Some industries have already migrated to a cloud-centric view for daily operations, and this provides freedom for both the employer and the employees. Companies can now tap into global markets as geography no longer serves as a barrier and, as mentioned in previous articles, Zero Trust models continue to define how these remote identities are connected into the environment. From an employee perspective, this provides a greater breadth of opportunities that may not have been available a few years ago. That dream job in another region or country could now be viable as we continue to move to cloud-based resources. Employers have access to a global talent pool, and a cloud-centric model removes some of the traditional barriers. This could also have an impact on traditional workplaces: as we continue to work remotely, organisations may review the need to have as much dedicated office space. The cost savings could be considerable.
One thing that has come out of the pandemic is the ability for an organisation to assess whether it has managed to work effectively in a remote scenario. Many organisations that may have been reluctant to work in such a way have been forced to find ways to continue operations during these challenging times. Those same organisations may now feel that a future remote or hybrid solution is viable and adopt this moving forward. The challenge with such approaches is making sure that the workforce still feels connected. Social interaction at work is an important aspect of building effective teams, but it is very easy to create silos. A negative outcome of the pandemic when it comes to work has been the “conference fatigue” issue. There is a balance to be struck to ensure that employees don’t end up spending all day on conference calls, and planning time for employees to build working relationships should be part of an effective remote working strategy.
A common historic argument against remote working has always been the need to “monitor” employee work output, and this has been the main standpoint for the benefit of office spaces. I have always disagreed with this fact. It makes no difference where I am situated and, in a mature organisation, there shouldn’t be a need to keep an eye on an employee to ensure that work is completed. In many ways, the office environment can sometimes be a distraction. I would argue that the main benchmark of effectiveness is delivery. If I am tasked with a project and I am given a deadline, that is my deliverable. From a mindset perspective, whether I work on this task remotely or in a designated workspace makes no difference. I am measured on the deliverable. When the deadline arrives, if I haven’t completed this work then I will need to be held accountable as to why, and that is the effective measurement.
Companies need to be aware that flexibility in working will more than likely become a competitive advantage when attracting talent. As new workforce generations enter, their life experiences will be immersed in technology. Keeping in contact and building relationships with people all over the world is not a novelty for this generation, and therefore that ability to connect and integrate into the workforce will not be considered as something unique. If two companies are competing for a specific set of skills but one company is adopting a “work from anywhere” approach, the main review point for any possible job offers will largely depend on how the candidate perceives the benefits of working for the company and the specifics of the package. Twenty years ago, there was less flexibility when approaching job opportunities, and therefore searching was confined to local or commutable work, or to moving. The distillation of company working locations has opened the possibilities for local, regional and global candidates to take advantage of specific roles, and this trend doesn’t look to slow down. Some companies now employ people they have never actually met face to face. As previously mentioned, the challenge for companies moving forward will be how to foster the working relationships between colleagues when things operate remotely. Sure, turning on the camera is a good way to see the other person and create some sense of connection, but it’s not the same as standing side by side. In some industries, and I would include penetration testing in this to a degree, the best way to learn is via peer-to-peer interactions, which are much harder to do remotely.
Gartner has termed this remote-centric model “Anywhere Operations” in a recent article looking at the top strategic technology trends for 2021.
“At its core, this operating model allows for business to be accessed, delivered and enabled anywhere — where customers, employers and business partners operate in physically remote environments.”
The mantra here is ‘digital first; remote first’, which is obviously driven by an adoption of cloud technologies; however, a ‘cloud-centric’ view is not without its challenges. On one hand, removing the barriers to initial access can create much more agile workflows, but this is not to say there won’t be things that need access controls and monitoring. Misconfiguration is still one of the most common factors in the compromise of cloud deployments.
Can You See Me?
As mentioned earlier, the historic argument that productivity is linked to being able to see and therefore track is one I don’t agree with, as there are much better ways to ensure productivity. Employees being held accountable for the successful delivery of an assignment is an obvious one. However, there is a different perspective here that relates directly to security in terms of visibility and monitoring. If an employee is remotely connected into the business but working from the familiarity of the home environment, do they have the same sense of awareness related to business control processes? Are they more likely to reduce the controls around business data to get things done, for example by copying things to a local network location such as a Network Attached Storage (NAS) device, because the perception is that, as they are at home, no one can see? The perceived barriers for delivering their role can be challenged from the safety and obscurity of the home without anyone knowing.
For example, it’s not uncommon for a company to operate a ‘clear desk’ policy. In a home environment, how do we measure if employees are following these types of best practice when it comes to working from home? Like it or not, paper hasn’t been completely removed from common business workflows. It’s far easier to enforce these types of policies in a business location controlled by the company. In a way, the remote working model pushes the responsibility onto the employee, and as such employees could now be considered ‘micro-departments’. That seems to be a good way of thinking about the security challenges: employees working remotely have all the same responsibilities that a traditional department would have, including managing paperwork, how that data is passed around the network, and the overall security posture of the home network in the first place. I would not be surprised if, in the pandemic, there were numerous cases of people just plugging in home printers and working in ways familiar to them from the office, with hard copies of work-related data and company records now building up in and on home desks and no one holding them accountable for this. These are blind spots for data and compliance control. Sure, you can just block local printing, until a pandemic shuts down your central locations and you are forced to make concessions within your security controls.
The Work-Life Balance
The pandemic has shown that employees have realised a new work-life balance that, in many cases, has bolstered productivity. Employers may need to consider that the next generation of the workforce may come to expect such opportunities for flexibility as technology continues to underpin how we work in many industries. It will be difficult to go back now, in my opinion. Of course, not every industry has the option to operate as a remote workforce, and whilst there has been some influx of efficiency gains in terms of time (doctors taking remote consultations via web conferencing, for example), they still largely depend on physical face-to-face interactions. Any role that largely depends on data processing and interaction with technology has seen a shift to more remote practices. Businesses are also shifting in terms of management thinking as work culture evolves. Stanford now offers courses specifically designed to demonstrate how to lead effectively from home, which, of course, you take from home.
Businesses that cannot provide a flexible approach to working for current and future talent may be at risk of skills shortages and business challenges if competitors already offer a similar opportunity. However, modern working approaches create a new set of challenges for centralised business processes. Most companies are adopting cloud-based strategies to run parts of their supply chain or indeed to run entirely within outsourced cloud platform environments. Either way, the flexibility that modern working brings can also create what are essentially micro-departments within the business that operate from home. Strategies to control the data and the processing within these extensions of the business can create blind spots for compliance and potential security issues. Weighing the long-term strategies to attract and retain talent within a stretched marketplace by providing more freedom in working practices against the business responsibilities around data protection and compliance should be an agenda item within all boardrooms.