CISO Executive Forum Summary – Best Practices for Managing a Hybrid Security Team

Every month, Fortify Experts holds CISO Round Tables discussing the latest trends and topics.  Recently, we discussed how these successful security leaders have been able to create higher-performing security teams.  Here is a summary of their top tips or suggestions on how to better manage a hybrid/remote team.

Challenges with Hybrid/Remote Teams:

  • One CISO said remote or hybrid teams raise the following questions:
    • Are your systems architected correctly to handle a large number of remote people?
    • How do you prevent your remoteness from setting you up for failure?
  • One CISO rolled out a hybrid option 2 years ago.  It has been challenging meshing all of the teams together.  He believes that the infrastructure team is critical for all of it to work properly.
  • He said language, communication, and time zones all factor into how successful a hybrid security team can be.
  • Another CISO of 6,000 employees allows each director the flexibility to choose how hybrid they want to be with their teams.
  • One CISO said they had initial difficulty while transitioning to remote work because they didn’t have all the controls at home that they had in the office.
  • Remote workers pose a schedule-coordination issue, which gets very frustrating with hybrid systems.
  • One leader said her goal was to not make remote workers feel like third-class citizens.

WFH and/or BYOD Policies:

  • She initiated a Work-from-Home policy that would allow people to have 1 or 2 days to work from home. Her company already had a hybrid foundation in place, especially since they have been doing it off and on for about two years now.
  • One CISO did not have a Work-from-Home policy, but her company has a Bring Your Own Device (BYOD) policy to help them know what kind of devices they can or cannot use for work.
  • Another leader did have a Work-from-Home policy before the pandemic; however, many positions still needed to come into the office because they were accustomed to their desktops, and during the pandemic there was a rush to get laptops, which were unfortunately backlogged. So they had to temporarily implement a BYOD policy with some safeguards.
  • A Work-from-Home policy should also provide guidelines around an Acceptable Use Policy for security measures.

Suggestions:

  • Establish specific work-from-home days because it would be better to align teams to be in the office on the same days.
  • Tell employees they cannot print certain documents at home with important information on them.

Connectivity and Bandwidth Challenges:

  • People believed that their ISP was delivering a certain level of service, but with all of the kids at home, all ISPs ended up providing terrible service to people who had thought it was good.
  • One CISO sent documents titled “Helpful Hints” to help employees with kids at home understand the demands of streaming services and the bandwidth issues that could impact their work. Although HR didn’t like it, the goal was to help moderate the bandwidth use of individual households.
  • Another suggestion was to advise people to get 5G internet through a cellular system, which would allow them to use a directional antenna pointed at one of the towers and have better service even with a slow ISP.
  • When some people working from home connected via Ethernet, they ended up with a public IP address. The security team had to help employees figure out how to remove it from public view.
  • One leader said going remote impacted him negatively because he lives in Idaho, and fiber-optic cables are not everywhere. It went from only 20-25 people on a VPN to over 5,000. People were having problems, which impacted what they could do and how well they could get it done. More solutions are finally coming online for the more rural areas.

Hiring Hybrid & Remote Talent:

  • A survey found that 80% of people said that if their employer were to force them to return to the office, they would find a job elsewhere. This will become an issue that many companies will have to deal with in the future.
  • When hiring people, have them submit a screenshot of a speed test to make sure they have fast internet. The speed test has become a requirement for employment, and if their internet is not up to speed, they will not be hired. It has been helpful to have this guideline when recruiting new employees because they know what to expect before they even interview for the position. With the guidelines, they can upgrade their bandwidth or find a way to increase their internet speed to be up to par with the standards of the policy.
  • Remote roles have allowed one CISO to finally recruit outside of his small town in Idaho because not many want to live there.
  • However, this has a negative impact as well, because many people in remote areas are also finding better remote jobs elsewhere.
  • One CISO said remote hiring has been a multiplier because they have so many locations in the US. Complete remote work has freed them up to hire people where they are located, which has helped them hire many more employees without being limited by location.
  • Creating a hybrid culture needs to be high on the list of importance because the cost of turnover is enormous, and having the best people picked off is also a considerable cost.

In Summary:

Thanks to the security leaders who joined our CISO Forum and provided such insightful advice on how to improve your Red Teaming activities.

If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.

About Tim Howard

Tim Howard is the founder of 4 technology firms, including Fortify Experts, which helps companies hire the Best Cyber Talent on the Planet and provides expert consulting and NIST-based security assessments.

In addition, he has a passion for helping CISOs develop Higher Performing Teams through coaching, by creating interactive CISO Forums, and by helping them create highly-effective team cultures.

With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.

He also teamed up with Lyndrel Downs to launch Cybersecurity DIVAS to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.

Tim is married with 3 kids. He is an avid runner and has completed two IRONMAN Texas events. He is also a graduate of Texas A&M University. 

Invite Tim to connect:  www.linkedin.com/in/timhoward