
Ivanti Originals
Audio versions of original Ivanti research on IT, security and the future of work. Visit ivanti.com/research for additional media, including presentation-ready slides and downloadable charts and graphs.
Securing the Digital Employee Experience
Ivanti’s latest research report surveyed over 20,000 unique executive leaders, IT professionals, security professionals and office workers around the globe to understand how organizations can strike a better balance between security and digital employee experience.
Our research revealed that cybersecurity teams often don’t take user experience (UX) into account when designing security policies and protocols, which leads to employee frustration and frequent unsafe workarounds. These risks are further exacerbated by factors like the rise of unsanctioned AI use at work and a failure to prioritize security for remote and hybrid workers.
How can CISOs play a greater role in digital employee experience decisions and create seamless security experiences that don’t interfere with employee productivity?
Listen to hear the full report: Securing the Digital Employee Experience.
Get more resources
To read the report and access additional media, including presentation-ready slides and downloadable charts and graphs, visit ivanti.com/secure-experience.
For more Ivanti research on IT, security and the future of work, visit ivanti.com/research.
About Ivanti
Ivanti elevates and secures Everywhere Work so that people and organizations can thrive. We make technology work for people, not the other way around. Today’s employees use a wide range of corporate and personal devices to access IT applications and data over multiple networks to stay productive wherever and however they work. Ivanti is one of the only technology companies that finds, manages and protects each IT asset and endpoint in an organization. Over 40,000 customers, including 88 of the Fortune 100, have chosen Ivanti to help them deliver an excellent digital employee experience and improve IT and security team productivity and efficiency. At Ivanti, we strive to create an environment where all perspectives are heard, respected and valued, and we are committed to a more sustainable future for our customers, partners, employees and the planet. For more information, visit ivanti.com and follow @GoIvanti.
Rigid security protocols — such as complex authentication processes and highly restrictive access controls — can frustrate employees, slow productivity and lead to unsafe workarounds. Research from Ivanti shows how to strike the right balance.
You’re listening to the audio version of Securing the Digital Employee Experience, part of Ivanti’s state of cybersecurity research series. To see more Ivanti research and to access additional media, including presentation-ready slides and downloadable charts and graphs, visit ivanti, I-V-A-N-T-I.com/research.
[Sting]
Part one: Reducing friction
[Sting]
Problem today
Cybersecurity efforts frequently don’t take end-user experience into account.
More than half of cybersecurity professionals (57%) say their company’s security user experience (UX) is “very good” or “excellent.”
A good start.
Yet just 13% of security professionals we surveyed say UX for end users is a mission-critical priority when adopting cybersecurity tech interventions. Is it really possible to have a high-performing security UX when an organization doesn’t highly prioritize it?
[Sting]
Why it matters
When companies disregard security UX — expecting employees to use unwieldy tools — it can lead to unsafe workarounds.
1 in 2 office workers say they use personal devices to log into work networks and software — and within that group, 32% say their employers don’t know they’re doing this.
Why the risky behavior? In large part, people don’t choose unapproved devices and software to cause problems; they use them because they’re easier to use and more reliable. And because sometimes they have no other option.
Companies should take steps to understand their employees’ workplace behaviors — good and bad — and design experiences that minimize friction, frustration … and risky behaviors.
[Sting]
Part two: The AI multiplier
[Sting]
Problem today
The downside risk of poor security hygiene — unsafe workarounds, unapproved devices, etc. — is about to get a lot worse with the skyrocketing use of gen AI.
Adoption of AI-driven tech is exploding. The proportion of global knowledge workers who use generative AI nearly doubled over 6 months in 2024 to reach 75%, according to Microsoft’s 2024 Work Trend Index.
Yet, most companies are not moving quickly enough to lower AI risk.
81% of office workers report they have not been trained to use generative AI.
And 32% of security and IT professionals have no documented strategy in place to address generative AI risks.
[Sting]
Why it matters
When employees have unfettered access to gen AI tools and other advanced technologies, the downside risks can be massive. Here are just three examples.
First, cyber threats. Unapproved gen AI tools — just like any other shadow IT — introduce risk by expanding the organization’s attack surface without any oversight from security, potentially introducing unknown vulnerabilities that compromise an organization’s security posture.
Second, data privacy and compliance. Employees may inadvertently enter sensitive company or customer data into Gen AI tools. When these data are stored or processed on external servers, they are outside the organization’s control, and vulnerable to breaches and violations of privacy laws, such as GDPR or HIPAA.
Third, copyright infringement. Employees may access and use third-party datasets that include copyrighted materials, which can lead to legal challenges.
Ivanti’s research shows that among office workers using Gen AI at work, 15% are using unsanctioned tools — a number we expect will rise. All of these are “unforced errors” — employee missteps that can be minimized with proper training, oversight and a well-designed technology stack.
[Sting]
Part three: Securing Everywhere Work
[Sting]
Problem today
Employees want to work anywhere, anytime. Many companies are still not providing the tools and processes that make Everywhere Work productive and secure.
[Sting]
Why it matters
Everywhere Work is not a temporary state. Even companies that are rolling back remote working policies must equip employees with technology and workflows that keep them engaged, productive and safe — no matter where work takes place.
In Ivanti’s year-over-year studies, we are noticing a shift in leadership’s perception of remote work, with more and more leaders wanting their employees back in the office.
60% of executive leaders in 2024 believe employees need to be in the office to be productive, compared to 44% last year.
Even if employers are pressuring employees back to the office, it does not mean remote working is no longer a priority or concern.
[Sting]
Part four: Up-leveling
[Sting]
Problem today
Security leaders are often not consulted about investments in digital employee experience (DEX).
Just 38% of companies consult the CISO for input on DEX strategy, investments and planning. This is despite the fact that DEX tools can make significant contributions to security.
DEX tools can automate security interventions proactively, without interrupting employees’ daily work patterns. For example, companies can scan for device noncompliance and automate fixes to routine cyber hygiene issues — all without requiring any effort or intervention from end users.
[Sting]
Why it matters
Employees are unlikely to follow through on security practices that are cumbersome, confusing or inefficient. Investing in the right tools can close the gap.
DEX-informed security minimizes the need for employees to change their typical behaviors at work. Ivanti’s research shows 96% of leaders and 93% of security professionals say that prioritizing digital employee experience has a positive impact on an organization’s cybersecurity efforts.
Currently, most security professionals (89%) say they have invested in the right security-related UEM tools to automate security practices. What’s needed in addition to tools may be a mindset shift.
[Sting]
Part five: Action steps
Experts weigh in on how organizations can strike a balance between high security and frictionless user experience.
[Sting]
Understand your employees’ preferred behaviors and workflows, says Michael Riemer, Ivanti’s Field Chief Information Security Officer.
Many CISOs are so focused on security that they overlook the user experience — deploying overly complex authentication processes, highly restrictive access controls or other user-unfriendly options. And when employees encounter tech friction or feel frustrated with the tools they are asked to use, they will find a workaround.
CISOs need to take time to understand employees’ work habits, workflows and preferred tools — before companies invest in new security tech. That way, new investments in security tools and interventions will more closely align with how employees prefer to work. Ultimately, good UX reinforces good security.
[Sting]
Michael also advises organizations to develop clear policies for using Gen AI.
To avoid potential security risks when using generative AI, employees need to be trained appropriately, not only on the tools, but on what type of data is appropriate to use within that tool. They need to understand both the tool itself and where the data will be stored and utilized.
First and foremost, organizations need to determine which AI tools they're going to permit their employees to use. Second, establish guidelines and policies around what type of data can be imported into those tools and used within those tools. Sensitive company, customer or even personal employee data should not be entered into an AI tool that isn't controlled by the company. Storing data outside of the organization's boundaries can lead to various problems, including data breaches and violations of regulatory requirements.
[Sting]
Deploy proactive automation to avoid interrupting workflows, says Dr. Srinivas Mukkamala, Ivanti’s Chief Product Officer.
The best security interaction is no security interaction. Ideally, you want to limit user interactions and user involvement with cybersecurity tools. What happens when people start bypassing security controls and tools is that they create unintended consequences and risks for the business. Don't ask the user, “Do you want to update?” Instead, build in automation and deploy updates proactively and automatically in the background. That’s a simple example, but a model for how security should be inbuilt — and to some degree, invisible — within daily workflows.
You don’t need humans to be taskmasters. And that’s really when you look at Gen AI and modern automation tools. The number one thing they’re trying to solve is limiting human triage, limiting human interaction, limiting humans having to get involved in the mundane tasks.
[Sting]
Srinivas also advises organizations to extend their security perimeter to the edge.
Hybrid work and Everywhere Work are a fact of life today. How do we make sure we are protecting our assets — no matter where employees work? Security has to go beyond your perimeter to the edge. That’s where you see a rise in technologies like SASE and zero trust. We don’t have the luxury of protecting just within four office walls or even defining a perimeter. Today, the perimeter is your browser. The perimeter is the user who’s using workplace devices, wherever those may be. Think of it as a perimeter-less network: you can’t trust anything. It’s a big paradigm shift.
[Sting]
Get CISOs involved in DEX strategy and planning, says Daren Goeson, Ivanti SVP of Product Management.
CISOs really need to proactively understand how their security initiatives and policies are impacting business productivity and employee engagement. Ensuring security leaders have access to digital employee experience information helps CISOs be more proactive about how they decide and implement security policies — rather than needing to adjust after the fact if users are experiencing friction or circumventing the security methods.
Configuration changes are one of the leading drivers of technology change within organizations — required, of course, by the need to respond to the evolving threat landscape. Unfortunately, change is a major drag on user productivity.
It’s critical for CISOs and other security leaders to be involved in DEX strategy for a number of reasons, including:
- Ensuring appropriate control and governance of DEX tooling.
- Incorporating DEX tooling into security workflows (in other words, minimizing reactive service-desk calls from impacted end users).
- Measuring the impact of shift-left measures like proactive configuration changes and patching.
- And finally, augmenting existing security tools with DEX capabilities.
[Sting]
If you enjoyed listening to this report and want even more Ivanti research, you can subscribe to this podcast to get the latest Ivanti research in your feed as soon as it’s released.
You can read the report, download charts and graphs and presentation-ready slides, and see the rest of Ivanti’s research at ivanti, I-V-A-N-T-I.com/research.
And if you’d like to hear even more audio content from Ivanti, check out Executive Summary with Jeff Abbott, a podcast exploring the latest research in IT, security, and the future of work, and what they mean for your business strategy. In every episode, Jeff is joined by a new business leader for a free-ranging discussion, unpacking the research findings and connecting them to real-world leadership experience.
You can follow Ivanti on social media at Go Ivanti, and you can visit us at ivanti.com to learn more about our products and solutions.
Thanks for listening!