ Make it seamless
Web Filtering
▪ Don’t block so much
▪ Design a decent block page
▪ Brand yourself better
Phishing
▪ Focus on awareness
▪ Get Better Tools
▪ Use Rewards
19
And above all…

20. STOP
BLAMING
THE USERThis is supposed to be fun.
20

21. The result?
Unprecedented
Visibility
21

22. THANK YOU
Grant Sewell
Columbus, OH
Head of Global Security
The Scotts Miracle-Gro Company
@grantsewell
grant.sewell@scotts.com
22