Share article
01
Cybersecurity efforts frequently don’t take end-user experience into account.
A good start for security UX:
More than half of cybersecurity professionals (57%) say their company’s security user experience (UX) is “very good” or “excellent.”
But still a low priority:
Yet just 13% of security professionals we surveyed say UX for end users is a mission-critical priority when adopting cybersecurity tech interventions.
Is it really possible to have a high-performing security UX when an organization doesn’t highly prioritize it?
When companies disregard security UX — expecting employees to use unwieldy tools — it can lead to unsafe workarounds.
1 in 2 office workers say they use personal devices to log into work networks and software — and within that group, 32% say their employers don’t know they’re doing this.
Why the risky behavior? In large part, people don’t choose unapproved devices and software to cause problems; they use them because they’re easier to use and more reliable. And because sometimes they have no other option.
Companies should take steps to understand their employees’ workplace behaviors — good and bad — and design experiences that minimize friction, frustration … and risky behaviors.
Security UX is about designing actions and workflows that blend in seamlessly with the way employees prefer to work, enabling them to make and execute decisions efficiently. It’s a balancing act: enacting robust oversight and controls to protect the organization, while ensuring these interventions do not create unnecessary obstacles and slowdowns.
Dr. Srinivas Mukkamala
Chief Product Officer, Ivanti
02
The downside risk of poor security hygiene — unsafe workarounds, unapproved devices, etc. — is about to get a lot worse with the skyrocketing use of gen AI.
Adoption of AI-driven tech is exploding. The proportion of global knowledge workers who use generative AI nearly doubled over 6 months in 2024 to reach 75%, according to Microsoft’s 2024 Work Trend Index.
Yet, most companies are not moving quickly enough to lower AI risk.
81%of office workers report they have not been trained to use generative AI. |
32%of security and IT professionals have no documented strategy in place to address generative AI risks. |
When employees have unfettered access to gen AI tools and other advanced technologies, the downside risks can be massive:
Ivanti’s research shows that among office workers using gen AI at work, 15% are using unsanctioned tools — a number we expect will rise. All of these are “unforced errors” — employee missteps that can be minimized with proper training, oversight and a well-designed technology stack.
03
Employees want to work anywhere, anytime. Many companies are still not providing the tools and processes that make Everywhere Work productive and secure.
Everywhere Work is not a temporary state. Even companies that are rolling back remote working policies must equip employees with technology and workflows that keep them engaged, productive and safe — no matter where work takes place.
In Ivanti’s year-over-year studies, we are noticing a shift in leadership’s perception of remote work, with more and more leaders wanting their employees back in the office.
60% of executive leaders in 2024 believe employees need to be in the office to be productive, compared to 44% last year.
Even if employers are pressuring employees back to the office, it does not mean remote working is no longer a priority or concern.
Your in-office employees may bring work devices home in the evening, take conference calls on the road, or sign in to work apps on their personal phones. Whether half of your employees work remotely or just a small fraction do, there is still a profound need to ensure that the company supports all the ways employees work — even moments that fall outside the bounds of a traditional work day.
Kristen Kamp
SVP, Global Human Resources, Ivanti
04
Security leaders are often not consulted about investments in digital employee experience (DEX).
Just 38% of companies consult the CISO for input on DEX strategy, investments and planning. This is despite the fact that DEX tools can make significant contributions to security.
DEX tools can automate security interventions proactively, without interrupting employees’ daily work patterns. For example, companies can scan for device noncompliance and automate fixes to routine cyberhygiene issues — all without requiring any effort or intervention from end users.
Employees are unlikely to follow through on security practices that are cumbersome, confusing or inefficient. Investing in the right tools can close the gap.
DEX-informed security minimizes the need for employees to change their typical behaviors at work. Ivanti’s research shows, 96% of leaders and 93% of security professionals say that prioritizing digital employee experience has a positive impact on an organization’s cybersecurity efforts.
Currently, most security professionals (89%) say they have invested in the right security-related UEM tools to automate security practices. What’s needed in addition to tools may be a mindset shift.
CISOs need to be a part of delivering a stellar experience – and we are beginning to see modern CISOs take DEX very seriously. Security is much more than the aggregation of tools and processes. It is a team sport. That’s a massive cultural and mindset shift.
Dr. Srinivas Mukkamala
Chief Product Officer, Ivanti
05
Many CISOs are so focused on security that they overlook the user experience — deploying overly complex authentication processes, highly restrictive access controls or other user-unfriendly options. And when employees encounter tech friction or feel frustrated with the tools they are asked to use, they will find a workaround.
CISOs need to take time to understand employees’ work habits, workflows and preferred tools — before companies invest in new security tech. That way, new investments in security tools and interventions will more closely align with how employees prefer to work. Ultimately, good UX reinforces good security.
To avoid potential security risks when using generative AI, employees need to be trained appropriately, not only on the tools, but on what type of data is appropriate to use within that tool. They need to understand both the tool itself and where the data will be stored and utilized.
First and foremost, organizations need to determine which AI tools they're going to permit their employees to use. Second, establish guidelines and policies around what type of data can be imported into those tools and used within those tools. Sensitive company, customer or even personal employee data should not be entered into an AI tool that isn't controlled by the company. Storing data outside of the organization's boundaries can lead to various problems, including data breaches and violations of regulatory requirements.
The best security interaction is no security interaction. Ideally, you want to limit user interactions and user involvement with cybersecurity tools. What happens when people start bypassing security controls and tools is that they create unintended consequences and risks for the business. Don't ask the user, “Do you want to update?” Instead, build in automation and deploy updates proactively and automatically in the background. That’s a simple example, but a model for how security should be inbuilt — and to some degree, invisible — within daily workflows.
You don’t need humans to be taskmasters. And that’s really when you look at gen AI and modern automation tools. The number one thing they’re trying to solve is limiting human triage, limiting human interaction, limiting humans having to get involved in the mundane tasks.
Hybrid work and Everywhere Work are a fact of life today. How do we make sure we are protecting our assets — no matter where employees work? Security has to go beyond your perimeter to the edge. That’s where you see a rise in technologies like SASE and zero trust. We don’t have the luxury of protecting just within four office walls or even defining a perimeter. Today, the perimeter is your browser. The perimeter is the user who’s using workplace devices, wherever those may be. Think of it as a perimeter-less network: you can’t trust anything. It’s a big paradigm shift.
CISOs really need to proactively understand how their security initiatives and policies are impacting business productivity and employee engagement. Ensuring security leaders have access to digital employee experience (DEX) information helps CISOs be more proactive about how they decide and implement security policies — rather than needing to adjust after the fact if users are experiencing friction or circumventing the security methods.
Configuration changes are one of the leading drivers of technology change within organizations — required, of course, by the need to respond to the evolving threat landscape. Unfortunately, change is a major drag on user productivity.
It’s critical for CISOs and other security leaders to be involved in DEX strategy for a number of reasons, including:
This report is based in part on three surveys conducted by Ivanti in late 2023 and 2024: 2024 Everywhere Work Report: Empowering Flexible Work, 2024 State of Cybersecurity: Inflection Point, and 2024 Digital Employee Experience Report: A CIO Call to Action. In total, these three studies surveyed over 20,000 unique executive leaders, IT professionals, security professionals and office workers around the globe.
Get key findings and survey results, including charts and graphs, in a presentation-ready format
