Redesigning the Security Narrative
When I joined Duo’s creative team back in 2017 as a junior designer, I recall the dim panic of feeling completely out of my element and fearing that I would end up getting the boot once my colleagues realized I had no idea what I was doing. A more technical phrase for that is probably “imposter syndrome.” Luckily, it would pass. A couple of months into the job proved that all I needed was some patience, to practice active listening, stop being afraid to ask “dumb” questions, and most of all, relax and have fun.
As I immersed myself in foreign concepts around the information security industry, marketing, and business practices at scale, I grew to appreciate not just the technology we were building at Duo, but the people who built it, the diverse audiences that we addressed, and the unique problems-to-solve around security at large. My new role as a designer became less daunting and more of an exciting challenge in storytelling. But where to begin?
Defining “storytelling” in an InfoSec context
“Storytelling” is a word that you will hear frequently within Duo’s creative team — now part of a Brand & Strategy unit for Cisco’s rebranded security organization Cisco Secure. As with other terms within the security industry, “storytelling” on its own can become a bit of a buzzword. What does it really mean? Do we need a more passionate sales pitch? Do the marketing materials need to “pop” more? Should we host flashy improv sessions at our booths during technology conferences? What is the intrinsic purpose of “storytelling” in the context of security, and how could it help solve the myriad problems and complexities facing the industry?
“Stories help solidify abstract concepts and simplify complex messages. Taking a lofty, non-tangible concept and relating it using concrete ideas is one of the biggest strengths of storytelling in business.” — Allie Decker, HubSpot
Several more months into the job at Duo, what I came to understand was the idea of storytelling from a business perspective. This was a way of strategically and authentically engaging the audiences that we needed to reach. This would involve building cohesive narratives around our company values; our users, customers, and employees; and the information security industry at large.
In the infosec landscape, this story-driven approach was somewhat unique to the Duo way of doing business. Rather than hanging our efforts solely on a product pitch, we built our story around our value differentiators and the real-world perspectives of customers, employees and industry experts. By doing this, we could effectively show — not just tell — our audiences who we were and how our solutions did what they said on the box.
But where did visual design fit into that storytelling strategy?
A new player has entered the game: The “security designer”
As I continued to learn more about being a designer for a security company, I came across an intriguing idea: reimagining information security through visual design and design thinking. Duo’s co-founder Dug Song spoke of security being “the biggest geopolitical issue of our time. …When governments can’t keep their secrets safe, what hope does anyone else have? We want to make sure we provide security that everyone can use.”
The implication of that perspective, at the time of learning it, was surprising to me. It meant that security had sociopolitical impact equivalent to some of the biggest issues at hand in the mainstream vocabulary, such as climate change and economics. But if security was a concept that influenced or even determined the nature of our privacy, autonomy, and independence, then why wasn’t it given a more considered and mainstream approach? Where was the attention to detail and image? The endeavor to develop a global standard-setting design system for security products? A broader initiative to support varying scales of modern IT expertise, or educate a public whose identities were becoming inextricably digital?
The broader problem-to-solve seemed to be how to convince the security industry of its need to embrace design as a key strategic tool.
“[At Duo], we wanted to redefine how we communicate across every interaction — not just in the experience of using our product, but in the experience of interacting with our company. All of this combined into a single mission: to democratize security and make it accessible and simple for everyone, not just those with unlimited resources.” — Peter Baker, Radical Simplicity: Creating an Authentic Security Brand from Within
Traditionally, visual design in the infosec industry has been more of a topical treatment often fulfilled through the ad hoc support of marketing and creative agencies. When present in-house, creative roles will almost always sit within a marketing structure, and there is generally little strategic collaboration between visual design and other organizational functions such as product marketing, sales, engineering, or product design.
One of Duo Security’s unique advantages was having a design thinking perspective at the strategic table early on during its inception. The idea was that towards the end of making security simple (but not simplistic), design thinking needed to be integral to building the brand narrative. This meant that future architects of that brand (content writers, web developers, videographers, designers, etc.) would ideally sit in-house, and not only be responsible for the stylistic direction of the brand but would additionally be encouraged to think like strategic contributors within the context of a security business.
For me, this newfound understanding meant taking a step back from what I originally believed a designer’s primary responsibility was — making things look aesthetically pleasing and supporting a client — and instead coming to embrace a more (buzzword incoming) holistic approach to design. Beyond the “pixel pushing,” my role for this company would span being a strategic creative partner, rather than ticket-taker, for my colleagues across teams. I needed to make an effort to understand and empathize with customer and business issues so that I could develop bespoke, rather than assumptive, creative solutions.
Why information security needs design thinking
The idea of design being an integral part of business strategy isn’t new. In 2006, Tim Brown, CEO and President of IDEO, wrote for Fast Company that “...design thinking is indisputably a catalyst for innovation productivity. …Where you innovate, how you innovate, and what you innovate are design problems. When you bring design thinking into that strategic discussion, you join a powerful tool with the purpose of the entire endeavor, which is to grow.”
Much earlier, in 1973, a heavily researched and detailed Design Necessity compendium was published with support from the National Endowment for the Arts. It was created to help encourage the application of design thinking practices and strategy to the complexity-challenged federal government.
“...Design [is] an instrument of organization, a medium for persuasion, a means of relating objects to people, a method for improving safety and efficiency, and way of coping with complexity.” — Diana Budds, Nixon, NASA, and How the Federal Government Got Design
One takeaway here is that design really isn’t merely the sum of its stylistic parts. Rather, it functions as a necessary problem-solving tool, invaluable for persuasion, communication, and community-building. By having modern design principles fundamentally built into a company’s strategic architecture, a cohesive brand vision, voice, and aesthetic can then be customized as needed to help encourage audience engagement, communicate effectively, and set overall expectations for everyone who engages with the business’ touchpoints.
But the question remained: what were the specific problems-to-solve for security? Though the security industry typically serves the B2B space, there is increasing nuance in the types of clientele served. Traditionally the realm of technologists, computer engineers and academics, information technology’s applications are no longer limited to their specific use cases. With the advent of open APIs, cloud-based applications, IoT (the Internet of Things), and the realities of being part of an exponentially growing remote workforce, security products begin to necessitate more considered, simplified interfaces and user experiences — on the admin side and the end user side — in order to facilitate implementation and adoption.
Another problem-to-solve is the issue of how to communicate the practical and philosophical value of security to its diverse audiences in a similarly nuanced way. Security and networking audiences have different but adjacent cultures, processes, needs and perspectives. Likewise, everyday end users such as students, employees, or friends and relatives have a different take on the immediate value of digital security. Both audiences are often inundated with product pitches laced with fear, uncertainty and doubt (often shorthanded as FUD) and with emotionally provocative marketing, and are potentially pliable to a variety of assumptions flavored by media clickbait.
With those realities in mind, how could design be used to introduce a solution, or at the very least, a new way of approaching problem solving in security?
Using design to set the tone
The values espoused by both design and computer technology are closer than they seem from a high level. Though separated by technical expertise, application and overall use case or context, they are both mediums that rely on constant iteration, collaboration, and close attention to context. Ultimately, both mediums are the vehicles for analog and digital experiences that attempt to deliver — at varying scales — enablement, productivity, and satisfaction.
Of being a designer, renowned industrial designer Charles Eames had this to say: “The role of the designer is that of a very good, thoughtful host anticipating the needs of his guests.” This was his philosophical approach to design and the act of being a designer. What is that first impression that someone has of a thing that’s been built? What is the mood or tone that the designer wishes the guest to have? What will the guest be expecting — and how do we build to meet that guest’s desires or expectations?
To return to the earlier inciting idea of design and storytelling strategy in the context of the security industry, let’s consider six “characters” that share architectural responsibilities for security’s narrative. What do they do, and what are their needs and perspectives? How might we build better experiences for them, and in doing so, tell a business story that puts them at the forefront?
A product designer works on the look and feel of a component. They are tasked with considering the most effective way to implement elements of a design system — graphics, images, shapes, typography. The design has to be executed in a way that is scalable to iterate on as the product develops, that is accessible across a broad array of touchpoints, and that won’t result in confusing user behaviors.
An engineer (specialty intentionally vague for the needs of this paragraph) is responsible for building the component with clean and effective language. Among many other things, they may seek to minimize bloated code, ensure that the architecture is built in a scalable, modern way, and help the final shipped experience be as frictionless as possible.
A security buyer is tasked with navigating a daunting gauntlet of offerings, and must separate the wheat from the chaff. What software suites are trusted and reputable? Easy to manage? Secure by design? Will the solution solve compliance issues, and help keep their infrastructure from costly audits? What will the solution cost to implement, and will it work at scale?
A security administrator is responsible for implementing the component, interpreting a CISO's policy requirements, configuring the component to implement any number of actions and policies, and effectively dealing with the support of and reactions from end users. With the support of simple, effective documentation and assorted educational materials supplied by the product’s vendor, the administrator’s life is made just a bit easier.
An end user (specialty also intentionally vague) needs to log in to their account or product interface. Ideally, thanks to a convergence of design intentionality from the beginning, all they deal with is an easy-to-navigate interface. They’ll be able to scan their options easily because the UI has been thoroughly tested and quality checked to ensure it meets a variety of accessibility requirements. They’ll be able to intuitively hook up an integration or third-party tool. They’ll also be able to painlessly put in a support ticket, with no long waits or communication issues. And they will feel like their feedback is being heard when they see detailed patch updates that confirm how the product is being continually iterated on with feedback they volunteered or submitted.
Out in the world, the product’s marketing effectively communicates the value and purpose of the product through customer-centric anecdotes, live demos or free trials, and the expertise of easily accessible sales representatives. The consistent public-facing experience with the brand cultivates a level of trust and enthusiasm that encourages audiences to explore further.
In the spirit of Charles Eames’ philosophy, empathy and design intentionality for our guests — or rather customers and users — should come together to present an excellent first impression. Not all their problems will be instantly solved — all things come with time. But the act of putting ourselves in our guests’ place, iterating on the experiences we build for them, and using design thinking, will be a strong step towards the security industry no longer being stifled by complexity, confusion, or legacy processes.
The necessity of redesigning security
I would never have expected that, nearly six years after those first few months with Duo’s creative team, I would find myself invested in something as seemingly far removed from the creative realm as security. What my work within this industry has revealed is that neither creativity nor the craft of design are binaries of geometry, color and abstract ideation. Rather they are natural problem-solving processes that can and should be applied to every possible function that will be engaged with by humanity. An early paragraph in the Design Necessity says it best:
“It should go without saying, but unfortunately doesn’t, that design is directed towards human beings. To design is to solve human problems by identifying them, examining alternate solutions to them, choosing and executing the best solution.” — The Design Necessity, pg. 8 - 9
As both a product and a feeling, security has an imperative to become accessible and achievable for the broader market. With concepts like remote work and data privacy here to stay, the need to provide frictionless, scalable security for every network, user, device and application is more critical than ever. One of the best ways that the industry can ensure that solutions are enduring and innovative is by consistently including design in the security architecture conversation. Security for our modern world should be built to be timeless, and a security narrative created without the inclusion of design runs an unacceptable risk of not standing the test of time.
For further reading
On marketing as storytelling: The Ultimate Guide to Storytelling
On design and the federal government: Nixon, NASA, and How the Federal Government Got Design
On design in the federal space: The Design Necessity
On the history behind NASA's branding: The ‘Meatball’ vs the ‘Worm’: How NASA Brands Space
On how Hewlett Packard and OpenIDEO challenged designers to visualize cybersecurity: Reimagining Visuals for Cybersecurity
On how users fit into the cybersecurity industry: We the People: Democratizing Security
On how Duo uses simplicity to create an authentic brand: Radical Simplicity: Creating an Authentic Security Brand From Within