to do now?” The person responded,
“Once I’m checked in, I find a restaurant.” Soon after, Google Maps added
a “find a nearby restaurant” feature.
That’s a good UX designer!
A UX may be beautiful and elegant
and comparable to a piece of art, but
asking a UX designer to change the
background to a picture of a sailboat is
It is your job to trust testing data
over opinions, to create an environment that plans for multiple revisions
before the product ships and expects
further refinement after.
Do not confuse a UX designer with
a graphic designer. A graphic designer
develops layouts to inspire and inform
in a variety of media from brochures
to websites. Asking a UX designer to
design the company holiday card is as
much of a faux pas as asking the technical writer to write the company newsletter. These are all different skills.
5. Security is everyone’s
You are in the security business
whether you know it or not, and
whether you want to be or not. All software has security requirements and
potential security vulnerabilities. The
systems involved in producing your
software have security requirements
and vulnerabilities, too. While security infrastructure components such
as firewalls and intrusion detection
are necessary, they are not sufficient:
you must also design, implement, and
operate your software platforms with
built-in security controls. Security is
as much about good process as it is
If you think you are not a target,
then you are wrong. All computer systems are targets, as the prize is not just
the information in them but the mere
fact that it is a computer. For example,
a system with no information of value
is a cybersecurity target because it can
be used to relay an attack on other
computers, or mine bitcoin, or store
someone’s pirated video library.
Security is not an on/off switch.
There are many shades of gray. You
don’t build a system, then press the
“make it secure” button.
Security is about risk and your tolerance
level for risk. Encrypting communication
between two points doesn’t
make it secure, but it enhances the
security such that only a superpower
has the resources to crack the code.
Mitigating risk in one area doesn’t
help in other areas. Securing the network
doesn’t prevent physical security
issues. An employee propping a door
open enables someone else to steal
your backup tapes.
As Gene Spafford famously stated,
“The only truly secure system is one
that is powered off, cast in a block of
concrete, and sealed in a lead-lined
room with armed guards—and even
then, I have my doubts.” 3
Compliance with security standards such as NIST CSF (National Institute of Standards and Technology
Cybersecurity Framework), PCI DSS
(Payment Card Industry Data Security
Standard), and SOC 2 (Service Organization Control report) quantifies risk
and, when done right, reduces risk.
These standards do not assure perfect
security; such a thing does not exist.
More importantly, they provide guidance on how to respond responsibly
and report the inevitable security
breach. Being honest, forthright, and
public is my recommendation.
Security is best designed in from
the start. Bolting it on after the fact is
expensive and often ineffective. You
would not build a boat and then “add
in” a way for it to float.
Today the most common vector for
security issues is not the sexy high-tech
security hole some elite hacker discovered last night. It is the old, boring, everyone-else-fixed-it-years-ago issue that
goes unnoticed. You would be stunned
at how many systems are calcified and
cannot be updated because updates are
impossible, expensive, or unavailable.
They may have been considered (relatively) secure when new,
but now new vulnerabilities have been discovered. Software,
left alone, grows stale like bread.
conjured out of thin
air. It needs to be
designed, built, and
operated ... It can
be designed well
or badly, and a fast
design is rarely a