Security and Usability Have to Be Designed Together

Presented by Knox Systems & Carahsoft

Government modernization efforts often run into a familiar tension: systems need to be secure, but they also need to be usable. Mario Lunato, Field CISO at Knox Systems, says those goals should not be treated as competing priorities. They need to be designed together from the beginning.

In this Innovation in Government segment from the GovExperience Summit, Lunato explains that cybersecurity and end-user usability are a major tension point. A product that is easy to use but does not protect data creates obvious risk. But a product with controls that are too complex or burdensome can create a different kind of risk: users may work around the controls to get their jobs done.

That is why Lunato says organizations need to find the right balance. Security should protect confidentiality, integrity and data without making the product so difficult that it is avoided or misused. If users are forced to circumvent security controls, the controls have failed from a practical standpoint.

Lunato points to DevSecOps as one example of trying to bring security closer to the development process. But he argues that even this model can become too narrow if it leaves out usability. UX designers and product teams should be part of the security and DevOps process before products are shipped. That way, security is not bolted on after the fact, and usability is not treated as an afterthought.

The conversation also connects this balance to AI, automation and public trust. Lunato says AI can improve efficiency and usability, but agencies and vendors must make sure customers feel confident that products are secure. A breach of trust can damage public confidence and an organization’s reputation. That is especially important in government, where digital services may involve sensitive personal information or mission-critical operations.

One way to improve both security and usability is to rely on inherited controls and cloud-native services. Lunato says developers and engineers can build on secure foundations that already include best practices and controls under the hood. That allows teams to focus on user experience and product functionality without pushing every security burden onto the end user.

He also argues for automating compliance. Traditional compliance can become a checkbox exercise built around point-in-time snapshots. Automated security and compliance monitoring can show whether tools are operating as they should and provide evidence of security at different points in time. That can help teams move faster while maintaining confidence that systems remain secure and compliant.

This is especially relevant as modernization accelerates. Agencies want to deploy new features, ship code, fix bugs and adopt AI-enabled capabilities. But speed without risk management can erode trust. Lunato’s message is that automation can support both sides of the equation: faster delivery and stronger assurance.

The broader lesson is that security is part of customer experience. Citizens and government employees may not see every control, but they feel the impact when systems are frustrating, confusing or untrustworthy. A secure system that people cannot use well will not deliver its intended value. A usable system that does not protect data will not earn public trust.

Modernization works best when security, usability and compliance are built into the same design conversation.

Key Takeaways

• Security controls must be usable, or users may work around them.
• UX and design teams should be part of security and development processes early.
• Automated compliance can help agencies modernize faster without sacrificing trust.