Design thinking is applied now in every field of business, but does it have relevance for a CISO? There are lots of buzzwords around design thinking, and I tried to get clarity for myself on how it applies to information security.

To me, design thinking is simply how designers think about building a solution. It is not really about creative arts, although creativity is definitely a byproduct of this process. It is not about creating stunning visuals in a product GUI or out-of-this-world solutions. It is a different way to solve a problem, with humans at the center of the solution, by applying a different set of cognitive processes. In my opinion, new management models or ways of thinking are a continuation of older models with incremental changes or a different emphasis. This applies to design thinking as well.

Design Thinking Applied to Infosec

While there are many aspects in design thinking, I will choose three ideas and apply them to infosec programs.

1) Design thinking begins with empathy for the end user. Customer focus has been the theme of every management model and whether you build a product, run a program, or implement a process, you need to think about your customer needs. Design thinking takes it further by really forcing us to make users the center of our solution. This means not only thinking about the functional and technical needs of the user but also considering their behavior, beliefs, and emotions as well as visualizing them in their own environment. It goes beyond the dry scientific and quantitative analysis of user needs to a more nuanced thinking about users as humans, observing people in their environments, and developing empathy for their needs and motivations. After all, designers, architects and others build products that blend human needs and beliefs and are not just based on mathematical surveys of people.

  • In infosec, we all know that people are the most critical aspect for any program or any control. While we talk about people-centric security, do we really build a control that seamlessly blends in the environment people are working in, that empathizes with their problems in adhering to controls, and that takes into consideration their motivation for adherence? Do we put ourselves in the shoes of users and think from a human angle while designing any program, putting in any controls, or rolling out any product? If we do that, we are doing design thinking.

2) Design thinking is focused on the solution and not on the problem. The analytical problem-solving model focuses on defining the problem, analyzing all of its ramifications, and then building a solution. Design thinking starts with defining an end goal or a future solution and then works towards that, solving the intermediate problems along the way. Every situation requires two types of thinking: intuitive and deductive. Both are needed; it is just that in design thinking you start with the intuitive process and follow with the deductive. A painter always starts with an end vision, and an architect probably visualizes the end before starting. Again, in management thinking the idea of starting with a future solution is not new. Stephen Covey said, as one of his 7 habits, “start with the end in mind.”

  • In infosec, we often focus on fixing a current issue such as closing a risk, stopping a threat, or deploying a new product. Design thinking asks us to think about our long-term end goals and how current problems can be solved while achieving those end goals. That way we will be designing integrated solutions where each program or product we roll out adds to the whole and does not become an unmanageable, fragmented jigsaw puzzle.

3) Design thinking is iterative in nature. Design thinking assumes that you may not reach your final solution in one go but that you need to build it iteratively. All artists iterate on their creations, building smaller prototypes, breaking up what doesn’t work, and refining things that look good. With design thinking we use more experimental approaches to prove ideas early on and then adjust based on user feedback. Again, this is not new management thinking; we all know the adage, “fail early, fail small to succeed.” You don’t want to build the full product or program in one go.

  • In infosec, we have an existing iterative cycle: PDCA (plan-do-check-act). However, that is a very definitive model. It assumes that you know what you want to achieve upfront and then you plan (P) for it; you execute (D) your plan; you check (C) for minor variations; and you act (A) to close those variations. Design thinking says you will not have a definite plan upfront, and that it is better to do iterations before reaching this PDCA cycle. The iteration is similar to PDCA in concept but on a much smaller scale: Ideate (unlike planning, this is more open and not definitive); Prototype (unlike do, this is smaller and easier to reverse); Test (instead of check, which is more focused on checking adherence, here you are checking whether the idea works at the human level); and finally Refine (change the idea or prototype). After several iterations, you are ready for rollout and to apply PDCA. Would your next user awareness program use PDCA or the ideate-prototype-test-refine model?

Design thinking in infosec will lead to building solutions that aid user adherence. It will promote a human-centered approach to security and move away from rule enforcement toward natural adoption. Are you ready for design thinking in infosec?