Focusing on the customer sits at the center of every management model out there, but design thinking takes it one step further. It places the user at the center of the solution. It considers their “hard” technical and functional needs, but it also considers the user’s “soft” behaviors, beliefs and emotions. Finally, it thinks about how they will deploy their solution in their unique real-world work context and not in a best-case environment where everything goes right and where they could perfectly implement a complex solution.
This design thinking principle fits naturally into information security. After all, nearly 90% of breaches are caused by negligent user behavior. Design thinking tells us to seamlessly blend cybersecurity controls into a user’s environment and to pay particular attention to smoothing out any complications or personal considerations that might complicate adherence. It takes these concerns seriously and designs a solution that corrects them, instead of wishing users would just follow technically perfect security controls that never survive contact with the real world.
As information security professionals, we tend to deploy an analytical problem-solving model. We define the technical problem, break out the technical ramifications and then devise a technical solution to solve that problem. This is a powerful, and necessary, approach to information security. We need to “firefight” and put out the crisis of the day. We need to quickly develop and deploy new products and security measures. This approach creates its own problems, though -- namely a constant state of reactivity and a pipeline of one-off products and programs that add up to an unmanageable jigsaw puzzle where no piece fits perfectly with any other.
Design thinking encourages us to think beyond the crisis of the day. It helps us develop long-term end goals for our security actions and a long-term roadmap to reach that state. It tells us to develop thoughtful solutions that add up to an integrated whole, where each product and program works in harmony with all others.
Don’t mistake developing a long-term vision for taking years to develop and roll out solutions. Design thinking teaches how to act small and fast. To build small prototypes. To refine what’s working. To break what isn’t. To embrace experimentation to prove (or disprove) ideas quickly and to constantly adjust to user feedback. Design thinking asks you to think long-term, but to then focus on quickly building small steps to reach that goal.
This principle also fits nicely into information security. In risk management, there's already an iterative cycle — PDCA (Plan Do Check Act). This model is built on many rigid assumptions. Design thinking replaces it with a more flexible model: IPTR.
IPTR gets you to PDCA, but with the confidence born from first proving your solution in the real world with real humans.
Design thinking comes down to one central idea: Build solutions that users will actually use. Imagine a security posture held firm by natural adoption and not by rule enforcement. If that scenario looks favorable to you, then you are ready to apply design thinking to information security.