Zscaler CISO on balancing security and user convenience in hybrid work environments


In this Help Net Security interview, Sean Cordero, CISO at Zscaler, talks about securing hybrid work and the new challenges it presents to cybersecurity teams. He discusses how hybrid work has exposed gaps in traditional security models while offering advice on balancing security with user experience.

Cordero also covers the implementation of zero-trust principles and strategies for fostering a security-first culture in hybrid environments.

How has the rise of hybrid work reshaped the threat landscape for CISOs and security teams?

Hybrid work has helped reshape the threat landscape, but it did not do it all by itself. Threat actors have always evolved their capabilities, but their intent has been mostly the same.

Hybrid work has reshaped some CISOs’ and security teams’ understanding of their own capabilities to detect and defend. Hybrid and remote work have highlighted the incompleteness or lack of efficacy of the controls they rely upon, irrespective of whether an individual is working remotely or is directly connected to a corporate network.

The exposure that is often associated with remote and hybrid work has been there for decades. Today, it is spoken about as if it’s unique and entirely applicable to our new operating model. But the exposure was there in the early to mid-2000s, when replicating technical controls was cost- and operationally prohibitive. Since then, new cloud-delivered security technologies provide uniform and usually superior controls compared with what can be found within a traditional LAN or WAN.

The truth is that even when employees are in the office, connected to a managed LAN or WAN via a VPN, the technical controls used to address these risks may be ineffective. SSL/TLS inspection, application-based access, in-line malware protection, data loss protection, etc., may not be in play today. The better question enterprises may want to ask is by how much hybrid work has expanded the attack surface.

Are there particular trade-offs between security and user convenience that organizations should navigate?

There has always been an inverse relationship between great user experience and great security. Ideally, organizations get the balance right by factoring in the environment they’re operating in and their risk targets. I think of user convenience as a subjective perception created when an individual is working to complete a task or fulfill a role specific to supporting the goals of the organization. If their workflows align to the regulatory or contractual requirements in a way that also maximizes the usability of the tools provided to them, you can deem the user experience as navigated optimally.

Some helpful questions to ask:

  • What are the fundamental controls I need to have in place to meet my obligations to my customers and business partners?
  • What are the regulatory or industry-specific controls that must be addressed?
  • How am I meeting these controls administratively and reflecting them in my technology?
  • For the controls I do have today, are they effective?
  • How do I shore up the gaps?

What I’ve found is that when convenience and security are unbalanced, the rebalancing act is rarely doing more of the same. It’s a paradigm shift in service and security delivery that meets the users where they are, in the way they work, in support of organizational goals.

Many experts advocate for zero-trust principles in securing hybrid work environments. What are the key steps organizations should take to implement this effectively?

Zero trust can appear daunting, and it will be for an organization that is unclear on the specific risk and business outcomes they are looking to achieve with it. Without this clarity of envisioned outcomes, it’s easy to overextend and miss the bigger picture when beginning the journey. Here are four steps to make sure a CISO does not slip into that trap:

1. Select the risk and business outcomes you believe the adoption of zero trust will provide.

2. Define an initial area of focus for adoption of the principles. For example: secure access to the public internet (web, SaaS, etc.); secure access to private applications (zero trust application-based access); and secure access to/from backend systems, such as by segmentation and access control for third parties.

3. Understand existing control efficacy and alignment to zero trust principles. Does the existing set of technical controls work today, and are they aligned to the defined risk outcomes?

4. As capabilities are assessed, ensure that the identified technical controls have built-in functionality to facilitate the transition from one model to another. For example, use machine learning or artificial intelligence to make risk-based decision-making faster and more accurate.

What technologies or practices can help organizations manage and secure sensitive data in a hybrid setting?

The practices and technologies I see as being critical to successful protection in a hybrid setting include uniformity of control, quality of telemetry, and completeness of coverage for common sources of data loss. Combine insights from obtained data and a consistent set of risk insights to make more informed decisions about the managed fleet of devices.

Many organizations are stuck with technologies that have few or no ways to connect with other solutions. They also have limited capabilities across their entire set of products. This can lead to incomplete data or insights to provide assurances over the efficacy of controls.

The riskiest channels for data loss should be covered in a uniform manner. For example, ensure that controls applied via in-line CASB, OOB CASB, and endpoint DLP all reflect the intended controls. While in theory this appears simple, it is a complex issue when there are multiple, disparate controls in use that may or may not interoperate with each other.

What strategies have you seen succeed in cultivating a security-first culture in hybrid workplaces?

Number one is a high frequency of easily understood communication. This may come in the form of awareness training, routine and specialized outreach, and role-relevant education.

Second is champion-building and ease of engagement. Do your program and your team provide an accessible method to seek guidance and a way for an end user to engage with the security subject matter experts? These can take the form of internal chat channels and internal forums where clarification and guidance can be provided.

Lastly, consider how the lack of control uniformity overcomplicates the experience for the user. When security controls applied to their devices or the resources they are interacting with are inconsistent or are in flux, the reactions are often negative and work against the security program. Today, there is no reason that security controls on a user or device should be different based on where they are working from. The user experience should match this.
