Contributed by Brian Madden, Lead Feld Technologist, End-User Computing, VMware
This article first appeared in CISO MAG. To read more articles like these, subscribe to CISO MAG here: https://cisomag.eccouncil.org/magazine/
I joined VMware a little over a year ago and since then, I’ve traveled to 18 countries and 26 U.S. states to meet with over 160 current and prospective customers. During these customer visits, I listen to their end-user computing plans and strategy, explain VMware’s vision and product roadmap, and discuss how those two might align. The most surprising thing to me after all these meetings is how similar most customers are, particularly when it comes to their most pressing end-user computing challenges.
I know this goes against everything we learn from Dale Carnegie or from Sales Training 101 – “Make every customer feel special!”. and “Each customer is a unique snowflake!” While every customer and conversation is indeed unique, I’ve found that every customer is more or less fighting the same battles when it comes to locking down devices, apps and data.
Here are my top three observations:
Battle #1: A Dissolving Security Perimeter
Do you remember the days when every employee came into the office, logged into a stationary device that was connected to the corporate network, and IT could definitively identify the security perimeter? Those days are far behind us as employees demand to work from anywhere, including from locations outside of areas where IT has control. Employees also want to access apps and data from a variety of devices, even if IT doesn’t “own” them.
As the number of devices accessing corporate data grows, IT faces an expanding security perimeter problem which in turn results in a larger attack surface. To address this, many companies are adopting a “Zero Trust” approach. Put simply, Zero Trust means that all sources attempting to access company data – either from inside or outside a secure company network – must continuously be verified. This “never trust, always verify” mentality ensures the right people have the right level of access to the right resources and in the right context. While there is no silver bullet when it comes to achieving a Zero Trust security architecture, identity, access, and device management are the core technologies that organizations should start with on their journeys.
By implementing these technologies as part of a broader security architecture, IT can verify user identity and device compliance as individuals access company resources irrespective of their physical location.
Battle #2: If Security Policy Diminishes Experience, Employees Will Go Rogue
No matter what security approach IT takes, it must not (but oftentimes does) get in the way of employees’ digital experience. As they watch the corporate security perimeter dissolve, typical IT response and policy is to block application access, which in turn obstructs employee experience and productivity. This will not work. The simple truth is that if IT doesn’t let the employee work in the way they want, employees will find a way to circumvent security tools and processes, putting the organization at even greater risk
VMware recently commissioned research that demonstrates a direct correlation between providing employees with a positive digital experience (i.e., device choice/ flexibility, seamless access to apps, remote work capabilities) and an organization’s competitive position, revenue growth and employee sentiment. So, there is a lot on the line when it comes to making sure your security strategy jives with employee experience.
Again, back to the Zero Trust discussion: With the right architecture in place that puts employee-friendly policies/ tools at the center, IT teams can strike a balance between enterprise security and employee experience. Identity verification, for example, is something employees are used to with the advent of fingerprint and facial recognition security technology. When leveraged to protect company information, the overall experience becomes more natural, familiar, and seamless for employees while also providing IT with the reassurance they need when it comes to security. Win-win.
Battle #3: Security Tool Overload
Another common security pitfall I see customers falling for is buying more products and adding more agents to employee devices. Did you know that cybersecurity teams use an average of over 80 different security products from 40 different vendors? That is crazy. In this security product arms race, what ultimately ends up happening is that InfoSec teams are left with a whole system tray full of agents and nothing is really talking to each other.
The CISO doesn’t know whether the organization is any more secure. Rather, all they know is that they continue to buy more products with the hope of covering every security vulnerability. A new approach is required – one that shifts the mindset away from detecting threats by using more tools, that sends too many alerts and one that burns out IT and InfoSec. This new approach needs to start with a digital workspace platform that has intrinsic security built-in and leverages intelligence from all sources to secure users from apps, endpoints and the infrastructure. So, find solace in the fact that you are fighting the same security battles as your fellow CISO.
The challenge for most organizations is they don’t know where to start. The answer is like that old saying, “How do you eat an elephant? One bite at a time.” A full end-user computing transformation is probably ten (or more?) separate projects, which could take years. The important thing is to focus on small steps that are quicker and easier to implement, but that also provide real value.
The opinions expressed within this article are the personal opinions of the author. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.