After a year and a half of pandemic, most audit, security and governance professionals have grown comfortable with the “remote work” risk landscape. In the early days of the pandemic, practitioners had to rapidly evaluate any new risks associated with the new ways of doing things to enable operations to continue while staff stayed socially distanced. There were many examples of this: new collaboration tools, new workforce dynamics, changes in policies, etc.
Now, even though COVID-19 is still very much with us, the availability of a vaccine and subsequent reduction in infection rates are causing organizations to rethink the balance of remote vs. onsite work. This shift is a much more disparate and personalized one than what we went through en masse at the beginning of COVID. Now, organizations are making individual, business-specific decisions about what elements of remote work to keep – and what elements they can do without. Likewise, individual employees are deciding what they are comfortable with. In some cases, they’re anxious to return to a group setting as quickly as possible; in others, they’ve become accustomed to reduced commutes, increased time with family or perhaps they’re just not ready to go back to a public setting.
Because of this, many organizations are embracing a “hybrid work” model – meaning, a model in which they keep the elements of remote work they find advantageous while also supporting onsite employee presence (perhaps two or three days a week, or as needed). There are a number of factors that drive this: some organizations may have realized cost savings from a remote workforce (such as costs associated with maintenance of shared spaces), while others might have hired out-of-town staff during the lockdown and they like the freedom to hire geographically distributed staff with hard-to-find skills.
Whatever the reasons, many organizations are once again shifting their work models. For us in the practitioner community, it’s important that we pay attention to this. Just like the “work from anywhere” model had its own set of risks and benefits, so, too, does a hybrid model. Unlike the first mass exodus though, the risk dynamics are much more individualized for each organization. This means thinking it through carefully is time well spent.
Hybrid work risk considerations
The first thing to think about is how risk might be impacted by a hybrid model. Now, it’s a given that organizations are different and that context matters: organizations have different risk appetites, exist in different industries, have different needs and have different cultures. This means that what is risky for one organization might not be for another, so thinking through what’s unique to you is the best path forward.
As an example, consider the budgetary impacts associated with a hybrid model. Many organizations struggled (at least initially) with technology investments that presupposed a relatively modest remote workforce. They were fundamentally unprepared to scale to 100% remote (or close to it). However, now that they’ve acquired the capacity to potentially support a fully remote workforce, does it make sense to scale back these investments as some staff return to the office? It might. Does it make sense to keep those investments in place? Again, it depends on the context. If they are supporting a “hotelling” model where workers no longer have a set workspace, onsite presence may be more fluid, and thus keeping them in place makes sense.
Consider also the new controls that you’ve put in place since the pandemic started. If your organization is like most, you’ve had to adapt how you do things in light of being geographically distributed. And, in many cases, that has required deploying new controls – or changing the implementation of existing ones. It can also mean changing the processes that implement the controls you have in place. For example, you may have had to adapt your incident response planning to use distributed collaboration tools (with fully considered redundancies, of course) vs. assuming that there will be a physical, on-premises “war room”. You may have moved from a physical SOC to a virtual one (vSOC). You may have introduced new controls on desktops to lock down data in the event that a family member of an employee gains access to a workstation. Depending on what you’ve had to change, you may need to once again re-examine these controls in light of a shift in work arrangements. Which make sense to keep? Which make sense to change back?
Lastly, consider how we conduct training for security awareness. In years past we might have put money into posters in public areas and onsite training. During the pandemic, we may have shifted that budget into a mailing (or giveaway like a mousepad) and computer-based training. Depending on the culture of the organization, some social engineering-based attacks might be easier in a hybrid model vs. a fully remote or fully onsite one.
A case for measurement
While none of these items are “earth shattering” in and of themselves, they bear mentioning because they have one thing in common – namely, that the primary way to evaluate them and to plan is through understanding how much of the workforce is remote and planning accordingly (and measuring and using the resultant data to drive decisions). This is not always an area of strength for many organizations. Many of us in the “trust” business (be it audit, security, governance, risk, compliance, etc.) haven’t had the best track record in gathering and using relevant metrics. This is dangerous in light of the current shift, where I’d argue that metrics are at the forefront of what’s most important.
For example, say we’ve implemented a vSOC. If the lion’s share of employees are remote and stay that way, it makes sense to keep the vSOC remote. If, however, the entirety of the analyst staff and incident response team returns to the office, it might make sense instead to pivot. Likewise, from an economic point of view, balancing the costs of distributed collaboration vs. facilities costs depends on how many people return to the office and how often, which in turn relies on measurement so that you can understand how your workforce is shifting and how rapidly.
This, in turn, means that having insight into how our organizations’ personnel are responding to the hybrid model is valuable and may be fundamental to security planning in this new phase of transition. It’s valuable because it directly impacts how we understand our risk profile, it’s valuable because it impacts how we adapt our controls and which controls we keep, and it’s valuable because many of the impacts are emergent – meaning it’s difficult to predict what they will be in advance (so being able to measure the scale can give us insights about when to be extra vigilant).
For a security, audit, or governance function in any organization, it pays to have partnerships with other areas like HR, facilities, and (arguably most importantly) the business. If we don’t already have those connections, this can be a powerful incentive – and critical time – to build them. If we do, there’s value that can be gained from tapping those relationships to solicit information about how our own workforce is being impacted. You’ll be glad you did.