Taking the first steps toward a hybrid-first cybersecurity environment

Hybrid cybersecurity

Ian Jennings, CEO Technical & Operations, BlueFort Security, gives us his insights into the future of the workplace and the hybrid environment.

With the New Year in full swing, physical offices have remained largely empty, and while official work from home advice is still in place, it’s become clear over the last two years that, by and large, people enjoy flexible working.  With ‘Plan B’ restrictions coming to an end in the UK, the question of an office return is in the air.  But while people will be free to return to the workplace, it’s unlikely things will ever go back to the way they were pre-pandemic. 

With a successful vaccine rollout, many businesses took an optimistic outlook in the second half of 2021.  Some, such as business answering services provider Moneypenny, brought virtually all of their staff back to the office as soon as reasonably possible.  Many organizations, however, have taken a hybrid approach.  Indeed, a closer inspection of Google’s billion-dollar bet on a return to office working reveals a clear ambition to create a new and permanent hybrid working culture; a working culture where employees are encouraged – but not required – to be in the office.  

Hybrid working cybersecurity challenges

A long-term hybrid working culture – particularly following two years of employees largely working remotely – presents a significant challenge for Chief Information Security Officers (CISOs).  In a recent survey of 600 UK CISOs, 30% admitted that since March 2020 they have lost track of movers, joiners, and leavers.  What’s more, 29% stated they are missing corporate devices.  The key challenge that CISOs are facing is mitigating the ever-increasing cybersecurity risk brought about from the growing complexity of their IT environments.  Their number one priority in 2022 will be IT discovery.  After all, it’s virtually impossible to effectively protect what you don’t know is there.

Security teams must now contend with user sprawl and device sprawl.  In the past, their focus would have been on securing one main location – the office.  Now, location is a fluid notion.  The concept of networking in this context is increasingly difficult to define.  To help overcome this challenge it’s vital to compile an in-depth – and ongoing – view of the organization’s IT estate.  Only by knowing what assets you have within your environment can you apply effective security controls. 

A hybrid-first security mindset

Procedures and processes for this new world need to be reviewed from the ground up – all with a hybrid-first policy.  The challenge is not insurmountable for security leaders that remain flexible and adopt new ideas.  Desmond Tutu once said that “there is only one way to eat an elephant: a bite at a time.”  What he meant is that everything in life that seems daunting, overwhelming, and even impossible can be accomplished gradually by taking things one step at a time.  For CISOs facing this challenge, the overarching focus should be on improving visibility, intelligence, and control over their network and devices.  Breaking this down, there are three key first steps CISOs should be considering:

1. Visibility: Focus on identity

Identity runs through the core of visibility, intelligence, and control.  Start by establishing who your users are, what they have access to, and building a robust joiners and leavers program.  Any and every user account that has been neglected in some way over the last two years is a potential weak point.  The culmination of this has led directly to the data sprawl now endemic in organizations.  Security teams need to understand everything that is happening on the network in an identity context – whether that’s a human user or a connected device – before they can begin to get them under control.

2. Intelligence: Look at new technologies

A new hybrid-first security framework requires modern technology solutions.  Extended detection and response (XDR) is a good example.  Many CISOs will be grappling with the decision of where to focus their immediate efforts – applications, devices, or the network.  XDR pulls all three areas together.  As well as the network, XDR gives visibility into the cloud and certain software as a service (SaaS) applications – visibility on the application level as well as the device. 

These capabilities will be crucial in a new hybrid-first framework, moving the traditional security operations center (SOC) focus from the office network to a much wider and deeper view of the organization’s environment.  The threat landscape is now fundamentally different.  Less focus on the office and network and more focus on applications and devices will provide a better and more holistic view of risk, what’s happening in the environment, and where the organization’s exposure resides.

3. Control: Design from the ground up

Security strategies that were created even three years ago are now obsolete.  The pace of change is increasing exponentially and sitting on the fence is no longer an option.  CISOs need to adopt policies and procedures that deal with location independence and network independence.  Hybrid working is now ‘business as usual’ and CISOs must work to design modern, fit-for-purpose hybrid-working strategies from the ground up.  Perhaps the worst thing any CISO could do as employees return to the office is to carry on as though they were operating in a pre-pandemic world. 

Read More:

The hybrid-first world has new and very different demands, but the mistake to avoid is viewing this as a bad thing.  There is a multitude of benefits to be realized.  Ultimately, organizations will have more secure applications and devices.  As policies and procedures mature, organizations will enjoy more agile and robust business processes.  But before this can happen, there is baggage to dispose of, plasters to remove, and new perspectives to cultivate.  For those willing to think differently, hybrid working will ultimately provide the catalyst for a more secure environment.

Click here to discover more of our podcasts

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Ian Jennings

Ian co-founded BlueFort Security with David Henderson in 2007 to deliver cyber-security specialist technical expertise and support to businesses that were becoming increasingly at risk from ever-sophisticated cyber attacks. Together the pair have built an award-winning business with a proven track record in delivering complex solutions around remote access, cloud transformation, and zero-trust application delivery.

Ian has 20 plus years of cyber security technical skills and knowledge which underpin the services and support that BlueFort Security delivers to its customers. Under Ian's guidance, the BlueFort team has secured a wide range of cyber security credentials including Cyber Essentials Plus, ISO27001, ISO9001, as well as a number of vendor-specific accreditations including FireEye partner recognition award 2018, RSA partner of the year 2018, MobileIron outstanding engineer award 2015 and RSA Top partner of the year 2011.

Prior to founding BlueFort Security, Ian held senior technical roles with Armadillo Managed Services and Interop Technologies. He holds a BSC in Computer Science and Management Studies from the University of Leeds.

Birmingham Unveils the UK’s Best Emerging HealthTech Advances

Kosta Mavroulakis • 03rd April 2025

The National HealthTech Series hosted its latest event in Birmingham this month, showcasing innovative startups driving advanced health technology, including AI-assisted diagnostics, wearable devices and revolutionary educational tools for healthcare professionals. Health stakeholders drawn from the NHS, universities, industry and front-line patient care met with new and emerging businesses to define the future trajectory of...

Why DEIB is Imperative to Tech’s Future

Hadas Almog from AppsFlyer • 17th March 2025

We’ve been seeing Diversity, Equity, Inclusion, and Belonging (DEIB) initiatives being cut time and time again throughout the tech industry. DEIB dedicated roles have been eliminated, employee resource groups have lost funding, and initiatives once considered crucial have been deprioritised in favour of “more immediate business needs.” The justification for these cuts is often the...

The need to eradicate platform dependence

Sue Azari • 10th March 2025

The advertising industry is undergoing a seismic shift. Connected TV (CTV), Retail Media Networks (RMNs), and omnichannel strategies are rapidly redefining how brands engage with consumers. As digital privacy regulations evolve and platform dynamics shift, advertisers must recognise a fundamental truth. You cannot build a sustainable business on borrowed ground. The recent uncertainty surrounding TikTok...

The need to clean data for effective insight

David Sheldrake • 05th March 2025

There is more data today than ever before. In fact, the total amount of data created, captured, copied, and consumed globally has now reached an incredible 149 zettabytes. The growth of the big mountain is not expected to slow down, either, with it expected to reach almost 400 zettabytes within the next three years. Whilst...

What can be done to democratize VDI?

Dennis Damen • 05th March 2025

Virtual Desktop Infrastructure (VDI) offers businesses enhanced security, scalability, and compliance, yet it remains a niche technology. One of the biggest barriers to widespread adoption is a severe talent gap. Many IT professionals lack hands-on VDI experience, as their careers begin with physical machines and increasingly shift toward cloud-based services. This shortage has created a...

Tech and Business Outlook: US Confident, European Sentiment Mixed

Viva Technology • 11th February 2025

The VivaTech Confidence Barometer, now in its second edition, reveals strong confidence among tech executives regarding the impact of emerging technologies on business competitiveness, particularly AI, which is expected to have the most significant impact in the near future. Surveying tech leaders from Europe and North America, 81% recognize their companies as competitive internationally, with...