CISOs are challenged with skillfully managing the security and productivity requirements of employees working from across the world.
Enterprises were embracing remote work even before the pandemic. The rate of adoption has increased rapidly after the start of the global lockdown.
A majority of organizations have rapidly adopted a remote workforce strategy to ensure their employees’ safety and uninterrupted productivity. Many C-suite executives have not made any official statements on returning to on-premise locations in the near future.
CISOs have to manage a highly distributed workforce, which has had some negative impact on security profiles. The remote workforce era has also exposed weak spots in the corporate network and in conventional approaches.
So, while legacy methodologies worked fine before the new normal, processes that may have worked for the occasional remote employee may not work when the number of remote points goes up.
To survive, be secure and productive in the long run, enterprises must figure out solutions that can help them thrive in the current scenario.
Balancing productivity and security in the remote-first environment
Security leaders believe that remote work policies, which started as a temporary workaround, will be permanent. However, the sudden shift has exacerbated the security issues that organizations faced earlier on a smaller scale.
These issues have been boosted by factors like managerial oversight, increased utilization of non-enterprise approved devices, and workarounds to increase employee productivity. Clearly, these aren’t compliant with security guidelines.
Legacy remote work solutions pit corporate security and worker productivity directly against each other in a zero-sum game, in which favoring one factor means losing some benefits of the other. The game is not fun, and it has left CISOs feeling they are being pushed in competing directions.
As a result, CISOs and other C-suite executives are experiencing higher pressure and a decline in mental health. Experienced CIOs suggest analyzing what solutions other organizations in the same industry have implemented.
Each organization has to identify the neutral line, or choose one side, in the security vs. productivity debate as applicable to it. CISOs lean towards the obvious choice of handling policies relevant to web browsing, BYOD, third-party app utilization, and endpoint security.
Enterprise leaders are divided over whether they should be strengthening, reducing, or leaving security policies at the same level as before the pandemic. There’s rising confusion as to whether the many organizations that chose not to change their security posture did so because the measures were sufficient or because they were not sure of the steps to be taken.
To allow or not: web browsing
CIOs say that allowing free/unrestricted web surfing raises an obvious question related to productivity and security. Freewheeling access to the internet results in security liabilities and potential distractions from work. However, rigid restrictions may prevent employees from accessing sites that they need.
To allow installation or not: Third-party apps
Similar to the previous situation, restricting third-party app installation can eliminate potential security issues and save time for security teams. But too much restriction can directly affect productivity. Some third-party tools like Microsoft Teams and Slack can boost communication, morale, and efficiency.
Handling BYOD policies
Accessing corporate networks from personal or non-corporate endpoints results in a higher level of complexity for security leaders. Permitting the use of personal devices for office work requires organizations to come up with effective BYOD policies. The absence of an industry standard to ensure security is a significant cause of worry.
Security leaders believe that a certain level of formality needs to be maintained on corporate-issued devices. The level of restrictions may be based on the security requirements of the organization. As each company’s risk factors and needs are unique, it is best to consider the most relevant measure.