The study into the opinions of Chief Information Security Officers is titled ‘The CISO’s Dilemma: How Chief Information Security Officers Are Balancing Enterprise Endpoint Security and Worker Productivity in Response to COVID-19‘ and it comes from Hysolate and Team8 .
The responses revealed deep divisions in how different companies are responding in the face of real business continuity challenges posed by the pandemic. There are also issues revealed about how CISOs are coping, in that 40 percent of CISOs report consuming more wine, coffee and whiskey since the beginning of the pandemic.
For example, 26 percent of CISOs surveyed have introduced more stringent endpoint security and corporate access measures since the arrival of the pandemic, while 35 percent have relaxed their security policies in order to foster greater productivity among remote workers; 39% have left their security policies the same.
It is evident that the majority of companies (61 percent) felt that they were not ready for the changes that the pandemic forced. What remains unclear is whether the other 39% who have made no changes are standing pat because they are comfortable with their company’s security posture or because they don’t know what changes to make and what side to choose – security or productivity.
The study yielded four key findings:
New form of working
COVID-19 has accelerated the arrival of the Remote-First era. It appears, from the research, that work-from-home is here to stay, and companies need to figure out how to thrive in the new reality.
Just 13 percent of CISOs believe they will go back to all employees in the office all the time. For the rest, the question is, to what extent will remote work be the new reality? Fewer than one in ten respondents believe that more than three-quarters of their workforce will remain remote, whereas 78 percent believe that somewhere between one-quarter and three-quarters of their workforce will operate remotely indefinitely.
Security vs productivity
Many firms face the confluct between corporate security or worker productivity. Remote-first has, according to the report, exacerbated the CISO’s dilemma: CISOs are split on whether to favor worker productivity or corporate security when enacting remote-first policies.
The review finds that the new remote-first stance companies have been forced to assume in the wake of COVID-19 has deepened the CISO’s dilemma: Is it more important to structure less stringent security policies to promote worker productivity? Or is it more important to sacrifice user experience in favor of maximizing corporate security? How should they formulate endpoint security and corporate access policies to best address the massive shift to remote work?
BOYD
Bring-your-own-device (BYOD) policies further confuse organizations’ approaches to remote secure access. The survey finds tThere is no singular leading approach to enabling access to corporate assets via non-corporate endpoints.
In response, more than half of the organizations we surveyed have implemented either virtual desktop infrastructure (VDI), desktop-as-a-service (DaaS) or virtual private network (VPN) for their BYOD security.
Ready for remote first?
The business world appears ready for a new and better approach to the remote-first era. The report finds that CISOs know that today’s remote access solutions leave little to be desired from the perspectives of user experience, corporate security and operational efficiency.
In relation to this, at a recent Virtual Gartner Security & Risk Management Summit, Senior Research Director Jonathan Care said the following: “Before the pandemic, most enterprises designed their risk appetites around the assumption that remote working was the exception, rather than the norm. When that scenario was flipped, risks such as always-on VPNs and bring-your-own-device, which were previously a lower priority for security leaders, suddenly became top of mind. This forced security teams to rapidly reassess their enterprise’s risk landscape and deploy new solutions and policies accordingly.”
