Successful Cybersecurity Solutions Engineering Means Focusing on the People, Processes, and Tech

Blog | Posted: 15-04-2024
Row curve

During my time at University, I did a product design course where we were tasked with developing an application and building a business model with it. One phrase that was drilled into us during the design phase was ‘easy to use’. An app that is easy to use helps drive user adoption and customer retention. A prime example of this is Amazon.co.uk – it is very simple to find what you are looking for and everything can be purchased within one click; this is one of the main reasons Amazon.co.uk is the biggest e-commerce site on the planet. The mentality being used here is ‘design things in a way that makes people want to use them’. 

But this blog is about internal IT, so why am I wasting my word count on explaining how to design a good UX for an e-commerce website? Because, when we start to view the internal IT network as the product we create for internal users, we start to see the issue. Internal systems are not created with the mentality of ‘design in a way that makes people want to use it’, but rather, because of external pressures, it turns into a tick box exercise and UX falls to the bottom of the priority list.

But when you place yourself in the shoes of an IT manager, given the task to improve the internal systems and processes, it doesn’t take you long to become sympathetic with their situation. So, let’s walk through, at a high level, the situation they are faced with when it comes to building their tech stack.  

You begin the year, after hearing all about the weird and wonderful ways your organisation could be breached, with a plan of attack. You walk into your board meeting and give a brilliant presentation on all the threats your organisation faces, and why you need more budget to protect those assets. However, when you see the budget for the year, it is not the amount you needed to execute your plan, but this is something you expected. The cost-of-living crisis is affecting everyone, and you are not the only head of department being delivered a tighter budget. This just means you will have to be more creative with your spending, take more time designing the architecture, and pick the tech vendor accordingly.  

Then you talk to your compliance guy, and the frameworks are changing and so you will need to adjust your current architecture and adopt newer strategies. You will need to act fast to make these changes to ensure you keep the certificate of compliance, because without them your business can’t work within the supply chain, and you’ll lose money.  

So where does this leave you? With a load of new regs you must meet, in a short timeframe, and a budget that will not stretch. As a result, when you’re trying to solve the problem, you will naturally fall into a tunnel vison mindset, looking to resolve the issue you are facing now and viewing any forthcoming obstructions as a problem for later. 

This method of solution engineering has been around for a few years, and, while this worked in the early days, the negative effects of this are now being seen. Regulations are changing and processes must be evolved at a rapid rate and organisations are struggling to achieve them (this is mainly driven by the cultural changes enforced by Covid-19, but there are plenty of articles on this, so I won’t dwell on it). Rigid architecture, outdated solution design, and a fear of how users will adapt are all blockers when it comes to adopting the latest and greatest technology on the market.  

There is no other topic of conversation in which this is more evident than the identity conversation. Stronger forms of MFA (Multi-Factor Authentication), IGA (Identity Governance & Administration), automation of the joiners-movers-leavers (JML) process, and the protection of privileged apps and accounts are all hot topics right now. These elements, if implemented correctly, can add to company’s cybersecurity levels and significantly improve UX, however, rarely is this the case. Often, MFA is implemented to solve an immediate issue, without looking at the bigger problem of ‘too many apps’ and a ‘complicated management process’. IGA and PAM (Privileged Access Management) are set up without looking at the poor password policies and hygiene that is ripe within the majority of organisations. Automation of the JML process (mentioned above) is achieved, simply automating a process that was bad when it was manual and now horrible when a machine runs it.  

This is why we created the Distology “Identity Sidekick” service. We have everything organisations need to create the best identity solution, fitting within their budget and ticking all possible requirements. The process is very simple through a well-rounded consultation and designing process, where the situation is assessed, and any underlying problems are discovered. From here, our expert architects will create a solution to solve the issues discovered, with technologies that fit the budget and refined processes that can be automated. The goal everytime is to create an architecture that addresses the issues of today and allows for evolution and scale of the future.     

Want to find out more about Distology’s Identity Sidekick service? Download our one pager here.