Lessons from US CyberWeek: Securing the remote workforce

This year U.S. CyberWeek is a digital experience, featuring hundreds of events and C-suite leaders from tech, gov and academia who have come together to exchange information, share best practices and discuss how we can revolutionise the way we protect against and overcome cyberthreats. As the flagship daily event, CyberTalks showcases influential leaders for daily lightning talks, keynotes and fireside chats. Here’s what we learnt from day #1.

Securing new ground and the acceleration of Zero Trust

Given the state of world affairs, it’s no surprise that this year’s talks kicked off with some candid conversations around securing the workforce while transitioning to remote work. Francisco Salguero, CIO of the U.S. Federal Communications Commission, and Sean Frazier, Advisory CISO for Duo Security, kicked the discussion off with an inside understanding of how the FCC faced challenges in this ever-changing work environment. The global pandemic accelerated the FCC’s move to Zero Trust, which has been on the horizon for the organisation with POC’s in the works prior to the pandemic striking.

Challenges with BYOD and adopting a cloud platform to host all necessary systems highlighted the need for clear policies and procedures surrounding secure access management to information systems. According to Frazier, user experience is the “holy grail” of security. He continued to explain that if users are inconvenienced enough, they will find a means to circumvent security measures all together.

As Mike Tyson said, “Everyone has a plan until they get punched in the face.” COVID-19 was the punch in the face that showed organisations around the world the need for Zero Trust.

The importance of secure authentication and identity verification

Dovarius Peoples, CIO of United States Army Corps of Engineers, and Rick Pina, CTA for Worldwide Technology, discussed cyber security concerns in the work from home environment as it related to mission success. Both agreed there needs to be a strong focus on network and end user device security to provide a reliable environment for ‘completing the mission’. The way to get there is Identity Access Management (IAM) and Privileged Access Management (PAM) –  the two key tenets of a fortified information security program. According to Pina, challenges in the remote workforce centre around three main areas:

  1. Connectivity: No one was prepared for the scale, scope and size of the pandemic-induced WFH environment.
  2. Collaboration: Employees needed to be able to continue to operate. New tools needed to be implemented, and FAST!
  3. Visibility: A newfound need for total asset visibility.

Ensuring secure authentication and identity verification will aide in the creation of a robust WFH cloud-based architecture.

Workforce, workplace and workload take on new meaning

Beth Cappello, acting CIO of the U.S. Department of Homeland Security (DHS), Mike Younkers, Senior Director of Systems Engineering, U.S. Fed, Cisco, and Billy Mitchell, Editor in Chief of FedScoop, rounded off the conversation with a discussion on continuity of operations through proper planning and preparation. Work from home was not a foreign concept for the U.S. DHS. According to Cappello, the number of remote employees connecting to the VPN pre-COVID-19 is estimated to be approximately 10,000 employees. Almost overnight, that number grew to over 75,000 daily connections. Younkers noted that agencies, like DHS, who had a WFH plan in place were able to scale more quickly. Organisations with older technology made it difficult to keep up with scale. He went on to note that workforce, workplace and workload have each taken on new significance. The workforce is no longer managed within the confinement of the facility. The workplace is now everywhere, and the workload is distributed in ways never before imagined.

Solutions must start with the end user

Zero Trust architecture was the common thread amongst all three discussions. Identity is the linchpin of the access control component to Zero Trust. Ubiquitous availability of systems and data with secure access requires cloud adoption scalability to an extent never anticipated. Software-defined network access is key to quick adoption to a Zero Trust cloud environment. But, at the end of the day, if your user experience is not positive, all your hard work will be for naught because the users will find a work around. Implementing an identity solution that is secure, portable, and easy to use is the future of securing a remote workforce.

Check back tomorrow for more updates from U.S CyberWeek 2020. Daltrey.com/blog/