The coronavirus pandemic has fundamentally changed the way many people and organizations operate. While many countries have started progress towards opening up and returning to normal, companies are faced with the decision of whether or not having a remote workforce makes sense for them. Working remotely might be a normal thing for some, but with the advent of the COVID-19 pandemic, a new, massive portion of the global workforce is being thrown into it without any training or past experience.
As a security professional, when thinking about working remotely, I focused on the 3 main points: People, Process and Technology. Notice that people are first and technology is just an enabler to the business. A technology-first approach often leads to unhappy people, who break processes to be productive or at least work in a manner that's most desirable to them.
Major observations from the past couple of months: many organizations might not be as prepared for this as they thought, and the adjustment period was harder on some than others.
People are the foundation of your organization. Without them the processes and technology will not function, so ensure that they are considered first. People need to be able to be connected to each other and communicate in order to be productive. The workforce needs to know how to do this securely without endangering the business. Awareness and training are critical for this item:
- Why (Why is it important?)
- What (What is the impact if it is not done?)
- When/Where (When/Where is it appropriate and should be used?)
When working remotely, communication and even over-communication is critical. This can be in the forms of Instant Messages, Slack, MS Teams, emails, internal blogs or virtual Town Hall sessions to update your employees and other employees on what is happening and how it impacts them. For me, each medium has its own pros and cons and the topic of the conversation should be considered when selecting a medium (i.e. major issues should be addressed via email, not Slack, etc). Without the “water cooler” moments, I look for new ways to interact with my peers like virtual Lunch-and-Learns, peer presentations (10-minute tech talks), morning coffee sessions or virtual happy hours. Having non-work related chat environments where we can talk about topics like pets, food, travel or random hacks of the day has been important for keeping humanity. This is a great way for me to release stress and engage with others on topics that make me feel connected to others.
My employer provides wellness benefits like employee assistance, virtual coaches, wellness programs, and other resources which I take full advantage of. If you don’t have these, find creative ways with your peers or those in the community to do so. I am also a member of #TinkerTribe which is a group of professionals who have come together to share ideas and support each other.
If I had to give only one tip to try to make your life easier, it would be to set up a separate workspace at home; this allows you to mentally separate work and home life. Ideally, this location should be as distraction-free as possible to avoid pets, children and partners distracting and interrupting calls or video meetings. I would encourage you to have a dedicated space in the home that is ONLY used for work, so your brain is in the "work mode." Similar to how the bedroom should not have a computer or TV, so the brain knows "this is the room we sleep in."
The transition to working remotely shouldn’t mean that established processes are no longer being followed. And it also doesn’t mean that you do all the same things just virtually.
Things might need to be done differently and processes might need to be adjusted slightly. As a security professional, I would highlight any concerns and discuss them with the business and management. For example, if written approval is needed for a document, create an alternative process to ensure that the validation continues and is traceable (e.g., DocuSign). Ensure people are aware of where policies and procedures are stored and that they are accessible by sending reminders with internal links. Attackers will try to take advantage of this change, so ensure that there is sufficient and refreshed training in the required processes. This is also a great time for security awareness refreshers, especially those focused on phishing, malicious links and out-of-the-ordinary processes.
While working remotely, it is important to establish work hours and expectations of availability. Working from home makes getting into the “Work” mindset initially difficult, and distractions are often unending. If this is not the case for you, think about the situations of others on your team or those you might interact with. Be clear about deadlines for when work is supposed to be accomplished.
Just because you are now closer to your work machines/home workspace does not mean that you should be expected to work 24/7; this will only lead to burnout. Keep traditional working hours, or as close to them as possible.
Remember communication is key: continue existing or schedule new check-in times with your team, One-on-Ones, or daily Stand-Ups. I would encourage you and your team to enable video; it does give the warm feeling of human interaction. Encourage participation from all your meeting members, as it’s much easier for the extroverts to dominate virtual meetings by talking over everyone due to the inherent technical limitations.
Thinking about working remotely as a security professional, all I can think about is how things can go wrong for the non-technical workforce trying to work from home, a hotel or a local cafe (when things return to normal).
Ensure that your team thinks about how to make connecting to company resources as simple as possible, whether using self-connecting VPN (Virtual Private Network) connections or using web-proxy solutions. Next, if this is going to be a process change for the workforce, create training videos, how-to’s and documentation that lays it out step-by-step. Consider updating awareness programs for the changing concerns of working remotely and providing your team with frequent reminders through helpful tips, tricks or new articles from outside sources.
If your organization has not implemented MFA, now might be a great time to consider it, because it's harder for your security teams to tell legitimate users from illegitimate ones when everyone is external.
Ensure that your organization’s crown jewels are protected and that you can monitor them to ensure they are not slipping out the side door. I know I simplified it a lot, but it's a process and involves walking the business through identifying what is critical, thinking of ways to protect it and ensuring that the protection does not outweigh the risks or prohibit the business from functioning efficiently.
If you need some guidance in this area, NIST has provided guidance on Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf).
Additional tips and tricks:
Carve out space and time away from distractions. Distractions come in all shapes and sizes: kids, food-sites/Amazon/eBay, sometimes even email for some of us. We remote workers have to exercise great discipline to ensure we're productive. We're grown-ups, and "shouldn't need supervision to be productive." However, we need to be honest with ourselves.
Set specific hours. Don't short work, duh... but don't work all the time either! Balance is important.
Take breaks like you would at work! Go outside and get some sunlight on your skin (helps absorb the vitamin D, which helps with happiness and cognitive power). Think about how you used to operate back in the office: didn’t you take a break maybe once an hour or so to get up and walk around? Perhaps you’d take 10 minutes now and then to research a purchase on Amazon, buy concert tickets or even just scroll through Twitter. THIS IS ALL FINE AND NORMAL. Take these mental health breaks when you need them; they’re critical to productivity and reducing burn-out.
Meditation and breathing exercises help reduce stress and anxiety, and now it is so much easier to do at home than in the office. Use these opportunities to help ensure that you can focus on your mental health if needed.
Take a walk in the morning before work. The view will change your perspective, and help unclog the brain.
Make sure your family (if applicable) knows when you are and are not working! Otherwise, you may find a great balance but your family always feels like you're working and tensions will escalate.
Self-motivate appropriately. Set goals for yourself, determine what benefits those goals will have, determine a path to achieve them, and go at it! When you fall down, get back up, remember the value you're going after, and run at it again!
Self-limit appropriately. Don't allow stress to overwhelm you. Manage and reduce stress (there are many papers on this on the Internet and books on this topic). A little stress can be motivating, but can quickly become debilitating and draining.
Be sure to schedule critical thinking, and even break times for yourself! One of the biggest caveats of working remotely is the fear that you’ll be judged as non-productive. This predominantly stems from the comfort of being in your own home, and it’s very normal. Just like you will block time on your calendar at work for critical tasks or thinking time, continue to do so.
And if you need a little extra support, take advantage of provided employee wellness programs; they are there to support you!