CISOs are split on whether to favor worker productivity or corporate security with remote-work policies

A new study conducted among security executives at Fortune 2000 companies captures the CISO perspective on how the “remote work reality” forced by COVID-19 has reshaped organizations’ approaches to corporate security and worker productivity.

The responses revealed deep and surprising divisions in how differently companies are responding in the face of real business continuity challenges posed by the pandemic.

For example, 26% of CISOs surveyed have introduced more stringent endpoint security and corporate access measures since the arrival of the pandemic, while 35% have relaxed their security policies in order to foster greater productivity among remote workers; 39% have left their security policies the same, according to the results of the study from Team8 and Hysolate.

Sixty one percent of respondents felt that they weren’t ready for the changes that the pandemic forced. What remains unclear is whether the other 39% who have made no changes are standing pat because they are comfortable with their company’s security posture or because they don’t know what changes to make and what side to choose - security or productivity.

Here are some other interesting findings:

When asked about latitude to browse the Internet freely, 62 percent of respondents said their companies restrict access to certain websites on corporate devices. There are any number of websites that receive large volumes of traffic but that don’t have any relevance to workers doing their jobs. However, challenges arise when companies limit access to websites that workers legitimately need to be able to visit in the course of a typical workday.
More than 70 percent of CISOs report not allowing 3rd-party applications to be installed on corporate devices. WhatsApp, Facebook, Slack, Microsoft Teams and Zoom occupy the top slots on the list of applications that employees seek to install. While some may be better suited for personal time, it’s clear that employees are looking for ways to make their days more efficient. And with the shift to remote work further blurring the lines delineating work-life balance, it is understandable that employees want access to the most popular applications and websites on the same devices they primarily use to do their jobs.
The new remote-first stance companies have been forced to assume in the wake of COVID-19 has deepened the CISO’s dilemma: Is it more important to structure less stringent security policies to promote worker productivity? Or is it more important to sacrifice user experience in favor of maximizing corporate security? How should they formulate endpoint security and corporate access policies to best address the massive shift to remote work?

The transition to remote-first has produced mixed responses among CISOs:

26% of CISOs surveyed have introduced more stringent endpoint security and corporate access measures since the arrival of the pandemic.
35% have relaxed their security policies in order to foster greater productivity among remote workers.
39% have left their security policies the same.

In addition, the report found that there is no single standard methodology for enabling remote work on non-corporate and personal endpoints:

4%use zero-trust architecture
13% utilize multi-factor authentication
24% utilize VPN
36% deploy VDI or DaaS
22% do not allow access to corporate networks or applications from a non-corporate device

It is important to note that even in the current remote-first environment, more than one in five companies do not permit workers to use non-corporate endpoints to connect to company assets.

Some organizations utilize split tunneling -- accessing dissimilar security domains concurrently on the same device -- to reduce the organization’s VPN loads and traffic backhauling. Thirty-nine percent of respondents say their companies do not implement split tunneling. Of the 61 percent that do, two-thirds of CISOs express doubt in the security of a split-tunneling approach.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.