How long-term hybrid work is changing security strategies

Pam Nigro wants to know if workers at her company are working odd hours. She wants to know exactly where they are, too, because such surveillance is one of the strategies Nigro has to keep her company safe.

Nigro says her security tools must understand and analyze when and where employees work so they can identify unusual access attempts that could indicate an attack.

And her security program must become increasingly attuned to each employee’s work habits in the years ahead, as widescale hybrid work arrangements remain the norm.

“We need to consider our investments and a changing work environment to make sure we’re leaving as small of an attack vector as possible,” says Nigro, the top IT and security officer at Home Access Health Corp.

Home Access shifted a large number of employees to virtual work when the Covid pandemic hit in early 2020, implementing technologies and policies that gave them secure remote access from their homes. At the same time the company continued to support those employees who needed to be in the office, such as its lab workers.

Home Access Health Corporation

For Nigro, the experience presented new challenges, including educating workers how to safeguard home internet connections. It also gave her opportunities to accelerate new security initiatives, such as adding analytics capabilities to understand employee patterns and geofencing-based tools to block access originating outside the United States.

“These are the kinds of things we’re still enabling and enhancing to make security stronger as we continue with hybrid work,” says Nigro, who is also board vice chair with the professional governance association ISACA.

Her experience is typical among CISOs, many of whom were unprepared for widescale remote work.

A survey of 2,600 enterprise leaders for the 2021 Thales Data Threat Report supports that assertion. Only 20% said their security infrastructure was very prepared to deal with the pandemic-induced disruption, including the shift to remote work. Some 82% said they were somewhat or very concerned about the security risks and threats that the increased remote workforce poses. And 44% said they weren’t confident that their access security systems could effectively secure remote work.

Those figures might have been sufficient at first. But what was conceived as a temporary situation has now become permanent, as organizations plan for an ongoing mix of in-office time and work-from-anywhere options. McKinsey & Co., the management consulting firm, surveyed 100 executives and found that the majority expect that moving into the future those employees in roles where on-site work is not required will be working remotely between one and four days each week.

That has many security leaders reworking their strategies as they seek to strengthen their security programs to meet the demands of this new work world.

“So many CISOs are going back and buttoning things up,” says Tony Velleca, CISO of UST and CEO of CyberProof, a UST company.

They’re looking at pre-pandemic roadmaps that never accounted for this new extended hybrid environment and concluding that old plans are no longer sufficient for existing and upcoming needs.

West Monroe

And they’re revisiting the stopgap security tools and the temporary policies they enacted to quickly enable remote work to replace them with stronger permanent solutions.

“Now when we think of a hybrid workforce, we have to think longer term,” says Kaumil Dalal, a senior partner in the West Monroe technology practice and a national leader with its digital workplace and modern systems integration offerings. “That requires a mindset shift. CISOs have to inculcate a security-first mindset within their organizations and help everyone understand their roles in terms of protecting the organization.”

Good enough is no longer good enough

Many organizations are facing significant obstacles in creating a secure long-term hybrid work environment, often lacking modern IT infrastructure, such as cloud resources, modern security tools such as AI-enabled anomaly detection, and even a fully staffed security team and robust data management policies.

At the same time CISOs are seeing an ever-expanding threat landscape.

The 2021 Voice of the CISO Report from security software maker Proofpoint found that 58% of responding CISOs said they’ve seen more targeted attacks since enabling widespread remote work. Meanwhile, 56% said allowing remote access to company information negatively impacts their ability to manage the control and classification of sensitive business data and 58% said that staff use of personal devices increases the risk of data breaches.

As such, the report concludes that the continuing hybrid work environment “challenges the CISO to convince their boardroom that the ‘good enough’ approach of the past 12 months will not work in the long term.”

Many CISOs are taking action.

The report found that 57% of surveyed companies have strengthened the security policies put in place at the beginning of the pandemic and 65% of CISOs said they believe they will be better able to resist and recover from cyberattacks by 2022-2023.

“Everyone has rethought their strategy over the course of the past year,” says Cameron Smith, research director in the security, privacy, risk, and compliance practice at Info-Tech Research Group. “How significantly that strategy has changed is much smaller for those who were well prepared before the pandemic, and it’s much larger and more painful for those who weren’t.”

Even so, nearly all CISOs face some challenges as they seek to reinforce security for a hybrid environment.

Of course, each security chief faces his or her own unique mix of issues depending on the organization’s existing security posture, industry, staffing levels and more.

However, CISOs report some issues in common:

Many say that they were saddled with older security technologies that were inadequate to meet long-term widespread remote work, the corresponding proliferation of endpoints, and the obliteration of network perimeters. Experts cite VPNs as case in point, with many organizations finding that the technology couldn’t deliver the security and user experience they needed across numerous employees.

Many CISOs also had staffing challenges, as they sought to enable security team members to work remotely and then learn to manage them in that new distributed environment.

And they had to develop new policies, procedures, and training programs for business workers who had to become more security minded literally overnight. For example, Nigro says she had to advise staffers on safeguarding screens and confidential phone calls in homes where family members—not co-workers—are nearby.

Accelerating initiatives, investments 

CISOs have been working to counteract those challenges and continue to do so.

Now they’re also laying out roadmaps for the future, with plans that feature investments in new technologies and processes to better secure the work-from-anywhere environment that is the norm today and moving forward.

Security leaders say they’re investing heavily in the technologies that support newer approaches to security, namely the zero trust model and the secure access service edge (SASE) concept.

Additionally, their roadmaps call for increased investments in technologies essential to those approaches. Those technologies include multifactor authentication, encryption, identity and access management controls, network segmentation, microsegmentation, behavior analytics to detect anomalies among users, and analytics capabilities for dynamic access control.

“Organizations are moving controls from the network to the endpoints,” explains Frank Lesniak, a senior architect at the consultancy West Monroe Partners and the firm’s team lead for digital workplace and technology automation projects.

West Monroe

He notes that CISOs are also investing in traditional anti-malware software as well as endpoint detection and response (EDR) platforms, managed detection and response (MDR) platforms, and data loss prevention (DLP) software.

Using such technologies for layered security provides better protection than reliance on traditional security defense technologies such as firewalls, says Nadya Bartol, managing director at BCG Plantinion, a division of Boston Consulting Group.

“It’s finally acknowledged that the perimeter no longer exists,” she says, adding that most organizations will require years to implement the technologies required to develop a mature zero trust program.

BCG Platinion

Meanwhile, CISOs are advancing their monitoring and response capabilities by implementing security orchestration, automation and response (SOAR) platforms and using machine learning and AI capabilities to create more efficient and effective security operations.

CISOs are also revising training and awareness programs, updating them for a new era in which employees must develop a security mindset that recognizes the role each individual can play in thwarting phishing attempts and other nefarious actions.

And they’re rethinking how to best prepare their own departments for the future ahead as work-from-anywhere lets them recruit (and forces them to compete) more broadly for the security talent they need as well as supplement staff with 24/7 managed security service providers (MSSPs) and highly specialized security firms, Velleca says.

Results from the Proofpoint survey reflect those trends, with

• 35% of CISOs saying they intend to enhance core security controls,
• 33% investing in new solutions to support remote work,
• 32% spending on employee cybersecurity awareness,
• 32% consolidating and simplifying security controls and solutions, and
• 30% addressing supplier risk.

Furthermore, the report found that the majority of CISOs expect their budgets to increase by at least 11% over the next two years to support their revamped roadmaps.

Smith acknowledges that none of these technologies or strategies is new; they were all of interest prior to the pandemic.

But he notes that one of the biggest changes to the CISOs strategies now versus pre-pandemic is the pace of adoption: CISOs are accelerating their investments in all of these areas because they must.

“I’m seeing budgets being pulled forward to enable remote work,” Smith says. “For many, the new working world is enough to really enable that new perimeterless model.”