As the RSA Conference a friend and I repeated the exercise from last year's conference to evaluate the user interface of the security solutions shown on the exhibit floor.
What we saw last year was mostly horrible, with a few exceptions. Have things improved? Does the raising of the bar based on good consumer user interfaces affect the way enterprise security solutions are designed? We were cautiously optimistic.
We were disappointed yet again.
I walked the floor with Ken Guzik, who has designed enterprise user interfaces throughout his career, including VMware vCenter. He knows what he's talking about and has an eye for recognizing the good, the bad, and really ugly in a few minutes of watching a demo and talking with the booth staff. Ken wrote a blog on this too, titled: Enterprise UX – What’s so tough about creating a good user experience?
There are several rather simplistic ways we categorize user interfaces.
- Take some data that you want to display and dump it on the screen, and put a few buttons to manipulate it. There may be some pretty icons to make it look nicer and shiny, but those are just like sweet frosting on a stale cake since the underlying cake is still fundamentally no good.
- Don't even attempt a real user interface. Simply provide a command line interface that just happens to reside within a browser or an app window. It may provide for some familiarity for CLI-fans, but that's about it.
- Take some effort to understand the goals and tasks that an end-user wants to accomplish and craft a user interface that helps the end-user accomplish their goal. Make the product easy to use by helping the tasks at hand and by using the tool to guide the end user, with proper context.
Most vendors choose the first two paths. It's not just laziness but as my friend said, it's a form of naïveté. "Not knowing what you don't know means you get something you think is good but misses the mark. "
A few people within booths even sheepishly admitted that their user interfaces are bad. I just don't understand how they continue to get away with it. I suppose that some customers are so desperate to get some core security functionality that they tolerate a bad end-user experience. Many just reek of bad design, or not understanding the end-user, or simply productizing an early prototype. Ultimately, the customers are letting them get away with it unless they speak up (or vote with their feet).
But they need to realize that a good user interface accomplishes many goals:
- Feature discovery - some key functions are not understood and therefore not used. A good interface will help me understand what is possible without reading lots of documentation.
- Efficiency and contextual information - people are just puzzled about what they see (or see extraneous garbage on the screen that gets in the way). A good user interface shows you what is important, what is going on, and why.
- Appeal to a wider audience -- there's a big need to make the net ops team work together with the security ops team. Having a good user interface may enable those teams to collaborate and share info.
We did see a few good ones that stood out.
- Juniper: We spoke to a designer of the Juniper Junos Space Director, which was a favorite from last year. They were working on it for three years, and the refinement shows. I learned that it was driven by a customer panel to influence the design. Key focus on usability does shine here, as the product was based on task (or intentions) orientation.
- Microsoft: We also saw Microsoft's set of security and management tools including the Operations Management Suite. They too were cleanly designed, focused on tasks at hand, and not distracting. Kudos to them for taking their experience and design decisions learned from consumer products and applying them to security interfaces.
- Cisco: The big vendor delivered a mix. Their Meraki products always had a good UX, and some other product lines may have benefited from learning via osmosis the design culture from Meraki. They have made strides over the years but there's room for improvement. I see potential.
The rest were all over the board. Many used off-the-shelf visualization elements that may look nice, but offered no real information. Instead, they just show data without context. Much of what we saw were tabular views and a few graphs. There was an unusual liking for chord diagrams (circles with arcs in the middle showing relationships). They often provide for no functionality other than being just decorative. Just because you can show something fancy does not mean that you SHOULD, unless there's a good reason.
A few startups did have good UX. They probably invested in it, and made it a high priority. They know who they are.
What makes a development organization deliver good UX? They invest in true UX design, not just software developers who think they know UX. They also don't treat graphic artists as a substitute for real UX designers. They test, iterate, and refine. They talk to customers. They observe customers. They measure.
I won't name the bad ones. But they also probably know who they are. I give most of them at best a C minus grade or a D. Please, please do something about it. People will appreciate your efforts. And your sales may go up as a result.