Collaboration in an enterprise can better enable security going forward, after a challenging six months.
Speaking on a Cisco webinar, Wendy Nather, head of advisory CISOs, said there is a need for collaboration over control, as “control presents greater cost for the enterprise.” Asking what you can ask users to take care of on the security side, and what you can no longer enforce, Richard Archdeacon, advisory CISO for Cisco EMEA, said there is a chance CISOs are “losing control anyway and will need to become collaborative in order to secure their organizations.”
Fellow advisory CISO J. Wolfgang Goerlich said we have seen the workforce become more savvy, and this has led to “creative things” in terms of the way the business works with the employees.
Goerlich said the idea of collaboration is sound, and asked how we can introduce constraints yet still have good relations with the workforce. “Also, how can we leverage this savviness of the workforce that it is developing, and how can we embrace our shadow so to speak?”
Nather said the difference between collaboration and control could have a significant effect on how we build our security products, “not with the assumption that there is a centralized control point that is setting all of the policies and doing all the monitoring and the enforcement, but rather that there are multiple controls, some within the enterprise and some without.”
This has led to the concept of secure remote work. Nather said that when everyone needed to work from home, there were some big problems in the supply chain: enterprises couldn’t get the laptops they needed for employees to take home, so employees had to use what they had at home.
“That forced enterprises into BYOD, where they may not have necessarily embraced it before, but now they have no choice,” she said. “As a result of that, the users - especially in Europe - pushed back and are saying ‘this is not a corporate device and I do not want you monitoring it, I do not want any possibility you will erase my data’ and especially when users are at home. Those enterprises that are used to scanning endpoints for vulnerabilities cannot do it any more as the ISPs sitting between user at home and enterprise may see this as an attack.”
Nather said this has resulted in businesses telling users that they can do what they wish on their own devices, but they need to meet security requirements to access corporate applications. “That is the balance, the collaboration that we are starting to see pushed more and more with remote work,” she said.
Goerlich said that in times of stress, when everyone is trying to work remotely, organizations go back to “tried and true security” like good MFA, DNS security and a good VPN connection. “One of the trends we’re seeing is in response to the stress, is a doubling down on bread and butter fundamental security controls,” he said.
Archdeacon said there is a trend to get the core fundamentals and controls correct, and organizations are now looking back to ask how this will affect the business in the future. “This comes back to the point of collaboration and control, where we are going to shift the security control to endpoint and user and we’ve got to collaborate with them to be part of our frontline security team when they start to access our resources,” he said.
Nather concluded by saying that the remote work model had to be re-thought quickly, so many organizations had to put in whatever they could at the last minute, and this will impact on users, and ultimately CISOs too. “If they didn’t put in something sustainable at the beginning, they are going to have to now.”
It was also revealed that Duo's user authentications jumped from 600 million to 800 million per month due to the rush to enable remote work, while over 500 million meeting participants generated 25 billion meeting minutes in April, more than triple the volume in February.