BoxWorks Digital: How security leaders are sustaining and securing remote work
Securing remote work isn't just a technology issue. In this digital era, security is built on layers of trust that underpin the way people engage with technology. Leaders need an approach that elevates trust throughout their entire ecosystem.
Box's Global CISO, Lakshmi Hanspal, hosted an executive panel to discuss securing and sustaining remote work. She was joined by Meg Anderson, VP and Chief Information Security Officer at Principal Financial Group; Tony Soules, Deputy Chief Information Security Officer at Amgen; and Chris Niggel, Regional CSO, Americas for Okta. Here are key takeaways from that conversation:
Remote work requires you to rethink your boundaries of trust.
The attack surface has widened: With the transition to a work-from-anywhere world, the attack surface has widened, which has changed the calculation of risk. While many companies already facilitated remote work to some degree, having everyone everywhere changed the risk by orders of magnitude. There has been a drastic increase in the number of networks, devices and physical workspaces. Zero trust architecture needs to account not only for employees, but also for partners, the supply chain and the entire ecosystem, as well as ensure protection of customer data and intellectual property.
Focus on employee education: Niggel, Chief Security Officer of Okta, emphasized the need to extend the controls that have been put in place in the office to the employee's home office. An emphasis was put on educating employees about extending the trust boundaries to the home office with things like clean desk policies. This included allocating budget to purchase equipment, like screen shields, to maintain the trust their customers expect. Soules, CISO at Amgen, added that personal devices weaken security posture and that a great deal of emphasis was placed on how staff should interact in a home environment. They need to consider who is around them, who can hear their conversations and who has access to their equipment.
Speed and convenience still matter in a zero trust model: While building a modern technology platform, frictionless security is key. You need to establish a zero trust boundary that still allows employees to get to the data they need. The system must be easily accessible as well as secure.
Sustained remote work offers new opportunities as well as challenges.
Build a better workforce: Not being tied to office locations offers new opportunities for hiring and retaining talent and increasing diversity. There is now access to a greater pool of talent and increased opportunity for employee satisfaction, as employees have fewer limitations around where they live or relocation requirements.
Accelerate technology adoption: The rapid shift to remote work also brought about an accelerated mass adoption of new technology. Teams are more motivated and invested to adapt to new technologies like video conferencing and collaboration tools that make their jobs easier. Anderson, CISO at Principal Financial Group, stated that her company is reevaluating how they roll out technology changes in the future, and there may not be as much benefit to taking small steps, as they've always assumed.
Business continuity and disaster recovery (BCDR) plans are crucial: Anderson urged that risk management choices be documented and that conscious decisions be made about which choices will be rolled back, which will be permanent and which need to be evaluated. BCDR plans that have now been tested need to be assessed and adjusted, as the test may have exposed unforeseen weaknesses. Niggel explained that the primary BCDR plan had been for employees to work from home if there was an outage at the office, but now, with everyone already working remotely, they need to account for interruptions that may occur at an employee's home office.
Adjust your priorities: Re-prioritize what you are asking your employees to focus on, and how that may need to change. Some examples stated include:
- Deferring training so that employees can better focus on serving their customers
- Using stronger passwords or passphrases that need to be changed less often, to help minimize potential interruption, which is magnified when working remotely
- Increasing transparency and line of sight on the health of critical services that are undergoing additional stress to meet demand
Where do we go from here?
Today's state of cloud security and privacy is complex, strong, volatile and promising. Cloud security and privacy is growing increasingly complex. The many employees and partners across the globe, working within an ever-evolving regulatory landscape, are all trying to come together to serve their customers. Complexity breeds volatility: as new services are issued, companies need to understand how to use and protect them. Most cloud breaches are self-inflicted, so there needs to be a large focus within. Promising: we are not quite there yet, but on the right path!
People and privacy should be your main concerns. People make cyber security a challenge, and you need to understand how people-related threats evolve. You also need to be sure you understand who is accessing your system. Are the people who they say they are, and are they really people? Privacy is becoming a bigger part of an IT professional's job. As companies gather increased amounts of data and the concepts of machine learning evolve, privacy will be a growing concern.
Accelerate trends to maintain business continuity. Acceleration of business and technology trends is vital in order to continue to provide for your customers. Whether it's investing in augmented reality so that researchers can access equipment remotely, e-signature and collaboration tools to continue to service your customers, or adapting to employees' need to access corporate data via personal devices, rapid adoption of technology can help move your business forward. But all these devices and software may also need to be approved, secured and maintained in order to ensure privacy and protect customer data and intellectual property.
What is here to stay? Shifting focus is good for the company and good for the employee. Adopting cloud technologies, and creating a secure, frictionless, collaborative environment helps employees achieve more by doing less. A shift to strategic remote work and a focus on collaborative spaces and better tools will strengthen the workforce, even when we do come back to the office. Flexible work schedules and giving grace and understanding to parents are just a few examples of how the panel hopes empathy will be sustainable.
And the most important takeaway...
"We live in an imperfect world and will continue to be in that. And in my experience the most effective way to build trust is to listen, learn, lead with empathy. I believe it creates a work environment full of empowered people who are going to invest in the organization's success. That is a security-based trust posture no money can buy." - Lakshmi Hanspal