User Experience Matters: Ending the Tug of War Between Security and Performance

Security leaders often question why performance matters. In this blog, we will discuss the “tug of war” that exists between implementing robust security controls and delivering a superior user experience as we spotlight the findings from a new white paper from industry analyst IDC, and highlight why the design of the Netskope NewEdge infrastructure is so important to how we approach these challenges.

It’s important to get security decision-makers and practitioners to understand the serious risk that comes from degraded performance and why networking considerations are key. Without factoring in performance, the best-case scenario is that cloud security slows down the business. The worst-case scenario is that users bypass security controls altogether – ignoring hours of security awareness training–creating greater exposure for an organization and diminishing the return on their significant security investments.

Fortunately, in most opportunities I’ve come across at Netskope, the networking team plays an integral in influencing security decisions, especially when it comes to inline services like security service edge (SSE) and secure access service edge (SASE) architecture, as well as individual capabilities like secure web gateway (SWG), firewall-as-a-service (FWaaS) or zero trust network access (ZTNA). 

Different mindsets: security vs. networking

While security teams typically focus on the depth and breadth of features for securing data, identifying threats, understanding application instances, or gleaning context for the best security efficacy, networking puts a spotlight on speeds and feeds. In short, how quickly can traffic get to the cloud, get the security processing needed, and get the user to the content, data, or app they are trying to access. For networkers, performance is all about delivering a high quality experience and it’s also why tools for remediating issues quickly (like Netskope’s Digital Experience Management) are so integral to cloud security purchase decisions. 

As reported in the June 2022 results of a Dimensional Research survey, which polled more than 500 enterprise security and IT professionals, a mind-blowing 46% admitted to relaxing or bypassing security to improve user experience. To sum it up, nearly half admit to taking the easy, less secure and more convenient path for the sake of a better experience. It doesn’t take a security expert to recognize the dangers and risks associated with that trade-off. Fortunately the survey results make it clear the vast majority of customers (90%) believe end-to-end monitoring is needed to determine if security between their end-users and the cloud is impacting the quality of experience.

This is consistent with Gartner analysts forecasting that by 2025, half of IT organizations will have established a digital experience strategy, team, and management tool, up from 5% in 2021. It is also noteworthy that in the Dimensional Research survey upwards of 90% of respondents believe visibility into end-user experience will be imperative to SASE adoption and success. 

Why should performance matter to both security and networking practitioners?

Shining a spotlight on the connection between security controls, cloud security performance, and ultimately user experience is the heart of a new paper from IDC analyst Chris Rodriguez. It’s a particularly timely topic with the shift to hybrid work and employees splitting their time between working remote and being on-premises, in the office. This is driving a corresponding spike in interest in digital experience monitoring solutions, as Rodriguez points out, “44% of customers admit hybrid work limits visibility” into user experience. 

In the paper, Rodriguez says, “Security systems must provide protection without hindering business operations. History has shown that disruptive security tools may be set to monitor-only mode, avoided, or switched off entirely, leading to reduced security efficacy. Put simply, security must be accurate, reliable, performant, and frictionless. Security transformation must go beyond mere adaptation to technological change but must account for the “human factor” as well.”

An example of the risky trade-offs often made between security and experience–often illustrated by users doing not what is “safest” but what is most “convenient”–is what we’ve seen over the years with seatbelts. It wasn’t until laws were put in place, massive media campaigns educated individuals on the risk of driving sans seatbelt, and technology advancements (like automatic belts or audio alarms that notify drivers when they are not safely buckled in) were put in place that individuals took action. Yes it was a combination of education, but also things that made it easier (or more painful to not buckle up) that drove the right behavior and in this case the best security posture for drivers hitting the roads. Netskope CISO, EMEA Neil Thacker wrote about a similar concept in a recent blog, through the lens of the Halo safety measure in Formula 1 racing, comparing it to how minute controls and coaching can help lead to better security posture and business outcomes. 

Many times this is what we’ve seen firsthand at Netskope, even working with some of the most security and compliance-minded enterprises in the world—including banks, healthcare providers and even government agencies. I experienced this shortly after joining Netskope when I learned of a customer prospect embarking on a web security proof of concept (POC) where employees were intentionally bypassing their VPNs to go direct-to-net, without any security protections (endpoint or otherwise) in place. It’s pretty clear the risk associated with this approach. The question I asked was “why did they choose this path”–avoiding using their VPN or the pains of multi-factor authentication? The short answer was because it was faster and more convenient. And this is why Rodriguez’s paper is such an important topic. Security and the performance required to deliver a superior experience are interconnected.

The right infrastructure for a superior digital experience

As a result of the $100M+ investment in building out its security private cloud called NewEdge, Netskope is particularly well-suited to help solve this inherent issue that comes with security transformation. NewEdge was designed to ensure cloud security is delivered without performance trade-offs. This strategy and level of investment further underscores why the underlying infrastructure is so important, not just for networkers but also security teams.

Rodriguez also wrote that “the digital transformation era also presents an opportunity for security providers [like Netskope] to address a long-standing trade-off in cybersecurity: performance versus protection… Now, the technological and operational changes introduced by digital transformation require security practitioners to consider performance in the context of the human factor. Through this lens, performance becomes a security imperative.“

Isn’t it about time as an industry that we fully recognize the weakest link of the “human factor” and work collectively to end the tug of war between security and performance? Customers can have both – the security they need and the digital experience their users expect. Accordingly, it’s also why customers, both security and networking leaders, need to pay attention to the underlying cloud security infrastructure that powers SSE and SASE to ensure there are no trade-offs. 

Learn more

For more information about why performance and user experience matters, as well as how the fast,  performance-focused NewEdge network powering the Netskope Security Cloud can give your business a competitive advantage and better support hybrid work, download a complementary copy of the IDC paper here.

To dig in further specifically on the topic of digital experience, as part of this year’s Netskope SASE Week, I will be hosting a session with Netskope Product Management Director Priyanka Pani on the importance of end-to-end visibility for monitoring performance and why it is the “linchpin of SASE success.” Register now to join this session on September 13.