Balancing workplace flexibility and enterprise security is not a new challenge for IT and technology decision-makers—but getting it right is essential for tomorrow’s workplace.
On the one hand, employees need access to systems, data, and applications to do their job—anywhere, anytime, using any device. At the same time, IT and technology decision-makers must secure the enterprise from the growing volume and variety of security threats.
We reached out to influential IT leaders to gather their advice on how to handle this delicate balancing act.
“I liken it to walking a tightrope over a tank of hungry sharks,” says Ed Featherston (@efeatherston), VP and principal architect at Cloud Technology Partners. “Employees need access to information to do their job, but information must be protected. Put up too many roadblocks, and employees will find workarounds, putting data at risk. Understanding who needs what through the access channels is key to striking a balance.”
If there’s a common theme running through our respondents’ answers, it’s this: Strike that balance with a multipronged approach that considers the human impact, best practice access controls, and the role of technology.
Jonathan Reichental (@Reichental), CIO of the City of Palo Alto, California, suggests six important steps: “Pursue a risk-based approach to cybersecurity solutions, mount a continuous education program, focus on protecting data over hardware, incorporate a mix of defense solutions, deploy a cloud access security broker (CASB) approach, and have a rigorous approach to access control.”
Put Your Users First
Just as customer experience has taken center stage for many organizations, so should employee experience top the list of considerations when balancing flexibility and security.
“Always start with the user experience, and focus on understanding where you need to reduce friction in collaboration and getting work done in your digital workplace,” says James Dellow (@chieftech), a consultant and researcher at Chief Technology Solutions. “Employees don’t want to intentionally risk enterprise security—and with an experience-led approach, you can make it a win-win.”
Tuan Pham (@tuan), managing director at SVB, says IT needs a tight—but not too tight—approach. “In today’s evolving business world, where people can work from anywhere, anytime, it’s extremely important to not impose draconian enterprise security for the sake of IT security theater,” he says. “IT departments must focus on the weakest parts of information security, including the human factor, and form policies, procedures, and processes that can truly protect an enterprise.”
The “weakest link” concept is important, says Michael Sheehan (@HighTechDad), senior manager of content marketing at Riverbed Technology. “True enterprise security is only as good as the weakest link in the IT chain,” he explains. “A thorough vetting of the appliances and devices attached to corporate networks will hopefully reveal the true state of the entire security layer.
“Enterprise end users obviously desire a secure workplace,” he continues, “but this means that additional responsibilities fall on the shoulders of IT to install and maintain this security. BYOD policies must be strict and regulated to ensure this compliance.”
Piloting a new approach can help ensure that users are happy. “Do a trial of a single example of employee workplace flexibility that has demonstrated a significant benefit in your content consultant David Geer (@geercom). “Given the security principle of least privilege, no flexibility is necessary that enables employees to do more than simply fulfill their job requirements.”
Move Beyond Single Sign-on
The next step in securing the enterprise? Moving beyond single-sign-on access to corporate data and applications.
“Employee flexibility threatens the very nature of achieving true enterprise security in the workplace,” says Phil Bartlett (@Phil_Comtek), director at Comtek Network Systems. “Technology decision-makers should be rigorous and uncompromising in their responsibility for enterprise security; there is no balance.”
Kayne McGladrey (@kaynemcgladrey), director of information security services at Integral Partners, offers his view: “Recognizing that user identity is the only true unit of security and not settling for single-sign-on or simple password storage solutions, decision-makers should be actively evaluating vendors that incorporate proactive user and entity behavior analytics (UEBA) with multifactor authentication (MFA) of privileged access management (PAM).”
James Fee (@jamesmfee), CTO of Cityzenith, says, “I think we’ve already crossed over with BYOD. No longer are employees having to use a VPN or dial in to gain access to email. That said, requiring 2FA [two-factor authentication] or rolling type authentication is the only way to protect security,” he notes. “Employees will jump through any hoops to try to get their email and documents on their own devices. Rather than try to limit this, you should embrace it and, in turn, enable the security that will recover data or turn off access if a device is lost.”
Build from the Core
Finally, there are several key technology considerations when walking the flexibility-versus-security tightrope.
Start with security architecture. “Bringing IT flexibility to the workplace with today’s landscape of complex and high-volume threats can make it difficult to ensure that a robust and resilient defense is maintained,” says Andy Wood (@AndyWoodUK), senior manager of consulting at Capita Cyber Security. “To deliver this flexibility while maintaining your defense requires a solid security architecture, using a methodology such as SABSA, which delivers robust security both vertically and horizontally across the enterprise. The architecture defines the requirements that need to be delivered through business changes to reduce the introduction of vulnerabilities, thus lowering the businesses risk profile.”
Next deploy virtual applications and desktops, says Phillip Hodge (@phillipjhodge), regional director of sales at Burwood Group. “It is essential for technology decision-makers to understand that information and data are the lifeblood of their organizations. Therefore, protecting it and providing the benefit and user experience of workplace flexibility can be a challenging endeavor,” he notes. “The key is to be able to securely isolate and protect information and data, using models such as virtual applications and desktops as well as increasing reliance on secure enterprise file sharing services.”
And don’t forget real-time monitoring. “Technology decision-makers need to focus efforts on real-time monitoring and security data analytics to prevent and detect attacks,” says Angela Orebaugh, PhD (@AngelaOrebaugh), assistant professor and director of cybersecurity and IT programs at the University of Virginia. “Real-time data monitoring of critical assets and information enables a fast enterprise response to detect and stop attacks. Security data analytics enable enterprises to correlate data for use-pattern insights to prevent and predict attacks. Through real-time monitoring and security data analytics, enterprises can allow employee workplace flexibility while remaining cyberresilient.”
The Bottom Line
Robert Siciliano (@RobertSiciliano), CEO of IDTheftSecurity.com, sums it up for forward-looking technology decision-makers: “Security is often a roadblock to fluidity and flexibility,” he says. “But with the right mix of proper planning, effective vendor solutions, and the necessary training to facilitate employee and enterprise adoption, enterprises can generate their own recipe for success based on the fundamentals.”