While the flexibility granted to remote workers is game-changing, employers have new concerns about the security of a hybrid setup. COVID-19 vaccinations are now within reach for a majority of Americans, meaning enterprises need to re-examine the remote office model many were forced to adopt over the past year. Experts anticipate that a hybrid work model, with an equal number of workers in office and remote, will be the new model of choice.

If you’d like to learn how your enterprise can re-tool security strategies and ensure security for both remote and in-office employees, read on for a conversation with cybersecurity expert Brent Johnson, CISO at Bluefin, on how leadership can address security challenges specific to a hybrid work model.


Security: What is your background and role at Bluefin?

Johnson: After earning my BS in Computer Science from Colorado State University, I spent 5 years as Systems Engineer and Implementation Manager at a software startup focusing on law enforcement and public safety software.

I’ve spent 10 years now in Information Security consulting and assessments, and today, I am the Chief Information Security Officer for Bluefin Payment Systems. Here my focus has been on critical infrastructure protection standards (SCADA systems/power grid), and then within the payments industry for various PCI standards (PCI-DSS, P2PE, PA-DSS, PCI-PIN).


Security: What are the security challenges associated with a hybrid work model?

Johnson: Security challenges will always vary based on the type of business and product offering. However, from a security perspective, the hybrid model increases the attack surface for an organization. Similar to remote work, it adds variables such as unknown network, connected systems, and workspace security. Implementing a hybrid work model has the potential to increase cost and complexity, since an organization must deploy effective security tools on both corporate infrastructure and remote endpoints.


Security: How are these different from the challenges associated with remote work?

Johnson: In remote work scenarios, the traditional static desktop, Active Directory policy-driven, in-office monitoring and logging tools are simply not effective. A full-time remote workforce doesn’t afford the flexibility to segment highly sensitive work processes to tightly controlled onsite systems and networks. While this may present a challenge depending on the nature of the business, tools do exist to ensure work is performed in a controlled and monitored environment.


Security: How can organizations re-tool their security strategies and ensure security for both remote and in-office employees?

Johnson: Whether remote or onsite, the goal of securing an organization's people, processes, and technology remains the same. The challenge is how to accomplish this goal without substantially increasing the budget or security tools that must also be managed. A security strategy should be developed that analyzes tools and security features that can service both environments. Can services be moved to the cloud? Are there processes that must be performed in the office and why? Is it worth investing in VDI or desktop as a service technology? Will additional training be required? Obviously, questions and answers will vary based on the business and processes, but at the end of the day, basic security principles of a controlled and monitored work environment must remain intact.


Security: How can leadership address these security challenges specific to a hybrid work model?

Johnson: For leadership it's going to come down to embracing change. Understanding that the traditional 9 to 5 onsite workforce is a legacy concept, and management should be looking forward and asking how and what efficiencies can be gained under this new model. Security practitioners must be very involved in helping executives understand that moving to a remote or hybrid workforce doesn’t have to mean sacrificing the security of its people or products.