Navigating a Safe, Successful Return to Office: 5 Tips for Security Leaders

HAC Guest

A Reprint From Diligent Insights

Security leaders have a lot on their plates in these later stages of the continuing COVID-19 pandemic. In a 2021 survey by Gartner, over three-quarters (76%) of respondents reported increased demand for new digital products or services during the pandemic — and 83% expected this demand to continue to increase. This imperative for transformation has been coming straight from the top: 69% of boards report accelerating digital business initiatives in response to COVID-19.

Fortunately, for security leaders and their colleagues in IT charged with executing digital transformations, their relationships with executive management are stronger than ever. As a result of the pandemic: 

  • 70% of Gartner survey respondents reported taking leadership of high-impact cyber initiatives 
  • 80% of respondents have found themselves educating the CEO and other senior leaders on the value of IT

Priority number one for many organizations right now is facilitating a safe, productive return to office. Given this imperative and the newly elevated influence of IT leadership, where should security leaders focus first?

We talked with HackerOne CEO Marten Mickos about the top risks and concerns facing organizations right now. Read on for five suggested next steps.

1. Refresh Business Continuity and Disaster Recovery Protocols

The possibility of a cyberattack, ransomware incident, lockdown due to a COVID-19 resurgence or network outage due to a natural disaster all spur urgent questions: Are all employees safe and accounted for? How can your organization rally to keep business operations going — securely and efficiently — as swiftly as possible?

The physically disaggregated nature of remote and hybrid work further complicates matters. Employees are now storing and sharing information from company facilities, their home offices and on the move, across increasingly complex IT infrastructure.

“A hybrid workplace literally […] makes security a moving target,” writes data protection and recovery company Arcserve. “With employees requiring remote access to the company network on a broad array of devices and from every imaginable location, there is no practical way to set up a security perimeter.”

Moreover, Mickos pointed out, “Procedures and protocols must not assume that an individual is in a specific location. People may be in the office, at home or traveling. Yet the company needs to bring them together — digitally — on very short notice.”

For such connectivity to happen, and for organizations to maintain “business as usual,” organizations need a business continuity plan. Specifically, they require a plan that is regularly reviewed and tested and that is a living document that evolves with the situation. Importantly, changes at headquarters need to be immediately apparent to employees across entities, subsidiaries and locations; any business continuity plan must reflect a “single source of truth” for the entire organization.

2. Enhance Collaboration Among Hybrid Teams

A hybrid work model poses unique challenges during non-emergency times. Consider meetings, for example. Encouraging active discussion with equitable participation and fruitful outcomes was tricky enough when everyone was dialing in by webcam. Now, with the return to work, some people are physically present while others remain virtual.

“There are two ways to deal with this,” Mickos said. “For one, the chairperson can take special care to give all attendees the same attention and opportunity to speak. Often this means prompting the digital attendees to participate and to have them talk first. The other way is to have everyone attend through the same video conferencing channel, even if they could physically convene in the same room.”

  • Do teams have access to a single source of truth for key data and insights?
  • Do they have the tools to collaborate securely across different environmentsCan you automate any processes to minimize employee work and burnout?

“We have learned and seen customers establish digital social gatherings and opportunities for people to relax and be themselves even though they are physically in different locations. With such an outlet for people’s social needs, meetings that are purely about business can improve and be more effective.” 

Marten Mickos, CEO, HackerOne

3. Prioritize Cyber Risk and Security Gaps

An obvious place for security leaders to take a leadership role is in mitigating cyber risk. Security leaders must ensure their organization is equipped to tackle escalating vulnerabilities and threats.

“It’s best to take action today, because tomorrow it will be more complex,” Mickos said.

And in a hybrid environment, these actions get even more complicated. The organization must monitor and safeguard both office IT and remote IT, a mission that involves efforts on a variety of fronts.

On the technology side, now is the time to transition legacy systems. “Do you have the right technology to bring your organization into the future of work and maintain competitive advantages as the business landscape becomes more volatile? Companies need to upgrade to systems that can handle the ambiguity of today’s world,” Mickos said.

Now is also the time for a thorough, enterprise-wide cybersecurity evaluation, including outside vendors, outside software and interdependencies across it all.

“No software system of today is free from third-party dependencies, and third-party or supply chain risk is a huge challenge for software,” Mickos noted. “As your teams transition to the office and you revamp your processes, your technology stack of business apps and third-party services will undergo changes. You’ll need to identify potential blind spots.”

Finally, when addressing security gaps, don’t overlook the importance of employee skills — and the risk of human error.

Despite elevated levels of external risk in the hybrid environment, 84% of data breaches today involve human actions that are either unintentional or inadvertent. Employee training in the latest security practices and stronger cyber hygiene should be a top priority.

“Technology may cause cybersecurity problems, but humans resolve them,” Mickos said. “When people feel trained and prepared for a new situation, they stop fearing it, and productivity can increase.”

“It’s best to take action today, because tomorrow it will be more complex.”

Marten Mickos, CEO, HackerOne

4. Monitor Legal and Compliance Issues

Thanks to ever-evolving mandates and regulations, return-to-work data collection and reporting has become a constantly changing enterprise as well. For example, as of September 2021 in the United States, the Path Out of the Pandemic COVID-19 Action Plan requires employers with 100+ employees to mandate vaccination and require any unvaccinated workers to undergo weekly testing. Meanwhile, many workplaces — such as those in education, healthcare and the public sector — have implemented rules of their own for employee vaccinations and COVID-19 testing.

Is your organization equipped to collect, monitor and share the data it needs to keep up with mandates like these, as well as corporate policies and public health best practices? Do you fully understand data privacy laws related to these efforts, as well as the requirements and potential risks of tools like vaccine passports?

“Modernization of governance, risk and compliance (GRC) practices is a must,” Mickos said. Security leaders play an important role in helping their organizations implement an adaptable, scalable compliance framework, supported by secure and flexible technology solutions.

5. Safeguard Board and Executive Communications

Throughout, board members and executive leaders are making critical decisions about workplace safety, employee health and the bottom line, all while operating in a physically disaggregated fashion. Only 32% of board members expect to go back to 100% in-person meetings, with the other two-thirds opting for either fully virtual or hybrid models, according to research by the Diligent Institute.

Here, digital technology enables action but puts boards at risk, particularly as sensitive board communications entice bad actors and the legal stakes escalate for directors themselves.

“Board meetings are becoming more productive and can occur more frequently thanks to the remote option. But executives and board members cannot use general-purpose tools to communicate,” Mickos said. “Consider leveraging encrypted tools for execs and board members to share sensitive company information with other leadership members as well as external parties.”

Training is also essential. “Companies must educate their board members on the proper procedures and etiquette in regards to data security and confidentiality. Otherwise, there is a great risk of someone inadvertently sharing information outside the intended group.”

“The more sensitive the nature of the business is, the more specific the protection of information and communication must be.”

Marten Mickos, CEO, HackerOne

Learn more about how HackerOne can help your organization can fortify security during a return to office or hybrid model implementation.

This blog post was originally published on Diligent Insights.

The Ultimate Guide to Managing Ethical and Security Risks in AI

AI Ebook