
Frictionless Access: The next buzzword and why it matters


Over the past several years, terms like “passwordless,” “zero-trust,” and “digital transformation” have become popular as organizations look for new ways to approach security. The more jaded among us might dismiss the terms as buzzwords, but their prevalence means they are meaningful indicators of the industry’s focus.

Recently, another new term has entered the fray: “frictionless access.” As the world becomes digital, organizations want to ensure their employees can access the right systems and the right information at the right time, with as few barriers as possible. Of course, many of those barriers exist for a reason. Without log-in screens, multi-factor authentication (MFA), access requests, and other forms of “friction,” organizations would leave themselves open to cyberattacks.

So, when does frictionless access get too frictionless? How can security teams safely eliminate friction, and where can they make it less intrusive? Businesses have to find the right balance: figure out how to implement frictionless access without leaving the enterprise vulnerable.

Demand for frictionless access on the rise

The drive towards frictionless access reflects the expanding expectations of the CISO and security offices. It’s no longer enough to prevent bad things from happening – CISOs also need to become business enablers. Users have diminishing tolerance for controls that were established with the best of intentions, but obstruct normal business operations. Even the most basic security functions frustrate everyday employees. When was the last time people celebrated when they were told to change their password?

Justifying that frustration with “because: security” no longer holds water. CISOs are expected to understand the business and enable it, not get in the way. Security teams should evolve alongside the business and remain perpetually cognizant of users. That means finding ways to implement security more intelligently and prioritizing tools capable of adapting to changing needs as the business evolves. Like “zero-trust” before it, think of “frictionless” as more of a journey than a destination: even if it’s impossible to deploy truly frictionless access, each step taken to reduce friction serves as a valuable business enabler.

Understand where friction exists

Organizations seeking to reduce friction first need to understand where friction exists. Help desk tickets are a great place to start. The tickets won’t always reveal what changes need to happen, since users report symptoms rather than root causes. But with minimal analysis (grouping tickets by the control involved, such as password resets, MFA enrollment, or access requests, and ranking by volume and time to resolve), businesses can uncover real opportunities to improve the user experience. These tickets offer a small but critical glimpse into broader problems.

People outside the CISO’s office and the operational security teams are also important to understanding friction points. As organizations guide security operations toward business enablement, many are establishing business information security officer (BISO) positions. A BISO dedicates their time to learning one part of the business, identifying its pain points, and making bi-directional recommendations to both the business and cybersecurity.

But it’s equally important to gather feedback from employees who don’t have a formal security role. Actively seeking diverse perspectives from stakeholders with a range of seniority across different business units will yield a comprehensive understanding of friction points and will let security leaders best prioritize their remediation efforts. Find colleagues who are interested in security and work with them as liaisons, making them part of a robust security champions program. Such programs can help offer a “boots on the ground” view of how different security initiatives impact the day-to-day lives of employees.

A practical approach to frictionless access

Once the team has received input from the staff, prioritize the most significant pain points for a redesign. Again, the aim isn’t necessarily to eliminate friction, but to minimize it. Employees may not like the current MFA implementation, but removing all friction from the interaction would mean eliminating MFA entirely, leaving the organization exposed. Instead, consider a low-friction MFA method like biometrics, which companies can deploy fairly easily. Some friction remains, but a fingerprint or face unlock is far less frustrating and time-consuming than waiting for a one-time password to arrive via SMS or asking employees to type numbers from an authenticator app. One practical caveat: in a sound deployment the biometric never leaves the device; it unlocks a device-bound credential (for example, a FIDO2/WebAuthn platform authenticator), so the organization gets a phishing-resistant factor as well as a faster one, which SMS codes and typed authenticator codes do not provide.

Once the high-impact, low-effort remediations have been implemented, consider improvement opportunities that the team can pair with broader security objectives. For example, if expired certificates or frequent and onerous access requests are the problem, maybe it’s time to reevaluate the organization’s approach to identity. Tasks like certificate management and entitlement management were once feasible to perform manually, but even a modestly sized business can have thousands of identities multiplied by thousands of enterprise applications. That scale makes manual management effectively impossible and increases the likelihood of human error, such as an expired certificate nobody tracked or an entitlement that was never revoked. Find a product that can address changing access needs, so employees get the access they need without swamping the help desk with endless requests.

Finally, don’t introduce additional friction in net-new projects. Security teams need to adopt the lens of delivering services rather than controls. Too often, security practitioners focus exclusively on stopping bad things from happening. That focus is important, but widening it to include improving the user experience and treating security as a business enabler can have a major impact. That subtle but important change in perspective can help foster a collaborative relationship between security and business teams rather than a confrontational one.

Expect frictionless access to continue as a hot topic. But it’s important to remember that we need some degree of friction; without it, organizations would leave themselves dangerously exposed to attackers. Companies need to strike a balance between securing and enabling. Moving toward frictionless access means deliberately identifying where friction makes sense and where the team can safely reduce it to make life easier for employees. By taking inventory of where friction exists in their organization and seeking ways to minimize it, today’s security teams can stop being the “office of no” and start being seen as true business enablers.

Rex Booth, chief information security officer, SailPoint
