I’m sure you know this, but in case you’ve been living under a rock (or somewhere without Internet connectivity, and haven’t seen a newspaper or magazine recently…wait, has anyone seen those recently?): we not only just crossed into a new year, but also into a new decade. Goodbye 2010s and hello 2020s; change is afoot.
In this post we will look at six major trends, not just in IT or cybersecurity but in the workplace in general, and how we, as IT professionals, can understand their cybersecurity implications.
Before we get into the list let’s talk about an important principle in security and cybersecurity, the CIA Triad.
As you see in the graphic, the CIA Triad has three sides, Confidentiality, Integrity and Availability. For our purposes here are short and simple definitions:
- Confidentiality: ensuring data and systems/resources are not accessed by unauthorized entities.
- Integrity: ensuring data and systems/resources have not been changed in an unauthorized way.
- Availability: ensuring authorized individuals and systems can access data/systems/resources without undue burden or delay.
In IT, and especially cybersecurity, we’re all about locking things down (confidentiality) and protecting them from being messed up (integrity), but we place somewhat less value on making them easy to access (availability). At least that’s been my experience.
Why am I bringing up the CIA Triad in a blog post about work and technology trends? Because, as you’ll see, availability is a major factor in several of them, including anywhere, anytime, and multiple device availability.
Let’s jump into the list!
- AI - Artificial Intelligence
Is AI in your organization? AI may already be part of your workplace or those of partners, clients, and customers. Chatbots continue to make headway in the first line of support communications, job candidates are being screened by AI systems, AI aids in workplace efficiency, and shows up as actual robots (Hello sci-fi!) in manufacturing and other areas. Forbes gives several great examples.
Cybersecurity implications of AI in the workplace: At its base, an AI system is software, hardware, or a combination of both, and it inherits the same attack surface as any other system. Keeping apps updated, installing the latest stable firmware, using reliable sourcing channels, and classic hardening techniques (including physical security) will go a long way toward securing your AI systems. One point specific to AI: because the system’s behavior is shaped by the data it was trained on and the data it is fed, treat that data as an asset whose integrity (the I in the CIA Triad) must be protected, not just the code that processes it.
- Focus on Reskilling and Upskilling
I don’t remember these words being used 20 years ago, but they are all over workplaces today. As new technologies emerge, some skills fall out of common use (I still have that NT 4 MCSE) and other skills jump to prominence, the growing demand for cloud architecture skills being one example.
Demands for new skills leave an organization with three options:
In the tight labor market at the beginning of 2020, finding the right people with the right skills may not be an option. And even if you hire the right people today, you’re going to need new skills six months from now. The demand keeps climbing, and frankly, it’s often more cost effective to train your existing staff. In 2020, reskilling and upskilling can be used to fill many of these skill gaps.
Reskilling means training a person to gain the skills for a completely new role, often because their old role is no longer valuable to the organization. Upskilling means training a person in the new skills required by changes in their current role. Either way, training makes the employee more valuable and allows the organization to stay competitive, and relevant, in the marketplace.
Cybersecurity implications of reskilling and upskilling: New technologies mean new opportunities and new threats. When creating a training plan, building good cybersecurity skills into the overall curriculum improves your overall security posture, because the people operating a new technology are the ones best placed to operate it securely.
- Soft Skills and Personal Development
Speaking of skills, we are seeing a major shift regarding skills that are not tied to a specific role. Previously, job postings listed primarily “hard” skills such as experience with a particular application, accounts payable, HR, programming languages, etc. But, pushed by the demand for better worker engagement, the need to improve culture, and the realization that hard skills are only a fraction (by one estimate, 15%) of what a person needs to succeed in a role or in the workplace in general, organizations have begun to value soft skills, including customer service skills, even for roles that are not customer facing.
In one example, JPMorgan (a bank) significantly decreased the share of its hires with finance and business degrees in favor of those with science, math, international relations, political science and psychology degrees. The data on failed hires point the same way: hiring primarily for hard skills isn’t the best strategy, as “almost half of new hires (48%) fail within 18 months. Just 11 percent of those failures are due to a lack of hard skills; the rest (89%) stem from a lack of soft skills”.
Notes on soft vs. hard skills:
- Consider hard skills to be just one factor in hiring or promotional decisions. In promotions to a leadership position of any type, hard skills should be one of the least important considerations.
- Be careful when writing job postings and adding too many hard skills to the list. You could lose some of the best candidates who lack one or two of the hard skills listed.
- Weigh soft skills as more valuable than hard skills. Hard skills can be taught much more easily.
- For existing staff who lack soft skills, invest in training for soft skills, but if they are unwilling to change then consider modifying their role to be less people facing.
Cybersecurity implications of soft and hard skills: Hard skills build the technical controls, but preventing breaches also requires security awareness training. According to Verizon, 90% of data breaches have a phishing or social engineering component. So the best strategy combines technical controls (such as multi-factor authentication, which limits what a phished password is worth), security policies, and security awareness training, where the soft skill is the habit of noticing the oddities in a well-crafted social engineering attempt.
Check out our NIST Cybersecurity Framework Certification training for more on these topics.
- Workplace Flexibility
Millennials (and Gen Z, as it enters the workforce) recognize the power of technology in shaping how, when and where work can be done. Remote work has become an accepted standard practice for a large percentage of organizations and continues to grow in popularity. Remote work is good for the environment (another factor important to many) and for the business, and remote workers are generally happier and work more hours.
Another factor in workplace flexibility that’s starting to become recognized? A four-day work week. Companies around the world are either experimenting with or have transitioned to this model. Microsoft Japan is one example; it reported a 40% productivity increase during its trial. In fact, multiple studies have shown that a four-day work week is better for both the organization and the employees: engagement increases, productivity increases, and worker happiness increases.
Cybersecurity implications of workplace flexibility: Remote work affects cybersecurity in a few different ways:
- Security of the connection to the organization
When a staff member connects from the outside (home, a coffee shop, hotel, etc.) the first question a security professional should consider is: how do we secure the connection? Most organizations use VPNs, and from a security point of view, since all connections to internal resources should be encrypted, a VPN that authenticates the user (ideally with multi-factor authentication) is a sound solution. In addition, access to web-based resources should always use HTTPS (hypertext transfer protocol secure), whether or not a VPN is in use, because the VPN only protects the path to the VPN gateway, not the traffic beyond it.
- Security of the device connecting to the organization
VPNs are great, but an insecure device connected to your internal network creates a giant security hole. The recommendation is that personal laptops and desktops not use the corporate VPN; it should only accept devices issued by the organization, over which you have policy and security control. However, weighing the CIA Triad, some organizations may elect to allow personally owned laptops and desktops. Personally, I think that availability (the A in the CIA Triad) is not significantly affected by requiring users to always connect to the VPN from a corporate owned and managed device. The decision must be made by each organization, and there are several device ownership models to choose from: BYOD (Bring Your Own Device); CYOD (Choose Your Own Device); COPE (Company Owned/Personally Enabled); and COBO (Company Owned/Business Only).
You’ll notice I didn’t specifically mention smartphones. Except in highly secure industries (military, government, critical infrastructure), many organizations allow BYOD smartphones with an MDM (mobile device management) solution. This is a good compromise between security and availability, provided the organization has policies that govern where corporate data may be stored, the ability to remotely wipe corporate data, and so on.
For more information on these topics check out Securing Windows Server 2016, Implementing Cisco IOS Network Security, CompTIA Security+, CompTIA CySA+, and Certified Ethical Hacker.
- Work hours
If your organization restricts when people can access resources based on a time range (such as 9am – 5pm), those policies may need to be adjusted for remote and flexible workers. They will occasionally work outside that range, and they may be in a different time zone from the servers enforcing it, so a window written for office hours at headquarters can lock out a legitimate user in the middle of their working day.
- Four day work week
The four-day work week doesn’t have any specific implications for cybersecurity outside of an already well-crafted cybersecurity program. For more details on analyzing your current cybersecurity program, and improving it by aligning with the NIST Cybersecurity Framework, check out our NIST Cybersecurity Framework Assessment Program.
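To make the work-hours point concrete, here is an added example (not code from the original post) of a time-window access check that evaluates the window in the user’s own time zone rather than the server’s UTC clock, and allows a short, logged grace period after hours. The policy store, the user “alice”, her Chicago window and the grace period are all constructed for the example; the `naive_check` function shows the server-clock mistake the text warns about, for contrast.

```python
"""Time-window access check for remote/flexible workers.

Added example, not from the original post. Assumes a hypothetical policy
store in which each user's allowed window is expressed in the user's own
time zone, with an optional grace period after the window closes.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Dict, FrozenSet, Tuple
from zoneinfo import ZoneInfo


@dataclass(frozen=True)
class AccessWindow:
    """Allowed logon window, expressed in the user's home time zone."""
    start: time                       # inclusive, local to `tz`
    end: time                         # exclusive, local to `tz`
    tz: tzinfo                        # zone the window was written for
    weekdays: FrozenSet[int] = frozenset(range(5))  # 0=Mon .. 4=Fri
    grace: timedelta = timedelta(0)   # tolerated overrun after `end`


def naive_check(attempt_utc: datetime, window: AccessWindow) -> bool:
    """The mistake to avoid: comparing the server's UTC clock against a
    window that was written for someone else's office hours."""
    return window.start <= attempt_utc.time() < window.end


def check_access(attempt_utc: datetime, window: AccessWindow) -> Tuple[bool, str]:
    """Evaluate the attempt in the user's local zone. Returns (allowed, reason)
    so the reason can be logged with the decision."""
    if attempt_utc.tzinfo is None:
        raise ValueError("attempt time must be timezone-aware")
    local = attempt_utc.astimezone(window.tz)
    if local.weekday() not in window.weekdays:
        return False, f"deny: {local:%A} is not a working day"
    now = local.time()
    if window.start <= now < window.end:
        return True, f"allow: {local:%H:%M %Z} inside window"
    # Grace period: measured from the window's end on the same local day.
    end_dt = local.replace(hour=window.end.hour, minute=window.end.minute,
                           second=0, microsecond=0)
    if now >= window.end and local < end_dt + window.grace:
        return True, (f"allow: {local:%H:%M %Z} within {window.grace} grace "
                      f"after {window.end:%H:%M} (log for review)")
    return False, (f"deny: {local:%H:%M %Z} outside "
                   f"{window.start:%H:%M}-{window.end:%H:%M}")


# Constructed sample policy: a remote worker based in Chicago with a
# 09:00-17:00 window and a one-hour grace period.
POLICIES: Dict[str, AccessWindow] = {
    "alice": AccessWindow(time(9, 0), time(17, 0), ZoneInfo("America/Chicago"),
                          grace=timedelta(hours=1)),
}


def evaluate(user: str, attempt_utc: datetime) -> Tuple[bool, str]:
    """Look up the user's window; users with no window on file are denied (fail closed)."""
    window = POLICIES.get(user)
    if window is None:
        return False, "deny: no access window on file"
    return check_access(attempt_utc, window)


if __name__ == "__main__":
    # Wednesday 22:30 UTC is 16:30 in Chicago (CST, UTC-6) in January.
    wed_late = datetime(2020, 1, 15, 22, 30, tzinfo=timezone.utc)
    print("naive (server clock):", naive_check(wed_late, POLICIES["alice"]))
    print("zone-aware:", evaluate("alice", wed_late))
    print("after hours, in grace:", evaluate("alice", wed_late + timedelta(hours=1)))
    print("Saturday:", evaluate("alice", datetime(2020, 1, 18, 15, 0, tzinfo=timezone.utc)))
```

The design choice worth copying is that the window is stored with the time zone it was written for, and the decision function returns a reason string; the grace-period allow is deliberately worded so it stands out in logs, which is the compromise between availability for flexible workers and visibility for the security team.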
- Becoming Platform Agnostic
Way back in 2013 Microsoft made a bold move. It introduced the Office apps for iOS and Android, for free. In late 2019 it released the most current version, combining the apps into a single download and install, all accessible under the Office moniker. Other software manufacturers and app authors have followed suit, though not always for free. In fact, at this point the operating system is becoming less of the focus for computing tasks; the focus is shifting to the applications themselves.
The platform (hardware and operating system) is not yet irrelevant, but becoming platform agnostic is the direction of technology. I move relatively seamlessly from creative work (such as writing) to administrative work using both mobile operating systems and Windows operating systems.
The rise of Chromebooks supports the idea that having a specific platform is no longer a major factor in some device purchase decisions. Between web-based versions of applications, PC installs and mobile apps we truly are approaching the age of any device, anywhere, anytime.
Cybersecurity implications of becoming platform agnostic:
We still must consider the security of the platform (hardware and operating system) in a platform agnostic scenario, but recognize that our control of the platform is significantly diminished. MDM for BYOD will help in this regard. With the focus shifting to the applications, application security must be given a VERY high priority: the application, and the identity used to sign in to it, become the control points that stay constant from device to device. In fact, the new CySA+ exam (in beta as of this writing and live in April 2020) has an entire section dedicated to application software security. More details on LRS Education Services CySA+ training.
- New Privacy and Security Laws
You may remember that the EU’s GDPR (General Data Protection Regulation) came into effect in May 2018. You may also know that the California Consumer Privacy Act is now live as well. In the United States, at least 11 states have enacted, or will soon enact, new privacy and/or security rules.
The privacy laws govern how personal data must be managed and what options consumers have over how their data is used or removed. The security laws deal with data breaches (including notification), definitions of private information, access controls, etc. Some of these new laws and regulations reach far outside state or national boundaries, because they apply to organizations that serve residents of the jurisdiction wherever the organization itself is located. It’s likely at some point the federal government of the United States will create centralized privacy regulations as well.
Cybersecurity implications of new privacy and security laws:
Each organization must analyze which jurisdictions it operates in and which regulations and laws apply. From there, changes to internal policies and new capabilities that let individuals manage their own data (access, correction, deletion) may be necessary. There will be significant work involved, but it’s better overall for businesses to allocate the time and resources than to face stiff penalties. Work with your legal and/or compliance personnel (or bring in outside professionals if necessary).
This is certainly not an exhaustive list, but we hope it’s given you a glimpse of the recent changes and near future of the workplace and the cybersecurity implications. Over the last decade we have seen many changes in cybersecurity and the workplace, and in this new decade the pace is only accelerating. Some of the changes we’ve listed here already have broad acceptance and others are relatively new to the marketplace. At LRS Education Services we love seeing changes, because we’re all about helping you grow in your skills, abilities, and perspective.
What are your thoughts on the areas we’ve mentioned in this article? We always appreciate hearing from our readers! Drop us a line at firstname.lastname@example.org.
Happy New Year!
– Troy Stoneking
NIST Cybersecurity Professional (NCSP) Trainer and Practitioner, CompTIA CSAP, CySA+, Security+, Microsoft MCT, MCSE, CWNP, ITIL Practitioner