This year, Labor Day marked more than the end of summer. It also represented the unofficial start of an effort by companies to bring many workers (including cybersecurity professionals) back to their offices after nearly three years of working from home and remotely because of the COVID-19 pandemic.
From Apple to Google to The New York Times, employers are trying to bring their employees back to physical offices for at least part of the week, and many employees are pushing back or hesitating.
The same goes for cybersecurity professionals. While considered the frontline advocates for many organizations, these technologists have also embraced remote and hybrid working arrangements.
“Most cybersecurity jobs can be remote like other IT jobs. Many cybersecurity professionals are already working remotely, either as part of a remote team or as consultants hired on a project basis,” said Darryl MacLeod, Virtual CISO at LARES Consulting, a cybersecurity consulting firm in Denver, who has been working remotely for more than a decade.
A survey released in August by the International Information System Security Certification Consortium (better known as (ISC)²) found that the most satisfied cybersecurity professionals at work are those who have a choice of where they work. The least satisfied are those who are told by their employer to return to the office.
“While choice reigns, working remotely still trumps returning to the office,” according to the (ISC)² survey, which included responses from 416 cyber professionals.
The (ISC)² report found that, despite a desire to work from home or remotely, the number of cyber professionals working remotely fell from 44% of respondents in 2021 to 33% this year, with 58% of respondents saying that their employer changed their remote work policies this year.
The study also says that while around 35% of respondents want to work remotely “100% of the time”, other participants noted that they saw benefits in returning to the office full-time or part-time. These benefits include social interactions and the ability to distinguish between work schedules and family life.
Remote work is here to stay
While cyber experts debate the pros and cons of having a remote workforce, these new hybrid work arrangements and schedules are here to stay. In an area like cybersecurity, with more job openings than potential workers, organizations that don’t offer flexible hours are likely to miss out on recruiting the talent they need.
“As remote work once again becomes a management choice, individuals and management are making those choices for what’s best for themselves and for their organization,” Claude Mandy, chief evangelist for data security at Symmetry Systems, told Dice. “Unfortunately, in a competitive work industry like cyber, where the demand for cybersecurity professionals far exceeds the supply, this may prevent organizations that are unwilling or unable to support remote working from attracting the cyber talent they desperately need.”
For cybersecurity professionals, hybrid or fully remote working offers benefits and reduces stress. “The main benefit of a fully remote workforce is the increased flexibility it gives workers,” MacLeod told Dice. “Remote workers can often set their hours and work from anywhere with an internet connection, which can lead to a more relaxed and less stressful work environment. It also allows organizations to tap into a global pool of qualified employees.”
Stan Black, CISO of security firm Delinea, has already seen the benefits of leveraging a remote cyber workforce within his organization.
“Because our team is already 100% remote, we can source great talent in low-cost or lower-cost regions, which also helps us meet 24/7 business requirements across all time zones,” Black told Dice. “Also, cyber events and techniques often vary from region to region, so diversity brings broader perspectives to the team, and you can often achieve that through staffing ‘try before buying.’ Finally, if your infrastructure is infiltrated, it’s easy to go out of band to ensure the attacker isn’t monitoring calls, meetings, messages, etc.”
While many industry watchers see the benefits of working more remotely, others point to serious downsides, especially when it comes to cybersecurity. During an attack, breach or other security incident, being able to communicate with colleagues is important to ensure an appropriate response to the situation, said Oliver Tavakoli, CTO of Vectra.
“The downside is the possibility of miscommunication, especially in the middle of an active incident,” Tavakoli told Dice.
Scott Gerlach, co-founder and chief security officer at StackHawk, also noted that a more remote workforce can suffer from communication issues, especially during a cyber incident. “The downside comes primarily from a lack of communication. You need to be very intentional about how, when, and where you open lines of communication and use tools to create documentation, record meetings, and collect any other information you want to share,” Gerlach told Dice. “You can’t rely on ideation driving.”
Stay ahead while staying home
While cybersecurity professionals might prefer remote work — or at least the option of controlling whether or not they come into the office — experts noted that keeping up to date with skills and industry trends remains a must.
The biggest challenge for any cybersecurity professional, remote or not, is keeping up to date with the latest challenges, techniques and technologies and even new industry terms, Mandy said. The remedy for this is to stay curious about the industry.
“This ability to learn and grow over time doesn’t require professionals to be there in person, it requires curiosity,” Mandy added. “Being totally remote can sometimes encourage curious people to discover something new and find new ways of doing things on their own from outside their organization. This can include reading white papers on security data, a daily routine of listening to your favorite podcasts, hands-on experiences within Amazon Web Services, Azure, or Google Cloud Platform, and even working on an open source project.”
With many open source projects available in various repositories, Gerlach encourages cybersecurity professionals to create home labs and experiment with new tools and technologies.
“Keeping your cybersecurity skills up to date has nothing to do with where you physically sit,” Gerlach noted. “Resources and information on new threats and defensive tactics are already widely distributed and easily accessible. Tools like Docker and Kubernetes make it easy and affordable to set up at-home labs to practice and learn.”
While some remote work will remain, in-person meetings with teammates never go out of style, and even meetings once a year can have a positive effect on communication.
“Most formal skills can be learned in online courses and by attending security conferences. But the skills needed to function as a cohesive team in the face of cybersecurity threats are harder to come by remotely. Remote teams should look to spend a week or two a year together to build organizational culture and ensure group cohesion,” Vectra’s Tavakoli said.