Hollee Mangrum-Willis, ISACA Deputy Director of One in Tech

Lessons Learned from a Year of Remote Work

Screenshot of the PAGE TO PODCAST host Hollee Mangrum-Willis, ISACA Deputy Director of One in Tech; Tom Conkle, CEO, Optic Cyber Solutions; and Kelly Hood, EVP, Optic Cyber Solutions.

Here’s what we’ve learned about cybersecurity from a year of remote work.

Working remotely with unsecure networks presents many challenges. Optic Cyber Solutions’ Kelly Hood and Tom Conkle discuss what we’ve learned over the last few years about how to improve cybersecurity for remote staff. 


You’ll learn

  • Technical solutions to improving security using VPNs, enabling MFA, encryption, and more 

  • Real-world examples of security challenges faced by companies with remote teams

  • Effective ways to protect organizational data through training and awareness 

Who is this for?

  • Security Professionals

  • Business Leaders

Host

Hollee Mangrum-Willis
ISACA Deputy Director of One in Tech

Guest speakers

Tom Conkle
CEO, Optic Cyber Solutions
Kelly Hood
EVP, Optic Cyber Solutions 
Transcript

0:00 [Music]

0:06 this is ISACA's Page to Podcast [Music]

0:13 hello everyone and thank you for joining us today my name is Hollee Mangrum-Willis

0:18 and i am the deputy director of ISACA's foundation One in Tech joining me today are kelly hood and

0:26 Thomas Conkle cyber security engineers for optic cyber solutions they are also the authors of a

0:34 blog post on isaca.org entitled lessons learned from a year of

0:40 remote work published last fall now because they are the experts i am going

0:45 to allow them to introduce themselves and tell you a little bit more about who they are and what they do so if we could

0:52 start off first with kelly kelly please introduce yourself and welcome

0:57 hi thank you so much we're so excited to be here today to talk with you about working remotely and all the the

1:03 exciting challenges we've seen over the last few years it's funny um so

1:08 as we i guess before we get into that yeah my name is kelly hood i work for optic cyber solutions as you mentioned

1:14 um so most of what we do is we do a lot of assessments implementation advising helping companies figure out what it is

1:20 that they need to do to secure their their business how they protect their business protecting their data and

1:27 we've been doing those assessments and helping them with those challenges a lot over the last few years

1:32 fantastic thank you so much kelly and tom please introduce yourself

1:37 hi hello and yeah thank you for giving us the opportunity to talk uh to you today looking forward to this discussion

1:43 um as you mentioned yes Tom Conkle uh with optic cyber solutions i'm a cyber security engineer have about 20 years of

1:49 experience working with organizations and helping them perform security assessments and understand what are the

1:54 challenges that they face in security and how do we put operational practices in place so that they can manage their

2:00 business appropriately and securely with that so um as you mentioned you know within the last couple of years with

2:06 with the pandemic and everything we've been working with a lot of organizations and helping them transition to either a

2:12 full remote work capacity or a hybrid capacity and looking forward to sharing some of that experiences with you today

2:17 well thank you so much tom and let's just hop right in what have you both found

2:23 were the biggest pain points in helping organizations transition to

2:29 this work from home and hybrid model um because i know everyone

2:36 a lot of employees myself included were like yes

2:41 and everyone was excited but there were a lot of things that were on it that were um not anticipated in that

2:47 transition which of course is where you have come in so what were the what were the biggest challenges that you found

2:54 needed to be addressed yeah i think that's a great question and really one of the biggest things is just

2:59 the change like you mentioned how it was really a change that everybody had to make very quickly

3:04 um and it hadn't really been anticipated before some companies we worked with had actually had had a partially remote

3:10 workforce already which helped them a great deal but really that that speed of change that was required as we all went

3:17 and started working from home um making sure that we had the right security protections in place and what does that

3:22 mean from home really figuring that out i think was one of the initially one of the biggest problems of what does it

3:27 look like to operate securely from from your home absolutely now tom

3:34 can you talk a little bit about because because kelly mentioned speed

3:39 right so in the overall landscape of the enterprise security

3:47 wheelhouse right what was the overarching challenge for the business as far as having to transition

3:54 so quickly and you know be solution oriented in a way that they've never had to be

4:00 before right exactly because it hits so quickly for most organizations no one had really

4:06 or very few organizations had planned for something like this and sending their entire workforce home uh almost

4:11 overnight uh with it so in a lot of cases organizations took workstations right didn't even have laptops uh for

4:18 for their employees so they sent their workstations home with employees uh and told them to just continue working and

4:24 didn't have really the resources and the capabilities they needed to keep up and working so we did see a lot of solutions

4:29 you know at first where people just went from home joined their home network uh

4:35 and were able to continue moving on and then you know over time we were able to start layering in some of the security

4:41 protections but even then that came with challenges because of the pace in which it was moving forward we saw a lot of

4:46 organizations starting implementing vpns right so that we could have a

4:51 private secure network you know from the remote worker into our environment into

4:57 the corporate environment we could monitor the traffic and look at it but that caused problems organizations couldn't handle the increase in

5:03 bandwidth that was requiring as the connections were coming into place so they had to quickly adjust for that you

5:09 know in the converse of that of the organizations that didn't uh implement vpn technologies uh you

5:15 know they had they were using a lot of cloud services many of us use you know things like office 365 uh or amazon web

5:22 services and we don't have to normally go back to the corporate network so they were you know when they were sent home

5:27 and said to continue doing your job right they would just connect directly to these resources and in effect bypass

5:34 some of the enterprise solutions and capabilities that we had and then this led to challenges you know uh because

5:39 people weren't coming onto the corporate network and enabling the vpn they weren't getting updated security policies they weren't getting updated

5:45 security patches so we had to go back and implement capabilities for these organizations that said you know we need

5:52 to monitor to make sure that people are connecting back to the enterprise that they're getting the that uh hygiene uh

5:59 information pushed to them this updated security policies getting the patches applied appropriately to help us kind of

6:05 adjust for that that quick transition so so it's funny tom i as you were

6:10 giving your response i was watching uh you looked a little jovial and had a

6:16 little bit of smirk and and the reason why i picked up on it i said tom is thinking about all of the

6:24 face palm moments he's encountered and trying to fix

6:30 you know in trying to better secure uh infrastructure as folks will work from

6:37 home can you can either of you share like one or two of those facepalm moments that companies or even employees

6:45 didn't realize were a thing that needed to be considered in this transition to

6:50 hybrid and work from home models there's so many to choose from

6:56 with that i think some of the the biggest things that i i don't know interesting things um that i

7:04 found is actually the uh printers there are still plenty of people that like to print out and read and work from hard

7:11 copy and in order to keep them up and running the organizations told them you know here just just take the printer

7:17 home we'll let you have the printer and in a sense they really didn't realize what that meant right so if you sent you

7:22 know your finance team home with a printer and said you know here's your capability and didn't realize well

7:29 that means they're going to be printing our financial tables they're going to be printing you know our bonus structure right and having this paper lay around

7:35 at their um you know in their home office or other locations right not knowing where it was being secured right

7:41 we had to go back and say okay now when we issue a printer we need to issue a shredder right so that if they no

7:47 longer need to need that sensitive information they're printing how do we protect it right or we're going to provide them a lock box so that as they

7:53 print the material and then when they go away at night they can uh lock up those financial papers so that they don't

8:00 become you know coloring pages uh for the kids when they get bored later that evening

8:05 that's terrible not coloring pages oh i know there are cfos everywhere that

8:11 are like yes it happened it happened so

8:17 thank you so thank you for sharing that kelly do you have any facepalm moments that that you've encountered

8:23 right i think so much of it comes back to those yeah difference of expectations where you assume of course you know

8:28 they're going to be protecting that information that you're sending them home with whether it's you know printing out the financial information or even

8:35 you know who you're letting come through your house so many people didn't have a home office or you know still don't have you know a designated office in their

8:42 home and so they're working out of the dining room table or on the couch and as you're doing that you're you're having

8:47 these you know potentially sensitive discussions about you know either you know business plans or customer

8:52 information and then if you're having those conversations while your spouse is cooking dinner in the other room

8:57 and just really thinking you know it's you know having discussing those you know the expectations of who's around and how do

9:04 you handle having that type of information in a home environment now so in your opinion what who

9:12 what entity was harder to adopt um

9:17 safer in some more secure protocols what where was it the employees which you know could range

9:25 could run the gamut right or was it the enterprises who

9:30 you know didn't who may not have seen the the benefit in

9:36 better security that's such a good question because i think it's really it's kind of every

9:42 you know it's such a challenge on both sides especially as organizations transitioned we saw in most cases

9:48 that you know as the companies that were able to transition to working from home often you know able to keep doing

9:54 business and kind of business as usual but it was that security piece as you mentioned that was often lacking that we

10:00 didn't realize until later or that there wasn't time to address so everybody was continuing to you know run payroll every

10:06 month or you know having the doing you know achieving their job and you know doing those things it just was done in a

10:12 less secure manner that now we're having to kind of look back and say oh how do we clean that up how do we do that a little better especially now that we're

10:18 seeing that most companies are staying remote or at least partially remote as it's you know we found that balance that

10:24 employees really enjoy and it really helps is how do we how do we do this in a more secure way long term knowing that we're

10:30 still going to be protecting ourselves thank you for that um

10:36 what advice or what considerations [Music]

10:42 would you offer companies who are trying to make the decision um for more permanent work from home or

10:50 hybrid models what consider what things should they be considering in that decision-making process

10:57 um you know maybe even some blind spots that they may not be attuned to um for a

11:05 longer term solution because a lot of this work and we can agree a lot of this work was done

11:10 um or this transition was done thinking that it was just a fluke or a phase no one ever saw this happening or

11:16 continuing for a year or multiple years so now because of course and you know a lot of

11:23 the examples that you've given have been financial so of course companies are looking at their bottom lines right so

11:31 as they make these decisions about more permanent solutions what are things that enterprises should

11:38 be considering um for long-term implementation of these

11:43 work models yeah that's a that's a very good question and unfortunately there's quite

11:48 a lot of things to consider um but i think it ultimately goes back to just like any other business decision right

11:53 so as we make this you know come to the realization of this understanding that you know uh remote

11:59 work is probably here to stay for the most most organizations how are we going to handle that from a business side

12:04 right what does the business aspects mean because some organizations it's you know uh that provide customer service

12:10 for example they're really interested in availability and making sure that their staff are available to get to those customers questions and concerns so in

12:16 that case we need to make sure that we have capabilities in place so that they have uh you know resources available to

12:22 them so that they can get on to the internet right do they have you know a hot spot as a backup so that you know if

12:28 their home network goes down that they can jump onto the the hotspot because the availability is the most critical

12:34 thing to them where other organizations are really worried about the confidentiality of information and that financial data that we've been talking

12:40 about right so that's when we need to look a little bit more closer at do they have the ability to secure their data

12:45 right do we have you know the vpn type technologies and those capabilities in place so that as they transfer the data

12:51 from their their network into the enterprise network that it remains protected so i think it is a longer term

12:58 business kind of discussion to say what are we trying to protect and then putting those capabilities in place and again just like everything else i think

13:05 most users uh you know they want to do the right thing um as long as it's easy right and it's

13:10 something that helps fit into their job so are there ways that we can put capabilities in place

13:16 such as the vpn so that you know if once they connect their workstation the vpn will uh create the connection for them

13:22 so that we can isolate them from their home network into our enterprise network

13:27 and minimize uh the the the risk then posed from there being on their home network right most users

13:33 are already getting more comfortable with things like multi-factor authentication even with doing personal banking and things like that so are

13:40 there things you know capabilities that we can help send uh with our employees so that they can use those types of

13:46 technologies uh in a more consistent basis so that they

13:51 can continue working remotely thank you tom and that actually brings me to my very next question um because

13:59 you said continue working on a consistent basis and so as as we make this transition to more permanent models

14:06 right more sustainable models that's gonna have to include some training right

14:11 um and you know in my job so as the deputy director of one in tech we are

14:17 tasked with you know providing pathways to sustain and diversify the landscape of digital

14:24 trust right of of the industry and so what that lent what that lends itself to

14:29 is us building more inclusive models so that regardless of

14:34 gender culture ethnicity um or age

14:40 people can feel included in the industry so what have you found

14:46 are different types of training methods that are inclusive to everyone who has

14:52 to work from home and adjust to a more permanent

14:57 with training just like you know and everything else that we're talking about home people wanted the flexibility and being granted access to it so you know

15:05 working from home one of the biggest things is to remind people uh that you know while you are working from home it

15:11 is an alternate work site right when you had to go to the office you had to badge in you had to protect your information none of this changes we still need to

15:17 protect it making sure that people are provided that training so that we have you know whether it's video snippets

15:22 that they can watch on their own time when it's convenient for them that they're aware of it is one method that we can do it uh making sure that you

15:30 know people have that ready access to it one of the things we found most effective though from many training uh

15:36 aspects is you know how do we make it more real for them so they you know so while we can find uh you know training

15:43 resources that are available on the internet there's plenty of trade security training companies out there but really a lot of the effective

15:49 training comes whenever we can personalize it so that they can see themselves in it and they can see how it's related to um their you know the

15:57 way that they're operating in their their business so again making it you know you know more

16:02 on demand so that they can take the training ones necessary for them and that they can relate to it are two of the biggest things that i've seen uh help

16:09 get you know the point across thank you kelly did you want to weigh in right i think you both made great points

16:15 about just the the relatability of it and making you being able to see yourself in that training if it feels like just a checklist of make sure you

16:22 use the vpn make sure you're using multi-factor authentication you know just do this do that do that you know you're gonna take the training hopefully

16:29 pass the quiz at the end and then move on with your day and forget about it but if we can really focus that training on

16:34 you know factoring that into how do you how do you operate on a daily basis how do we build this into your normal routine you know how do you you know

16:41 making it more personalized and more you know scenario based or using examples or we see a lot more of the phishing

16:47 training that's going on with sending you know phishing emails um where it's just more more hands-on i think all of

16:53 those things are great ways to to make those those concepts stick a little bit more so that it's not just oh i do my

16:59 annual security training and then or i think it was annual maybe it was two years ago you know making it a little

17:04 bit easier to remember and you're actually retaining that information rather than being just a kind of a check box of you know well we we've achieved

17:11 training okay so we've talked to we've talked a lot

17:16 about um existing security setups and evolving

17:22 our security setups um or infrastructure partners evolving

17:28 our security infrastructure for these work from home and hybrid models what about the companies who

17:34 don't know where they stand in the in the landscape right so

17:40 how what tips or recommendations do you have for enterprises looking to assess

17:46 how secure they are and how far they need to go to achieve optimal

17:52 security yeah i think that's a great question because it varies so widely from company

17:57 to company what what's important for one company may not be important for another we all know we need to secure our

18:03 business and make sure we're operating securely but but what does that mean to you and i think in a lot of cases and

18:08 kind of going back to an earlier point tom made about thinking about your risks you know is it the confidentiality of

18:13 your data you're worried about that you need to protect that financial information or healthcare information is it the availability of your services

18:20 that you may be in a customer-facing business and you need to make sure that you're always available for a phone call

18:25 or if you're maybe selling products that you want to make sure that's available for purchase you know really thinking

18:30 about your business is that they have the confidentiality integrity availability and and breaking that down for

18:36 you know what is it that matters to us and then taking that trans translating that for security to say

18:42 so how do i protect that what are those key capabilities i need to have in place that ensures those those business needs

18:48 are met and then you can kind of prioritize and go from there and figure out you know what are those technical solutions and there's a lot of

18:54 commonalities there that we're seeing that we've mentioned with the you know multi-factor authentication making sure that people aren't getting into systems

19:00 they shouldn't be using the vpn to help protect those network connections and um you know using you know having

19:07 encrypting information on our drive so there's a lot of commonalities but you know the how you do that and how to

19:13 prioritize it and where to where to focus that dollar because we all know resources are limited time and money um

19:19 and being able to go or being maybe able to be confident that you're putting those resources to the right places

19:25 thank you and tom can you in in your response can you also talk a little bit about how full disk

19:32 encryption comes into play here absolutely um and i think like kelly said it's always important to understand

19:38 you know the business side what are we trying to protect and how it's being protected and we do see increased in the

19:44 amount of full drive encryptions that are used on the remote workstations that are being sent out in the field um you know in many

19:51 cases right it we're no longer taking the performance hit right for encryption so

19:56 it from a you know keeping people working it's not harming them there but what it does is it adds that extra layer

20:03 of security to us so that when people you know shut down their workstation at the end of the day we know that that data is encrypted

20:09 right so now we have ciphertext instead of sensitive financial information um you know so that if someone was to walk

20:16 in to the um to their home office or you know someone was on their way uh you

20:21 know and left it in their car and you know someone you know stole the laptop or something like that they're

20:27 not stealing the financial data they're stealing that encrypted data that we know we have confidence that has been

20:32 protected um and you know gonna help protect the confidentiality of that information because you know a lot of

20:39 times you know while there are targeted attacks where people are trying to steal our corporate information all the time that happens at everything but when

20:45 laptops are left laying around whether it's you know at a remote site or you know whether we um just get up to walk

20:52 away from it for a minute or leave it in our car as we run into the grocery store right people aren't necessarily looking

20:58 for the data on it to begin with what they're looking for is the laptop right something that they can go and sell

21:04 and make a profit on um so by having that full drive encryption in there we just help eliminate that additional

21:10 concern as to whether the you know the data got disclosed whether you know someone is going to use it right we know

21:17 that they didn't have access to it by ensuring that all data on the drive was encrypted

21:23 thank you i appreciate that so we've come to the portion where i like to rub

21:30 a crystal ball and kind of look into the future of of securing our work from home um

21:39 infrastructures right so my first question in that regard

21:44 is do you expect advances in artificial intelligence and other emerging technologies

21:51 to make more of an impact on remote working in the future

21:57 i've enjoyed the uh the field for as long as i have simply because it's a challenge and trying to keep up right it's always

22:03 evolving always trying to understand even with the advent of um you know mobile phones and mobile

22:09 devices and of themselves and people bringing you know having bring your own devices uh concepts to the enterprise

22:15 right that we had to deal with that was a challenge right so yes you know as new technologies advance yeah definitely i

22:21 see increased challenges there and staying ahead um but i also see a lot of opportunity with that as well right so

22:28 as machine learning gets a little bit more improved right are we going to have better capabilities of reviewing you

22:33 know audit logs today audit logs you know there's a ton of data we have a lot of different uh system uh information and event

22:39 monitoring systems or SIEMs that will correlate and look at the data but if we have machine learning concepts in there

22:45 are there better more analytical tools that we can apply to it to look for trends so that instead of waiting until

22:51 a breach occurs and trying to figure out what happened what data they got and get back can we start looking for those indicators a little bit sooner and um be

22:59 able to take actions across forum and help right can we be able to help you know monitor people as they say we work

23:06 remotely so that we could have you know um capabilities of detecting you know um

23:13 uh misuse of systems again so that hopefully we can be more on the preventative side of it so i i

23:18 definitely agree yeah those changes and technologies are going to continue to be challenges but they also bring great

23:24 opportunities for us to continue the field and continue improving our capabilities for providing better

23:29 recommendations and ways to secure data thank you kelly did you have something you wanted to add

23:36 yeah and i think that's a great point that it's just with with those with challenges with challenge brings opportunity and i think we have

23:42 definitely seen a lot of challenges over the last few years with this transition to working remotely but with that we've

23:47 seen also just the way we operate has changed you know moving more into cloud environment rather than having all the

23:53 on-prem systems and and a lot of it and being able to thinking about security from another perspective i think in a

23:59 lot of cases it's forcing companies to to think how do we how do we build security in rather than assuming um that

24:05 it's being that the users are going to which help us achieve that and obviously we've got the training but um but yeah i

24:11 definitely think as as industry changes that's one of the things that's exciting about this field is that there there's

24:17 always changes and we're always going to see that and being able to kind of be along for the ride and and help with

24:22 that um i think is exciting so kelly specific to vpns how do you see

24:30 that evolving in the coming years um especially for usage in remote work

24:38 right i think we're definitely seeing increased adoption of vpns more and more companies are using that you know

24:44 back to how tom i think was talking earlier about protecting making sure that we're not using our local network

24:50 so you know your home network that once you're connected to that vpn you're essentially on your corporate network

24:55 and um and that you that the company then has more control over over that traffic and what's occurring

25:01 there so i think we're definitely going to be seeing um continued increases there as with the

25:06 other technologies just making it easier on the user side where they there's less that they need to

25:11 worry about and more that can be kind of automated in the background by following you know the procedures laid out for

25:17 them so we are going to wrap up in

25:23 a few but i want you to take a moment and think about

25:29 a phrase or just a few words that you would like every

25:36 enterprise to keep at the forefront kind of a a secure model a security uh motto

25:45 and maybe if those words don't apply to the employee

25:50 a security motto for the employee

25:55 that they should that that they should keep in the forefront as they do their as they you know

26:03 uh navigate between hybrid models or working from home or adjusting to working from home and doing so

26:10 much more securely um and intentionally

26:15 it goes back a lot to what we've been talking about all the whole time here we you know in

26:21 you know a lot of organizations when we very very started working with them right we said all right people are going to be uh working you know working

26:27 remotely or they're going to be working from home and it was startling to me or you know enlightening i guess maybe is a better

26:33 word for it is when we just changed the way that we described it instead of you know people are not working from home

26:38 but they're working at an alternate work site that happens to be their home right and getting that mentality of all

26:44 right no it is an alternate work site yes i know when i go into the office again back to i had to badge in i had to

26:50 keep my desk clean i had to lock things up appropriately right none of that has changed right none of those things that

26:55 we cared about in the office uh go away when we're working from home right and if we think of it as an alternate work

27:01 site i think it helps us to keep that mentality in place that says oh that is right i am at work right i do need to

27:08 protect the data i do need to be careful of who's behind me who's listening into these conversations you know none of us

27:14 want to want to say that our spouses are untrusted but do they need to know the you know the bonus structure for our

27:19 company do they need to know annual salaries or our plan going forward not that we think they're going to do anything malicious with it but again we

27:26 need to make sure that we contain that data or in most cases we don't but we need to protect that data so if we just

27:31 remember we're working in an alternate work site and you wouldn't have people you know in your office just hanging out

27:37 if you were having those kind of conversations you know maybe they shouldn't be in the dining room with you working at an alternate work site kelly

27:46 do you have anything you would like to add or a motto you would like to share right no that's funny from the employee

27:52 perspective i was in a similar vein i think thinking about you know would i do this if i was in the office so i think

27:58 that's the same kind of perspective of thinking of home as being that alternate work site rather than being your home

28:03 which it is but yeah what if if i'm going to do something is this something i would still do if i was at the office

28:08 and kind of thinking that through and then from kind of a corporate perspective from an enterprise perspective i think one of the the keys

28:15 especially back to the prioritizing and resourcing and figuring out what matters is just kind of slowing down a little

28:21 bit when you have a second and thinking you know what's most important for the business you know as we roll out these

28:27 additional security capabilities as we think about you know how to you know improve the security or you know

28:34 looking back at how we've been operating over the last few years is it good enough you know we think we need to stop

28:39 and think about what what matters most you know is it back to the confidentiality the integrity the

28:44 availability of our systems or our data that question always jumps out at me

28:49 what do i care about what matters most to us as a business that is incredible and unfortunately

28:57 that is all the time we have this has been such fruitful discussion and i'm sure beneficial to all who will tune in

29:05 and see it um and listen to it and i sincerely thank kelly and tom for

29:11 joining us today and sharing their insights um is there anything else that you all

29:17 would like to add before we get out of here i don't think so actually i want to

29:22 thank you for inviting us to be on today we're excited to be able to share our experiences and and talk through

29:28 some uh facepalm moments and so thank you very much yeah thank you

29:33 thank you so very much uh we appreciate you and we look forward to you sharing

29:39 your next blog post and insights on isaca.org

29:44 to our ISACA community make sure that you check out the original blog post

29:50 lessons learned from a year of remote work on isaca.org

29:56 that's all the time that we have for today thank you for joining us and until next time take care and stay safe

30:05 thank you for joining us today for this episode of page to podcast we hope you enjoyed this episode
