Recently Richard Archdeacon, advisory CISO, and Josh Green, Technical Strategist at Duo Security, gave a virtual keynote presentation at the Cybersecurity Leadership Summit 2021 in Berlin where they discussed the Future of Work. We sat down with them both to get the lowdown on what they covered around this fascinating and constantly evolving area, and the key considerations they think CISOs and senior leaders should focus on in 2022.
Q: It’s pretty irrefutable that the world of work has been disrupted significantly over the last few years. How would you describe where businesses are now?
Richard Archdeacon: The ‘new normal’ — or perhaps more accurately ‘the accelerated normal’, given that the changes we’re now seeing have been in progress for a while — has affected companies in different ways. As a general trend I would say that many have moved from a survive to a thrive situation. They have increasingly realized that work is about what you do, not where you are.
This mindset change has also meant that many have had to question whether they can easily cope with people working in different scenarios, some at home, some in the office, some at other locations, and, most importantly, how everything stays secure. But as another keynote at the event in Berlin mentioned, people shouldn’t be our weakest security link, they should be our first line of defense.
Q: What do companies need to be aware of in terms of the people that work for them?
Richard Archdeacon: I read in Harvard Business Review that according to the U.S. Bureau of Labor Statistics, 4 million Americans quit their jobs in July 2021 and that is a trend that is continuing in what’s being dubbed ‘the great resignation’, where people are changing roles and jobs for a whole list of reasons. And so keeping people happy is going to be extremely important going forward. I see three key areas of resilience needed in an organization: 1) capital 2) operational capability and 3) human capital. And it’s often the human capital that is the hardest to replace. So I think it’s about making sure that we can make remote work secure and comfortable for people, and ensuring they still feel like they are part of an organization.
Josh Green: I have been really surprised with some statistics such as those from the Society for Human Resource Management (SHRM) that said 40% of generally more tech-savvy millennial workers are struggling more to work from home compared to 28% of baby boomers. And so I think there are structural and organizational factors as well as psychological factors that also need to be addressed, not just technical issues.
Q: So is it fair to say the two top challenges on the horizon are around where and how people work?
Richard Archdeacon: Yes, and more specifically, measures around the remote workforce and the trusted workplace. The most important area here is ensuring security posture is managed properly. Knowing whether somebody is who they say they are, and whether their devices are secure.
Josh Green: Device security is a huge area for consideration and a lesson many have learned even pre-COVID. Because even if the user is exactly who you think they are, you can’t always trust the device that’s making that assertion on their behalf, and so you shouldn’t let them in. Not because they aren’t necessarily who they say they are, but because the device itself could be a problem, right?
Richard Archdeacon: Especially when employees have to use their own device. That brings up an even higher level of risk. But the answer to this isn’t just to add ‘more security’. That approach will soon raise further issues and questions including: how is that managed? How do you make it seamless? How do you make sure that the user doesn’t mind? How do you make sure that users don’t try to find shortcuts to circumvent these systems?
Q: What does the ‘trusted workplace’ consist of?
Richard Archdeacon: There’s no doubt we are going to have to change how we look at the office environment. Firms need to ensure seamless remote collaboration, mitigate risk to the network, employees and data, and protect themselves from COVID-exposed weaknesses to operations that may have been overlooked previously. For example, security considerations if the office is empty. There was a recent example where an empty office became a weakness to an organization. We were talking about that just the other day, weren’t we, Josh?
Josh Green: Absolutely, in that specific example, the system that went down was also the system that prevented the people that worked there from getting into the building to solve the problem! A real catch-22 situation. Because the designers had never envisioned a world in which no one would be in the building.
Q: How can companies practically and safely achieve both a secure remote workforce and trusted workplace?
Josh Green: There needs to be a change in how we look at our security policies. Gone are the days when physical controls were the main measure needed to get into a building, and once you were in you could access anything digital. Obviously, if you’re working from home, those physical checks have gone out the window.
And so we need to have much more granular control over what you’re doing, but that also needs to be flexible. A one-size-fits-all policy doesn’t make sense anymore, because it’s undoubtedly too strict for certain low-risk things. And it’s undoubtedly too lenient for the most secure things. In today’s world, companies should be striving to take that visibility and security down to the level of every single application, but without disrupting the end user as they try to get on with their work.
Richard Archdeacon: We have actually defined a series of five simple and straightforward principles that you can start to use when you’re looking at defining what a secure future of work could look like for your business. First is to assume every access attempt originates from an untrusted network. Secondly, you should protect every application in the same manner regardless of where it’s hosted or how it’s accessed. Thirdly, firms should enable every worker to work successfully from networks that a company doesn’t own or manage. Fourth, they should ensure access is authorized, authenticated, and encrypted. And finally, fifth, they need to manage the privileges for any application access.
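The five principles above can be read as an ordered set of checks that every access attempt must pass before an application is opened to a user. The following Go program is an added illustration of that reading; it is not code from Duo, Cisco or the speakers, and every name in it (the `AccessRequest` fields, the `Policy` layout, the users and applications) is a constructed assumption. The source network is recorded but never consulted (principles 1 and 3), every application goes through the same checks with no "internal, therefore trusted" shortcut (principle 2), transport encryption, authentication and authorization are all required (principle 4), and what a user may do is limited per application by role (principle 5).

```go
package main

import "fmt"

// AccessRequest describes one access attempt. Field names are this
// example's own assumptions, not any product's API.
type AccessRequest struct {
	User          string
	SourceNetwork string // logged only; never used to grant trust (principles 1 and 3)
	Encrypted     bool   // transport protected, e.g. TLS
	Authenticated bool   // primary credential verified
	MFAVerified   bool   // second factor verified
	DeviceHealthy bool   // device posture check passed
	App           string
	Action        string
}

// Policy maps users to roles and, per application, roles to permitted actions.
type Policy struct {
	UserRoles map[string][]string            // user -> roles
	AppRoles  map[string]map[string][]string // app -> role -> allowed actions
}

// Decision is the outcome of evaluating one request.
type Decision struct {
	Allowed bool
	Reason  string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Evaluate applies the principles in order and stops at the first failure.
// SourceNetwork is deliberately never read here.
func (p Policy) Evaluate(r AccessRequest) Decision {
	// Principle 4: encrypted, authenticated, then authorized.
	if !r.Encrypted {
		return Decision{false, "transport not encrypted"}
	}
	if !r.Authenticated || !r.MFAVerified {
		return Decision{false, "user not fully authenticated"}
	}
	if !r.DeviceHealthy {
		return Decision{false, "device posture check failed"}
	}
	// Principle 2: every application runs the same checks; an app missing
	// from the policy is denied rather than treated as internal and trusted.
	roles, ok := p.AppRoles[r.App]
	if !ok {
		return Decision{false, "application not enrolled in policy"}
	}
	// Principle 5: least privilege, scoped per application.
	for _, role := range p.UserRoles[r.User] {
		if contains(roles[role], r.Action) {
			return Decision{true, fmt.Sprintf("role %q permits %s on %s", role, r.Action, r.App)}
		}
	}
	return Decision{false, "no role grants this action"}
}

// ExamplePolicy is a constructed policy: two users, two applications.
func ExamplePolicy() Policy {
	return Policy{
		UserRoles: map[string][]string{
			"alice": {"finance"},
			"bob":   {"engineering"},
		},
		AppRoles: map[string]map[string][]string{
			"payroll": {"finance": {"read", "approve"}},
			"gitlab":  {"engineering": {"read", "push"}, "finance": {"read"}},
		},
	}
}

func main() {
	p := ExamplePolicy()
	base := AccessRequest{User: "alice", SourceNetwork: "office-lan", Encrypted: true,
		Authenticated: true, MFAVerified: true, DeviceHealthy: true, App: "payroll", Action: "approve"}
	noMFA := base
	noMFA.MFAVerified = false // on the office LAN, but still denied
	wrongUser := base
	wrongUser.User, wrongUser.SourceNetwork = "bob", "home-wifi"
	for _, r := range []AccessRequest{base, noMFA, wrongUser} {
		d := p.Evaluate(r)
		fmt.Printf("%-5s from %-10s %s/%s -> allowed=%t (%s)\n",
			r.User, r.SourceNetwork, r.App, r.Action, d.Allowed, d.Reason)
	}
}
```

The point of the second request is the one the principles make: being on the office network buys nothing, the request still fails on the missing second factor exactly as it would from home.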
Q: Are there any other areas you think will be integral to the future of work that we haven’t mentioned yet?
Richard Archdeacon: I’m frequently asked about when we will no longer need passwords. For example, recently I was speaking to the CEO of a big mining company who said he didn’t understand technology, and frankly, didn’t really care — but what he did care about was when we were going to get rid of all these passwords, because he is sick of them! As I think we all are!
Josh Green: Absolutely. We have all seen the most commonly breached passwords are ‘123456’ or the classic ‘password’. Is that because users think that password is secure? No! They know it’s not secure. They do it because they’re not willing to sacrifice usability for the sake of the extra security of having a much more complicated password.
And when we translate that to the corporate environment, of course, we would love to tell ourselves that users are definitely not reusing their corporate password on any other system. The reality is, that’s just plain old not true. We see ‘password stuffing’ attacks happen all the time. One of the more notable ones in the last couple of years was against the Government of Canada, where they didn’t do anything wrong, other than the fact that users had reused their Government of Canada password on a site that got breached.
Q: So, how long will we have to wait until we get a passwordless workplace?
Josh Green: Thankfully technology has advanced so that suddenly everyone has a fingerprint reader or face recognition scanner in their pocket through biometric technology in their smartphones. More importantly, we now have open standards, like FIDO, which basically allow us not only to take advantage of the devices everyone has, but also give us a level of interoperability between different systems and different devices that we had before, which allows us to maintain this balance between security and usability. Because if we actually sacrifice usability for the sake of security, we’ll be back to where we started with people circumventing safe password behavior to make their lives a little bit easier.
But passwordless is really just the beginning. We’re likely going to see big changes in how digital identity and personal information are secured in the coming years – what I’m talking about is truly digital identities via distributed ledger technology (DLT), the underlying technology behind Blockchain.
In reality the technology goes much deeper than bitcoin, cryptocurrencies, ethereum, etc. It has the capacity to really solve a lot of identity problems in a way that users are going to love because it preserves their privacy without sacrificing anything that we need to do to secure ourselves. It’s fundamentally evolving a model that already exists and applying it in new ways.
Q: Can you expand on that? How could that work outside the world of Bitcoin?
Josh Green: Take a credit card or a driver’s license; behind both of those there’s a governance authority. In the case of a driver’s license, it’s the government. In the case of a credit card, it’s a bank, or perhaps a regulatory agency that oversees a number of banks. And based on a number of rules that they publish, they will issue you a driver’s license or a credit card that, 9 times out of 10, will be represented by a plastic card.
If you want to have an extra copy of your driver’s license to carry around in case you lose one, you can’t print one yourself. For a credit card, you can’t create a copy of your credit card yourself without committing fraud. But for the bad guys, it’s incredibly easy. They can duplicate credit cards by simply swiping them or scanning them. And anybody with a good printer and a photo camera can duplicate a driver’s license.
By applying DLT, a governance authority can issue a cryptographic identity based upon a private key that only the holder creates. The issuer essentially stamps that as valid because they validated the data however they wanted to during the issuance of that identity – and the user can start using that ID, and even create an extra copy if needed.
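The issuance step just described has a concrete shape: the holder creates a key pair, the issuer validates the applicant's data by whatever process it chooses, then signs a credential that binds the claims to the holder's public key; any verifier can check the issuer's stamp, and the holder proves control of the key by signing a fresh challenge. The Go program below is an added illustration of that binding only; it is not code from the speakers or from any DLT project, it does not model a ledger (where a real system would publish the issuer's public key and revocation state), and the issuer name, subject, claims and challenge are all constructed values. It also shows what "an extra copy" means: the credential bytes copy freely, but a copy presented without the holder's private key fails verification, and a copy with an altered claim fails the issuer check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is the issuer-stamped identity: claims bound to a public key
// that only the holder generated. Layout is this example's assumption.
type Credential struct {
	Issuer    string            `json:"issuer"`
	Subject   string            `json:"subject"`
	HolderKey []byte            `json:"holder_key"` // ed25519 public key created by the holder
	Claims    map[string]string `json:"claims"`
}

// SignedCredential adds the issuer's signature over the encoded credential.
type SignedCredential struct {
	Credential
	IssuerSig []byte
}

// encode gives deterministic bytes to sign (json.Marshal sorts map keys).
func (c Credential) encode() ([]byte, error) { return json.Marshal(c) }

// Issue is the governance authority's step: having validated the applicant's
// data out of band (not modelled here), it stamps claims onto the holder's key.
func Issue(issuerPriv ed25519.PrivateKey, issuer, subject string,
	holderPub ed25519.PublicKey, claims map[string]string) (SignedCredential, error) {
	c := Credential{Issuer: issuer, Subject: subject, HolderKey: holderPub, Claims: claims}
	b, err := c.encode()
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Credential: c, IssuerSig: ed25519.Sign(issuerPriv, b)}, nil
}

// Present is the holder's step: prove possession of the private key by
// signing a challenge the verifier chose for this one presentation.
func Present(holderPriv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(holderPriv, challenge)
}

// Verify checks the issuer's stamp first, then the holder's proof of possession.
func Verify(issuerPub ed25519.PublicKey, sc SignedCredential, challenge, proof []byte) (bool, string) {
	b, err := sc.Credential.encode()
	if err != nil {
		return false, "cannot encode credential"
	}
	if !ed25519.Verify(issuerPub, b, sc.IssuerSig) {
		return false, "issuer signature invalid (credential altered or not issued)"
	}
	if len(sc.HolderKey) != ed25519.PublicKeySize {
		return false, "malformed holder key"
	}
	if !ed25519.Verify(ed25519.PublicKey(sc.HolderKey), challenge, proof) {
		return false, "presenter does not control the bound key"
	}
	return true, "ok"
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader) // governance authority
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader) // created only by the holder
	cred, err := Issue(issuerPriv, "example-dmv", "alice", holderPub,
		map[string]string{"license_class": "B"}) // constructed claim
	if err != nil {
		panic(err)
	}
	challenge := []byte("verifier-nonce-0001") // constructed; must be fresh per presentation

	ok, why := Verify(issuerPub, cred, challenge, Present(holderPriv, challenge))
	fmt.Println("holder presents own credential:", ok, why)

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	ok, why = Verify(issuerPub, cred, challenge, Present(otherPriv, challenge))
	fmt.Println("copied credential, different key:", ok, why)

	altered := cred
	altered.Claims = map[string]string{"license_class": "A"}
	ok, why = Verify(issuerPub, altered, challenge, Present(holderPriv, challenge))
	fmt.Println("credential with edited claim:   ", ok, why)
}
```

Two design choices matter for a practitioner. The verifier picks the challenge, so a recorded presentation cannot be replayed against a later one; and the issuer signs the holder's public key rather than a shared secret, so the issuer never holds anything that lets it, or anyone who breaches it, impersonate the holder.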
Q: Thank you for sharing those insights. Where can your readers go to find out more about these topics?
Richard Archdeacon: We recently launched the latest version of Cisco Security’s flagship data-driven security research report, the Security Outcomes Study. This is an independently conducted, double-blind study based on a survey of 5,000+ active IT, security, and privacy professionals across 27 markets. I’d recommend this for anyone who wants to get actionable, data-backed practices that can boost security.
Also, for more on the steps to securing the workforce I touched on earlier, there is a great ebook here. My last recommendation would be our Trusted Access Report, which examines how Duo’s customers are adapting to a more nuanced security landscape, using data from more than 36 million devices, over 400,000 unique applications and roughly 800 million monthly authentications from across our global customer base.
Josh Green: Yes and I’d add for anyone interested in the trusted workplace, there are many insightful resources here. Cisco has also looked into the overall future of work topic, with a research report and several on demand videos that explore the topics we have covered here in more depth. Finally, for more on how digital identity will pan out, check out our webinar: ‘Does a career in credential theft have a future?’