How are CISOs managing the tug-of-war between IT security and worker productivity in this new, remote-first era?
Before the pandemic, remote work was already on a gradual rise. A FlexJobs survey revealed a 159% increase in remote work in the U.S. between 2005 and 2017—but even then, in 2017, only an estimated 3.4% of the total U.S. workforce was remote. Today that number has climbed to a whopping 42%, according to new research out of Stanford. It’s no secret that the pandemic has dramatically accelerated the trend toward work-from-home. However, what many of us innocently believed was temporary back in Spring 2020 has since developed into an indefinite timeline. Seventy-eight percent of CISOs surveyed for a joint study by Hysolate and Team8 believe that one-quarter to three-quarters of their workforce will operate remotely indefinitely.
I recently reviewed “The CISO’s Dilemma,” a report detailing the results of this joint study. It delved into how aspects of this new world order impact CISOs at Fortune 2000 companies and the large remote workforce they now manage.
What’s clear is that this massive uptick in at-home work has exposed weak spots in some companies’ traditional approaches to managing remote IT employees—or in some cases, what could be considered non-approaches in their informality. These legacy approaches were conceived before this new normal, long before it expanded into the indefinite timeline we find ourselves in today. What worked for a few odd or occasional work-from-home employees may not work for the masses. To be sustainable, secure and productive in the long term, companies need to figure out how to thrive in this new reality.
CISOs Balancing Security, Productivity in a Remote-First World
Out of the CISOs surveyed, 87% believe that remote work is a permanent workflow. Just 13% believe they will go back to full-time office-based work. Clearly, we’re working with a new majority rule.
This rapid ballooning of the at-home workforce has exacerbated an existing dilemma CISOs had already been facing on a smaller scale: whether to favor worker productivity or corporate security when employees are at home under less managerial oversight and increasingly using non-company devices.
As the report notes, “Legacy remote work solutions have established worker productivity and corporate security as competing priorities in a zero-sum game …” In other words, by favoring one, you lose some of the other—at least, that’s how some see it. It’s a game, but not a particularly fun one, and it’s leaving some CISOs feeling pulled in competing directions.
This challenging dilemma may lend some context to another telling statistic: CISOs self-reported an estimated 8% increase in whiskey consumption and a 20% increase in wine consumption since the pandemic began. Not that they’re alone, by any means. If we’re to read into this, we might guess that these folks, like so many these days, are understandably stressed.
With this in mind, one central question the survey sought to answer was: How are different companies playing this game? Are they finding a centerline or diverging to one side of the security-versus-productivity question? As it turns out, there are surprising divisions in companies’ handling of policies around endpoint security, web browsing, third-party app use and BYOD (bring your own device).
As an example, among CISOs surveyed:
- 26% have introduced more stringent endpoint security and corporate access measures since the pandemic’s arrival.
- 35% have relaxed their security policies to foster greater productivity among remote workers.
- 39% have left their security policies the same.
CISOs are split on how to approach this dilemma. The report asked: Are these last 39% of companies not making changes because they are comfortable with their security posture? Or is it because they don’t know what changes to make?
Web Browsing: To Surf or Not to Surf
Whether to allow free surfing of the web is a key, if not obvious, question regarding security and productivity. On the one hand, freewheeling access to the web introduces security issues and the temptation to stray from work. On the other hand, strict limitations can unintentionally keep employees from accessing websites they may legitimately need—not to mention it feels like Big Brother.
Sixty-two percent said…