The Tradeoff Between Security and Usability
Transcript
Dave Cole:
Andrew, welcome to plain talk.
Andrew Peterson:
Thanks for having me, Dave.
Dave Cole:
We're going to have a conversation today that started in Seattle, Andrew's new home after he abandoned me in Los Angeles. I got no hard feelings, man.
Andrew Peterson:
I'm coming back!
Dave Cole:
Awesome. Well, we're counting on it, but until then I'll continue to go up to you. I love Seattle, but we're going to kind of take everyone inside a conversation, continue a conversation we had, seemingly years ago, but I'm pretty sure it was just weeks, in Seattle, over lunch, around usability and security and the kind of instigating comment and events all come back to Twitter and two factor authentication. So with that lead in, I'll hand over [inaudible 00:00:50] to you.
Andrew Peterson:
Yeah. So what we were talking about, Bob Lord, who's the CISO, I think now former CISO of the DNC. Had this comment on Twitter, about Twitter, being complimentary to the fact that they were, transparent about reporting their two-factor authentication adoption. And I basically wrote back down well, why are you excited about this? And he was encouraging other companies to do this stuff. Because I was like, why would you encourage that? And why are you excited about it? Because my sort of point of view on this is, the numbers they shared, And by the way, the numbers that they shared are, I think it's around two and a half percent of users at Twitter actually adopt that two factor authentication. Which in some ways is surprising because of how many problems that they have with account take over, in other ways, not terribly surprising because I think we all know if something's opt in feature, people use it. If it's an opt-out feature, people don't use it. I'm sorry, if it's an opt out feature, they use it. If it's an opt-in feature they don't use it.
Andrew Peterson:
And so, Bob's point back was I think if we make these things transparent, then it will create, clarity around the disconnect between the attempts to solve these problems, which things like two-factor authentication are trying to do around account takeover. And the reality of what's actually happening, even though these features are there. And this is, I think there's a bunch of, sort of layers of this that I find interesting. And that I think you and I had an interesting conversation about, but I think at least one of them was [00:02:37]. There's a real disconnect, I think sometimes with the security community of saying, hey, these are clearly easy solutions that we can all implement and why aren't more people doing these things. And then there's the business side and you made points around well, it's probably not that surprising that they haven't sort of mandated this for all users to adopt this because I'm sure they've tested it. And I'll let you sort of take it from there in terms of those pieces.
Dave Cole:
I mean, it's fascinating. I did consumer products for five years at Norton. You've dabbled in that too, given your time at Etsy and so forth. And so you put yourself in the shoes of Twitter here and you look at it. So you basically want to put an obstacle in front of a whole bunch of your customers, who are going to have problems with logins. So you're going to spike your help desk calls for a period of time. Some people are going to give up and abandon, very few. But there's going to be people who log in less because you inconvenience them in a way where they probably don't even fully ascertain the value of why they were inconvenienced. What does all that mean? Less ad views. What does that mean? Less revenue.
Andrew Peterson:
Less dollars.
Dave Cole:
So basically. Yeah. So, in Twitter shoes, you're looking at it.
Dave Cole:
So you want us take a big revenue hit for real security value, but how much of it relative to the very well known revenue hit? Screw that noise. And I remember, at a period of time, I was responsible for a toolbar business. We had inside the Northern products and toolbar, God bless their souls. Maybe they still do. And it was very interesting to see how even seemingly incredibly small changes could either spike revenue, based on user behavioral and lost hundreds of millions of people, or could, tank revenue based upon something innocuous. So you look at this with Twitter's lens. This is not innocuous. This is clear, pain that I'm taking on for value that can't be easily quantified. So you look at through their shoes and yeah I can see why you wouldn't do this on the reverse.
Dave Cole:
You're asking to consumer, a person, who ranges wildly in terms of risk aversion and capabilities. And you're saying, listen, here's what I need you to do, I need you to be more inconvenienced every time you want to use Twitter, for the chance that something bad might happen. And they say, "let me get this straight. Every time I log in, this is going to be more annoying on the chance that something bad might happen?" So I have certain annoyance versus potential badness. This ain't hard math. I'm going to roll the dice, throw that dice baby. And I think that's what this comes down to is on both sides. On the business side, you're asking them to make a terrible trade off.
Andrew Peterson:
Yes.
Dave Cole:
And on the user's side, you're asking them to make a decision that they can't really make out of their own best interest. Or if they do, they're going to make it on the side of rolling the dice every time.
Andrew Peterson:
They really can't, the third side of this is the security team. Right? I think you and I can both clearly empathize with the position that they're in because they're trying to solve some of these problems that feel almost impossible. But then they're sitting there being if I have two factor out, I know I'm actually way better, in a way better position and more safe than, 95%, 99% of the rest of the users that are out there. And yet I explain this to a lot of people. Look different passwords, two factor auth. Those are kind of two building blocks of what you have to do as a consumer [inaudible 00:06:17] to just protect yourself. And, I've tried to get my wife on this stuff.
Andrew Peterson:
I've tried to get my parents on. There's sort of a list of people that you have in your life that are really important that you want to get on these things. And if it's hard for me, founders, CEO of a company working in security to get my closest family members onto this, who are enlightened, motivated, care about technology. I think it's really hard for anybody in the industry to assume that the adoption rates for any of these types of technologies would be higher than they are on Twitter today. And honestly, even, let's call it two and a half percent, even at two and half percent, I'm actually kind of impressed it's at that rate, right? Given the effort that I've gone to, to try to get people onto these things. Now I think the other piece of this that's sort of interesting is I've had people that have had their Twitter accounts hacked.
Andrew Peterson:
And of course, the moment that that happens, all of the potential risk becomes very real. And then people become actually much more motivated and they say, okay, great. Like now it's actually time for me to learn about these features, because most of the time they don't even know about two factor auth or different types of they might have heard about it. They might have seen it in the preferences, but they don't, take this stuff seriously, but it really is a solution.
Andrew Peterson:
And then we're just kind of back in the same, in the same world where it's like, okay, well, whether it's consumers or it's organizations or anybody, you don't get serious about this stuff until after the earthquake happens and then you get your earthquake insurance. And we're back to, kind of the same chicken of the eggs thing, which is, well, how do we actually fix this? How do we fix that problem? That's an inherent problem to me. Right?
Dave Cole:
So I, as an internal optimist and I am, I consider myself an optimist as most entrepreneurs are.
Andrew Peterson:
Hey, there's one, we got one in security people. We have one internal optimist that works in the security industry. I'm glad we got one, Dave.
Dave Cole:
Yeah, yes, yes. Well, here's, here's who I look at it, these trade offs. So we've always talked about the trade off between security and usability and it's real. But having said that, part of the reason why I'm still building products after 20 years, is it's an incredibly cool time to be building products because I feel like increasingly the choice between security and usability is a sucker's choice. I do. And I think we say, "oh, well, if the security's better than the usability has to be worse." I don't know about that. Look at what Duo did, high five to Jono and Doug and the people at Duo. All of a sudden, we got a great authentication experience that was multifactor. And I think a lot of the stuff that's happening in our space with, the way that CSPM products deploy, we borrowed that for Open Raven, because it was awesome to be able to say, look, you can connect the accounts, you connect your org, you don't have to deploy anything.
Dave Cole:
And we're going to do all the analysis through Lambda, which you pay for by the millisecond. It doesn't require anything permanent, no agents, nothing. And I think we're at a time, and those are just two examples. Right? And I remember you guys, I'll never forget. I was sitting, in the before times in 2019 at RSA, I was sitting in a room full of people. Oh, the horror, none with mask on. And, I remember a gentleman from PayPal came up and gave you guys crazy props at Signal Sciences. Not because the protection was so amazing, but because you guys deployed so fast, and it was so easy. And I think we're really in kind of an age of wonder for building products where this sucker's choice of security, usability.
Dave Cole:
I actually think it's a failure of the imagination and of effort and design power, not to challenge that, and come up with stuff that's vastly better before because we have way better tools than ever before. And candidly, there's a lot of crap we don't have to do in product land anymore because we get it through open source. We get it through cloud service providers and managed services. Where should be putting that energy? We should be doing it in breaking painful paradigms like the security and usability paradox.
Andrew Peterson:
Yep. When we started Signal Sciences, we came out of a company called Etsy before Etsy's a consumer brand. And so a lot of the features, the feature work that we did on that side, it was part of it was internal, but part of it was external. We launched two factor auth. We launched a bunch of different sort of security features specifically for users. And so we actually went, we kind of went through Twitter's same thing. We tried some of these things by defaulting, and saw how it impacted the business, but also saw that, we still felt we had a responsibility to get those features out there to help protect and try to educate our users, to try to make sure that they were actually doing the best thing that they could possibly do for the usability that they were willing to deal with.
Andrew Peterson:
Right, and that ends up being sort of a personal choice for the consumer. Now, I'll give you my sort of optimistic and my pessimistic view at the same time of these things. The optimistic view, I totally fall in line with you, which is it's easier to produce products more than ever. I think that the types of security companies that are coming out now are really focused on usability. They understand that's a really important part of how to drive adoption. Perfect solution actually is, and I've been making this argument for a long time, is a premium solution actually should be really easy, also. And I think there's a lot of times a consumer would say, "oh, if it's easy, it's, or if it's simple, then that means that it's not terribly effective."
Andrew Peterson:
And actually simple and effective can actually coexist. You can have those things together. Right? Which is a very powerful concept that I think we're really just being able to get into now with, really just modern development and modern tool development plus a focus on understanding how much of an impact security issues can actually have on the bottom line and the top line for businesses right. Now the flip side to me, and we've also been very inspired by Duo seeing how they took something that was quite clunky and mundane in the sort of two-factor space, and actually made it very easy to use. And just sort of, it felt seamless compared to the previous solutions that were out there. And I'm sort of thinking about, okay, well, I talk a lot about the enemy of perfect is good. Right? Or I'm sorry, the enemy of good is perfect.
Andrew Peterson:
And I'm wondering, and you're sitting here sort of thinking about, okay, well, if we come back to that two factor authentication, two and a half percent number from Twitter, if they go from two and a half percent to 5%, that would be a huge win from just a pure numbers perspective. But does that actually make a big dent in the actual core underlying problem of account takeover or not?
Andrew Peterson:
Right. And so it's, we can make these things incrementally better, but there may be just some areas and maybe two factor is one of those areas where it's just, it needs a rethink. And I know there's tons of smarter people and tons of companies that have been thinking about how to make authentication better. But, I think we still have a long way to go in some ways.
Dave Cole:
Without a doubt. And, it's funny, the rants not funny, haha. But it's an unusual kind of trend with security so much in that headlines with ransomware, and everything else that's going on. It creates these opportunities where it's more top of mind for people than ever before. And they're consciously thinking about it and the more open to it. And I think, and I know, in security we need to be opportunistic, right?
Dave Cole:
There's an old saying never let a good crisis go to waste. I think that was an Obama thing. It's as a security community, we need to be thoughtfully opportunistic about these moments when consciousness is heightened, not to sell people more stuff. But to help them make better decisions to help mom, dad, loved ones and so forth to make better decisions. Hey, I know you read this, would you like to do something about it instead of just being concerned? Great. Let's get you set off on one password or whatever. It's awesome.You're good. You don't to any be more than that. That's going to work. I think we can use those moments to get wins, but we have to care about it. We have to care about it deeply.
Andrew Peterson:
So, you've worked in products and design on security products for your whole career, essentially, Right? And you started Open Raven relatively recently compared to your tenure in the space. How does that manifest itself into how you guys think about building product, how your team builds product and, and how you're trying to address some of these very practical issues around design and usability to making things, just make it let's make it simple. Right? How do you think about it? I'm just curious, given your background in the space.
Dave Cole:
Yeah. So first of all, I'll end up that, at any point in time there's 17 things in our product that I hate. So
Andrew Peterson:
Any good product person, Mr. [crosstalk 00:16:10] Eternal optimist, I understand, until it's your own product.
Dave Cole:
Yeah. There's still that punitive side and demanding side.
Andrew Peterson:
Correct.
Dave Cole:
It's, oh God, it works like that. How fast can we fix this? Can we make that [inaudible 00:16:23] sucks? No. I think for us [crosstalk 00:16:25]
Andrew Peterson:
Apologies to all of Dave and my team, because we've been in this position of of being very critical on the team.
Dave Cole:
Yeah. It's just, like I said, it's [crosstalk 00:16:36]
Andrew Peterson:
By nature. Yep.
Dave Cole:
It's by nature. Right. And, but there's some things that are amazing. Our interactive map, I am so proud of, we've done great work with so many people and there's a bunch of things. Every time we nailed the design it's a feeling like none other, and it takes time to get design right. Especially, in an early category where you're trying to work out the right use cases and flows and so forth. So the first thing we did is our very first hire was our creative director, who is now head of CX, Brady Boyle. And, so getting the brand right and having the brand play out inside the user experience. We also contracted and hired in UX early. But having said that, Mark, my co-founder, spent a lot of time using the product and I spent a lot of time in the product as well.
Dave Cole:
So again, part of this is just caring deeply about how the product looks, about how the whole customer experience looks and feels. And, I think that goes a long way. Some of it is in the SDLC is how you build products. And it's kind of funny, there's little things like making sure that the design person is coupled with a front end engineer and a backend engineer, where they're working on a project so that they actually work out a lot of the issues together. They're not just throwing stuff over the wall.
Dave Cole:
And then, at the end of the day, you look at it, you're like, what the hell is this? So there's that, there's bringing customers in and showing them wire frames and working through with them. So a lot of it is, people think it's all Jony Ives and the Apple. It's actually a lot more Demi, it's a lot more processed to a degree.
Dave Cole:
Also, some of it comes down to willingness to take pains with cost of good soul too. Are you willing to make your product more expensive to develop, to deliver something that's awesome?
Dave Cole:
We recently licensed Splunk. Something we did at Crowdstrike as well. Why did we do that? I didn't want anyone having to learn anything new. Like, you know, KQL for Kibana, which we had. I'd rather have them just using SPL. Which is very familiar to most security people in many cloud people, which they can do now since we licensed that and the ability to interact with dashboards and things in a way that's the delightful and familiar. When you're a young company, you want to move all those barriers out the way and make that super easy. So, it's kind of a holistic mindset. We've made mistakes, other folks who made mistakes, but if you had the mentality, I think you end up in a great place over time.
Andrew Peterson:
I think that's right, though. And I think that's honestly, I've talked to your team about this and actually I've talked to our teams about this a long time, which is just, a lot of these things come down to focus and motivation. And it's not about having the best designer or, although I'm sure your design team is fantastic, but it's more about prioritizing it into the flow of what you're doing, and making sure that your team is structured, like you said, your team is structured correctly and then your process is structured around making sure that's a priority. And it sounds simple, but it's really kind of blocking and tackling and discipline around making sure that, that's part of the process.
Andrew Peterson:
Again, sounds simple, but I think it can be a really, really big differentiator. And we knew it was a differentiator when Gartner told us that that was a different. The Gartner analyst that we have in the space. I think the exact quote was "when customers see your interface, you already won." And I was feeling, like wow.
Dave Cole:
How good was that?
Andrew Peterson:
I mean, if you're hearing that back from, from any analyst, let alone from the Gartner folks, I was like, all right, then that, that must be a competitive advantage for our team. Right. And for our product.
Dave Cole:
I'm going to go out in a limb and say that it wasn't any one breakthrough moment that you all had, but it was a commitment and an empathy and a care you had with it. And you just got better, with constant iterations and so forth. And you as the founders had to care about it. And that's really what it takes.
Andrew Peterson:
Our first hire was a design intern also, in the company. And she ended up coming and staying with us for a long time. But that wasn't by accident, right?
Dave Cole:
Yeah.
Andrew Peterson:
At all. And we knew that was going to be an important part of how people, and here's the thing, it's not that it's just a competitive advantage for being able to win a deal or something against your competitor. It's a competitive advantage for the security teams because it makes their job easier to actually perform the stuff that they're trying to perform. And so we heard this a bunch from folks and this guy, you sort of mentioned on this, which is it about a cost of sale thing, or I'm sorry, a cost of operation of the technology. And we have people be like, what do you mean I don't have to hire a full-time person to run your technology.
Andrew Peterson:
And I was like, well, what do you mean? What do you mean? You don't need that, right? You don't need a team of people knowing, well, every other piece of technology that we bought in your space is required. We've at least needed three people, four people to, to run and maintain it, to get the right output from it. And we said, well, that's not the case. And they're like, well, we then assume that it's not as good as the other technology that we had. And we're like, well, we're willing to put our money where our mouth is.
Andrew Peterson:
And we had so many of those customers come back a year, two years later. And they were like, you weren't full of it. You were actually, you were right. And this is a game changing thing for our team, because we got to put those same people onto the same headcount that we actually had within the organization, which we all know in the entire industry is so thin across these companies. And we got to put them onto harder problems, that we couldn't solve a technology.
Dave Cole:
A hundred percent. I mean, when we talk about the cybersecurity staffing shortage, which is real, and it is a huge problem, people always talk about automation, managed services, which are important. We talk about training programs, and recruiting more diverse people, and more people in general into the space, which is critical. The thing that so often doesn't get talked about is building better products that are easier to use that require less people. We've got to do that as well if we're going to get past the critical shortage we have. It's paramount. So.
Andrew Peterson:
And that just to finish, this comes back to, I think that the thing that you brought up before, which is a focus on usability and a focus on that being of value of what it is that we're trying to do, and trying to make this stuff just easier for people to use in the first place. I'm really excited about the fact that there's so much more focus on automation and basically trying to use the new software tools and skills that we have, to be able to automate people out of having to work on things that honestly we can actually use computers to be able to do. And it's not automating them out of a job, right. It's actually automating them into another job. That's more important than it requires more human skill to be able to do.
Dave Cole:
It's eliminating toil so that they can do the task that actually they want to do. And they should be doing with their big, bad neocortex and frontal lobe. So, yeah.
Andrew Peterson:
Yep.
Dave Cole:
Awesome. This was so much fun. Thanks for being on, Andrew.
Andrew Peterson:
Thanks for having me, any time, Dave.
