A year ago, work from home (WFH) emerged as the "new normal" for organizations seeking to keep their staffers safe from COVID-19. Today, companies are viewing WFH as simply, well, the norm, as 83% of IT managers are planning or have planned for a long-term transition to remote working.
In many circumstances, the arrangements have increased productivity and efficiency. But they also bring on risks: Three-quarters of IT professionals are concerned that their response to security threats is less effective due to employees working remotely, and 63% have less than 90% visibility of remote endpoints. Seven of 10 indicate that the pandemic has negatively affected their ability to patch endpoints and enforce compliance.
Given the challenges, we recently asked a selection of top security managers and executives about their experiences. We wanted to know what's the biggest lesson they've learned after a year of WFH, and how they advise their counterparts at organizations to proceed as a result of those lessons. Here's what they told us:
Steve Zalewski, CISO, Levi Strauss & Co: "Now is the time to double down on security awareness training for your company. After a year of transition from 'work in the office' to 'work from home' to 'work from anywhere' to 'work from everywhere,' people are stressed, fatigued, struggling with work/life balance, and generally feeling overwhelmed. This has created a bonanza for attackers who use phishing and social engineering attacks. Targeted attacks are on the rise as well. So get creative with your education and testing, be persistent, and don't let your people give in to the COVID fatigue, false sense of security that home environments can create, and targeted attacks. Every click we can prevent saves us hours of incident response time chasing down compromised credentials or lost revenue."
Timothy Myers, CISO, Missouri Employers Mutual: "Don't try to figure it all out on your own. Develop a peer group and schedule regular conversations to share information on trends, projects, threats, etc. If you can afford to, use a well-established security consultant to do vulnerability and penetration assessments to see if that perspective maps well with where you think you are."
Britney Hommertzheim, Director of Cyber Threat Operations, Cardinal Health: "Embrace the uncomfortable. Right now, many people are in a state of flux. Use this as an opportunity to provide a solution for your business that also provides a security benefit."
Gregory Matthias, CISO, TCF Bank: "It's more important than ever to work with your partners to understand risk across the organization and not just tech risk. Secondly, you need to be at the table and become an enabler of faster digital transformation."
Shinesa Cambric, Manager of Security Architecture, Vistra Corp: "This is a time to rethink cyber processes and integrations and the messaging around that. There is a huge opportunity to use the message of a 'fresh secure start.' Security managers and teams should take advantage of migrations to the cloud to reset and reinforce the image of security — that security being integrated and built into their tools and platforms is a value-add and a distinguisher, rather than using a 'fear, doom, and loss avoidance' message to get buy-in for security."
Aimee Martin, Director of Information Security, Vista Outdoor: "Determine how to cut costs in the right places but spend the money in the places that add the most value. Rethink business resiliency and protect the critical assets and data in your environment."
Judy Hatchett, CISO, Surescripts: "Be flexible, invest in tools and strategies that solve more than one problem. Invest in your people."
Nathaniel Cole, Director of Security, MSTS: "Leaders need to be acutely aware of massive disruption to everything in 2021 — remote workforce may or may not continue — then we are looking at huge disruption in real estate and others. Deploy security without brick and mortar. Truly reevaluate end-user behaviors, grant access, identity access, onboard, and offboard. The short term will be hard, but we will all be better off in the long run as a result of the work done now."
We can't predict with absolute certainty what the state of WFH/remote work will look like a year from now. But we do know that cybersecurity professionals will seek to continue meeting the many new challenges that extraordinary circumstances bring. By closely aligning IT goals with business strategies and a flexible, agile, and value-first mindset, CISOs and their teams will more effectively prepare their organizations for current "norms" — and whichever new ones come next.