The management consulting firm Korn Ferry recently surveyed professionals about what they were most looking forward to when they return to the office, and more than 20 percent of them said “nothing.” (No kidding.) Some 64 percent of respondents are cited as saying that they’re more productive at home. (Not surprised.)
There are numerous articles, surveys, blogs, and speculative pieces just like this one, almost all with interesting, or confusing, or downright curious data—even a year into the global COVID-19 pandemic. But it’s not hard to understand why; figuring out if and when to bring employees back to work at offices is one of the biggest question marks in business and government right now, given the obvious, and ongoing, uncertainty.
Some companies, particularly U.S.-based tech firms, are already allowing permanent work-from-home and positioning flexible work location choices as competitive benefits, which we also saw in our 2020 survey of security practitioners. Others, including multinational firms with offices in many countries, report concerns about adequate in-office protections and too-hasty returns to “the old normal,” especially with the virus having spiked again as of early 2021 in areas once thought to have contained it. And ideas for how to keep improving accommodations for certain WFH necessities—such as robust Internet infrastructure and living conditions with sufficient personal workspace—vary widely depending on where employees are located.
This shifting sand represents one of the hardest challenges ever faced by IT and Security teams. They are tasked with planning for the next 24 months and beyond based on a range of potential in-person/WFH scenarios, the balance of each depending on geography, capacity, technology, and a host of other concerns.
Reconsidering your next steps
In security terms—and hey, I’m a CISO, so this is of course how I think—many teams might be most worried about trade-offs. Do my employees stay majority-remote and sacrifice security so they have a good user experience when accessing the cloud applications needed to do their jobs? Do I hope that my security infrastructure will hold up to so much remote access and keep my users, data, and applications safe? Do I buy new tools, restructure or re-train my team, and re-architect my network over things that might be different in the next year or so? How much budget do I need?
Do I simply shut my eyes and “hope for the best”?
Really? We’re still saying that a year into this mess?
As we all know, “hope” is not a strategy, and neither are trade-offs between security and productivity.
Providers need to flexibly address all scenarios, from majority-at-home to majority-in-office, and do so in a way that’s scalable. Cybersecurity is amazingly dynamic and always changing, but threats aren’t getting any less frequent, or less sophisticated. Breach headlines remain constant; more than 30 percent of successful cyber attacks are a result of social engineering; network segmentation strategies are being challenged; insider threats are increasing as an attack vector with so many people remote; WFH is the new network expansion; and unpatched old systems and WFH transport devices are still in some way responsible for more than half of all successful breaches.
So how do we keep pace, and with so much uncertainty over what the next two years will bring?
Security has entered into the realm of change management. The threats are continuing to evolve, the architectures are continuing to evolve, the expectations are continuing to expand, and capabilities are not what they once were when it comes to defending our cyber frontier—and that was before we had a global pandemic to deal with. It’s tough out there.
Change is imminent, rapid, and one of the hardest things for us to embrace, and I’ve heard many infosec professionals say “this is uncharted territory” or “haven’t we done this before?” But guess what? We have. Not so long ago, we embraced a mindset that if we pursued security we would get compliance. That leap of faith required us to depart from a path of, “I met the e