Gone are the days when remote work was the exception and the most distributed employee was the salesperson on the road. As remote and hybrid work become the predominant work structure for organizations, and the new rules of engagement are only beginning to be solidified – most CISOs are asking themselves: how does security need to change?
There are many lessons organizations will learn as cultural expectations and practical realities shift on how we define physical and digital workforce norms.
Kory Daniels, Global Director, Consulting and Professional Services, provided his take on the changes that so many organizations and their CISOs have faced in this Q&A:
How has IT security changed in the 20 months since organizations were forced to roll out remote and hybrid work environments due to COVID-19?
Before the pandemic, there were two types of businesses: those with a longstanding on-premise technology infrastructure and operations, where people were accustomed to working against clearly defined processes, and newer businesses with less infrastructure debt on-premise from a technical, operational and cultural perspective. This dichotomy was changed overnight when the COVID-19 pandemic struck, and remote work was widely adopted. It quickly became apparent how capable the existing people, processes, and technology for these organizations empowered a virtual workforce and if the security strategy in place was ready for the shift in their attack surface.
This shift was more challenging for some organizations than others. Newer companies may have seized the advantage of building their business in cloud-first philosophy. Larger and more mature businesses had more variance in where they were in their cloud journey at the time the pandemic hit. These businesses' status quo was upended, which affected how their core revenue-generating operations performed and how the security team could effectively provide resilience.
How has a largely distributed workforce shifted the requirements of security?
The reality is less about the size and more about the risks. Fewer employees, fewer revenue streams, and a smaller data footprint provide the advantages of being incredibly agile. Yet, even with an agile digital workforce in place, companies large and small have needed to review their fundamentals: What are the biggest threats and latest tactics based on remote work? Are our users equipped to understand risks and spot suspicious behaviors? Are our new virtual collaboration tools for file sharing, communication, and business operations secure, and can we effectively see threats from our security team?
For larger businesses that were not as far along in their digital transformation as they may have planned, the shift to remote work was incredibly difficult and disruptive. Overnight, thousands of previously centralized workforces located within controlled environments were suddenly working from their homes on possibly poorly secured home networks and personal devices. An organization’s security posture was further complicated by the sheer volume of vendors and suppliers operating from their own distributed locations. Compounding the issue was staff use of Bring-Your-Own-Device (BYOD), which was at times unavoidable. Even the new tools adopted to help with this transition created opportunities for data to be compromised.
Rapidly reconfiguring protection and detection architecture to reduce exposure and communicate new processes came with many challenges. What once was finely tuned and modeled for a particular network and environment -- to lock down corporate assets for data protection -- now had a vastly evolved attack surface, leaving organizations vulnerable in entirely new ways. Knowing what threats had changed and which tools were right for the job had many companies overwhelmed -- and that’s still true today.
What then becomes our baseline understanding for normal user and entity behaviors?
Baselines have shifted further since remote behaviors differ from those in the office: logging in later at night, accessing files and systems at different points in the day. It has become much more expensive for organizations, especially those that have mature insider threat management programs in place, to distinguish a bad actor from an actual employee.
The rules of engagement were much more predictable when workers kept to the traditional 9 and 5 workdays and remained at a designated location. Many companies don’t have insider threat management on their radar. And for those that are actively monitoring it, there’s a new layer of complexity with the surge in remote work that wasn’t a widespread issue before.
Is hybrid and remote work truly the new normal or a temporary solution?
Business and IT leaders alike are grappling with decisions to maximize efficiency and employee satisfaction for today’s workforce. Once corporate leaders decide on a remote work policy, there are several questions IT leaders should be asking. How well do we understand our attack surface? Is the threat intelligence we have still relevant, and what are the threats we need to prioritize? How effective is our balance between plan, build, and run to ensure our projects are being achieved cost-effectively, on time, and not causing detriment to our ability to maintain monitoring and response.
Cloud-based Infrastructure-as-a-Service tools lay a flexible foundation. Likewise, your partners should be asking themselves similar questions but in reverse: how to manage changing environments, keep alerts relevant and create resilient cloud security strategies in the event of a compromise.
The longer the jury is in session on a definitive approach to hybrid and remote work, the more significant the implications for IT and security will become.