You know the drill. The CISO announces a new security measure. Multi-factor authentication is tightened, a VPN update rolls out, or there will be an extra step when logging in. And within a day, ten tickets are open at the help desk. Employees complain that it doesn’t work, is too slow, or just too complicated.
That’s not a coincidence. It’s a pattern. And it is more expensive than most organizations realize.
Security and user experience are still treated as two separate worlds in most organizations. The CISO makes sure it’s secure. IT makes sure it works. And the employee is in between, trying to get their job done. But that separation is exactly what causes security investments to yield less than you might expect, and what drives users to find ways to work around them.
What goes wrong when security and DEX are separate
Digital Employee Experience, or DEX for short, is about how employees experience the digital workplace. How fast does a laptop boot up? How long does it take to log in? Does an application work smoothly or does it hiccup? Are there network problems that go unnoticed?
What many organizations fail to see is that security measures are one of the biggest causes of poor DEX. Complex authentication processes, strict access controls, endpoint agents that eat up resources, or DLP scans that run in the middle of the day and slow everything down.
Nearly half of all CISOs bypassed security protocols themselves during the corona pandemic
Ivanti research shows that nearly half of all CISOs during the corona pandemic bypassed security protocols themselves to get their work done. Not out of negligence, but out of necessity. When even the people who make the rules circumvent them, that says something about how the rules are made.
And employees do the same thing. They look for the shortest route. They use a personal device. They send files via WhatsApp. They click “remind later” when updating. Not because they don’t take security seriously, but because security gets in the way of their work.
Security as a luxury car without seat belts
Daren Goeson, former SVP Product Management at Ivanti and now Chief Product Officer at Lakeside Software, aptly describes it: organizations buy a luxury car with the most advanced safety systems, but then don’t install seat belts. Or worse: the seat belts are there, but so uncomfortable that no one puts them on.
That’s what happens when security tools are purchased, but not properly configured or tuned to users’ daily practices. The tools are there. The investment has been made. But the effect fails to materialize, or worse: it causes resistance.
Goeson argues that CISOs must proactively understand how their security decisions affect employee productivity and engagement. Not adjust after the fact when complaints come in, but measure the impact of a configuration change or new policy in advance.
What DEX data tells you that no security tool tells you
Traditional security tools measure risk. They tell you which devices aren’t patched, which users are exhibiting anomalous behavior, or which endpoints are outside policy. But they don’t tell you what it feels like to work on that endpoint.
DEX tools fill that gap. They measure login times, application performance, CPU load, network latency and session duration. They show where employees get stuck, which applications get terminated the most, and when performance problems occur.
What that provides is insight into the weakest links in the digital workplace. And very often that weakest link is not in Citrix, or in Teams, or in the network. It’s in a security agent that scans profile containers the moment a hundred employees log in at once. Or in DLP tooling that scans gigabytes of data in the middle of a busy workday.
Want to read more about how problems in the IT chain hide behind the workplace? In our article “Citrix is not your problem, but often the scapegoat,” you can read how this works in practice and why the root cause is almost never where you expect it to be.
Without DEX data, all you see is the end result: employees complaining that things are slow. With DEX data, you see exactly where things are going wrong and what measure is causing it.
ControlUp: DEX data that brings the entire workplace into focus
One of the tools we use to bring DEX and security together is ControlUp. ControlUp is a platform that provides real-time visibility into the performance of the digital workplace, from endpoint to data center.
What ControlUp does specifically:
- Real-time monitoring of sessions, applications, endpoints and infrastructure in a single dashboard
- Login time analysis by step: how long each stage of the login process takes and where the delay is
- Automatic detection of disruptions, such as a security agent consuming excessive resources or a profile not loading correctly
- Correlation of infrastructure events with user experience, so you can see what a patch, scan or update does to the workplace
- Historical data and trend analysis so you can recognize recurring patterns and take proactive action
- Script-based automation to solve problems without help desk intervention
What that means in practice: you see immediately when a security update causes a peak load, which users are affected and what the impact is on login times. Not after the fact when complaints come in, but live while it’s happening.
ControlUp works in Citrix environments as well as Microsoft AVD, RDS and hybrid setups. It bridges the gap between IT, security and the end user. Exactly the bridge that is missing in most organizations.
Why only 38 percent of CISOs are involved in DEX strategy
The same Ivanti survey found that only 38 percent of organizations involve the CISO in DEX strategy, investment and planning. That’s remarkably low, especially considering the direct contribution DEX tools can make to security.
In fact, DEX tools can automatically perform security interventions without interrupting employees’ workday. Think scanning for devices that don’t comply with policy, automatically fixing cyber hygiene problems, or detecting anomalous behavior before it becomes an incident.
But that only works if the CISO knows what’s going on in the workplace. And that’s exactly where it often goes wrong now: security and IT work alongside each other, with their own tools, their own dashboards and their own priorities.
Common objections and honest answers
“We already have monitoring, that’s the same thing, right?”
Traditional monitoring looks at availability and errors. DEX looks at perception. A system can be technically available, yet feel slow to the user. The two are not the same thing.
“Our employees don’t really complain.”
That doesn’t mean there aren’t problems. Research shows that employees encounter an average of four technical problems per workday. Most don’t report them; they just work around them. And that circumvention is exactly the security risk you want to avoid.
“Better user experience means less control.”
This is a persistent misunderstanding. DEX is not about removing security measures. It’s about setting them up to work without hurting productivity. That requires more precision, not less control.
“We don’t have the people for that.”
DEX tooling like ControlUp actually reduces the workload for IT. By proactively measuring and automatically intervening, you solve problems before they escalate to the help desk. That saves tickets, calls and investigation work.
Practical checklist: this is how to bring security and DEX together
Use the questions below as a starting point for an honest conversation in your organization:
- Are you currently measuring the impact of security changes on login times and application performance?
- Do you know which security agents consume the most resources on endpoints?
- Is the CISO involved in decisions about the digital workplace and DEX tooling?
- Do you have insight into when and how employees bypass security protocols?
- Are DLP scans and other intensive security processes scheduled off-peak?
- Can you demonstrate what a security investment has yielded in terms of user experience?
- Is there a shared dashboard where IT, security and management see the same workplace data?
How New Yard looks at this
At New Yard, we see daily how organizations struggle with this issue. Security teams do their jobs well. So do IT teams. But because they work separately, no one has the complete picture.
We look at the digital workplace as an ecosystem. That means we look not just at what’s running technically, but at how the whole chain performs from the employee’s perspective. Login times per step. Profile load. Identity responses. Storage latency. Impact of security tooling on end users.
Because only when you have that data can you honestly say where the problem is. And very often that’s not what everyone is pointing to.
Want to know where your workplace really gets stuck?
We always start a conversation about the digital workplace with the same question: do you have visibility into the whole chain, or just the layers you manage?
If that insight is not there, we work it out together. With a workplace assessment you map out where the weakest links are: in security tooling, in identity, in storage, in profile management or somewhere else in the chain. Not a product-specific scan, but an honest picture of the entire digital route your employees take every day.
Schedule a no-obligation introductory meeting through newyard.com and find out what concrete improvements can be made in your environment.
