Cybersecurity is complex. Its user experience doesn’t have to be. Heidi Trost interviews information security experts about how we can make it easier for people—and their organizations—to stay secure.
Human-Centered Security In the Wild: Jordan Girman and Mike Kosak On Security and Product Team Collaboration at LastPass
Heidi: [00:00:00] Welcome everyone to Human Centered Security. I am your host, Heidi Trost, and I am joined by two fabulous people from LastPass today. So I have Jordan Girman, who is the VP of User Experience at LastPass, and Mike Kosak, who is, and hopefully I got this right, because I actually didn't confirm with you before this, Mike, Senior Principal Intelligence Analyst at LastPass. Does that sound like what you do? Okay, great.
Jordan: ha. Yeah.
Heidi: Well, so we have kind of like the two, the two houses, that's how you talk about yourselves at LastPass, right? Like the two houses, security, UX, right?
Mike: Sure.
Heidi: Game of Thrones.
Mike: Yeah. Yeah.
Jordan: ha.
Heidi: Okay, good. I'm glad I got that right. Okay, so you have the two houses or, you know, different disciplines within LastPass. Maybe for folks who might be living under a rock. What does LastPass do? Just give us like the one, the one in one [00:01:00] sentence intro to what LastPass does. Maybe Jordan, I'll let you take this one.
Jordan: Yeah, LastPass is a simple password manager. Simple is a, there's a lot more features than that on top of that. But basically it's a security device that allows you to maintain and create really good password hygiene. You don't have to remember your passwords. It has a password generator built in. So we auto fill your passwords for you. We take it everything in house so that you just have to remember one master password and not every single password in your life. Lets you set up a situation where you're not reusing passwords. You're able to have really complex passwords that you don't have to remember.
And it follows you everywhere you go through extensions and browsers or on your phone for that matter. So no matter what device you're using or if you're setting up a new computer or something like that, do that. We also have a lot of business to business products. So companies can use a really good password manager within their organization. Share passwords, work through different account scenarios that make them more secure. [00:02:00] then as well as we have an MFA product, which is a multi factor authentication product that people can validate who's accessing their information in any form.
Heidi: Awesome. Thanks for that intro. Okay, back to, back to our two houses, back to security UX. This, this cross disciplinary exercise that I hope we're going to dive a little bit deeper into. What does that look like at LastPass? So what does cross disciplinary collaboration look like at LastPass? So Mike, I'm going to let you take this one.
Mike: Sure. As you said at the top of the call, I'm the threat intelligence analyst, the senior threat intelligence analyst for what we call our threat intelligence mitigation and escalation team. So our job, as you'd expect for a threat intelligence team, is to look walls out from LastPass, see what's going on as far as threats targeting our customers, threats targeting our company, and then bring that information back in, in a way that's useful for our internal teams to protect our company and customers.
Part of that then includes taking that information [00:03:00] and briefing it out to teams like Jordan's, so that they're aware of what sort of threats our customers are facing. How can we educate them on that? How can we protect them against that and incorporate that into the product?
Jordan: Now on our side of the fence, like having that expertise in house means that when we're designing our products, we can bring our interfaces directly to the security team to review, make sure everything's kosher, that we're taking into account the needs and expectations of what's happening out in the real world to our designs for our users. So what kind of information do we need to provide for them? How can we design the interfaces that allow for more security? And that collaboration comes back and forth.
Heidi: Yeah, I love that. Can you give me a sense of what that actually looks like? So for teams who are maybe thinking, how do I implement this at my own organization? How do I foster this cross disciplinary collaboration? And like, what does it actually look like?[00:04:00]
Jordan: Yeah, so we had an offsite just before Christmas where we actually brought the security team in, we're talking about how we want to be a design, security design focused organization. How do we do that in terms of building principles and practice. And we actually brought some members from Mike's team in to talk about security and what interfaces mean to security situations. So learning from them, understanding what they're looking for, understanding how they go about their craft, and then applying it to the design team in terms of how we're thinking about the product is a big factor in that. So the ability to communicate back and forth on that. We also bring them in specific situations where we want to review a particular product. So we have early designs and mocks that we want to put in front of them and ask if there's any situation or scenario where this could be exploited and want to make sure that what we're producing is in line with what they're thinking about in terms of the security of our organization and our customers. And then also it's gone as far as [00:05:00] one of our designers is actually shadowing some people on the security team, working directly with them, learning about threat hunting. He, he calls himself a little bit of an ethical hacker and he's found some exploits in other companies that he's gotten paid for. And is really in tune with what the security team is doing. And he brings that knowledge back to our team as well, and allows for a lot more understanding on the design team.
Heidi: I love that. Was that just something that kind of naturally happened? Was that something that this designer was encouraged? Like how, how did that actually work?
Jordan: Yeah, a little bit of natural, a little bit of oh, you want to do this? Let's hook it up kind of scenario. So just, having strong communication with the team every designer has goal documentation. One of the things that he wanted to do was learn more about security. So just, having tight collaboration between teams allowed for that to happen, just to make it something we could afford to do on that end both sides.
Heidi: Yeah, that's really awesome. I, as I have [00:06:00] been able to kind of sit alongside security practitioners, I feel like I can be a much, much better designer because I understand how they think and what they're doing and how I can more effectively design for them. So that's really, really awesome to hear.
Jordan: That's awesome. And there's one other way to the research team. Like we have a, our product is really wide scale. It's like a convenience product. And then it's also like a security product for businesses. We have a, like a big line of users that are anywhere from security unaware to massively paranoid. So our research team definitely communicates quite a bit and with SOCs, talks with different admin scenarios, but also talks with the regular people who are just using the product from a day to day basis. So that communication is a huge deal in terms of us finding out who is actually using our product and how they're using it.
Heidi: Yeah.
Jordan, this question is for you, Mike, I promise, my next question [00:07:00] is for you, so don't, don't fall asleep yet. Jordan, you mentioned in a previous conversation that you have a set of principles to help you guide security. Can you tell us maybe examples of what those principles are, how you developed them?
Jordan: Yeah, actually so we do they're quite long and I won't list them all out here. But one of our, one of, one of the guys that I've worked with in the past, his name's Jason Cyr. He's actually the VP of design at Cisco. Helped us actually identify and work through a lot of these. There are things that you might think that you should do every day, but you might not like actually realize that they're there. Specifically from a security perspective, I think a lot of designers don't necessarily think about making something secure by design, but also private by default. So like security and privacy must be inherent in every solution that we design. So having that as a specific principle is a huge one on that end. I think also when you talk about content and communication [00:08:00] with the users that's big, as well. Where you want to speak natural language to the most of the users that are, so you want to explain security actions in some form. And that's basically the principle, is explaining security actions.
So users need to understand the reasonings behind what they're doing. Because we're asking them to complete tasks on a product, a lot of times there's friction or things that inherently get in their way, but if they don't understand the benefit from that, it becomes a frustration, simple user experience on that end. So you want to allow the users to understand what they're doing so they can make informed decisions. Also in that scenario is humanizing the security language, right? An example of this is we might have a warning label that says SSL certificate invalid. The user is gonna, most users are gonna be like, I don't even know what that means.
But if we say we couldn't verify this website security, that makes a lot more sense, and they understand the reasoning behind that situation. [00:09:00] Clear language is a big thing about that as well. You also sometimes need to create intentional friction. And this is something that's very not... this is something that my design team has to really work through... because you inherently want to make something easy and simple for the user. But that's not always the best way in a lot of different situations. It prevents a lot of accidental or malicious mistakes, I guess is the way to describe it. In dealing with sensitive actions. Disabling your MFA, for example. You just really want to make sure that the users understand the intention behind what's happening. And, yes, they can make that decision on their own, but they need to understand the consequences behind that decision. So those are just some of the examples that are different from a normal e-comm site that just wants users to get to the funnel as quick as possible.
Heidi: Yeah, that's really helpful. So to recap, it's, you know, like, it seems like broadly speaking, you're saying to embed security and privacy [00:10:00] into any design that you do. You talked about intentional friction. So friction isn't a bad word, especially when you're trying to prevent something bad from happening.
So there are certain moments in time. In the user journey where you might intentionally want to introduce some friction to slow the user down to make them think so that they don't do something maybe inadvertently and that they're aware of the risks of doing a particular thing like your example of turning off MFA.
Jordan: Exactly. I
Heidi: Awesome. All right, let's talk... this is kind of a great segue to talk about security and usability, which sometimes seem like they're at odds, right? Like the security team wants to implement certain controls and the user's like, "Oh, I don't want to do this. This is another hoop to jump through." I mean, passwords are a perfect example.
Like no one, including security people, like passwords. And for the user, they, you know, having some, something in between them and accomplishing their goal. Like [00:11:00] signing in, logging in, is not exactly, you know, what they would, what they would describe as a great user experience, yet, yet here we are, right? So, it's, it's a tough balance, it's constantly shifting, right?
As threat actors do one thing, the user responds, then the system designer responds, then the threat actor responds, you know what I mean? It's just this like, ping pong match of, You know, everyone one upping each other, but every every action impacts everybody else in the ecosystem. So any insights you have on striking this balance?
So Mike, I'm going to pass this over to you. Maybe some of the things that you're thinking about from the security side.
Mike: Yeah, I think a lot of it comes down to, and echoing what Jordan said, a lot of it just comes down to helping people understand why. Yeah that there can be these bumps in the road, these speed bumps, but if you understand that it's there because there's a school coming up.
And you're doing this to help protect children, [00:12:00] children out there, like people understand. Okay that's why the speed bump is there. And it's the same type thing. Okay we're putting up this notification because if if you turn off MFA, you're making yourself less secure, you're exposing yourself to risk.
And here's why. And that's an approach we take on the threat intelligence side, too. So we've got LastPass Labs, which we've stood up on our site, which is our blog, where we share our threat intelligence and stuff we're seeing generally around the cyber threat environment so that both companies and individuals can be aware of what's out there and what's facing them. That helps explain why we're taking some of the steps we're taking. And then we also use that to highlight campaigns we may see that are impacting our customers. So phishing campaigns, just over the last year, we've seen phishing campaigns, we've seen smishing campaigns. We saw an audio deep fake that targeted actually one of our own employees, and we went out and went very public with this again, with that intent of helping people understand, this is what's out there.
This is why we're taking some of these steps. Like it, with one of these campaigns, we even went so far [00:13:00] as to include a banner in the product so that as people were logging on, this popped up in the product so that they could see it right there. And that, that really, I think if you can
Heidi: When you say they could see it there, is that there was some sort of like warning or hey, watch out like this, this stuff is happening. Okay. Yeah.
Mike: Absolutely. Yeah. Within the platform itself. So so there is no, no avoiding it if you're checking in, because this particular campaign was asking people to try and log into their accounts. So it's right there to say, Hey, if if you're seeing this activity, and and this may be why you're logging in, just be aware.
And so again, getting back to that why and being able to explain that, and in a way that people understand, there's a time and a place and we walk this balance within threat intelligence as well. There's a time and a place a time and a place to do that really break down into the technical details of, say, an info stealer and how it works. And that's super useful if we're talking to other threat intelligence analysts, malware analysts, our own internal teams, if we're looking at how to, develop countermeasures for some of this stuff. But if we're also [00:14:00] informing, the general customer base and larger audiences, it's, you want to be able to explain why in plain language that's easily accessible. So again, just so they really have an understanding of why they're taking these steps or why they're seeing these actions and why it's important to them so that it resonates personally.
Jordan: Our product is very task based. You've come onto the product to do a task. It's whether to copy a password, change a password, to add a note or save some information. And that's what they've come on to do. They've not necessarily come on to basically understand security. So really, subtly teaching them good hygiene in terms of what they should be doing with their passwords and allowing them to use the tool in a way that makes them safe and effective is really what we're trying to accomplish in those, in that informational package kind of scenario.
Heidi: Yeah, and we've sort of touched on this, like, the words that you use are very important. Like, there's all of these different terms that we use, [00:15:00] and even, you know, people who live and breathe this stuff every day get messed up with what, what the words mean.
So, Mike, your team is, is looking at these threats, is, is uncovering them and is deciding, you know, which ones to communicate to end users. How are you and Jordan communicating so that you're taking that information and then putting it and packaging it in a way that people can understand? I, do you package it in different ways for security people versus?
You know, end users and, and how are you thinking about communicating that?
Mike: Yeah. So for us, it really does. Internal conversations like between the threat intelligence team and Jordan's team, we're perfectly comfortable speaking, and we need to speak in as much detail as possible, when necessary. And so if the occasion calls for that, we'll share as much and as much detail as we need to. But there are also times, when we've got [00:16:00] a threat intelligence team that likely has a very wide variety of audiences that they need to be prepared to speak to, especially if they want to do it effectively. So a lot of that responsibility then falls on us: okay, how do we break this down in a way that is meaningful to Jordan's team. And then, we'll work with not just Jordan's team, but also the PR team. We'll work with the care team, like our customer service team. So that we can package that same information, that same distilling it down to the core threat and the steps that you can take and the behavior that you can expect to see from us, to your point around: we will never ask you for your master password, we will only contact you in these certain ways. This is the only email address or, the only domains you'll see activity from us from. Distilling that down and then being able to communicate that out is a separate, a separate sort of lexicon that we then have to use. But, we know that responsibility is on us, so we're just prepared to speak to those different, using those different languages depending on who we need to target it to with the same core [00:17:00] information at the center of it so that it's consistent and, the integration across all of those different aspects is consistent.
And
Jordan: On the design side, look, when I started getting into security design, I took a bunch of SANS courses and it is acronym hell. It is hard to get through all those scenarios. So on the content design side, what we really do is focus on human language over technical jargon. That's really important.
So that's, that's part of one of our principles and that's what we focus on across the board. There is an aspect of writing for trust and not fear. Now, I'm not a writer. I don't know how to do that very well. Because it's like intuitive to just shock people into doing things. But the reality of it is that you need them to do an action. Explaining what they need to do is almost more important than the what. And, a little bit more on the why and what the outcome of that is. So you're almost like creating remediation from a situation. All the words matter, I think, is something to pay attention to, too. So you really want to make sure that [00:18:00] there's a lot more clarity in the communication structure because lack of clarity leads to mistakes or people doing rash decisions. Then the big thing for me, especially because I mentioned before, we have that wide range of user base from knowledge base to high end technical admins, progressive disclosure becomes very important. Where not all users need all the details. So you want to inform them of the base scenario, and if somebody wants to click in further and get more information, they can do that, and they can access more as they learn more moving forward. Those would be the big chunks for us on the design side, taking Michael's work and applying it to what the users are actually seeing.
Mike: I want to call out one of the things that you've said that I think is really important and within threat intelligence as well. But, it's easy to scare people. It's harder to relay a message in a meaningful way. That separates the signal from the noise, really, and, I think oftentimes it's one of my [00:19:00] pet peeves as a threat intel analyst to see people just hyping stuff up and taking that boy who cried wolf approach of, hey, this is awful, and it's terrible, and it's really easy to do that. Because as a threat intel analyst, statistically, then you're probably not going to be wrong about bad threats because you're saying everything is a bad threat, so you're not going to miss anything. But you got to put a little skin in the game. Otherwise, you're just hyping everything. And I could, you can build an LLM to do that to make scary language about every security article that comes out.
So being able to distill it and put it in context is really important and say, no, you don't need to freak out about this. There's a lot in there. What do I need to know from this? And to your point, it's okay here's this, here's the tactics they're using, but fundamentally, if you're still doing X, Y, and Z, you're good, like that's, if it can be framed like that, I think it's a lot more useful for people and that helps build that trust, in language that Jordan was talking about as well.
Heidi: Yeah. Not to put Mike on the spot here, but I think in a lot of the research that I did [00:20:00] for my book, I realized that security people need to be really considerate about how they are communicating. Right. And I'm curious if that's something that you emphasize with, with your own team, like how can we improve our communication skills?
It's almost like, like a branch of like technical communication. Like, I don't know if you guys took technical communication in college, but I did. And it, it really kind of resonates with me. Like, how do we, what is it that we're trying to communicate and what's the best way to communicate that? So just curious if that's something that you emphasize, like within the security team.
Mike: Yeah, absolutely. It's certainly from the threat Intel side. Like my background is I was a government analyst before. Getting to how to distill a message down in a way that is still clear. But manageable, understandable and actionable is at the core of everything we do when we write this stuff, which is why it's so important.
It's not just here's what the threat is here's what it means. Here's what it means. And here's what you can do about [00:21:00] it. That's really important for us and is, and it sounds kind of cliche, but it's really baked into everything that we do, particularly if it's going to be externally facing because, again, getting to that, you want people to be able to digest it. Even when we talk about threat intelligence programs in general, we write about that in plain language. Okay, if you're a company and you're trying to figure out what your threat environment looks like, here's how to do it. without using all of the terminology of analytic trade craft. And, you can start going, you start digging into that and it gets intimidating for people really quickly. Whereas if you just distill it down to, okay, think about what you're, what you have in your company that you're worried about, think about what other people might be interested in, figure out what questions you need to ask to protect yourself and then start figuring out how to ask those questions. That's a lot easier to understand. And it's actionable in a way that anybody can use that. So yeah, we absolutely consider that. And it goes into everything we write.
Jordan: Mike's team is actually pretty phenomenal at this. Having been in this game for a while they presented at our sales kickoff a couple weeks ago. And not only did they distill [00:22:00] some really complex information out, but people weren't running out of the building saying everything's on fire. It was like they were generally excited, more knowledgeable about what's going on in the industry as a whole. And his entire team has the ability to communicate in clear, concise manners that allow for people to understand and then figure out what they need to do for remediation. And that makes a massive difference across the board, not just internally in our company.
Heidi: Yeah, it kind of has a. I don't know, like a waterfall effect or, you know, it, it improves communication. It improves cross disciplinary collaboration because it's easier for the UX and product teams to collaborate when they actually know what the heck you're talking about. And then that, you know, trickles down to the end user.
So, you know, now the UX designer, now the content designers understand what's going on. The marketing people understand so that they can communicate that message too.
Jordan: And the sales people too. I
Heidi: And the sales.
Jordan: informed sales force makes a big difference in terms of the trust that happens early on. And if they're able to [00:23:00] communicate those complex scenarios and seem, be really informed about what's happening it makes a big difference as well.
Heidi: So, one of the other things I wanted to touch on in this episode is, is iteration. It's so important, every, like I said at the very beginning, like it's this ping pong, right? The threat actor does one thing, the user does something, the system designer changes because It changes the design of the system to account for the actions of the threat actor and or the user.
And then the cycle just repeats over and over again. And of course, they're all part of an ecosystem and they're impacted by geopolitical pressures, technology, all the different things that are going on. So iteration is important because even if we get it right, or right ish, you know, tomorrow, the next day, it's not, you know, the threat actor is going to find a different way.
So how do you embrace iteration at LastPass, and what does that look [00:24:00] like?
Jordan: That's a massively complicated question in terms of
Heidi: Oh, you can't just answer it in 30 seconds or less.
Jordan: Exactly love the question. I think iteration is massively important, especially from a UX perspective. Designing good products inherently requires iteration. You're never going to get it correct right off the bat. And I think that's part of the scenario. Our product has been around for 15 years. There has been a lot of changes in direction in that regards. I think we're constantly evaluating our security protocols, what's out there looking at different ways to approach being secure, not just from a company level, but for the users as well. So iteration is to be honest, constantly evolving. There's some product areas that are going to require more and some require less. We are moving towards much more faster front end scenarios where we are building on a design system that we can [00:25:00] switch components out really quickly. We can evaluate what users are doing on the product, whether they're being successful, how many tasks they're completing. Um, we do things like UX Lite. For example, which allows users to provide quick feedback about what is how usable the system was in the particular action that they're currently doing. That gives us a lot of ability to pivot and change in that regards. From the backend security scenarios we're constantly evaluating and not just that, but certifying what our systems are doing so that we have the ability to make sure we're ahead of the curve, I guess is the best way to describe that. Probably be best to talk to some engineers on that scene. I don't know if Mike can speak to that a little bit more, but the engineers are the ones that are really focused on how we're changing the backend to really be secure. We have a zero knowledge architecture. Which means that we don't know anything that our users save, and that's very important for us. Because that means that threat actors can't find that information as well. And that [00:26:00] structure we're constantly evaluating to be as secure as possible across the board.
Mike: Yeah, and from our end, the iteration is a couple of different things. There's and there's two aspects to it. There's the external iteration. So we're looking at what threat actors are doing. What tactics are they using? So that means, so what what do we need to look out for? At the core of this, all I should say are our priority intelligence requirements that we put together in conjunction with the rest of the organization.
We go to, we think about it internally within the threat intelligence team. We talk to the security team. We talk to the other teams about what is it that keeps you up at night? That's the fundamental question. And then we try and capture those in our priority intelligence requirements, feeding into that.
And then that feeds into, okay, so here's what our threat actors, what threats do we actually need to monitor. What tactics do they use? What sort of alerting do we need to set up and everything else? Iteration of that then comes as, both at a minimum annually, there's a deep dive into our priority intelligence requirements, but also regular check ins [00:27:00] with all of our component and partner teams within the organization around what's keeping you up at night, but also what changes might be made to the product?
What are we thinking about? What changes might be made to our architecture? So that we can update our priority intelligence requirements around that, too, and then make sure that the reporting is useful. We're feeding into that front end of the priority intelligence requirements, changing those as necessary based on that feedback and iterating on those and then pushing out the reporting back to everybody as consumers and saying, is this useful to you?
And then iterating on that as well. Because if the answer is no, then we're not doing our job and we need to make those changes.
Jordan: And from a roadmap perspective, what we do is evaluate by halves of year, H1 and H2. And then each quarter we look at what we are tackling and based off of information that Mike's team is providing, based off of basic scenarios like that. We evaluate what's the P0s and P1s, moving them up and down the chain, depending on what's needed in that end. So it allows us to be flexible in our decision making process, depending on [00:28:00] what actors are doing out in the real world.
Heidi: If I'm, say I'm working at a startup. And I'm not at LastPass, but I, you know, I'm gathering customer private information. Maybe I'm gathering financial information. Maybe I'm gathering health information, which almost every, you know, you think about just about every app these days, right? Or every company these days is capturing sensitive information.
So I'm thinking, Getting back to my question, I'm thinking of, you know, I'm, I'm someone who has very limited resources. I'm working at a startup. This all sounds really interesting to me. I want to make sure that my product stays secure. I want to make sure that my customers are secure. How do we, how do we start like you know, on a, on a small scale to implement this into our own product?
Mike: I'm
Heidi: make sense?
Mike: Yeah, it does. No, I'm so glad you asked that question, Heidi, because I feel super passionately about that. Like we've actually, I've written a couple blog posts up on our LastPass Labs blog. One [00:29:00] about how any organization can stand up those priority intelligence requirements. And then another two blog posts on how to stand up a threat intelligence organization, irrespective of the size of your company.
So it doesn't matter if you're a, a three person company where you've got one person and this is their other duty as assigned. Or, you've got a full team. Really it does come down to, at its core, figuring out the priority intelligence requirements, the PIRs, which is just a fancy word for, a fancy phrase for what questions do I need to answer to protect myself? And then there's a thought exercise that goes along with that. And again, going back, it doesn't matter how big your organization is. It's just sitting down and thinking about what assets do I need to protect? Is it data? Is it availability? Just sitting and thinking about it from your perspective as the company. And then it gets a little bit more fun where you have to take some time and think about it from the threat actor's perspective. So what might you have that you don't even think about as one of your assets that could be valuable to a threat actor? For instance, if you're [00:30:00] a small company who does business with critical infrastructure or something like that, but you might not think you're a big part of it, a threat actor could see you as the entree into that larger sector.
So that becomes important as well. So you've got to understand that too. Once you go through that exercise, then you can think about, and then just basic research. You look at, okay, if this is the sector I'm in, this is what I'm trying to protect. Everybody's got to worry about ransomware and infostealers.
There are certain things that are just free spots on the bingo chart, in the center. They're all going to be there for everybody. But then you can get a good sense of what else is out there, what those threat actors are, and then there's so much free information out there, just as far as how these groups operate and what they do, that you can get a sense of, okay, then I need to protect myself against cybercriminal groups that are going to try and find their way in through exposed credentials or vulnerabilities. Okay, that's what I need to look out for. Those are the steps I need to take. These are the questions that I need to answer for [00:31:00] myself. And it really can be just as simple as that.
And then it's just setting up good free threat intel feeds. If you don't have money to put into a dedicated service, there's a ton out there. We make reference to some of those in the blog posts, to reaching out to partners. There's a lot of really good communities out there you can leverage. The public sector does some really good work with this too, where they push the information out. So there's a lot of really good free resources out there where you can get this stood up relatively quickly and easily. And then it's just reading the reporting as it comes out and setting yourself up for success.
Heidi: And then being very clear on how you're communicating that to the rest of your stakeholders and teams, right? Taking a cue from people. Yeah, that's awesome.
Jordan: From the design side too, I think there is a scenario where there's a lot of good information already out there. It's just hard to apply in some situations. I know the design community in general is really apt to provide mentorship and communication; you just need to find the people who are doing these types of things and figure out what you need to do [00:32:00] and apply it on your side of the fence. The big thing though, honestly, is just talking to guys. I think in a lot of organizations, they might have a security expert on their team, but nobody talks to them about the product. So that's a big thing from the design side: reaching out across those lines, learning from them, understanding what they need and what help they can provide to the overall design that makes a difference to your users.
And then building that inherent trust in the product across the board.
Heidi: So I have several recommendations and thoughts on how to collaborate with security teams or the security guy, right? Like, who's relegated to the basement and no one talks to him. But Mike, my question to you is: so I'm a UX designer, maybe I feel a little intimidated, I don't know what the acronyms are, I don't speak the security language, and I'm just really not sure how to approach you.
What advice would you give me?
Jordan: Honestly, like every designer should have some understanding of [00:33:00] research ability and maybe a little bit of moderation skills. Treat it like you're doing a user interview. Have a conversation. You're learning about that user. Be very open and empathetic. And ask questions that revolve around what they do and transition into what they might need.
It's not a scenario where you have to become a security expert. That's not the expectation. I think a lot of people end up thinking that way. But the reality is you need to be able to communicate back and forth and understand the goals and motivations of that particular security individual and apply it to what you're doing as a product as a whole. That's the important part.
Mike: Yeah, and I'd say from the analyst perspective, if you're reaching out to your security person, the funny thing is, analysts just want to talk about this stuff. They love talking about the stuff that they're researching. They love sharing that. So it's really just as simple as reaching out.
I know it can be intimidating. And I know, especially like I've been in organizations where the threat intelligence team was, yeah, kept in the [00:34:00] basement and everybody thought they were super secret and everything. And it's really funny because, being with LastPass now for just about two years, I have never been in an organization that was so hungry for this information.
And as an analyst, even when I was in the government, you'd write a report, you'd put all your time into this report, and you'd zip it off into the ether, and you didn't know if anybody read it or not. That was just the end of it. And now it's like you get real-time feedback, you build those relationships, and you know what you're doing makes a difference. So it just builds this really mutually beneficial relationship. So yeah, just reach out to your local nerd and ask him those questions, and you will learn more than you ever wanted to know about security.
Jordan: And it's utterly fascinating. Mike's job is so much cooler. I just draw boxes and arrows for a living, and he's full on into it, talking about state actors and stuff to that effect. It's really just nuts on that end. The amount of learning you get is really cool. I think a lot of companies, actually, a majority of companies that are [00:35:00] even listening to this podcast, might be going through an MSP, a service provider, for security in those situations. There, you're basically their client. There's a lot of opportunity to learn from them. There's a lot of opportunity to communicate with them because they want to keep you happy. So that's another avenue: if you have an MSP, they might not be in house, but you can definitely leverage them to gain more information and understanding. And those MSPs are probably working with thousands of companies that are similar to yours. So you can understand where you sit, what you have to improve, what other companies might be doing that give you a little bit more competitive advantage in that scenario too.
Heidi: That's great advice. Alright, last question. This one's a fun one. So I like to ask guests to share an example of building safer systems that they've seen, maybe in a movie, maybe they read it in a book, and, you know, it can be funny. In fact, I give extra points for humor. And creativity is encouraged.
So, it could be something where something went wrong or something interesting where you're like, oh, [00:36:00] that was so cool, I wish that we could do this in real life.
Jordan: So I had one in my head and I forgot it, but I'll relay one. I remember in an e-comm situation, like way back, probably 2015. We were talking about more of a funnel to get people to hit; the conversion rate was an issue. And I remember putting a lock icon next to the credit card input, and that upped conversion by almost 5 percent, which is a massive number. It literally did nothing in terms of the security of the product, but there is a scenario where the reality of a user's intention on your product is dictated by how secure and how trusting they are. So you have to think about it as a holistic scenario. You can't think of it as just one interaction.
It's multiple interactions. And when you think about UX as a whole, it's not just the interface that you're designing. [00:37:00] It's the interaction with a YouTube video. It's an interaction with a CSM or it could be even like in the product itself, all of those things pertain to the interaction and the experience is built off of you dealing with that company.
They're not thinking about, oh, I'm dealing with the mobile channel right now. They're thinking, I'm dealing with this company. So those small details actually mean quite a bit. And what I find with a lot of product designers, especially in larger companies, is they're just so narrowly focused on this small little piece that they don't realize that those small influences build over time and develop that trust. So building safer systems isn't just about the back-end technologies. It's about providing the user with a lot more information so that they feel trusted in the system that you're actually building for them.
Heidi: Love it. Underscore. Trust. That's so true.
Jordan: 90% of good experience is just building trust on that end. Yeah.
Mike: Yeah. So I'm trying to think of movie [00:38:00] examples. I can't come up with anything particularly good, but I can use meme examples, since that seems to be the medium of communication these days anyway. It's certainly how I communicate 98 percent of the time. Jordan can attest to that since he's in a lot of the same Slack channels I am.
So it's memes and gifs like 90 percent of the time to make the point.
Jordan: A lot.
Mike: But one of the funny things within the threat intelligence community, and among analysts in general, is these memes about people sending you stuff saying, hey, I'm a threat intel analyst today, and this is something like this, and I'm a bit of a threat intel analyst myself, kind of the takeoff on the Spider-Man meme and stuff like that with Willem Dafoe. And I see that, and I get, to some degree, where you see people acknowledging that it can be a little irritating, like an instant-expert type thing, but I've got to say.
Jordan: A Reddit article and...
Mike: Yeah, exactly. Yeah. I've got to say, I love seeing that stuff, those conversations, when I see them in Slack, when people reach out to me with that stuff. I think it's so fantastic because it means [00:39:00] you, and the royal you here, like your threat intelligence program and your security program, has now bled into everybody's brain enough that they all see themselves as security people and they are seeing the world through that lens, and I love it when that happens.
If I get an email at two in the morning that wakes me up, that's actually about something that I already answered, I'm probably not wild about it. But from that perspective of, hey, people are thinking like that, that's great. Like, I'm the dog who caught the car. I've done something.
So yeah.
Heidi: I love it. I can't wait to send you one of those memes.
Jordan: Be prepared for a flood of them back. I think
Mike: Yeah.
Jordan: Yeah.
Mike: Challenge accepted. Yeah.
Heidi: Thank you both, Michael and Jordan. It was such a pleasure to talk to and learn from you both. Thank you so much for taking the time, and kudos to you. Thank you for all the great work that you're doing.
Mike: Thanks for having us. Yeah. Thank you, Heidi. [00:40:00]