Tired of hearing things like “humans are the weakest link” and instead want to focus on designing more secure, more resilient systems? Same.

I help people designing the security user experience—UX and product people, engineers, security practitioners, legal and privacy teams—understand and design for the dynamic cybersecurity ecosystem.

What I do

Think of a Venn diagram with each circle representing a different team with different specializations and motivations—and sometimes conflicting goals.

The UX team understands your users.

The engineering team understands what is technically possible.

The security team understands cybersecurity risks facing the organization.

The legal and privacy teams understand ever-changing laws and regulations.

And so on.

The problem? Those teams, each within their own circle (or silo!), need to overlap to create the Venn diagram.

That overlap is where the magic happens: where you improve the security user experience and, in turn, security outcomes.

That's where I help.

I'm a security and privacy-focused UX expert, a translator of security risks, and interpreter of security and privacy standards and regulations. I act as a facilitator who speaks multiple security languages!

Through speaking, workshops, and consulting, I help teams:

  • Understand the dynamic cybersecurity ecosystem and the players within it: the user, the threat actor, and the system design.

  • Anticipate or threat model user and threat actor behaviors.

  • Leverage a systems thinking approach to improving security outcomes. In other words, design safer systems that demand less of the user.

  • Have an iterative mindset when it comes to designing security user experiences. After all, the ecosystem is always changing and both users and threat actors will do things you could not have anticipated.

By the way, I understand the unique needs and complex workflows of security practitioners. Yes, they deserve a great user experience, too!

Interested in learning more? I’m the host of the podcast Human-Centered Security, where I interview security experts and people who design for the security user experience. And I wrote Human-Centered Security: How to Design Systems That Are Both Safe and Usable.

Human-Centered Security Podcast

Cybersecurity is complex. Its user experience doesn’t have to be. Listen to interviews about improving the security user experience—for both consumers and security practitioners.

Human-Centered Security: How to Design Systems That Are Both Safe and Usable

You understand your product better than your users ever will—including the potential security threats that directly impact your users. You are in a unique position to address those threats and protect your users from them.

This book will help you:

  • Find and focus on the areas of the user experience where security impacts users the most.

  • Understand the dynamics of the security ecosystem: your users, threat actors, and the security user experience.

  • Find your security UX allies and ask them better questions.

  • Weigh considerations for designing safer systems and encouraging more secure outcomes.

Book cover depicting a human figure inside of an abstract illustration of a lock.

Hi. I’m Heidi Trost. In 2010, I started Voice+Code to help product teams better understand their users to improve the user experience. “Voice” refers to the importance of understanding your customers: the voice of the customer. “Code” is the technology layer.

I led the UX research team for cybersecurity software company Secureworks and have helped tech-focused teams at startups, nonprofits, and Fortune 500 companies rethink their digital experiences.

Today, I focus on the security user experience. Why? I realized security is a human problem (after all, we protect information to protect people). Not just that, it was a user experience problem. Once I went down the security rabbit hole, it was hard to resurface!

The design decisions we make influence the security (and privacy) choices users make and actions they take. And we live in an ecosystem where everything increasingly relies on the security of systems: from hospitals, to our water supply, to cars and robots. So the stakes are high: disruptions to these systems mean people can get hurt.

So, here I am. Focusing on designing cyber resilient systems.
