Striking a Delicate Balance

Christian Toon, CISO at Pinsent Masons LLP, was among the first to respond. He revealed that flexibility as well as balancing security with productivity proved crucial to his employer:
The security team has already been very well versed in remote working, so the flexibility and approach has made them into ambassadors of attempting to work during a pandemic. We didn’t work 9-5 before this all started, so being flexible to meet personal challenges has been key. Our biggest challenge has been adjusting our security footprint to enable the business to continue to work. Working out what good security looks like alongside good productivity has been a good learning curve. We’ve adjusted our approaches based on this different style of working.

Ron Solano, Data Security Officer at OptumInsight of United Health Group, agreed with this statement. He explained that his employer specifically needed to balance the threat of growing malware attacks with the network’s ability to handle greater numbers of remote users. “Employees need to have laptops that are protected against viruses and other digital threats,” Solano explained. “We want to make sure there is no contamination when they log in to a company network. At the same time, networks have to be able to handle the larger number of people logging into the network as a result of our organization’s remote work. Inbound pipes need to be monitored for load balancing.”

Security teams have needed to develop new policies to balance these challenges. But their work didn’t end there. They then needed to communicate those new policies to the entire workforce and train employees on how those changes affect them.
Communication: A Challenge in Itself

Maintaining effective communication flows wasn’t so easy when team members could no longer interact with one another in the same physical space. Dr. Grigorios Fragkos, Digital14 Cyber Defense and vCISO at Expo 2020 Dubai, shared his input. “The biggest challenge since moving to 100% remote working has been real-time communication and interactions, especially in cases where you could jump next door—for example, in IT or the SOC—and have a quick discussion,” Fragkos noted. “When you work with your team throughout the day, you can discuss, coordinate and brainstorm on-the-fly, but it takes way more time to have these micro-communications over virtual mediums, phone-calls and emails, compared to a brief face-to-face catchup. Of course, another challenge is when you need to be physically present on-premise for various reasons. As this can take some time to arrange, it introduces delays that wouldn’t be present if things were different.”

Nigel Sampson, Head of Information Security for Alegeus, agreed that communications and a lack of physical interaction had hampered some of his security team members’ efforts:
Communications across the company have worked very well to the point where we were using instant messaging more than email. Other areas that have worked well are responses to queries. People are more responsive. Productivity has risen; team members start their day earlier and end later, as there is no commute. Overall, the work-life balance for the team has helped with overall productivity. Challenges occurred during audits where auditors required walk throughs. We managed to adapt and conduct Facetime walk throughs while following appropriate safety precautions. There is also the issue of equipment failure and accessory replacements. It’s no longer a case of ask the IT tech to grab a power pack. It must be shipped. We rely heavily on our endpoint protection system with well-developed policies that will isolate any system in the event of infection. Should a system become inoperable for any reason, it then becomes an issue of downtime for the user while we ship a laptop to them. However, we have not encountered any events that required laptop replacement, which is a testament to good security hygiene and technology.

But there is a way to solve these communication challenges. It doesn’t come from the efforts of the security team members. Rather, it comes from the top. “… [T]he leadership’s commitment to cybersecurity made a huge difference,” Fragkos noted. “The early decision to invest in OPEX, focus on a dynamic design and flexibly expandable architecture, have strategic partnerships in place and develop a clear distribution of responsibilities paid off. All these early decisions allowed the cybersecurity team to enable different types of business requests in a secure manner.”
Keeping in Mind the Value of Fun

The office isn’t just where employees work. It’s where they socialize. It’s where they’re able to relate to others in new ways. Dianne Kelley, CTO at Microsoft, is well aware of this point. She therefore thinks that organizations should emphasize both work and fun. “Because working remotely can feel very isolating, one of the best ways to stay connected in the long-term is to bring groups together collaboratively for work and fun,” Kelley explained. “Remote work can be an engaging, collaborative experience when teams brainstorm in video meetings, iterate documents and projects in shared workspaces, and track progress in ongoing chat threads. And having a bit of fun matters, too! To keep remote workers connected, consider virtual group activities like a weekly brown bag lunch, happy hour, or a book/movie discussion club. Find a way to replicate water-cooler comradery in the virtual world.”

Christina Morillo, Cloud Security & Platform Engineering at Microsoft, also recommended that security employees be kind to themselves during these turbulent times:
My number one advice is to embrace the change with a healthy dose of optimism. While I can understand that working remotely (during a pandemic, nonetheless) is no easy feat, a shift in perspective is the most powerful tool we have. From a logistical perspective, I have top three recommendations for security professionals. (These tips also helped me transition into a full-time remote role, as well.)
- Stick to your morning routines – Wake up, shower and get some breakfast (or however this looks for you).
- Dress for a productive day – Get out of your PJ's and go for some comfy athleisure (yoga pants and a comfy tee/sweater) instead. Staying in your PJ's will lure you back into bed.
- Invest in a solid desk/work table – Your work area matters...a lot. If you have a desk, great. If not, invest in one. I would recommend a standing desk. If this is not possible, use the kitchen table. You will be less productive if you are uncomfortable, so get comfy.
- Take your lunch/breaks – It is crucial for your well-being and sanity. Act as you would in the office. You will burn-out if you do not.

An additional or double monitor setup is also a bonus. Keep in mind that working remotely (or from home) is a bit different than working remotely during a pandemic, so have patience and don't be afraid to recalibrate and shift until you find what works for you.
Strengthening Their Work-from-Home Capabilities

The expert guidance provided above highlights the need for organizations to make the most of their work-from-home policies in a way that accords with their business needs. That includes deploying tools that facilitate these new telecommunication policies. For tips on how to effectively implement these tools, download this Tripwire white paper.
Authors' note: This blog was co-authored by Joe Pettit and Mitch Parker.