Taking the first steps toward a hybrid-first cybersecurity environment
Featured in TB Tech
This blog was featured in Top Business Tech.
With the New Year in full swing, physical offices have remained largely empty, and while official work-from-home advice is still in place, it’s become clear over the last two years that, by and large, people enjoy flexible working. With ‘Plan B’ restrictions coming to an end in the UK, the question of an office return is in the air. But while people will be free to return to the workplace, it’s unlikely things will ever go back to the way they were pre-pandemic.
With a successful vaccine rollout, many businesses took an optimistic outlook in the second half of 2021. Some, such as business answering services provider Moneypenny, brought virtually all of their staff back to the office as soon as reasonably possible. Many organizations, however, have taken a hybrid approach. Indeed, a closer inspection of Google’s billion-dollar bet on a return to office working reveals a clear ambition to create a new and permanent hybrid working culture; a working culture where employees are encouraged – but not required – to be in the office.
Hybrid working cybersecurity challenges
A long-term hybrid working culture – particularly following two years of employees largely working remotely – presents a significant challenge for Chief Information Security Officers (CISOs). In a recent survey of 600 UK CISOs, 30% admitted that since March 2020 they have lost track of movers, joiners, and leavers. What’s more, 29% stated they are missing corporate devices. The key challenge that CISOs are facing is mitigating the ever-increasing cybersecurity risk brought about by the growing complexity of their IT environments. Their number one priority in 2022 will be IT discovery. After all, it’s virtually impossible to effectively protect what you don’t know is there.
Security teams must now contend with user sprawl and device sprawl. In the past, their focus would have been on securing one main location – the office. Now, location is a fluid notion. The concept of networking in this context is increasingly difficult to define. To help overcome this challenge it’s vital to compile an in-depth – and ongoing – view of the organization’s IT estate. Only by knowing what assets you have within your environment can you apply effective security controls.
A hybrid-first security mindset
Procedures and processes for this new world need to be reviewed from the ground up – all with a hybrid-first policy. The challenge is not insurmountable for security leaders who remain flexible and adopt new ideas. Desmond Tutu once said that “there is only one way to eat an elephant: a bite at a time.” What he meant is that everything in life that seems daunting, overwhelming, and even impossible can be accomplished gradually by taking things one step at a time. For CISOs facing this challenge, the overarching focus should be on improving visibility, intelligence, and control over their network and devices. Breaking this down, there are three key first steps CISOs should be considering:
1. Visibility: Focus on identity
Identity runs through the core of visibility, intelligence, and control. Start by establishing who your users are and what they have access to, and by building a robust joiners and leavers program. Any and every user account that has been neglected in some way over the last two years is a potential weak point. The culmination of this has led directly to the data sprawl now endemic in organizations. Security teams need to understand everything that is happening on the network in an identity context – whether that’s a human user or a connected device – before they can begin to get them under control.
2. Intelligence: Look at new technologies
A new hybrid-first security framework requires modern technology solutions. Extended detection and response (XDR) is a good example. Many CISOs will be grappling with the decision of where to focus their immediate efforts – applications, devices, or the network. XDR pulls all three areas together. As well as the network, XDR gives visibility into the cloud and certain software as a service (SaaS) applications – visibility on the application level as well as the device.
These capabilities will be crucial in a new hybrid-first framework, moving the traditional security operations center (SOC) focus from the office network to a much wider and deeper view of the organization’s environment. The threat landscape is now fundamentally different. Less focus on the office and network and more focus on applications and devices will provide a better and more holistic view of risk, what’s happening in the environment, and where the organization’s exposure resides.
3. Control: Design from the ground up
Security strategies that were created even three years ago are now obsolete. The pace of change is increasing exponentially and sitting on the fence is no longer an option. CISOs need to adopt policies and procedures that deal with location independence and network independence. Hybrid working is now ‘business as usual’ and CISOs must work to design modern, fit-for-purpose hybrid-working strategies from the ground up. Perhaps the worst thing any CISO could do as employees return to the office is to carry on as though they were operating in a pre-pandemic world.
The hybrid-first world has new and very different demands, but the mistake to avoid is viewing this as a bad thing. There is a multitude of benefits to be realized. Ultimately, organizations will have more secure applications and devices. As policies and procedures mature, organizations will enjoy more agile and robust business processes. But before this can happen, there is baggage to dispose of, plasters to remove, and new perspectives to cultivate. For those willing to think differently, hybrid working will ultimately provide the catalyst for a more secure environment.