Whether discomfort comes from the unknowns of a new way of working, a little mistrust, or perhaps not believing remote work, I find that companies who are resistant to it tend to fall behind in terms of attracting top talent, maintaining global reach and frankly, moving with the times.
A version of this article appeared in TFIR. It has been updated and syndicated here.
They say change is the only constant in life, but 2020 has really brought a test for many all over the world. The global COVID-19 pandemic has forced us to think - at a deep level - about how we connect. Self-isolation, social distancing - these have been some of the adaptations we've made in the physical world, and despite the fact that so many of us spend so much time online, it's quite a different scenario to not have any other choice when it comes to communicating and, if possible, working. It is all at once a tragedy, and an awakening.
Like many tech companies, flexible working is not new to us and working from home is one of the perks of the job. Even as "early" as 2009, I was working remotely from Belgium for companies in Silicon Valley. The technology was way less advanced back then, but it was still doable. Even for us right now, however, it was an adjustment to have every single team member working from home until further notice. I have seen so many companies make this decision as well, including many who were not as prepared as others for managing a remote workforce.
Whether discomfort comes from the unknowns of a new way of working, a little mistrust, or perhaps not "believing" in remote work, I find that companies who are resistant to it tend to fall behind in terms of attracting top talent, maintaining global reach and frankly, moving with the times. This current crisis has left many with no choice but to ignite a remote workforce, as the alternative is a complete shutdown of business amidst a chaotic economic climate.
If there is one positive we can take from this tragedy, it's that people will have seen the benefit of a digital workforce, and the myriad of ways in which a team can connect despite not being physically together. And the cybersecurity industry is one that can truly thrive from a work-anywhere, always-on approach.
Attackers didn't go into lockdown - they're abundantly active and taking advantage of this crisis, leveraging worldwide panic and uncertainty to carry out cyberattacks on medical facilities. In a situation such as this, it's not far-fetched to see a spike in cyberattacks - especially ransomware. It is, after all, stealing to survive in precarious economic times. This doesn't make it okay, and the fact remains that we can still work, train and fight against cyberattacks anywhere there is an internet connection.
The future is flexible, and this is how we - and the cybersecurity industry as a whole - can make it work now and into the future:
Before any sort of forced quarantine situation, global teams still had to find a way to collaborate when required. Affordable conference calls made their debut in the same year as the Rolling Stones (1964, that is - and no doubt those early adopters had the same, "are you there"? "no, you go ahead" issues we face today, even though we can see each other on video).
In 2020, digital communications technology is an enormous part of the multi-trillion-dollar ICT industry, with cloud-native, mobile and social platforms dominating and replacing legacy tech. Innovations like Slack, Zoom, and Discord have kept us more connected than ever, especially at work. And communication is just one aspect of the story.
Digital services that are accessible anywhere with an internet connection, on-demand, that fulfill a base need - whether it's a connection, entertainment, productivity - are part of our flexible future. As customers ourselves we seek hyper-personalization, and as a business, we seek to deliver a personal, digital experience that is of the same uncompromising quality no matter where it is accessed from.
In every industry, every day, web-based applications are being created to streamline processes, revolutionize the existing ways we live and work, and solve problems we may not have realized we had. We are nowhere near the peak of cybersecurity tools and training that can be accessed on-demand, in ways that are engaging and useful to the user, with tangible benefit to the business.
Developers appreciate flexibility in their day jobs, and our focus on practical, fun secure coding training, as well as workflow integration, is crafted with these end-users in mind. Tools should be pick-up-and-play so as to be effortless, with valuable training not seen as a chore. With the cybersecurity industry such a vast playing field, the time is ripe to innovate in multiple areas of attack and defense, where security-first methodologies like DevSecOps can still thrive even if everyone is at home. It's about collaboration, and a considered suite of tools for each member of the team to do their job effectively regardless of their physical location.
One advantage of flexible work is that your office commute is wiped out on the days you're performing duties from home. For some, that could be around two hours of quality, focused time won back. In an ideal world, all staff would have time in their normal working hours to learn and develop their skills, and this can be navigated much easier in the right remote environment. It's beneficial to your remote superstars, who can feel challenged and supported by further learning.
With the cybersecurity landscape changing by the second, frequent training is a must to keep pace with potential threats that could affect the organization. And comprehensive, measurable training that is customized to the needs of the business is a huge step in the right direction. These were some of the core factors in the design of the Secure Code Warrior platform; we wanted training that could be accessed anywhere, right when you needed it, in the development language and framework of the user's choice.
Developers have a fraught relationship with security, and in a lot of ways, they've not been catered to in a specific enough way to engage properly with security best practices. On-demand, gamified training can help win them over no matter where they are; this is also imperative for ensuring that offshore teams and vendors display adequate security awareness as well, especially when involved in any sort of tinkering with an organization's software.
Keeping your cohort engaged and upskilled with training that will help the organization (not to mention their own career) is a very effective glue when it comes to retaining your best and most loyal talent... an absolute necessity as we face an ongoing cybersecurity skills shortage.
It's a rather old-school position that in order to be productive, you have to be visible in an office from nine until five. And yet, so many companies (even some of the new, exciting ones) still operate with this notion in mind. There is a deep sense of mistrust in their own workforce, as though the mere suggestion of working from home has them picturing their teams gaming in their underwear instead of doing their job.
Either that or they simply haven't taken the plunge into viable remote working.
Naturally, team members do need to prove they can maintain productivity at home by showing output, however, you need to give your cohort the best chance to succeed away from the office. Ask yourself:
In the current climate, many businesses were faced with a decision to go remote with the operations or shut down entirely. Some businesses that chose to move to a remote workforce may not have been all that prepared, and it's possible there will be some kinks to iron out... but the elephant in the room is that these businesses are likely exposing themselves to some security risks, as well.
There are several threat vectors to consider, since staff are likely on their own network, and may be using a range of devices to access company accounts, each with their own security needs that may or may not be in effect.
In remote working situations, everyone tends to receive an increase of email, on top of having to sort out various logins, systems, and setups. It's all too easy for socially engineered attacks and malware to slip through the cracks on a bunch of devices out of the in-house security scope. This is not a reason to abandon remote work, it is a golden opportunity to learn by doing and make it as robust as possible for the future. And in security-focused organizations, well, this is a good opportunity to audit processes and "eat your own dog food" when it comes to security best practices for everyone.
Speaking of blunders, it's also important to assess your remote workspace for any potential threats... mostly to your pride, like this poor couple. Moral of the story: make sure everyone is wearing pants if you're on a video call.
It is deeply upsetting to see the effects of COVID-19 all over the world, and now more than ever is a time to pull together and consider other people in this global health crisis. The thing is, attackers are actively taking advantage of this widespread fear and pandemonium, perhaps out of desperation to put food on the table. We as a society are incredibly vulnerable at this time.
Healthcare institutions, including a vaccine testing center, have been hammered with ransomware and DDoS attacks, not to mention those trying to take advantage of distracted and overworked finance and government organizations by launching phishing and malware campaigns against them. Another looming threat surrounds the vaccine itself; it has been reported that the Trump administration had offered a German firm large sums of money to develop a COVID-19 vaccine for the United States'exclusive use. The vaccine data is possibly the most valuable information on Earth at present, which would be a very attractive bounty for an attacker.
This is an all-too-timely reminder that while we self-isolate from the very real threat of a physical virus, our digital heartbeat is also under attack. Security awareness is of utmost importance in every organization, and adequate training should be provided at every level - even measures like enforcing password management tool use, and learning how to spot a phishing email are helpful.
And when it comes to developers, they are the first line of defense in securing the code actively produced within the business, and they can be a valuable asset with your AppSec team in avoiding further pain from a cyberattack by closing the back doors created by common vulnerabilities.
An extremely unfortunate byproduct of mass lockdown has been the economic downturn, forcing many people out of jobs in the hardest-hit sectors. This has all compounded rather suddenly, and it is an experience many of us likely haven't lived through in our lifetimes.
While not every digital native business is an automatic recession-buster (far from it), by their nature, companies that deal in digital are far more agile, adaptable and sustainable when even the most left-field of circumstances come to pass.
Our company can be run efficiently and effectively with a remote workforce, and this is an added layer of protection for our valued team and the clients they support as well. We consider viable secure code training an essential part of modern businesses, and if we're chosen, we can deliver and pivot as needed. Many companies by nature of the products or services they sell do not have the same luxury, but it may be a positive surprise for them to investigate where processes can be digitized, future-proofed and made as on-demand as possible in even the most traditional spaces.
It's a tad dramatic, but I'm reminded of the famous quote from Jurassic Park where Dr. Ian Malcolm says, "life finds a way". It truly does, and that has been very apparent in our company-wide switch to remote work. Teams that didn't interact a whole lot before are discovering common interests in drop-in/drop-out watercooler chats, online office games, and a mutual global office Spotify playlist. There is always a way to forge a meaningful relationship, and my advice is to let teams explore and grow with it organically.
For our clients, it has been awesome to see that their commitment to honing secure coding skills among developers has transcended any remote working hiccups. They have been utilizing our tournaments feature, and while these are usually run in-person with a bit of fanfare, their virtual versions have been driving healthy engagement, friendly competition and an excellent (productive) distraction from day-to-day activities usually completed in a solitary fashion. Much like videogames are now a far more social event than they once were, this type of on-the-job training drives connection not just with the course material, but with each other. And it's available to anyone, anywhere. As a security geek I'm definitely biased, but hey, this is as good a time as any to help foster a love of secure coding among developers. They are all security superheroes in waiting, and it's time to bolster your front lines in the most fun way possible.