As recently published on Infosecurity Magazine
Far from damaging the economy, figures released by the Office for National Statistics (ONS) reveal that working from home may have actually boosted productivity during the COVID-19 pandemic. Fewer hours may have been worked, but output per hour was 2.3% higher for Q4 2021 compared to the same period pre-pandemic in 2019. Yet, tech firms are still keen to herd their staff back into the office, with Microsoft stating that, from the end of February, its employees must return to the workplace within 30 days, although some will have the option to work from home half the time.
The general consensus is that some form of hybrid working will persist for office workers because it’s proven so popular, but that won’t necessarily hold true for many of us in the security sector. It’s become apparent that some jobs are better suited to remote working than others. So, while security operations and SOC analysts can work from home, those tasked with disaster recovery or physically managing equipment may find their ability to work from home curtailed.
The Facebook outage that took place in October last year due is a case in point. It’s already being hailed as an example of why remote working isn’t sustainable in tech. A result of a badly executed routine configuration update, there was a significant delay in bringing services back online that was attributed to the fact only 25% of Facebook’s staff were in the office. Those on call were unable to physically access the buildings until the servers were back up and running, extending the downtime which is estimated to have cost the company over $60m.
So does this mean more people were needed on the ground, or is it more a question of whether adequate incident response processes were in place? Facebook insiders claim the company ‘Storm tested’ for just such an eventuality but had it done so with a limited team? It’s often not the technology that’s the stumbling block when it comes to supporting a remote workforce – significant strides have been made in securing IT infrastructure with the move away from VPNs to zero trust systems, etc., but the policies that govern how we work. If security processes haven’t been sufficiently adapted or even rewritten entirely to reflect the new norm, then such incidents will prove hard to manage.
A Force for Good
In fact, remote working has been credited for accelerating digital transformation rather than being a disruptive or negative force. It’s led to unprecedented investment in systems to support secure remote access and has placed cybersecurity uppermost in the minds of key decision-makers, according to the World Economic Forum in its Global Cybersecurity Outlook in 2022 report. Not only that, but the report claims remote or hybrid working is second only to automation in its potential power to transform the cybersecurity sector even further over the next two years.
The danger is that tech companies could be headed for a recruitment crisis by trying to reset the workforce. Up to 85% of staff say they want a hybrid approach, but a third of businesses are unsure whether this can happen, according to the ONS. In addition, many employers are finding they now have to offer roles that would previously have been classed as consultancy under IR35, making those roles less desirable, and the talent pool itself is rapidly shrinking. A recent report from the DCMS suggested that with only 7500 coming into the profession each year, there is an annual shortfall of 10,000. Add to that the emergence of new roles in cloud security, AI and DevSecOps, each of which has its own specialist skillsets, and it’s easy to see why the security professional now has the upper hand.
Yet, there are also other reasons to consider flexible working. The sector has high burn-out rates, with 88% of security professionals reporting being moderately or tremendously stressed, according to the WEF report. Moreover, remote working can significantly improve mental well-being by enabling people to spend less time commuting and more with their loved ones. There’s also anecdotal evidence to suggest that home working is advantageous for promoting diversity and inclusivity, with women of color, for instance, reporting that they felt they no longer had to deal with microaggression or bias.
So perhaps rather than looking at how we can get the genie back in the bottle, we need to look at how we can support the security sector. That means taking a top-down approach, redesigning the security structure and using the technology we have to emancipate professionals. Because if businesses hope to attract and retain talent, they’re going to have to seriously consider how their staff want to work.