Prior to the Covid-19 pandemic, there was a trend towards remote work, particularly for IT jobs. However, with the introduction of the COVID 19 situation, this trend was massively accelerated, even among some of the world’s largest employers, such as the U.S. Department of Defense (DoD). The shift from working from anywhere is one that is only likely to continue, the genie is out of the bottle as they say, and it isn’t likely to return. There are several implications for cybersecurity in this paradigm shift and we will discuss them in the article below.
The most obvious shift for many cybersecurity experts when looking at the continued adoption of Work From Anywhere is the reality that the threat landscape has changed and security architectures, tooling, and methodologies follow suit. All of the devices utilized to work from anywhere are a vector to potentially introduce security incidents to the organization and by extension its supply chain, including those it both receives and provides goods or services to.
In January, the Whitehouse itself issued a memo further committing the Federal government’s push towards a Zero Trust architecture. This push revolves around five pillars, of Identity, Devices, Networks, Applications, and Data, all of which are relevant to the Work From Anywhere situation. Whether it is your employees’ endpoints, both user and non-person entity identities, the networks and applications they’re using and the data they generate, access or store. This creates a massive challenge for cybersecurity professionals used to traditional scenarios where they could build a strong perimeter and imply trust to anything inside it. It’s this reality that is leading to the quick decline of the VPN and the adoption of more modern Zero Trust-oriented tooling and processes as well.
Organizations need to shift to a more contextually aware and intelligent approach around access management. This involves the use of signals, such as user and location, device hygiene, applications involved and real-time risk telemetry to help drive dynamic access control decisions on demand. This shift is also having an impact on how organizations architect and secure the applications that their employees access. Rather than simply being placed inside the perimeter, applications are increasingly being externally exposed and should be secured accordingly. This is coupled with the reality that organizations’ use of as-a-Service service offerings are ubiquitous across all industries and critical to business continuity. All of these factors demand a new approach to cybersecurity for organizations and those that fail to adapt will struggle to secure their enterprises in the new operating model of the workforce.
Building right on the end of the previous section, a not often discussed of the Work From Anywhere shift is its impact on the workforce and more appropriately, organizations’ approaches to talent management, hiring, and retention. It’s no secret that every organization and industry faces a shortage of cybersecurity talent. There are a lot of factors that go into this such as rigid educational and experience requirements, lack of diversity, geographic restrictions, and more.
That said, as it relates to working from anywhere, this shift is a massive opportunity to begin addressing that shortage. In fact, the organizations that openly embrace the work from anywhere model will unquestionably outperform those who try and ram through a return to the legacy on-premise working model. As we’ve all lived through what was dubbed “The Great Resignation” by many, employees have more leverage when it comes to what they demand from an employer. For countless people in tech and cybersecurity, this includes flexibility when it comes to where and how they work.
Leaning into the work from anywhere shift allows organizations to massively open the aperture through which they can source and hire talent, no longer confined by geographic restrictions and reality. Organizations that fail to do this will struggle to attract new promising talent, but more importantly, they will risk retaining existing security talent, most of which has a tremendous amount of institutional knowledge both technically and culturally.
As discussed above, the work from anywhere paradigm offers both an opportunity and a responsibility. You now have the responsibility of securing the business from a new operating model where users and devices are connecting from everywhere. That said, you also have the opportunity to lean into an eager new pool of security talent or aspiring security entrants willing to help you secure it.
The choice is yours, plan accordingly.