As users face a growing variety of authentication prompts, security checks and compliance requirements, organizations must pay more attention to the friction, and the security risks, these safeguards can create.
That is the view of Texas A&M University System CIO Vince Kellen, who argues that implementing high-security protocols at the expense of usability and user experience no longer serves as an effective cybersecurity strategy.
The challenge, he explained, is protecting users without creating so much friction that they look for ways around security controls.
“Unless the [user] experience is great, you can’t have high security,” Kellen said in an interview with InformationWeek during the recent Cisco Live event in Las Vegas.
Without achieving both high security and high visibility into the network, together with a seamless user experience, “the user will invent ways around you,” he added.
Why users bypass security controls
Kellen pointed to multifactor authentication as one area where users have become frustrated with the hoops they have to jump through to access their accounts.
“You go to sites, and it isn’t just two-factor authentication; in some cases, it’s four or five,” he said. Layering multiple security technologies without considering the user experience can complicate cybersecurity programs and diminish their effectiveness.
That concern also shapes how Kellen views zero-trust architectures, which he described as a critical part of his security strategy for the Texas A&M University System. The network he oversees includes 12 universities and eight state agencies, each with its own CIO.
The key components of zero-trust security are access and movement: who has access to applications, and what is happening on the network (the movement), he explained. For example, by using real-time packet inspection for threat detection together with software-defined networking, an organization could flag an event in which a user is attempting to share private data. This approach also speeds up response time to potential security threats.
“The network will say, ‘OK, Vince, it looks like you’re transmitting HIPAA data. We’ll immediately start to deploy real-time policy around your flows and your computer to redirect and change this,’” Kellen said.
The goal is to move more of the enforcement into the technology itself, he said, rather than depend on users to recognize every risk or make the right security decision.
AI agents aren’t a special security case
Kellen applies a similar view to securing agentic AI. He said he doesn’t “fret about agents” but approaches securing them the same way he approaches securing human users.
“I try not to get terribly freaked out just because the thing is called an agent,” Kellen said.
For Kellen, securing agentic AI builds on many of the same principles CIOs already apply to users and devices. Agents still need identity, visibility, behavioral monitoring, and policy enforcement.
He added that he does worry about “semantic drift,” models that gradually diverge from their intended behavior, and what he called “semantic malfeasance,” agents that act contrary to their intended purpose.
Behavioral monitoring offers one way to identify agent or model drift, Kellen said, noting that organizations have historically applied such monitoring to users and devices.
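The kind of behavioral monitoring Kellen describes, as an added example that is not from the interview or from Texas A&M: it compares an agent's recent mix of tool calls against a trusted baseline to flag drift, and separately flags any call outside the agent's intended purpose. The action names, the allowlist and both logs are constructed.

```python
import math
from collections import Counter

# Constructed sample: tool calls the agent made during a trusted baseline period.
BASELINE_ACTIONS = ["search_catalog"] * 60 + ["read_record"] * 30 + ["summarize"] * 10
# Constructed sample: tool calls from a later observation window.
CURRENT_ACTIONS = (["search_catalog"] * 20 + ["read_record"] * 45 + ["summarize"] * 5
                   + ["export_records"] * 3 + ["send_email"] * 2)
# Hypothetical allowlist: the actions the agent's intended purpose permits.
ALLOWED_ACTIONS = {"search_catalog", "read_record", "summarize"}


def distribution(actions, support):
    """Relative frequency of each action in `support`, add-one smoothed so no bin is zero."""
    counts = Counter(actions)
    total = len(actions) + len(support)
    return {a: (counts.get(a, 0) + 1) / total for a in support}


def js_divergence(p, q):
    """Jensen-Shannon divergence, base 2: 0 means identical mixes, 1 is the maximum."""
    m = {k: 0.5 * (p[k] + q[k]) for k in p}

    def kl(a, b):
        return sum(a[k] * math.log2(a[k] / b[k]) for k in a)

    return 0.5 * kl(p, m) + 0.5 * kl(q, m)


def assess_agent(baseline, current, allowed, drift_threshold=0.05):
    """Compare the current window against the baseline.

    'drifted' is the semantic-drift signal (the mix of actions has shifted);
    'malfeasance' fires when any action falls outside the agent's intended purpose.
    """
    support = sorted(set(baseline) | set(current))
    drift = js_divergence(distribution(baseline, support), distribution(current, support))
    out_of_scope = sorted(set(current) - set(allowed))
    return {
        "drift": round(drift, 4),
        "drifted": drift > drift_threshold,
        "out_of_scope": out_of_scope,
        "malfeasance": bool(out_of_scope),
    }


if __name__ == "__main__":
    print(assess_agent(BASELINE_ACTIONS, CURRENT_ACTIONS, ALLOWED_ACTIONS))
```

The same routine works for human or device action logs, which is the point Kellen makes: the monitoring technique does not change because the principal is an agent.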
When it comes to encouraging behavioral change in people, Kellen said that cybersecurity training is useful for nudging users to comply with security policies, but training cannot carry the full burden of cybersecurity.
“The technical controls have to win,” Kellen said.
Users may chastise themselves for falling for a phishing attempt, but people are naturally trusting, he pointed out. As a result, strong cybersecurity policy and technologies are needed to compensate for human error.
Technical controls also perform better when they’re “as invisible to the user as possible,” so measures like biometrics can improve usability.
But, Kellen added, “we’re still a few years away from a truly seamless [security] experience.”
