Securing the Digital Employee Experience

Ivanti’s State of Cybersecurity Research Report Series

Rigid security protocols — such as complex authentication processes and highly restrictive access controls — can frustrate employees, slow productivity and lead to unsafe workarounds. Research from Ivanti shows how to strike the right balance.


01

Reducing friction

Problem today

Cybersecurity efforts frequently don’t take end-user experience into account.

A good start for security UX:

More than half of cybersecurity professionals (57%) say their company’s security user experience (UX) is “very good” or “excellent.”
 

But still a low priority:

Yet just 13% of security professionals we surveyed say UX for end users is a mission-critical priority when adopting cybersecurity tech interventions.

Is it really possible to have a high-performing security UX when an organization doesn’t highly prioritize it?



Why it matters

When companies disregard security UX — expecting employees to use unwieldy tools — it can lead to unsafe workarounds.

1 in 2 office workers say they use personal devices to log into work networks and software — and within that group, 32% say their employers don’t know they’re doing this.

Why the risky behavior? In large part, people don’t choose unapproved devices and software to cause problems; they use them because they’re easier to use and more reliable. And because sometimes they have no other option.

Companies should take steps to understand their employees’ workplace behaviors — good and bad — and design experiences that minimize friction, frustration … and risky behaviors.

Security UX is about designing actions and workflows that blend in seamlessly with the way employees prefer to work, enabling them to make and execute decisions efficiently. It’s a balancing act: enacting robust oversight and controls to protect the organization, while ensuring these interventions do not create unnecessary obstacles and slowdowns.

Dr. Srinivas Mukkamala
Chief Product Officer, Ivanti


02

The AI multiplier

Problem today

The downside risk of poor security hygiene — unsafe workarounds, unapproved devices, etc. — is about to get a lot worse with the skyrocketing use of gen AI.

Adoption of AI-driven tech is exploding. The proportion of global knowledge workers who use generative AI nearly doubled over 6 months in 2024 to reach 75%, according to Microsoft’s 2024 Work Trend Index.

Yet, most companies are not moving quickly enough to lower AI risk.

81%

of office workers report they have not been trained to use generative AI.

32%

of security and IT professionals have no documented strategy in place to address generative AI risks.



Why it matters

When employees have unfettered access to gen AI tools and other advanced technologies, the downside risks can be massive: 

  • Cyber threats: Unapproved gen AI tools — just like any other shadow IT — introduce risk by expanding the organization’s attack surface without any oversight from security, potentially introducing unknown vulnerabilities that compromise an organization’s security posture.

  • Data privacy and compliance: Employees may inadvertently enter sensitive company or customer data into gen AI tools. When these data are stored or processed on external servers, they are outside the organization’s control, and vulnerable to breaches and violations of privacy laws (e.g., GDPR, HIPAA).

  • Copyright: Employees may access and use third-party datasets that include copyrighted materials, which can lead to legal challenges.

Ivanti’s research shows that among office workers using gen AI at work, 15% are using unsanctioned tools — a number we expect will rise. All of these are “unforced errors” — employee missteps that can be minimized with proper training, oversight and a well-designed technology stack.

03

Securing Everywhere Work

Problem today

Employees want to work anywhere, anytime. Many companies are still not providing the tools and processes that make Everywhere Work productive and secure.



Why it matters

Everywhere Work is not a temporary state. Even companies that are rolling back remote working policies must equip employees with technology and workflows that keep them engaged, productive and safe — no matter where work takes place.

In Ivanti’s year-over-year studies, we are noticing a shift in leadership’s perception of remote work, with more and more leaders wanting their employees back in the office.

60% of executive leaders in 2024 believe employees need to be in the office to be productive, compared to 44% last year.

Even if employers are pressuring employees back to the office, it does not mean remote working is no longer a priority or concern.

Your in-office employees may bring work devices home in the evening, take conference calls on the road, or sign in to work apps on their personal phones. Whether half of your employees work remotely or just a small fraction do, there is still a profound need to ensure that the company supports all the ways employees work — even moments that fall outside the bounds of a traditional work day.

Kristen Kamp
SVP, Global Human Resources, Ivanti

04

Up-leveling

Problem today

Security leaders are often not consulted about investments in digital employee experience (DEX).

Just 38% of companies consult the CISO for input on DEX strategy, investments and planning. This is despite the fact that DEX tools can make significant contributions to security.

DEX tools can automate security interventions proactively, without interrupting employees’ daily work patterns. For example, companies can scan for device noncompliance and automate fixes to routine cyberhygiene issues — all without requiring any effort or intervention from end users.



Why it matters

Employees are unlikely to follow through on security practices that are cumbersome, confusing or inefficient. Investing in the right tools can close the gap.

DEX-informed security minimizes the need for employees to change their typical behaviors at work. Ivanti’s research shows that 96% of leaders and 93% of security professionals say that prioritizing digital employee experience has a positive impact on an organization’s cybersecurity efforts.

Currently, most security professionals (89%) say they have invested in the right security-related UEM tools to automate security practices. What’s needed in addition to tools may be a mindset shift.

CISOs need to be a part of delivering a stellar experience – and we are beginning to see modern CISOs take DEX very seriously. Security is much more than the aggregation of tools and processes. It is a team sport. That’s a massive cultural and mindset shift.

Dr. Srinivas Mukkamala
Chief Product Officer, Ivanti


05

Action steps

Experts weigh in on how organizations can strike a balance between high security and frictionless user experience.

Understand your employees’ preferred behaviors and workflows

Many CISOs are so focused on security that they overlook the user experience — deploying overly complex authentication processes, highly restrictive access controls or other user-unfriendly options. And when employees encounter tech friction or feel frustrated with the tools they are asked to use, they will find a workaround.

CISOs need to take time to understand employees’ work habits, workflows and preferred tools — before companies invest in new security tech. That way, new investments in security tools and interventions will more closely align with how employees prefer to work. Ultimately, good UX reinforces good security.

Develop clear policies for using gen AI

To avoid potential security risks when using generative AI, employees need to be trained appropriately, not only on the tools, but on what type of data is appropriate to use within that tool. They need to understand both the tool itself and where the data will be stored and utilized.

First and foremost, organizations need to determine which AI tools they're going to permit their employees to use. Second, establish guidelines and policies around what type of data can be imported into those tools and used within those tools. Sensitive company, customer or even personal employee data should not be entered into an AI tool that isn't controlled by the company. Storing data outside of the organization's boundaries can lead to various problems, including data breaches and violations of regulatory requirements.

Deploy proactive automation to avoid interrupting workflows

The best security interaction is no security interaction. Ideally, you want to limit user interactions and user involvement with cybersecurity tools. What happens when people start bypassing security controls and tools is that they create unintended consequences and risks for the business. Don't ask the user, “Do you want to update?” Instead, build in automation and deploy updates proactively and automatically in the background. That’s a simple example, but a model for how security should be inbuilt — and to some degree, invisible — within daily workflows.

You don’t need humans to be taskmasters. That’s really what you see when you look at gen AI and modern automation tools: the number one thing they’re trying to solve is limiting human triage, limiting human interaction, limiting humans having to get involved in the mundane tasks.

Extend your security perimeter to the edge

Hybrid work and Everywhere Work are a fact of life today. How do we make sure we are protecting our assets — no matter where employees work? Security has to go beyond your perimeter to the edge. That’s where you see a rise in technologies like SASE and zero trust. We don’t have the luxury of protecting just within four office walls or even defining a perimeter. Today, the perimeter is your browser. The perimeter is the user who’s using workplace devices, wherever those may be. Think of it as a perimeter-less network: you can’t trust anything. It’s a big paradigm shift.

Get CISOs involved in DEX strategy and planning

CISOs really need to proactively understand how their security initiatives and policies are impacting business productivity and employee engagement. Ensuring security leaders have access to digital employee experience (DEX) information helps CISOs be more proactive about how they decide and implement security policies — rather than needing to adjust after the fact if users are experiencing friction or circumventing the security methods.

Configuration changes are one of the leading drivers of technology change within organizations — required, of course, by the need to respond to the evolving threat landscape. Unfortunately, change is a major drag on user productivity.

It’s critical for CISOs and other security leaders to be involved in DEX strategy for a number of reasons, including:

  • Ensuring appropriate control and governance of DEX tooling.  
  • Incorporating DEX tooling into security workflows (i.e., minimizing reactive service-desk calls from impacted end users). 
  • Measuring the impact of shift-left measures like proactive configuration changes and patching.  
  • Augmenting existing security tools with DEX capabilities.

Methodology

This report is based in part on three surveys conducted by Ivanti in late 2023 and 2024: 2024 Everywhere Work Report: Empowering Flexible Work, 2024 State of Cybersecurity: Inflection Point, and 2024 Digital Employee Experience Report: A CIO Call to Action. In total, these three studies surveyed over 20,000 unique executive leaders, IT professionals, security professionals and office workers around the globe.
