Dark Reading is part of the Informa Tech Division of Informa PLC



02:00 PM
John B. Dickson

How Company Cultures Dictated Work-from-Home Readiness

Companies large and small are discovering just how prepared they were for all employees to work remotely

The past few weeks have been a blur. I've eliminated the word "unprecedented" from my vocabulary. I've become a Zoom subject matter expert and have had far too much fun applying unique Zoom backgrounds to surprise my colleagues. I've not traveled for four weeks, which is the longest spell without travel in memory. Instead, I've worked from my home for two weeks with no end in sight. 

This radical shift could not have come at a worse time for me and my colleagues at Denim Group. We had just closed one of the busiest weeks of the year at the annual RSA Security Conference and ran smack dab into a pandemic. My previous articles on the coronavirus seem to have been written in a bygone era. One sentence I wrote stands out: "As one attendee remarked, in a month we'll either laugh about how silly our fears were or we'll think attending RSA 2020 was the most reckless thing we've ever done."

With RSA well behind us, I can probably say with some level of confidence that I was not infected by the coronavirus while there. But in hindsight, it does seem attendance might have been, if not reckless, certainly questionable. We got a hint of what was to come less than a week after RSA, though; at least one security professional at RSA wondered how their VPNs would hold up when everyone worked from home.

I suspect this question has been asked in one way, shape, or form at virtually every organization in the last month. What we've witnessed throughout March is a shift that occurred in almost every company simultaneously. Some were better suited for the shift, while others are still struggling to support remote workers. I started to call it "work-from-home readiness," and, as vendors, we've had a chance to talk to hundreds of clients and prospects and have traded notes with other security vendors to obtain their perspective.

Here are some of the common reasons certain organizations were more prepared to support the massive shift from on-premises work to work from home:  

  • Business models: Certain companies were better suited to make the shift given their business models. For some, having employees working in an office was nice, but not necessary. Technology companies are the obvious candidates, as they often already had distributed workforces and liberal work-from-home policies. In manufacturing, this is not the case. Absent an entirely robotized assembly line, most manufacturing companies rely on employees to be present at their facilities to assemble product.
  • Business processes that broke: Although email and conference calling lend themselves to off-site work without friction, other business processes broke in unexpected ways. For us, it was US postal mail — we didn't have a process to accept mail with everyone working from home. This is important — some clients still pay via check. Our clients and prospects spoke of purchase order and statement of work processing, which require physical signatures in many cases.  
  • Technical debt: Likely directly related to the business models of certain companies, we've spoken to a variety that we thought would have the capability to work from home en masse but couldn't. Technical infrastructure constraints, including lack of VPN licenses, few employees with laptops, and lack of dual-factor authentication for remote workers, all handcuffed companies and made them prioritize which workers get equipment first.
  • Familiarity with remote tools: Suffice it to say, we are all smarter on Zoom, or your video conferencing solution of choice, than we were a month ago. Some organizations made the transition seamlessly as they already had a workforce who were comfortable with these technologies. Others had to learn in real time, putting a strain on internal IT support desk functions and lowering productivity across the organization. 
  • Culture: What's most interesting is the strong effect of corporate culture on an organization's capacity to work from home. We've observed that organizations in the same industries have made the transition to work from home, while others have failed miserably. The common denominator is company culture. Certain organizations had flexible work-from-home policies as an employee benefit and were better suited to make this rapid transition. Others who had strong "on-premises" cultures were less prepared. By design, these companies discouraged working from home and emphasized the need for on-site collaboration. These companies are still struggling today to support their remote workers.

As we continue to muddle through working from home due to the pandemic, it's been fascinating to see how certain organizations have made the transition to working from home, while others have struggled. Common denominators, such as culture and technical debt, contributed, as organizations became intensely focused on uptime with minimal disruption. I expect that many of the changes that have been made by organizations will affect us long after the stay-at-home orders have been lifted.

For me and many of my colleagues, security is a day-to-day focus of these new, uncharted waters. The shift reminds us that security is part of a broader business resiliency discussion. Having the capability to work from home seamlessly and in a secure fashion only strengthens the resiliency of your organization.


John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ...
