Cybersecurity often focuses on what’s technically possible—what’s most secure, what adheres to frameworks, what fits the textbook definition of “best practice.” But there’s a crucial question we often overlook: Is it usable?
Because security that isn’t usable, isn’t used. And systems that aren’t used properly aren’t secure.
At its core, cybersecurity is a balancing act between the science of secure and the art of available—between what protects best and what people will actually adopt.
The scientific side of cybersecurity is exacting. It’s grounded in:
- Defense-in-depth architectures
- Zero trust models
- Encryption, segmentation, and multi-factor authentication
- Compliance with standards like NIST, HIPAA, and ISO 27001
These measures are critical. They establish guardrails, create accountability, and minimize the blast radius when things go wrong. But they often assume perfect implementation in a perfect world.
This is where the art comes in—creating systems and workflows that people can actually navigate. It includes:
- Designing for real humans, not ideal users
- Simplifying access without creating vulnerability
- Understanding context and user constraints
- Communicating risk in plain language
Security that is too rigid invites workarounds. People will write passwords on sticky notes, share credentials, or find loopholes—not because they’re lazy, but because the system doesn’t work for them.
To build resilient security, we have to stop blaming users and start designing for them.
People First Doesn’t Mean Insecure
I’ve been there.
I once took over a small security team where the previous leader had been all hard science—by the book, textbook best practices, no room for nuance. He’d burned out three analysts in a year before he left the company, and by the time I arrived, everyone from the C-suite to the janitors hated him. He’d written a nearly 300-page policy book, filled to the brim with best practices—every framework box checked—but not a single section tailored to the actual organization. It was completely unenforceable.
“Security exists to enable the business” is a phrase pretty much everyone in cybersecurity has heard, but too many ignore. It took me almost a year to undo the mess he left and rebuild a program that actually worked. I balanced best practices, compliance requirements, and—most importantly—what was realistic for the people who had to live with those policies every day.
The art of compromise is not a weakness in cybersecurity. It’s a necessity.
I can’t tell you the number of security improvements I’ve had shot down because they disrupted critical workflows. So you identify the pain point. What about the workflow is insecure, and what about the security control is interfering with the workflow? Then you find the compromise—the point that reduces risk without being unworkable for employees.
That’s where trust is built. That’s where adoption happens. And that’s where real security begins.
There’s a myth that usability and security are opposites. That if we prioritize people, we’re weakening our defenses. But the truth is, people-centered design strengthens security.
When users understand the why, they’re more likely to follow the how. When controls are intuitive, they’re more likely to be used correctly. When teams collaborate—security, IT, and end users—we create systems that actually work.
So how do we reconcile the science of secure with the art of available?
- Engage stakeholders early in security design
- Test usability as rigorously as we test vulnerabilities
- Prioritize education and empathy alongside enforcement
- Remember the mission: security exists to enable the business and protect people—not to gatekeep.
Cybersecurity isn’t just about locking things down. It’s about building systems that are both strong and sensible—that honor best practice without sacrificing human practicality.
The most effective security programs aren’t the ones that enforce the most rules. They’re the ones that people can and want to follow.
Security is only successful when it’s both secure and available.
And that’s where the magic happens.