My thumb is already hovering over the “Resend Code” button, and I haven’t even finished typing the 17-character password. Three attempts. Three different devices. It’s 9:47 AM, and I’m 47 minutes into what should have been a two-minute process to check a single spreadsheet on the secure server. I solved the CAPTCHA (identify 7 fire hydrants), got the text message 6-digit code, and then, the system decided my mobile device was “unregistered.” This is the third time this week it’s decided my mobile device, which I use every single day, is an undocumented, hostile actor.
🎭 The Security Theater
This isn’t security. This is theater. This is the corporate equivalent of carrying a huge, unwieldy metal key on a chain because it looks serious, even though the actual door latch is just a cheap piece of plastic. And the worst part is, we accept it. We, the professionals hired to perform complex, high-value work, have internalized the fact that 27% of our cognitive load before 10 AM is spent battling infrastructure designed, theoretically, to protect us.
The mandate is usually simple: “Prevent breaches.” The implementation is usually outsourced to a firm whose primary deliverable is a thick binder outlining hundreds of steps of ‘due diligence.’ That binder, that checklist, is what they are actually selling. They are selling the ability to stand up in front of the board, or worse, in front of a judge, and say, “We did everything humanly possible. We had 237 layers of defense.” The defense isn’t aimed at the actual hacker; it’s aimed at the liability claim.
Friction: The Enemy of Attention
I keep coming back to Sky B.K., the typeface designer I worked with last year. Sky’s entire philosophy was about reducing friction. She would stare at a letterform, say the capital ‘G,’ and talk for 37 minutes about the 7 milliseconds of visual processing time gained by adjusting the spur. Friction, she insisted, was the enemy of attention. When you make the tool difficult to use, people stop using the tool correctly. They find a different way. They start leaning over the system boundary, whispering secrets across the firewall.
[Infographic: System Impact (Cognitive Load Metrics)]
This is exactly why Shadow IT exists. We criticize employees for using unapproved apps (Slack channels on private accounts, Dropbox instead of SharePoint), but what choice do they have when the official communication tool takes 7 frustrating minutes to load and requires re-authenticating 7 different times just to share a 47-word status update?
I locked my keys in the car yesterday. It was entirely my fault, a moment of distraction, but the ensuing hour I spent waiting for the roadside service was a physical manifestation of this mental trap. I was trapped by a sophisticated anti-theft system that perfectly succeeded in preventing me, the owner, from accessing my property. That’s what our corporate firewalls have become: highly effective traps for the people paying the bills.
This struggle, this constant friction, takes a heavy, almost invisible toll. It’s not just the 47 minutes lost in the morning; it’s the fragmentation of focus. We are trying to maintain flow state, that deep concentration needed for creative, problem-solving work, but every 57 minutes, we are jerked out of it by the robotic voice of the Security Agent asking if we really, truly, want to download that one PDF from a known vendor.
And it’s ironic, because if the core goal of technology is simplification, taking the complex effort out of daily tasks, whether that’s designing beautiful fonts or simply opening a document, then our security apparatus is working directly against the very spirit of innovation it claims to protect. What users truly value is not complexity dressed up as protection, but effortless functionality.
We must admit this crucial contradiction: We build tools that require immense human trust to operate-we trust the engineer, the designer, the accountant-but then we implement systems that fundamentally distrust the user at every single click.
We trust our employees to handle millions in revenue, but not to click a link without five layers of digital chaperones.
The Audited Reality: Policy Created The Breach
A few months ago, we had an audit. A big one. The report was 107 pages long. The highest-risk vulnerability they found wasn’t some sophisticated SQL injection attack waiting in the perimeter, but the fact that 77% of our staff had begun emailing critical documents to their personal Gmail accounts. Why? Because the internal document management system, protected by four separate MFA gates, was too cumbersome to use when collaborating quickly with an external vendor.
[Infographic: the internal system requires 4 MFA gates; the work diverts to an unsecured channel]
The policy created the breach path. The policy didn’t stop the work; it simply diverted the work into unsecured channels. It forced Shadow IT into the daylight, not by fixing the internal system, but by making the internal system unusable.
I once argued with the Chief Security Officer about this… I said, “If your system causes 47 minutes of delay per day for 500 people, that’s almost $7 million a year in lost productivity. How much did the breach you prevented cost?” He shrugged and said, “If we get breached, the cost is infinite, plus my job. If we lose $7 million in productivity, that’s a measurable operational expense. It’s acceptable risk.”
And that’s the brutal calculus we are up against. The cost of friction is buried in OPEX, in the generalized ‘slowness’ of the business, which is easy to tolerate. The cost of a breach is a headline and potential career destruction, which is an intolerable, immediate risk. So, the security team optimizes for self-preservation, not for workflow optimization. They choose the path that maximizes their survivability when disaster strikes, which inevitably means minimizing the user experience.
The Poverty of Imagination
I used to criticize security teams for this inflexibility. I’d rail against the 7-day password rotation requirements (which only encourage sticky notes) or the hyper-aggressive firewalls that block standard industry libraries. But I had to check myself. That’s the ‘criticize→do anyway’ loop I fall into. I hate complexity, but I know the stakes. The world *is* hostile. The threats *are* real.
The actual failure isn’t the existence of the security protocols; it’s the poverty of imagination in their design. It’s the insistence on a ‘deny by default’ posture that treats every employee like a potential mole, rather than implementing smarter, context-aware security.
Sky B.K., back to friction. She found the perfect balance in type design: legibility (the security, the protection of the message) combined with beauty (the usability, the flow). If security teams adopted that mindset, that the best policy is the one so naturally integrated into the workflow that it vanishes, we would solve 87% of our internal compliance issues instantly.
We need a layered approach that isn’t measured by the number of steps the user takes, but by the intelligence of the steps the system takes.
Metrics That Matter: Beyond Non-Events
The fundamental tension is that the security world measures success by non-events (the breach that didn’t happen), while the operational world measures success by events (the report that shipped, the code that deployed). When the non-events actively prevent the events, the system is broken.
[Chart: The Critical Metric Shift, Security Friction Index (SFI), current level shown as high against the target; metric: time cost and mental burden imposed]
I made my own mistake recently, related to this. I set up a new VPN for a small project team. I thought I was being clever by making the connection highly restrictive. The result? Total lockdown. The team couldn’t connect their authorized analysis tools. For two days, they sat idle. My security measures, which took 17 hours to implement, cost 47 hours of total team productivity. My intention was 100% protection; the reality was 100% paralysis. Admitting that error, that my rigidity created a worse outcome than the measured risk would have, was crucial.
We need to shift the metric. Stop tracking ‘MFA compliance rate’ and start tracking a ‘Security Friction Index’: the time cost and mental burden imposed by defensive policies. If the Index is high (say, over 7 minutes a day per employee), then the policy is failing, regardless of how secure it looks on paper.
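To make the two ideas in this section concrete, the context-aware alternative to ‘deny by default’ and the Security Friction Index that scores it, here is an added example in Python. It is not the essay’s or any product’s code: the risk signals, their weights, the trust windows per sensitivity tier, the 45 seconds assumed per MFA prompt, and the single constructed employee-day of access events are all assumptions chosen for illustration. Only the 7-minute threshold comes from the text. The same day is run through a prompt-on-every-access policy and through a policy that prompts only when trust has expired for the resource being touched, and each run reports its friction in minutes.

```python
"""Context-aware step-up authentication compared with prompt-on-every-access,
scored by a Security Friction Index (minutes of prompting per employee-day).
Added example: the signal weights, trust windows and seconds-per-prompt figure
are assumptions, not values from the essay; the sample day is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Assumed trust windows: how long one successful MFA stays valid per sensitivity tier.
TRUST_WINDOW = {1: timedelta(hours=8), 2: timedelta(hours=4), 3: timedelta(hours=1)}
UNREGISTERED_WINDOW = timedelta(minutes=30)  # assumed: short window on unknown devices
SECONDS_PER_PROMPT = 45                      # assumed average cost of one MFA prompt
FRICTION_THRESHOLD_MINUTES = 7               # the essay's "over 7 minutes a day" line


@dataclass
class AccessEvent:
    ts: datetime
    device_registered: bool
    corporate_network: bool
    sensitivity: int  # assumed scale: 1 low, 2 medium, 3 high


@dataclass
class Session:
    last_mfa: Optional[datetime] = None


def risk_score(ev: AccessEvent) -> int:
    """Additive risk from signals the session already carries; nothing is asked of the user."""
    score = 0
    if not ev.device_registered:
        score += 2
    if not ev.corporate_network:
        score += 1
    if ev.sensitivity == 3:
        score += 1
    return score


def context_aware(ev: AccessEvent, s: Session) -> str:
    """Deny only the clearly hostile combination; otherwise prompt only when trust has expired."""
    score = risk_score(ev)
    if score >= 4:
        return "deny"
    window = TRUST_WINDOW[ev.sensitivity]
    if not ev.device_registered:
        window = min(window, UNREGISTERED_WINDOW)
    if s.last_mfa is not None and ev.ts - s.last_mfa <= window:
        return "allow"
    return "step_up"


def prompt_every_time(ev: AccessEvent, s: Session) -> str:
    """The policy the essay complains about: re-authenticate on every access."""
    return "deny" if risk_score(ev) >= 4 else "step_up"


def simulate(events: List[AccessEvent],
             policy: Callable[[AccessEvent, Session], str]) -> Dict[str, float]:
    """Run one employee-day through a policy; a step_up is assumed to succeed and refresh trust."""
    s = Session()
    counts = {"allow": 0, "step_up": 0, "deny": 0}
    for ev in events:
        decision = policy(ev, s)
        counts[decision] += 1
        if decision == "step_up":
            s.last_mfa = ev.ts
    minutes = counts["step_up"] * SECONDS_PER_PROMPT / 60
    return {**counts, "friction_minutes": minutes,
            "over_threshold": minutes > FRICTION_THRESHOLD_MINUTES}


def sample_day() -> List[AccessEvent]:
    """Constructed access log for one employee; not real telemetry."""
    start = datetime(2024, 1, 15, 9, 0)

    def at(minutes: int) -> datetime:
        return start + timedelta(minutes=minutes)

    return [
        AccessEvent(at(0), True, True, 1),       # first login of the day
        AccessEvent(at(10), True, True, 1),      # same low-risk app again
        AccessEvent(at(30), True, True, 2),      # medium-sensitivity document
        AccessEvent(at(90), True, True, 3),      # finance share, 1h window has lapsed
        AccessEvent(at(105), True, True, 3),     # same share, still inside the window
        AccessEvent(at(180), True, True, 1),     # low-risk app
        AccessEvent(at(240), True, False, 1),    # registered laptop from a coffee shop
        AccessEvent(at(270), False, False, 3),   # unknown device, off-network, high tier
        AccessEvent(at(300), False, True, 2),    # new tablet on the office network
        AccessEvent(at(315), False, True, 2),    # same tablet, inside its short window
        AccessEvent(at(420), True, True, 3),     # finance share again, window lapsed
        AccessEvent(at(510), True, True, 1),     # end-of-day status update
    ]


if __name__ == "__main__":
    for name, policy in (("every access", prompt_every_time), ("context-aware", context_aware)):
        print(name, simulate(sample_day(), policy))
```

The point the numbers make is the essay's own: both policies refuse the one genuinely suspicious access (an unknown device, off the corporate network, reaching for the highest-sensitivity resource), so the extra prompts of the every-access policy buy no additional refusals; they only move its friction index past the 7-minute line while the context-aware policy stays well under it.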
The Final Shift: Empowering the Defender
The real revolution isn’t a new firewall or a new encryption standard. It’s adopting the radical idea that the best security system is the one that treats the person sitting at the keyboard not as the primary threat vector, but as the primary defender, and empowers them instead of paralyzing them.
Empower, Don’t Paralyze
We need policies that stop breaches, yes, but more importantly, policies that stop stopping the work.
What is the cost of the work you didn’t do today because the system asked you for your identity for the 107th time?