Business headlines are filled with the latest security breaches in organizations that many would hope were impenetrable.
While there are many ways that cybersecurity can be put at risk, there are common elements that can be addressed to ensure the safety of an enterprise.
Security and remote working
Remote working undoubtedly changed the workplace and the tools staff use. However, Calatayud notes: “I think remote work, at a technical level, is very similar to how many CISOs should protect their corporate environment.
“In other words, I’d always say, can we make the corporate environment, a glorified internet cafe, so that they can have the same experience and the same security, whether they’re in the office or whether they’re remote?”
There are variables that security professionals and workers must consider. Calatayud comments: “There’s still a difference in your home, your guard is down in certain ways. And the balance of what you’re doing on that laptop for work versus what you’re doing for personal is further blurred.”
Now, “The home becomes its own target. Which is different than being on the road because it’s hard for the adversary to breach in that scenario as they don’t know where you are”.
Calatayud explains the danger this presents: “You have untrusted people, and you don’t know who’s in that home as far as kids or anyone else.
“And the devices that are on that same Wi-Fi network, are not controlled by the corporation, because they’re your iPads, and it’s your kids’ devices. So you’ve got a bit of a hot more of a hostile environment than you traditionally had.”
As a result, “it makes you want to approach the idea of zero trust or the idea of multi-factor authentication very strongly because it’s no longer just about protecting the device or the employee, it’s now protecting the employee, the device, and the network that they’re coming on and making sure there’s trust and isolation as much as possible”.
Of course, security teams need staff to buy in to their initiatives for them to be effective. Calatayud compares the importance of security education to how people look both ways as they cross the street.
Unpacking this analogy, he adds that if “there’s a stoplight that makes sure that the people that aren’t paying attention can still cross the street safely” then that helps everyone.
With that in mind, Calatayud notes that there is a balancing act. Reflecting on his own programs designed to stop cybersecurity breaches coming from employees, Calatayud comments: “If I make a policy change, and I’ll send the policy changes to employees, I want to measure how many people actually processed what I sent.”
To do this, he will send over an option to review or an audit; this means there is data on who has completed education programs, and it is simple to report back to senior leaders.
Employees can also be incentivized to stay on top of security; for instance, in a previous role “we would walk around the corporate offices and we would take pictures of really bad examples of clean desks [an organization’s policy on how employees should leave their working space when they leave the office].
“Sometimes we would share that with management, never to expose employees, but we’d say look this is the culture we have. Here’s the issue.”
Comparatively, desks that were clean and not a risk would receive a small cash incentive. Equally, some policy releases are accompanied by a gift card to encourage readership.
Leaders need to see the importance of cybersecurity too – especially if it may impact the workflow of employees.
Contemplating this, Calatayud says: “There’s a couple of things that I do when I think about getting buy-in, either from employees or from management.
“The first is having empathy, understanding what you’re trying to do while understanding the organization, so when you make changes you understand how it impacts people.”
Calatayud reflects that when he was working in healthcare it was essential that a doctor’s job was not impeded by security, and as a result, the tools used to verify users were intended to be seamless and implemented concepts like facial recognition.
Additionally, making it clear that security can bolster the investments of leaders long-term can be a powerful way to show the importance of security, particularly as new tools are rolled out amid a hybrid working environment.
Cloud security and the future
Remote and flexible work has made it nearly impossible to patrol desks in the modern workplace. As a result of dispersed systems, cloud computing and security have become essential to organizations.
From a personal perspective, Calatayud touches on cloud security: “I think cloud security is important to me because it’s the future of business.
“There’s not a single industry that I haven’t had a conversation with, that isn’t thinking about doing some level of cloud investment for their future. So to me, that means at some point in our industry, there’s going to be organizations where the only thing the only way they get service is from their home.”
Calatayud notes that he is addressing this area with Aqua Security through an open-source model that is allowing cloud security to be looked at from different perspectives.
What’s clear from this conversation is that cloud security is essential going forward, and it’s time to ensure your workplace is safe now.