At the outset of the global coronavirus 2019 (COVID-19) pandemic, many organizations decided to enforce social distancing by requiring that their employees begin working from home. This decision changed the fundamental way in which many employees were accustomed to working. It also created new security challenges for organizations that had larger remote workforces.
Tripwire wanted to learn the specifics of these challenges, so it commissioned Dimensional Research to 345 IT security professionals about them in mid-April 2020. As reported by Business Wire, a majority of respondents (58%) indicated that employee home network security was one of their areas of higher concern followed by increased attacks (45%), difficulties in keeping remote systems configured securely (41%) and obstacles with keeping remote systems compliant (38%). Reflecting on the difficulties of keeping remote workers safe, 89% of survey participants said their job was harder as a result of the new work-from-home policy. Nearly half (49%) blatantly said they couldn’t effectively secure employees’ home offices, leading 65% of respondents to admit their belief that their security was worse because of COVID-19.
These findings motivated Tripwire to learn more. In particular, it wanted to learn what strategies organizations were implementing to make the work-from-home shift as seamless as possible. It also wanted to learn if other challenges were plaguing their security teams.
Tripwire therefore got a bunch of security executives together and asked them the following questions: “Since moving to remote working, what has worked well? And perhaps what have been the biggest challenges for your security team?”
Striking a Delicate Balance
Christian Toon, CISO at Pinsent Masons LLP, was among the first to respond. He revealed that flexibility as well as balancing security with productivity proved crucial to his employer:
The security team has already been very well versed in remote working, so the flexibility and approach has made them into ambassadors of attempting to work during a pandemic. We didn’t work 9-5 before this all started, so being flexible to meet personal challenges has been key. Our biggest challenge has been adjusting our security footprint to enable the business to continue to work. Working out what good security looks like alongside good productivity has been a good learning curve. We’ve adjusted our approaches based on this different style of working.
Ron Solano, Data Security Officer at OptumInsight of United Health Group, agreed with this statement. He explained that his employer specifically needed to balance the threat of growing malware attacks with the network’s ability to handle greater numbers of remote users.
“Employees need to have laptops that are protected against viruses and other digital threats,” Solano explained.” We want to make sure there is no contamination when they log in to a company network. At the same time, networks have to be able to handle the larger number of people logging into the network as a result of our organization’s remote work. Inbound pipes need to be monitored for load balancing.”
Security teams have needed to develop new policies to balance these challenges. But their work didn’t end there. They then needed to communicate those new policies to the entire workforce and to then train employees on how those changes affect them.
Communication: A Challenge in Itself
Maintaining effective communication flows wasn’t so easy when team members could no longer interact with one another in the same physical space. Dr. Grigorios Fragkos, Digital14 Cyber Defense and vCISO at Expo 2020 Dubai, shares his input.
“The biggest challenge since moving to 100% remote working has been real-time communication and interactions, especially in cases where you could jump next door—for example, in IT or the SOC—and have a quick discussion,” Fragkos noted. “When you work with your team throughout the day, you can discuss, coordinate and brainstorm on-the-fly, but it takes way more time to have these micro-communications over virtual mediums, phone-calls and emails, compared to a brief face-to-face catchup. Of course, another challenge is when you need to be physically present on-premise for various reasons. As this can take some time to arrange, it introduces delays that wouldn’t be present if things were different.”
Nigel Sampson, Head of Information Security for Alegeus, agreed that communications and a lack of physical interaction had hampered some of his security team members’ efforts:
Communications across the company has worked very well to the point where we were using instant messaging more than email. Other areas that have worked well are responses to queries. People are more responsive. Productivity has risen; team members start their day earlier and end later, as there is no commute. Overall, the work-life balance for the team has helped with overall productivity.
Challenges occurred during audits where auditors required walk throughs. We managed to adapt and conduct Facetime walk throughs while following appropriate safety precautions. There is also the issue of equipment failure and accessory replacements. It’s no longer a case of ask the IT tech to grab a power pack. It must be shipped.
We rely heavily on our endpoint protection system with well-developed policies that will isolate any system in the event of infection. Should a system become inoperable for any reason, it then becomes an issue of downtime for the user while we ship a laptop to them. However, we have not encountered any events that required laptop replacement, which is a testament to good security hygiene and technology.
But there is a way to solve these communication challenges. It doesn’t come from the efforts of the security team members. Rather, it comes from the top.
“… [T]he leadership’s commitment to cybersecurity made a huge difference,” Fragkos noted. “The early decision to invest in OPEX, focus on a dynamic design and flexibly expandable architecture, have strategic partnerships in place and develop a clear distribution of responsibilities paid off. All these early decisions allowed the cybersecurity team to enable different types of business requests in a secure manner.”
Keeping in Mind the Value of Fun
The office isn’t just where employees work. It’s where they socialize. It’s where they’re able to relate to others in new ways.
Dianne Kelley, CTO at Microsoft, is well aware of this point. She therefore thinks that organizations should emphasize both work and fun.
“Because working remotely can feel very isolating, one of the best ways to stay connected in the long-term is to bring groups together collaboratively for work and fun,” Kelley explained. “Remote work can be an engaging, collaborative experience when teams brainstorm in video meetings, iterate documents and projects in shared workspaces, and track progress in ongoing chat threads. And having a bit of fun matters, too! To keep remote workers connected, consider virtual group activities like a weekly brown bag lunch, happy hour, or a book/movie discussion club. Find a way to replicate water-cooler comradery in the virtual world.”
Christina Morillo, Cloud Security & Platform Engineering at Microsoft, also recommended that security employees be kind to themselves during these turbulent times:
My number one advice is to embrace the change with a healthy dose of optimism. While I can understand that working remotely (during a pandemic, nonetheless) is no easy feat, a shift in perspective is the most powerful tool we have.
From a logistical perspective, I have top three recommendations for security professionals. (These tips also helped me transition into a full-time remote role, as well.)
- Stick to your morning routines – Wake up, shower and get some breakfast (or however this looks for you).
- Dress for a productive day – Get out of your PJ’s and go for some comfy athleisure (yoga pants and a comfy tee/sweater) instead. Staying in your PJ’s will lure you back into bed.
- Invest in a solid desk/work table – Your work area matters…a lot. If you have a desk, great. If not, invest in one. I would recommend a standing desk. If this is not possible, use the kitchen table. You will be less productive if you are uncomfortable, so get comfy.
- Take your lunch/breaks – It is crucial for your well-being and sanity. Act as you would in the office. You will burn-out if you do not.
An additional or double monitor setup is also a bonus.
Keep in mind that working remotely (or from home) is a bit different than working remotely during a pandemic, so have patience and don’t be afraid to recalibrate and shift until you find what works for you.
Strengthening Their Work-from-Home Capabilities
The expert guidance provided above highlights the need for organizations to make the most of their work-from-home policies in a way that accords with their business needs. That includes deploying tools that facilitate these new telecommunication policies. For tips on how to effectively implement these tools, download this Tripwire white paper.
Authors note: This blog was co-authored between Joe Pettit and Mitch Parker
FURTHER READING ABOUT CISOs:
- Security Execs’ Advice on Overcoming the Challenges of Remote Work
CISO: What the Job REALLY Entails and How It’s Evolved over the Years
How CISOs Can Foster Effective Comms and Build a Cybersecurity Program