Making Security More Usable: A Podcast with Todd McKinnon

Usable security. Does it exist?

That’s a question our CEO Todd McKinnon recently sat down to discuss with a16z’s Michael Copeland and Pindrop Security’s co-founder and CEO Vijay Balasubramaniyan. Whether it’s through an experience that’s almost invisible in a user’s workflow or the promise of simple security with an added authentication layer, security-minded companies like Okta are working to make solutions that are both powerful and easy to use. Recent high-profile breaches have heightened overall market awareness of security, not just within CSO and CISO communities, but with CEOs and boards of directors everywhere.

The full podcast is below – but if you don’t have 30 minutes to listen in full, here are a few of the highlights. (If you want to catch a colorful discussion on the difference between a good and bad enchilada, a short history lesson on steam shovels and a convincing analogy on why bank robberies never stopped the Mint from printing more money, you’ll have to give it a listen.)

An office memo only goes so far: It’s a losing battle to ask users to do something that’s inconvenient to them. It just won’t happen. New solutions must not only make the experience more secure, but also easier on the user. With so many options available outside of the corporate-endorsed framework, a well-written email (no matter how nicely worded) doesn’t cut it.

Avoid call center comparisons: You’ll get hung up on if you ask your users to repeat their mother’s maiden name or their first car 20 different times. Companies either need to make authentication methods almost invisible to the user (i.e. no friction or unnecessary delays) or make the resource they’re trying to access better than the consumer application that’s available without it. The best companies are doing both. (Cue Michael’s enchilada metaphor at 6:28.)

Find inspiration elsewhere: More people now lock their iPhones than ever before because Apple made it easier than ever with Touch ID. It’s a great example of tethering security to an individual user, and in doing so, also making it almost effortless for them to secure their devices. It’s a win-win.

How to measure “winning” in this new world: Just as keeping your email organized isn’t always about “inbox zero,” security isn’t about achieving “breach zero.” Winning is more tied to a company’s propensity to use technology to make its operations more efficient. Implicit in that, of course is the need to take risks in some areas, but also the understanding to guard certain things and be more deliberate in areas that demand it. In a world with some much opportunity, it’s a failure for companies to be risk averse for everything. It’s about getting that risk-reward balance right – and that’s a recipe unique to each organization.

Securing the expanding world of things and data: Okta is building a network that securely connects people to the applications, devices, data and organizations they need. What’s interesting is that the person and their identity becomes the common denominator with a field of constantly changing variables, context and policy. This expands well beyond tablets, laptops and phones and has massive potential for things like connected devices, key card systems and smart thermostats.