Why security strategies need a new perspective

After a stream of ransomware campaigns, data leaks, and attacks on critical infrastructure, businesses understand their digitization strategy needs to be complemented by a well-designed cybersecurity strategy. But, confronted with a complex and confusing threat landscape and an equally multi-faceted security vendor landscape, many are uncertain what their security strategy should look like.

In the current debate, one essential factor is often overlooked: the people most relevant for your security strategy may not even work for your company yet (and no, I’m not talking about those incredibly hard-to-find security professionals.)

Many cybersecurity discussions focus on specific threats: ransomware, intellectual property theft, or any of the numerous digital holes allowing threat actors to break into company networks and wreak havoc. A second, equally prevalent strand of debate focuses on individual components of the environment that need protection: a company’s business-critical core applications, its email and collaboration infrastructure, the cloud services it uses, its website and e-commerce applications, or – in the manufacturing industry – the increasingly internet-connected manufacturing plants with their often insufficient mechanisms for securing operational technology (OT) infrastructure.

A third aspect tends to come into play only as an afterthought: the employees. When they are mentioned in the security debate, it tends to be either as targets for social engineering campaigns, as “dumb users” clicking on malicious links that open doors for threat actors, or as malevolent insiders exfiltrating sensitive data. Rarely, however, are employees given the full weight they deserve in security discussions: the pivotal role around which all other aspects need to revolve. It is employees, after all, who work with all these business-critical applications and sensitive data pools, and they are the people who drive every company’s business. In security strategies, employees need to take center stage, instead of being relegated to the wings.

When it comes to designing a cybersecurity strategy, it makes sense to move beyond all the noise about the latest and most sophisticated attacks and the latest and most sophisticated security solutions, and focus attention on the employees instead – but not necessarily on the current staff. Rather, the fundamental security strategy question is: what will the needs and the security requirements of my employees be in four years’ time?

The workforce of 2026 will be digital – much more digital than today’s – even in areas that traditionally have been considered less prone to digitization, such as workers on factory floors, in communal services, or in agriculture. At the same time, employees already working digitally today will most likely not be the office workers that used to dominate many business campuses in pre-COVID lockdown times. The reason for that is that even before the pandemic, digital work had shifted towards flexible hybrid work. The latest generations of digital workers have long progressed to using mobile, sometimes even privately-owned devices to access a steadily growing range of cloud services, in addition to corporate resources, from anywhere. The pandemic, with its recurring lockdowns across many countries, has simply accelerated this trend, and has made it more obvious to the public.

The digital workforce – especially the highly skilled professionals that businesses compete for in the global “war for talent” – will increasingly insist on being able to work efficiently, but at the same time conveniently and securely, wherever they want or need to engage. Some will bring their own devices, some will prefer to use corporate-owned ones, and some will use a mix of both.

At the same time, the move towards cloud services is bound to intensify, while many businesses (e.g., manufacturing) will also continue to deploy a growing number of applications at the edge of their networks. This will result in a progressively complex hybrid application landscape consisting of on-premises legacy technologies, modern on-premises or cloud-based applications, mobile apps, and a dynamic set of cloud services. Here, the challenge will not only be to protect employees in working with this elaborate mix of applications and services – it will also mean keeping use of unwanted apps and services at bay, or at least monitoring it closely.

Taking the work, collaboration, and usability needs of their future workforce as a reference point, decision makers can evaluate: What will be the most likely – and most critical – security risks for this workforce? For example, high-profile employees will sooner or later find themselves in the crosshairs of targeted attacks, be it by cybercriminals or state-backed threat actors. At the same time, it is important to remember that basically every employee, from the call center agent to the HR or finance team, will be targeted – after all, a successful attack hinges on a single person clicking on a malicious link.

Once the risk landscape of the future workforce is established, numerous questions follow naturally:

• What will employees’ most pressing needs be when it comes to working securely from anywhere, anytime, with any device of their choice, and with their preferred set of apps and services?
• How flexible and scalable will the security architecture need to be to cope with the dynamic nature of the hybrid multi-cloud infrastructure accessed by the distributed workforce?
• Most importantly, how can employees’ security needs be balanced with a smooth user experience – especially considering that complex security tools as well as slow app and data accessibility will entice employees to start looking for workarounds, thereby weakening the company’s security posture?
• And how can this security posture be monitored continuously without running the risk of impeding employees’ productivity and motivation?

What is now called the “new normal” of flexible remote work will soon be the “well-established normal“. The whole digital workforce, not just highly skilled individuals, will expect to be able to work flexibly, remotely, in accordance with their individual needs, and securely. They will want – and need – to decide for themselves what is best suited to their work style, and to the current task at hand. The security architecture will have to support the full spectrum of these needs and requirements. Decision makers should plan for the workforce their business will depend upon in the future, not for the problems they battle today – even if that means planning for the security of employees they don’t even have yet.