Embracing DEX: One Step at a Time
Digital employee experience has become a hot topic for organizations. And understandably so, considering that 65% of employees say that they would be more productive if they had better technology at their disposal.
But to secure the investment, you need to lay out how your organization can benefit in both the short — and long-term. That’s why Chris Goettl, VP of Security Product Management, and Robin Rowe, Senior Product Manager, got together to define a step-by-step guide to planning and measuring DEX in your organization.
The importance of balancing user experience and security
Pat Ziembicka: Digital employee experience has been a topic that's been talked about for quite some time now — a solid few months, and it's really growing in importance. But, very often, it’s seen as this big initiative, something that you really need to splash out on and dedicate a lot of resources to. But it doesn't have to be. It can be just like this thread that you incorporate into your daily operations that improves your daily IT ops and security efforts.
Before we get going into laying out those steps, as to how you can actually take that staggered approach to it, let's just look at the whole conflict. One of the things that we found in our DEX report towards mid-last year was that almost 50% of C-level executives have actually requested bypassing security measures within the past 12 months. So, Chris, what are your thoughts on that?
Chris Goettl: A lot of times, these two things are at odds. Think about most of the time when you put a security measure in place, it's there to restrict or control what's going on in the environment and for good reason. I mean, these are the things that are going to be used by threat actors to attack the environment.
So, we want to put measures in place to make sure that Chris only has access to the things that Chris should have access to. He shouldn't have access to something that Robin has access to just because, there's separation of duties, there'sinformation that we want to keep separated. We may have to put in things like better controls around access to files, the ability to run things as an administrator. All of those things should be restricted because they make our environment less secure.
Think about passwords is a good example. Everybody hates passwords. They like to make them very simple, repeatable so they don't have to remember them all. If you're like me, you enforce a password policy even on your own family. My kids and my wife hate the fact that I make them actually have a different password for everything, and they have to actually manage all those things. Oftentimes, putting tighter security measures in place makes the user experience more difficult.
If I put a stronger password policy in place, I make it so that you can't reuse your password, you have to make it longer, you have to make it so you're using special characters, uppercase, lowercase; it has to be so long and you can't reuse that password and every 90 days you can have to change it. Well, that frustrates your users. So, they're going to find ways to get around that. The balance between, the user experience and how we're securing that experience absolutely has constant tradeoffs.
And I think that the one thing that's most interesting about this, like, hey, everybody, why's one of the security guys on here to talk about DEX, which is more digital experience. That's exactly the problem that we want to try to talk about as well.
As you're getting into this, the more that you do security-wise, the more potentially you could be impacting your digital experience. And one of the most interesting things I think about DEX that we'd like to talk about today is — how DEX gives us visibility into that so we can improve that security experience and the overall digital experience together.
Robin Rowe: Security and ops are horizontally opposed in terms of it. That friction can occur when the use of flexibility in productivity might be impacted by the stringent security policies or the other way around to increase that security, getting compromised by executive frustrated with productivity issues from overriding or bypassing those policies. But at the same time, security and ops are intrinsically linked with the digital experience at different levels.
And really, the first part of that is the insight. DEX really starts with the data, and the data might fall into two categories. The first category is really that the items that are going to impact the user, the things your user cares about. These are issues that are actually causing the user's impact through symptoms that they perceive — that might be things like long login times, application crashes, blue screens.
And if we think about the relationship with security, those symptoms might have been triggered by a recent security change, there might be a new patch, might be a policy change, might be some new security software rolling out with some sort of driver conflict. DEX tools can help us identify these new symptoms occurring and not only that, they can also show the scale of the issue as well, how many users are affected and help support and security teams correlate those symptoms with changes.
DEX also includes the capability to survey users and this can be really useful for picking up on unreported technology issues. So, these are things that might not have been detected automatically or the users might not raise tickets. But this will give security and ops teams early visibility, so they can potentially poll users, maybe on a recent major change, a big update roll-up, maybe part of a security shift-right strategy.
I had a conversation with a CISO recently and he's actually really excited about the potential of DEX. Security can often get the blame by default — if something goes wrong, it must be a security policy. So, it wasn't really just a way for him and his team to measure the impact of their policies, but it's also a way to deflect false positives and placate his team.
The second category of data are really things that relate to the overall health of the device. From a security perspective, that might be cyber hygiene, things, missing patches, EDR, malware software not running, missing agents and that kind of thing.
And those types of things aren't the things that users are directly concerned about. They don't directly impact users. But they're all things that you want to catch and you want to heal from a DEX perspective because if the user does experience an issue related to those things, some kind of security issue, then that could well cause them a big experience issue, either from the issue itself or as a result of the required remediation where they have to reimage or replace that device.
Chris Goettl: The fact that you're talking to a CISO about digital experiences is really good. Think of it this way; when that CISO wants to push a new policy, they're going to be able to use DEX to determine how much of an impact that policy is having. You can see that in maybe the ticket volumes that come out. So, as we're rolling out this new technology, we could be watching the pilot group that we're using for this very closely and see overall how this change is impacting that group.
If you do this well, security groups should be able to roll out new technologies, changes, policies and be able to get better visibility into that experience to ultimately avoid another challenge that a lot of organizations have, which is called Shadow IT obviously, you would start to impact users too much, they're going to then find ways around it.
So, Pat, the stat about 49% of C-level executives deliberately bypassing security measures, is a direct result of that. If a mature DEX experience would have been in play there, then that could have been avoided. You could have looked at that and made it so that you understood the user experience and you improved it.
So, going back to passwords, a great technology that's trying to improve that password experience is eliminating the password altogether. That's the weakness in that digital experience. None of us want to remember thirty passwords. None of us want to change that on a regular basis.
So, if we can eliminate the password and use other strong authentication types like biometrics or certificates, phone as a token, those things can become the authentication mechanism. And that's easy for me. Scanning a QR code, getting a push notification, accepting that I don't have to remember a password anymore.
We create a great digital experience and improve security at the same time. I like the direction that we're going and the types of conversations that are coming up.
The benefits DEX offers
Pat Ziembicka: Chris, Robin mentioned patching as a component of DEX. Can you elaborate on that and maybe shine a little bit of light for our listeners on the daily benefits to our IT security teams?
Chris Goettl: Think about the fact that this is something that all of you have to deal with on a regular basis. There's a continuous need to identify risks, prioritize what needs to be updated, and then push those changes out to the environment. So, this is crossing over into vulnerability and risk management, remediating those risks and change management.
Very few things drive as much change as patch management across the environment. One thing that I hear from a lot of organizations is that as soon as the patch cycle comes around again, they constantly become the target of blame for the next couple of weeks while that maintenance is going on. And we've had some fun with this over the years.
Like I said, I've been in this space for a while now and I've actually been out on hand, you know, onsite with customers rolling out our technologies. There's been many cases where we go and actually push patching out to a small sampling of users during the workday and then we'll go walk the floor and we'll talk to people and figure out what their reactions are.
We'll talk to one person and ask them, you know, how their experience is going, and they'll be like, 'Oh yeah, you guys must have pushed something because everything's broken right now. And we're like, you weren't in the group that got deployed to it all. So, no. And then the next person we go and talk to, it's like, 'Oh yeah, this is one of the people that we did patch. Let's go talk to them.
They're responding back, saying, 'Oh, yeah, everything's run smoothly, everything's performing well. It's all great.' They're like, 'Oh, did you realize we just patched your machine?' And they're like, 'Seriously? I didn't see anything.' Patching is not the pain of, you know, all the things that go wrong in the environment. Yet the people who are responsible for it oftentimes get blamed for everything during that time.
One of the things that's been interesting — we have a customer, one of our early adopters of the Ivanti Neurons DEX experience. They have been using this as a way to measure how well patch cycles are going within their organization. As they push out the patches, they've got everything set up — they've got a pilot group they start with, it's like 1% sampling of their environment. Then they've got an early adopters' group that's like another 9% of their environment. And then they go out into production, which is the remainder of what happens over the course of a couple of weeks. In the first 48 hours, that first 1% gets patched. They're watching that group very closely.
Using DEX, they've been able to get a much deeper level of visibility into that because it's pulling in the service desk information. I can see if any of those users are opening tickets. Were any of those tickets relating to the things we just updated? We can see that system stability type information coming back from the agent and agentless agent tree that's out there. Being able to see that, are there any crashes occurring? Are there any other things happening there?
The importance of DEX scoring to security efforts
Pat Ziembicka: How does this scoring help security? And let me add to that — does security data impact the DEX score?
Chris Goettl: Yeah, the security data can absolutely impact that DEX score. You could pull in a variety of different bits of information. Getting a little bit deeper into the patch example, we not only have information about what had a vendor release, what was the vendor severity, what were the CVSS scores for that vulnerability. We also have data through our risk-based vulnerability management platform on the real-world risks that the exposed vulnerabilities are presenting. We can tell you if there's a vulnerability in your environment that has a known exploit against it.
Here's an interesting fact — over 73% of vulnerabilities used by ransomware threat actors aren't rated as critical by the vendor. That means these vulnerabilities, if you're if you're prioritizing by traditional means, you're prioritizing by vendor severity and by CVSS score, and those can't take real world aspects into account very effectively.
If you look at 2021, Microsoft resolved 23 zero day vulnerabilities and 15 of those, while Microsoft knew full well, they were actively being exploited, because of the way their scoring algorithm works, they were only rated as important. Most organizations were paying attention to the wrong vulnerabilities.
Providing a more robust risk score in a case like that, you're able to show specifically, I've got a device that might have critical vulnerabilities exposed on them but more importantly, there's three important vulnerabilities that have known exploits against them and are trending amongst ransomware threat actors. That's actually the more dangerous of those and providing a more robust scoring algorithm around that and visibility into that. You could provide a very rich security aspect to that DEX score as I'm looking at the devices in my environment.
Now, I've got visibility into and the ability to measure more of a real-world risk to that device. And we've got customers who are actually taking advantage of that. Not only are they taking advantage of the actual risk to the environment and making sure that their SLAs are focused more on those couple hundred vulnerabilities that are actively being exploited versus the thousands that I'm never going to get to all of them, they also get that operational benefit as well to say as we're pushing updates out.
I mentioned that customer before, their number one goal was risk reduction, not operational impact. They were finding that tickets were being opened, exceptions were being made and they were exposing long-term risk in their environment because of operational impacts. DEX has provided them with the visibility to understand that.
What they're seeing isn't only a reduction in the amount of operational impacts during patching, but also a reduction in their overall risk to their environment because they're doing it more efficiently and reducing those operational impacts.
Rome wasn’t built in one day — same can be said for implementing a great digital employee experience. That's why a staggered approach to investing in your DEX is the best way to go for aiding your IT and security teams in the short-term and setting your organization up for future success.
To access all the insights, watch the full webinar on A step-by-step guide to planning and measuring digital employee experience (DEX).