The CISO’s Dilemma: Balancing Security, Productivity With a Housebound Workforce

How are CISOs managing the tug-of-war between IT security and worker productivity in this new, remote-first era?

Before the pandemic, remote work was already on a gradual rise. A FlexJobs survey revealed a 159% increase in remote work in the U.S. between 2005 and 2017—but even then, in 2017, only an estimated 3.4% of the total U.S. workforce was remote. Today that number has climbed to a whopping 42%, according to new research out of Stanford.

It’s no secret that the pandemic has dramatically accelerated the trend toward work-from-home. However, what many of us innocently believed was temporary back in Spring 2020 has since developed into an indefinite timeline. Seventy-eight percent of CISOs surveyed for a joint study by Hysolate and Team8 believe that one-quarter to three-quarters of their workforce will operate remotely indefinitely.

I recently reviewed “The CISO’s Dilemma,” a report detailing the results of this joint study. It delved into how aspects of this new world order impact CISOs at Fortune 2000 companies and the large remote workforce they now manage.

What’s clear is that this massive uptick in at-home work has exposed weak spots in some companies’ traditional approaches to managing IT for remote employees, or in some cases in arrangements so informal they barely qualify as approaches at all. These legacy approaches were conceived long before the current open-ended timeline. What worked for a handful of occasional work-from-home employees may not work for the masses. To be sustainable, secure and productive in the long term, companies need to figure out how to thrive in this new reality.

CISOs Balancing Security, Productivity in a Remote-First World

Out of the CISOs surveyed, 87% believe that remote work is a permanent workflow. Just 13% believe they will go back to full-time office-based work. Clearly, we’re working with a new majority rule.

This rapid ballooning of the at-home workforce has exacerbated an existing dilemma CISOs had already been facing on a smaller scale: whether to favor worker productivity or corporate security when employees are at home under less managerial oversight and increasingly using non-company devices.

As the report notes, “Legacy remote work solutions have established worker productivity and corporate security as competing priorities in a zero-sum game …” In other words, by favoring one, you lose some of the other—at least, that’s how some see it. It’s a game but not a particularly fun one and it’s leaving some CISOs feeling pulled in competing directions.

This challenging dilemma may lend some context to another telling statistic: CISOs self-reported an estimated 8% increase in whiskey consumption and a 20% increase in wine consumption since the pandemic began. Not that they’re alone, by any means. If we’re to read into this, we might guess that these folks, like so many these days, are understandably stressed.

With this in mind, one central question the survey sought to answer was: How are different companies playing this game? Are they finding a centerline or diverging to one side of the security-versus-productivity question? As it turns out, there are surprising divisions in companies’ handling of policies around endpoint security, web browsing, third-party app use and BYOD (bring your own device).

As an example, among CISOs surveyed:

  • 26% have introduced more stringent endpoint security and corporate access measures since the pandemic’s arrival.
  • 35% have relaxed their security policies to foster greater productivity among remote workers.
  • 39% have left their security policies the same.

CISOs are split on how to approach this dilemma. The report asked: Are these last 39% of companies not making changes because they are comfortable with their security posture? Or is it because they don’t know what changes to make?

Web Browsing: To Surf or Not to Surf

Whether to allow free surfing of the web is a key if not obvious question regarding security and productivity. On the one hand, freewheeling access to the web introduces security issues and the temptation to stray from work. At the same time, strict limitations can unintentionally keep employees from accessing websites they may legitimately need—not to mention it feels like Big Brother.

Sixty-two percent said their companies restrict access to certain websites on corporate devices, so it’s safe to say that most favor some formality with how employees use company devices. How strict that is and which sites are restricted would depend on the company. With each company’s needs and risk factors being unique, it’s always worth stopping and considering what’s best for your situation.

Third-Party Apps: To Install or Not to Install

Next up is the question of whether to allow installation and use of third-party apps. Again, restricting third-party apps can reduce security exposure (unvetted software, unmanaged update channels) and time-wasting. At the same time, being too strict can hamper productivity, as some apps such as Slack and Microsoft Teams, among the most popular third-party apps employees seek to install, can be used to increase efficiency, communication and, you might argue, morale. And higher morale, as we know, boosts productivity.

More than 70% of CISOs surveyed reported not allowing third-party apps to be installed on corporate devices. As with web browsing, the trend is toward more restrictions rather than fewer. However, half of CISOs believe that allowing employees to install third-party apps and browse the web freely would increase productivity, while on the flip side, 81% report a reluctance to grant admin rights on employees’ company devices due to security concerns. You can see the pickle they’re in and how security tends to win in the tug-of-war between security and productivity. This may not come as much of a surprise; after all, the title is chief information security officer, not chief information productivity officer.

Managing BYOD Policies

“The issue of accessing corporate assets from non-corporate-managed endpoints introduces another layer of complexity for CISOs who are navigating the shift to remote-first,” according to the report. Here, of course, we’re talking about the trend of employees using their personal devices—aka BYOD.

Today, more than 1 in 5 companies do not allow employees to use personal devices to access company assets. For those that do allow it, coming up with BYOD policies that let workers access these assets remotely and securely presents an added dilemma. Unfortunately, there is no single leading or standard approach, meaning companies need to decide for themselves what’s best.

Choices, Choices: Accessing Corporate Assets From Home

The various methods being employed for accessing corporate assets from personal devices include:

  • 4% use zero-trust architecture.
  • 13% utilize multi-factor authentication.
  • 24% utilize VPNs.
  • 36% deploy virtual desktop infrastructure (VDI) or desktop as a service (DaaS).
  • 22% do not allow access to corporate networks or applications from a non-corporate device.

One caveat a practitioner should keep in mind when reading these figures: the categories are not mutually exclusive controls. Multi-factor authentication is a control that can sit in front of a VPN, a VDI gateway or a zero-trust access proxy, so the 13% who name MFA as their method are likely describing the most visible control rather than an architecture that excludes the others.

Overwhelmingly, the trend is toward VDI or DaaS: the 36% figure for personal devices rises to more than 75% once corporate devices are taken into account. The problem, however, is that only a small fraction of CISOs, fewer than 1 in 5, believe their employees are happy with their company’s VDI or DaaS solution. On top of that, most CISOs don’t find these solutions to be a good investment, with more than three-quarters reporting that their ROI from VDI or DaaS has been medium to low.

The report—which, full disclosure, leads to a pitch for Hysolate’s Isolated Workspace-as-a-Service (IWaaS)—argued that traditional VDI, DaaS and VPN solutions no longer make the cut in the remote-first era, citing high costs, low ROI, reduced productivity, increased employee frustration, lack of flexibility and the difficult position they can impose on leaders to compromise between security and productivity.

Where Do CISOs Go From Here?

At a recent Virtual Gartner Security & Risk Management Summit, Senior Research Director Jonathan Care distilled the central problem highlighted by this report:

“Before the pandemic, most enterprises designed their risk appetites around the assumption that remote working was the exception, rather than the norm. When that scenario was flipped, risks such as always-on VPNs and BYOD, which were previously a lower priority for security leaders, suddenly became top of mind. This forced security teams to rapidly reassess their enterprise’s risk landscape and deploy new solutions and policies accordingly.”

To stay secure and productive over the long term of working from home, it’s clear companies and their CISOs have their work cut out for them.


Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst based in Seattle. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high impact blog on API strategy for providers. He loves discovering new trends, researching new technology, and writing on topics like DevOps, REST design, GraphQL, SaaS marketing, IoT, AI, and more. He also gets out into the world to speak occasionally.
