As I walk across the lobby after my commute to the city and use my ID card to activate the turnstile, I wave to the security team and head to the elevator. Arriving on my team floor, I once again use my ID card to enter the office.
“Good morning, Sowmya.”
“How’s the family, Ivan?”
“Good to see y’all. I’m going to get a cup of coffee and then we can begin our daily kick-off session.”
I miss those days.
For the past 20 months, and into the foreseeable future, this daily routine has been replaced—for myself, my colleague and co-author Alpa, and many others—by a short trip to a desk, kitchen table, or sometimes a local coffee shop to begin the workday.
Despite what some lament as a loss of interpersonal interactions and the physical connectedness provided by traditional in-person workplaces, many companies have recognized the value in transitioning to “work from anywhere” models. These radical changes to where work is performed and what tools are required to operate in a remote environment require us to address workplace safety and security from a new perspective.
To begin, we must first ask: what is the “new workplace?”
For the purpose of this article, we will consider the following major categories of the “new workplace,” which apply to both our company as well as our vendor and service provider locations:
1. Stable: remote with managed access, such as a dedicated home office
2. Uncontrolled: anyplace with open access, Wi-Fi, and/or cell connectivity
What does this new paradigm mean for those of us who are trying to maintain a reasonable level of safety and security for our teams, processes, and products?
Without the benefit of basic security control concepts—including physical barriers; access management systems using cards and biometrics; function-specific controlled areas for our traders, auditors, finance, and AD&M coworkers; for example—we are left operating in unchartered territory.
Having a reasonable level of comfort knowing that everyone in a designated area has some level of entitlement to the data we are each working on is no longer a reality. The luxury of visitor management is gone; anyone can be looking over an employee’s shoulder in an uncontrolled remote work environment.
Data exposure has reached new levels of concern. We have transitioned from controlled environments with minimal and manageable risk to open-access spaces and unmanageable pedestrian traffic. We can partially address this elevated data and privacy exposure with technology, but the ability to mitigate risk is limited at best.
Beyond data, process, and product concerns are the ever more critical matter of employee mental and physical well-being. Alpa and I always used the classic “management by walking around” practice, but we no longer have the benefit of interacting with our teammates face-to-face. We have lost the chance to regularly speak with our teams and possibly pick up on a minor change in one’s demeanor. We have lost the chance to sense a degree of stress or hear about a personal challenge that one might not be comfortable mentioning on a video call. Gone is the ability to support our teammates with early detection and personal intervention.
Let’s face it, we are operating in a whole new space. Alpa and I must reimagine our management styles to recapture what has been lost. And, when it comes to data governance, our reliance on physically controlling who is in the immediate area of our data is no longer a reality in the “new workplace.” Therefore, it’s imperative for any company managing sensitive and high-risk operations to redesign their Risk & Control Self-Assessment programs and protocols.
The new approach to workplace safety and security must also address infrastructure uncertainty. Our workforce and vendors are operating from dispersed locations, which means that there are more variables outside of our control. These include:
- Information compromise
While there are some risk prevention tools available—such as enhanced multifactor system access, download, and printing restrictions, and some form of screenshot deterrence—early detection is more critical than ever.
Risk Early Warning protocols are now essential, and to be successful must include:
- Continuous, multicategory risk intelligence to identify exposures
- Expanded application/system access log monitoring
- Cross vertical trend analytics
- Enhanced RCSA monitoring
The availability of full-stack risk monitoring for both vendors and the many locations we operate from poses major challenges in our ability to manage this vast amount of data, eliminate all the noise, and implement a program of Actionable Alert processing. Many of us employ a variety of information sources and struggle to have a clear, concise picture of our risk environment.
Whether it is identifying and reacting to a staff well-being issue, a location crisis, or a data exposure; an agile, tested, and rehearsed risk-specific response protocol should include, at a minimum, the following components:
- Incident notification
It’s clear that we all need updated solutions to managing risk in the new workplace. Identifying and understanding the exposures and vulnerabilities in this new environment allow us to refine our application of Risk Early Warning protocols.