Remote Workforce Security - the Long Game episode artwork

EPISODE · May 21, 2020

Remote Workforce Security - the Long Game

from Info Risk Today Podcast · host InfoRiskToday.com

"Risk acceptance" was the operative term as organizations quickly deployed remote workforces in response to the global crisis. But now, as this deployment becomes a long-term option, enterprises need to take a future-focused view toward identity, cloud, and the attack surface. Forcepoint's Homayun Yaqub offers tips.

Episode metadata supplied by the publisher feed · Published May 21, 2020

"Risk acceptance" was the operative term as organizations quickly deployed remote workforces in response to the global crisis. But now, as this deployment becomes a long-term option, enterprises need to take a future-focused view toward identity, cloud, and the attack surface. Forcepoint's Homayun Yaqub offers tips.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Remote Workforce Security - the Long Game

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Hi, I'm Tom Field, Senior Vice President of editorial with Information Security Media Group. My topic of today's discussion is securing the remote workforce for the long haul. And it's my pleasure to welcome to the studio, Holmayun Jakub, Senior Director of Strategy with ForcePoint. Holmayun, such a pleasure to speak with you again.

Likewise, Tom. I hope I help all this well with you. Oh, very well. Thank you.

Well, start here. It's clear that this large remote workforce that we have today is here today. What are some of the changes you've seen organizations have to make, not just to enable the ship but to continue to support it? It's a great question.

And I think there's also some acknowledgement that we're still trying to figure this out. Everyone's using these terms, like the new normal, the new reality, what was an unprecedented set of circumstances led to organizations that weren't typically built for a remote workforce now having to enable it. And so I think first and foremost, it meant just simply keeping the lights on. However, fashion and manner that they saw fit, which meant including that, at least from the lens of security, significantly accepting a certain amount of risk exposure.

You see all kinds of surveys that have been done for a variety of different organizations. There was an acknowledgement that in order to just maintain that continuity of operations and resiliency, there was a willingness to accept a certain amount of risk. But I think now, as we're normalizing a bit, there is a renewed emphasis on reducing that level of exposure. Homile, you mentioned a couple of key words, risk and acceptance, and increasingly I hear from CISOs about the risk acceptances they made to enable the remote workforce.

What are some of the shortcuts you've seen organizations take to make this remote workforce possible? You know, what became, and arguably for many organizations still is, what was top of mind was in enabling this transition, they had to acknowledge a willingness to accept a certain level of risk. And that risk, of course, was manifested in the form of shortcuts. One shortcut, for example, that I've heard about, and I've seen in a couple of surveys, is allowing users to be able to communicate with others professionally through their personal email.

Certainly something that most security practitioners would cringe in hearing, but this would be an acknowledgement. The second would be this idea of leveraging non-sanctioned collaborative tools that otherwise don't have the appropriate measures in place to authenticate users and so on and so forth. And when productivity coupled with resiliency defines how organizations need to continue to keep the lights on, there was a willingness to take some of these steps, allow for a level of risk exposure that typically would not be tolerated for, but increasingly I think as we are heading into the third month of the pandemic, at least from a remote work-on-home status, there is a need to sort of a gap, reduce that level of exposure and now start thinking about what the new normal looks like and what steps do we need to take to prevent and to reduce our tolerance for risk acceptance. So Homie, I want to ask you about some specific tactics, but if you would take a step back and look strategically, what needs to be done now to shore up cybersecurity and to sort of fill some of these vulnerability gaps as we approach the long haul, which could be 18, 24 months in some cases, with a remote workforce permanency?

First and foremost, if you just even put the issue of developing the right technology stack aside for a second, I think there is increasingly a renewed emphasis, if not a key priority in focus for practitioners to be able to increase the overall cyber hygiene of their organizations. So what do I mean by that? Increasing the number of communications, creating training opportunities, making them more interactive most of the folks that are now working from home are ones that are typically not used to addressing something. How are they in fact securing their own environment?

Are they going out if they have the opportunity to leverage public life by what are the implications of that? So certainly training is a core component and improving that overall hygiene towards building muscle memory and then you transition over into the side of enabling through technology and what are some of these core elements. Well, certainly we talk about being able to secure users against potential threats, acknowledging that there is a level of security that needs to occur with respect to where the data rests, where it actually isn't transit and when it's actually being used by the user, in this case now a user that is remote. And then also how do we ensure that we maintain the integrity and trusted reality of validating that user is in fact who they say they are, so that we don't end up onboarding onto our environment as someone who has been compromised and I think those are sort of the three core elements that are enabled by certain security solutions, et cetera.

Well, I don't want to ask you about three specific areas and one is what are some of the gaps you see in cloud security strategies? It's interesting, this is a question that actually now speaks to certainly some of the work that's coming out of the researchers like Gartner. Sassy, secure access services has become all the buzz and while the focus there is being able to better align network security as well as access to data and some of the initiatives there, it also speaks to a broader reality in terms of where data sits, how users are accessing it and how can we ensure the integrity of the security around that access. SaaS applications are no longer and increasingly not just a fringe capability or, you know, by exception, this is the new norm, whether it's O365, access to OneDrive, Salesforce, or those who use it, Dropbox, et cetera, even collaborative tools like what we are using to help with respect for this podcast or Zoom.

Some of these have certainly hit the limelight as of late and have become top of mind in terms of preserving the integrity of that as well as then applications that still reside on-prem and having the fidelity in access and secure access to the private apps as well. Homie, I hear a lot of concern about data governance. Where do you see that organizations could do a better job in identifying and addressing gaps in data protection? Data protection is clearly top of mind where everyone, I think even more so when you start talking about moving data off-premises right, outside of data centers, into the cloud.

Data is, in fact, the new oil just defines the intellectual property of organizations and it is commoditized. The elements there really go back to how best do we understand what I think is despite all of these other changes, when we start talking about, you know, moving towards increased reliance on SaaS applications, moving towards access to our data through a cloud-based environment, we'll talk about limiting the footprint of on-premises infrastructure. What we're fundamentally still left with when you strip away all of these evolutions and changes is that you still have two core components, people, i.e. users within an organization and the data that they interact with and so how best do we put a spot like on that interaction, acknowledging that it is in fact very fluid and very dynamic.

We hire people to be able to create value for an organization but we also acknowledge that they can potentially contribute to risk and so I think the best way to manage that interaction is really to play a point of emphasis on understanding where users and their interaction with data exists along a continuum, measure that continuously, understand the risks associated with it and then adapt your security environment based on that risk. You spoke earlier about the need for education. How can organizations do a better job protecting their remote workers from the state of targeted attacks that seem to have increased? Education is key.

It ultimately does come down to being able to instill that level of confidence and that confidence should then turn into muscle memory where users understand how to identify a phishing campaign or a phishing email, how they understand leveraging access to various ways of collaborating, understanding simple things like just password integrity, in password streams and combinations and so on and so forth, to the extent where possible simple measures that they can take with their own devices, if they're using a non-sanctioned or non-issued company laptop or device, how then do they ensure that they keep that integrity, file integrity? Where they're keeping it? If they are in an O365 environment making sure that they're leveraging the OneDrive and not simply moving files into their personal drive, for example, there are any number of things that are not immediately intuitive for folks because they are used to living in not living in a corporate working in a traditional ops environment and they're on that network and so now there has to be very deliberate, very methodical steps towards educating folks in terms of developing these best practices and these techniques for shoring up and being a contributor to raising the overall security posture of an organization. And now it's fair to say we certainly are living and working in the same environment.

That's true. Take a step back and talk to me about Forest Point. How is your organization different today because of your own 100% remote workforce? Yeah, it's interesting.

A good portion of our workforce was already remote. We are a software company with a very distributed workforce across the world, not just U.S.-based. We have office environments. Our corporate headquarters is in Austin.

We have large development teams who also have offices in various parts of the media in APAC as well. And yet, for the majority of our folks who are actually out of positioning Forest Point, IER sales reps and our sales engineers and so on and so forth, the vast majority of them have always worked remotely. But what it's actually highlighted though is some of the existing infrastructure and protocols that we had while ideally aligned for a percentage of our workforce now needed to be applied across the totality. So I think in many respects while we were prepared because we already had precedents taking that to a 100% remote-only approach, certainly putting some pressure on our own CIO in our own head of information security and others to be able to set the conditions so that it wasn't just one portion of the workforce but now applying to everyone in the same standard applied to everyone.

Now, what is Forest Point doing today to help prepare their customers not just for the short term but really securing the remote workforce as part of a long-term strategy? Yeah. For us, we've acknowledged from day one, and I'll say day one isn't aligned to the current state of the pandemic, day one for quite some time. I never since Forest Point came into being.

We were purpose built to address a couple of different areas, and one was acknowledge what I alluded to before that people truly represent the most valuable aspect that an organization has and relative to that value is how they interact with that second most arguably, depending on what your perspective is, other aspect of an organization's value chain, the data, their intellectual property. And so we've always felt that security must begin with understanding users and their interaction with data. Now, increasingly, we also acknowledge that that user is actually defining the new perimeter. They are the edge of security.

Today highlights it to your point about living and working at home. The perimeter is now defined from wherever that user makes it. I have a colleague who, when possible, and they don't have to be on physical camera, will take walks around the neighborhood in order to get the steps in, to make it a little easier and get some fresh air. They are literally a roaming user, and yet they are still accessing data and communicating while they are also deriving a health benefit as well from walking.

And so by no longer viewing these elements as silos, our approach is to take a far more integrated strategy, acknowledge that we need to protect users wherever they are. Acknowledge that we need to protect the data that they interact with, and also ensure that they have a secure way of accessing the data wherever they may sit along the edge. And so users' data and edge are fundamentally an integrated approach and no longer be done through a silo process. And it begins with really understanding how people through a behavioral lens present not only value so that we can enable their continued productivity, but also potentially present risk.

And so how do we adapt security to be able to reduce that level of risk exposure? Excellent. And as always, I appreciate your time and insight. Thanks so much.

Thank you, Tom. Take care. I'm Tom Keering, the remote workforce for the long haul, and I've been speaking with Homa Yoon Yakuob, Senior Director of Strategy with ForcePoint. For Information Security Media Group, I'm Tom Field.

Thanks so much for listening.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on May 21, 2020.

What is this episode about?

"Risk acceptance" was the operative term as organizations quickly deployed remote workforces in response to the global crisis. But now, as this deployment becomes a long-term option, enterprises need to take a future-focused view toward identity,...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!