Dark Reading is part of the Informa Tech Division of Informa PLC


Collaboration Undermined When Security Teams Work Remotely, Some Argue

Knowledge workers are perfectly suited for remote work, but the benefits of collaboration - and the requirements of proving identity - make fully remote security teams problematic.

As pandemic-related stay-at-home orders phase out and many companies decide whether to bring employees — and how many — back to the office, some cybersecurity experts are warning that extended remote-work arrangements are not necessarily a good idea for security teams.

While security professionals worry that remote work has undermined the security of their users' systems, the arrangement has also affected the way their own groups work, argues Corey Thomas, CEO and chairman of security firm Rapid7. Security teams that work from home are less effective at communicating and sharing skills and have to give up the security benefits of physical-presence requirements to access certain systems, he says.

"Working remotely during the pandemic has taught cybersecurity professionals to stretch their skill sets and exercise new levels of creativity, but it hasn't fully replaced the benefits of working together under the same roof," Thomas says. "As businesses prepare to reopen with new safety guidelines, they should embrace plans that incorporate not only the flexibility of remote work but the valuable experience that can be gained through on-site communication."

Thomas is not the only one to caution companies against embracing remote security teams. Software security firm BitDefender points out that some security efforts require on-site workers to access systems, such as controlling product updates, updating signatures, and installing patches. Other companies may have intellectual property documents that they do not want exposed to the Internet or high-security systems that have classified information.

Physical presence remains a good security measure, and large companies — especially those with their own data centers — will not be able to have an entire work-from-home security group, says Liviu Arsene, global cybersecurity researcher at BitDefender. 

"Some services just cannot be managed remotely for security reasons," Arsene says. "So you have to make a business decision as to whether you want to have security services that you can expose online."

Not everyone agrees, of course. Some companies — especially smaller ones — are embracing the movement to virtual companies based on cloud infrastructure to the furthest possible extent. Cobalt, for example, which offers pen testing as a service, plans to make its company completely virtual — joining others, such as developer-services firm GitLab — in creating a company based on a far-flung group of workers.

High-tech workers are well-suited to distributed work arrangements, says Caroline Wong, chief strategy officer at the company. 

"Teams these days, they know how to collaborate asynchronously, and the vast majority of security incidents are not 'wake up in the middle of the night and scramble to deal with it' types of events," she says.

Many companies had already changed their security arrangements because of the pandemic-prompted remote work. Almost a third of companies have made changes to employees' security training to bolster security at the endpoint, according to a survey conducted by BitDefender and published today. One in six firms are requiring that only company-owned devices be used for remote work. And about a third of companies have moved to 24/7 IT support for workers.

Overall, more than a quarter of companies expect more employees to work from home on a permanent basis, the survey shows. Facing a permanent change in how they do work has caused many companies to tighten up their work-from-home security arrangements. 

"I have some friends that worked from home," Arsene says. "After the pandemic hit, they made changes. They completely forbid the use of work computers to do anything else but work. They started sending a lot more materials to employees."

Many companies may not have a choice but to allow security professionals to work from home. With cybersecurity skills in high demand and the supply of workers reportedly tight, businesses may have to be flexible to attract the right type of talent, says Cobalt's Wong.

"There is a skills shortage, and it remains very real," she says. "So the likelihood of getting all your security people in the same region is small. But if you look beyond that when hiring a security team, having a remote workforce gives you the ability to have workers in different time zones and pull from a much larger pool."

For Cobalt, the move to remote work will become permanent. The company will likely move away from a central office arrangement and instead focus on bringing together people for collaborative work sessions, Wong says.

"We are never going to have offices again the way that we used to," she says. "But we will have social events. We will get together — the entire company — twice a year, when it is safe to do so. What we used to call an office, we will instead have a creative hub, and you will not need to be there eight hours every weekday, but once a week or once a month."

BitDefender sees that as a viable option but will continue to keep security people — and some others — coming into the office. 

"If your business model allows remote work, then maybe move to some sort of shared-office arrangement," Arsene says. "While not everyone can do it, we are going to be seeing some shifts overall, even in security."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
