Three Design Concepts You Should Apply In Information Security

Look, you’re probably thinking, designed things look great but I don’t need my security program to look pretty, I just need it to work. You designers can take your service blueprints, UX/UI, information architecture, graphics, and typography to our marketing team. Security Ops, on the other hand, is for serious people like us who deal with risk management, governance, controls, and audits.

To that I say, I get it, your IT and Security budgets are tighter, getting the right and competent security people is a chore, and the tools these days… each of them promises to do all-things-security but fails to deliver the basic feature you pay them for.

Audit, Remediate, Repeat

I’ve been there. I ran a sizable IT and Security operations for a 24/7 service provider for almost two decades. What bothers me the most is that even with the best tools, knowledge, and talent they have available, companies today still ran IT and Security operations the same old compliance way— Audit, Remediate, Repeat. No judgement, I did it the same way for most if it.

Now some companies implement Governance, Risk, and Compliance (GRC) systems as an attempt to get out of the vicious audit-remediate cycle to no avail. Implementing even the best GRC platform is an expensive, daunting and time-consuming affair. These projects end up being abandoned after a year, and the IT/SEC team is back to tracking spreadsheets with audit findings while spawning a bunch of security initiatives that seem to come from every direction.

Now, I’m not saying that GRC systems are worthless, companies just invest on them too early. GRC’s provide a centralized repository and inter-disciplinary workflows to ensure that stakeholders have access to the right information when performing the right processes. If only they have these figured out before implementation.

Security Design Disciplines

Information architecture (IA) - focuses on organizing, structuring, and labeling content in an effective and sustainable way. 

What does Secure coding principles, Physical Security, Data Loss Prevention, and Data Backup System all have in common? They are all security related words that you will encounter in a conversation with an auditor. Followed by questions on what you do with them and what artifacts you can produce as evidence.

Without an architecture that defines the taxonomy and relationship between security concepts, providing security assurance is close to impossible.

Here is how our Unified Control Framework will define those terms:


Service Blueprints - A service blueprint is a diagram that displays the entire process of service delivery, by listing all the activities that happen at each stage, performed by the different roles involved.

If you’re wondering why your patching numbers don’t add up (or you don’t get them at all), chances are, your asset management and patch management processes are not in sync, and your governance function hasn’t performed the necessary 2nd line process to manage this issue to resolution.

Your security functions are supported by interwoven services with ownership requirements, data dependencies, and timing considerations. If you haven’t mapped out their value delivery streams, you cannot have assurance that they will produce the value you expect.


User Experience and User Interface (UX/UI) -  encompasses all aspects of the end-user's interaction with the company, its services, and its products.

In IT and security, combining a clearly defined Information architecture with a mapped out service blueprint ensures that your processes exists to deliver value whether through efficient operations or risk mitigation activities.

UX/UI defines how stakeholders such as customers, users, executives, and your board of directors interact with your operational services and what value they can expect from each.


Design in Security

There you have it, three design disciplines you can apply in your IT and Security operations. Depending on the size of your organization, it can take 6 to 12 months to get all your Control Framework domains sorted out but at the end of it you can be assured of the following:

  1. Easier and organized InfoSec Audits

  2. Clear path to maturity on all security capabilities

  3. Measurable risk mitigation capabilities and performance of control activities

We’re here to help

We implement control frameworks to get companies like yours out of the audit-remediate cycle. If you’d like more information or assistance on getting yours setup, feel free to contact us here.

Security Inspired Design

Trend Towards Personal Products

We have all been told that the way to acquire and retain customers in a competitive market is to tailor our products to the personal needs of the few. By doing so, the data we capture about our customers will naturally become more individualized and in most cases, more sensitive.

In responsible hands, this data set can drive the development of profitable products that can turn interested consumers to loyal customers. On the flip side, the same data can be used to commit nefarious activities from the common fraud to sophisticated behavioral manipulation through targeted messaging based on preferential data.

Some will claim that the collection and inevitable misuse of these data sets are unintended consequences of business operations. This was justifiable years ago when security research and tools were exclusive to large companies.

Today, consumers, partners and regulators demand more transparency and accountability regarding data collection and use from businesses of any size.

Baby in a Rollercoaster

How do you secure a baby in a rollercoaster?

  1. Design a carseat intended to be attached to rollercoasters.

  2. Or, you don’t let them ride in the first place.

It sounds obvious and yet we have a market full of products intended to protect data in transit and at rest. These are your Firewalls, Data Loss Prevention (DLP), Encryption, Anti-Malware and File Integrity Protection to name a few. These tools are designed to protect your systems and data from unauthorized access and change.

When judged based on their merits, the best of these tools perform exactly as they are sold and more. With their benefits though, comes along the need for upkeep items such as license subscriptions, professional administration and maintenance.

In addition, alongside their costly implementation periods and configuration tuning phases is the inevitable disruption of your regular business flow because of glitches and outages. All these while you or your employees figure out a way around the protections because you need to perform your tasks the way you are accustomed to.

Even with such complexities, we simply tolerate them because the security guidelines, compliance standards and regulators require us to comply.

That is— if we want to continue allowing babies into our rollercoasters.

Alternative: Inspire Design with Security Intentions

You’re probably wondering that if we start with security and privacy intentions, wouldn’t that hinder the creative process?

First Look: Security and creativity are two opposing forces with one restricting and the later one maximizing.

Closer Look: Design is powered by creativity, productive creativity is driven by constraints, security and privacy intentions fit the constraint mold just fine.

Just like how we constraint our ideas with factors considering business viability, technical feasibility and user desirability during the design process, we argue that adding security and privacy as core product values is a natural evolution of the design process in today’s market.

Putting It All Together

At Craftelli Design, we value security, simplicity and storytelling.

  • Secure products are simpler to make and easier to market.

  • Simple products are easier to secure and come across as memorable in the market.

  • Story driven products are ones that have a simple and secure command of their values.