The biggest security challenges of hybrid work [Q&A]
The shift to remote and hybrid working has led to many problems for IT teams, not least that it offers an expanded attack surface. Add in the threat from cybercriminals looking to capitalize on advanced AI capabilities to create malware and you have some major challenges.
We spoke to Doug Kersten, CISO of enterprise collaboration specialist Appfire, to discuss the key security challenges product and DevOps teams face today and how to overcome them.
BN: What does the future of cybersecurity -- specifically related to workplace/project management -- look like to you?
DK: If asked a year ago, this would have been a much easier question. The answer would have been more of the same; push further left and continue to build buy-in with the associated teams. However, with the advent of generative AI, many areas that we thought were solidly addressed moved onto shaky ground. Areas that were black and white became gray. As an example, by setting specific rules around the handling of protected data in non-production environments, we thought we were golden. However, AI used in the development process has the potential to expose protected data and intellectual property in unexpected ways.
In the short term, it will be critical for cybersecurity teams to re-evaluate the impact of AI on the workplace and project management. For us, that has meant a more hands on approach by our legal, privacy, and security teams with our DevOps teams, and a re-thinking by our product teams on how we approach AI and its integration into our products and workspaces. This will lead to longer term solutions that will involve tighter technical and non-technical cross-team collaborations than we have seen in the past. It is no longer possible for one team to retain all of the expertise necessary in this new world, and it is critical when dealing with AI to ensure that a human always remains in the process. There are many possibilities on how this will play out, and we are seeing some early indications today, but it could be much different than we all expect.
BN: What are the potential cons to AI's rise in prominence from a security threat perspective?
DK: In addition to the cybersecurity challenges the industry is well aware of -- like compliance, securing the cloud, and combating ransomware -- AI has introduced an entirely new array of concerns organizations need to prepare for. For example, while AI is being used to create 'good' software -- software that has positive, socially redeeming qualities -- threat actors are working to identify opportunities to exploit the technology to their advantage, creating even more deceitful malware and infiltrating networks with increased ease. You can already see this happening in phishing attacks as a result of the threat actor/AI partnership. Threat actors are using AI to speak in, literally, the same voice as company leadership during phishing attacks (whether in text, audio, or video) in an attempt to increase the likelihood of a successful compromise. AI has allowed a type of attack that would not have been possible in the past; one that also chips away at normal trust paradigms (i.e. seeding thoughts such as, 'when I talk to my boss on the phone, is it really her?').
While AI will offer opportunities to develop even more effective solutions, it’s critical that cybersecurity leaders are extremely vigilant and proactive in identifying the potential concerns presented by AI and malicious actors' behavior. The AI world is in such flux, security leaders must take a daily, proactive interest in the changes that are occurring. Just like OpenAI has become the fastest growing internet company ever, based on active users, the changes to the security world resulting from regenerative AI will also be accelerated. If you're not prepared for it, there is the potential for it to become a significant stressor on the cybersecurity and carefully built security cultures within organizations.
BN: How is AI positively contributing to developments in cybersecurity?
DK: AI will be used to create software and services that ultimately help prevent threats from infiltrating company networks and will support the development of innovative solutions to proactively protect against even the most aggressive threats.
For example, AI-based solutions can help streamline monitoring processes so security teams can spend more time addressing threats versus searching for them. It will also help identify attacks that would have been almost impossible to detect in the past before their successful execution. This will ultimately reduce the need for less experienced security practitioners. For the industry, this is an overall positive because it will help address the long-term concern the industry has had with the ability to fill security positions. Some might consider this a negative, but, we’ve seen over and over again technology increasing efficiency -- removing the need for basic skill sets -- while providing an overall positive impact to society.
One area where thought should be given is, however, is how will cybersecurity leaders develop senior employees with a more limited pool of junior employees to pull from? This will require re-thinking around training and career development; and will introduce additional change.
BN: How does a shared responsibility model help organizations protect their cloud-based environments?
DK: Hybrid and remote work have contributed to an increase in the use of cloud-based applications in almost every industry, with a large number of employees accessing data from varying locations, networks, and devices. This presents concerns related to overseeing data movement, file access and sharing, and more. Moreover, without every employee being aware of the key indicators and frequency of cloud-based security compromises -- and knowing what to do in the event of a present threat -- there’s a much greater likelihood of security risks getting missed.
By establishing a shared responsibility model for security with cloud providers, it's implied that all parties are aware of their role in protecting the company's data from unauthorized individuals and, thus, both are able to better focus on what they need to do to address a security concern.
BN: How do you build trust among your customers and partners while keeping compliance, privacy, and security top of mind?
DK: Security, privacy, and compliance are the key building blocks of trust. If you want to foster trust, this is the best way to demonstrate that you are trustworthy. Thinking about trust this way results in an improved dedication by companies to provide the necessary resources for improving and maintaining security, privacy and compliance within their organizations, products, and services. Handling trust in this way also empowers other parts of the organization, such as sales and support, to speak confidently and transparently to customers, further increasing trust.
Communication and transparency between a company and their customers and partners is incredibly important. However, many companies fail to provide the necessary visibility into how they address these key trust pillars. Although it seems counter-intuitive, once you get over the mental hurdle, working this way with your customers provides many advantages. For example, if you operate from a position of trust, it is easier to share information that could be considered negative and search for common resolution. Solving common problems together builds a stronger relationship, increases trust, and ultimately increases the likelihood of future success for the company, customer, and partner.
Companies need to make sure customers and partners have the necessary tools to verify security, privacy and compliance and have a centralized point of communication and transparency. At Appfire, we created the Appfire Trust Center as a resource to answer customers, prospects, and partners' security questions or address concerns, and to be a place to access the most recent information related to how Appfire is protecting the security of their data. The Trust Center gives our stakeholders visibility into the product controls that we have in place -- instilling a higher level of comfort in their decision to do business with us. It's an excellent way to get to know us and fosters a consensus of trust that can be built on to expand relationships and, ultimately, the success of both parties.
Image credit: videoflow/depositphotos.com