As pandemic-related stay-at-home orders phase out and many companies decide whether to bring employees — and how many — back to the office, some cybersecurity experts are warning that extended remote-work arrangements are not necessarily a good idea for security teams.
While security professionals worry that remote work has undermined the security of their users' systems, the arrangement has also affected the way their own groups work, argues Corey Thomas, CEO and chairman of security firm Rapid7. Security teams that work from home are less effective at communicating and sharing skills and have to give up the security benefits of physical-presence requirements to access certain systems, he says.
"Working remotely during the pandemic has taught cybersecurity professionals to stretch their skill sets and exercise new levels of creativity, but it hasn't fully replaced the benefits of working together under the same roof," Thomas says. "As businesses prepare to reopen with new safety guidelines, they should embrace plans that incorporate not only the flexibility of remote work but the valuable experience that can be gained through on-site communication."
Thomas is not the only one to caution companies against embracing remote security teams. Software security firm BitDefender points out that some security efforts require on-site workers to access systems, such as controlling product updates, updating signatures, and installing patches. Other companies may have intellectual property documents that they do not want exposed to the Internet or high-security systems that have classified information.
Physical presence remains a good security measure, and large companies — especially those with their own data centers — will not be able to have an entire work-from-home security group, says Liviu Arsene, global cybersecurity researcher at BitDefender.
"Some services just cannot be managed remotely for security reasons," Arsene says. "So you have to make a business decision as to whether you want to have security services that you can expose online."
Not everyone agrees, of course. Some companies — especially smaller ones — are embracing the movement to virtual companies based on cloud infrastructure to the furthest possible extent. Cobalt, for example, which offers pen testing as a service, plans to move its company completely virtual — joining others, such as developer-services firm GitLab — in creating a company based on a far-flung group of workers.
High-tech workers are well-suited to distributed work arrangements, says Caroline Wong, chief strategy officer at the company.
"Teams these days, they know how to collaborate asynchronously, and the vast majority of security incidents are not 'wake up in the middle of the night and scramble to deal with it' types of events," she says.
Many companies had already changed their security arrangements because of the pandemic-prompted remote work. Almost a third of companies have made changes to employees' security training to bolster security at the endpoint, according to a survey conducted by BitDefender and published today. One in six firms are requiring that only company-owned devices be used for remote work. And about a third of companies have moved to 24/7 IT support for workers.
Overall, more than a quarter of companies expect more employees to work from home on a permanent basis, the survey shows. Facing a permanent change in how they do work has caused many companies to tighten up their work-from-home security arrangements.
"I have some friends that worked from home," Arsene says. "After the pandemic hit, they made changes. They completely forbid the use of work computers to do anything else but work. They started sending a lot more materials to employees."
Many companies may not have a choice but to allow security professionals to work from home. With cybersecurity skills in high demand and the supply of workers reportedly tight, businesses may have to be flexible to attract the right type of talent, says Cobalt's Wong.
"There is a skills shortage, and it remains very real," she says. "So the likelihood of getting all your security people in the same region is small. But if you look beyond that when hiring a security team, having a remote workforce gives you the ability to have workers in different time zones and pull from a much larger pool."
For Cobalt, the move to remote work will become permanent. The company will likely move away from a central office arrangement and instead focus on bringing together people for collaborative work sessions, Wong says.
"We are never going to have offices again the way that we used to," she says. "But we will have social events. We will get together — the entire company — twice a year, when it is safe to do so. What we used to call an office, we will instead have a creative hub, and you will not need to be there eight hours every weekday, but once a week or once a month."
BitDefender sees that as a viable option but will continue to keep security people — and some others — coming into the office.
"If your business model allows remote work, then maybe move to some sort of shared-office arrangement," Arsene says. "While not everyone can do it, we are going to be seeing some shifts overall, even in security."