Security and HR teams must work together in a hybrid work world

Hybrid work is the new normal. The COVID-19 pandemic accelerated the distributed workforce trends that were already well underway thanks to the flexibility of cloud computing, a key aspect of digital transformation. Now, employees of a majority of businesses expect to be able to perform their jobs optimally from any location, using the devices of their choice.

Hybrid work expectations include:

• Fast, secure access to corporate resources from wherever employees are located, including seamless transitions into and out of the office network and access to local and cloud resources.
• Being able to use any device (that is, a personal iPhone or iPad or a work laptop) from any location — home, work, coffee shop, a plane — while trusting that security controls will be there.
• Less (or no) time spent commuting and no friction when requesting resources they need to do their jobs effectively.

Robust support for hybrid work isn’t just a means to happier and more productive employees. It also directly correlates to growth. Companies traditionally hamstrung by talent pools tied to office locations can now access the best talent in the world, regardless of location. And a recent Accenture study noted that nearly two-thirds of high-revenue-growth companies are now embracing fully hybrid workforce models, and that workers themselves prefer a hybrid model — instead of a prescribed “in the office here, out of the office there” model — 83% of the time. Today and for the foreseeable future, talent retention has made embracing hybrid work not just good business, but a matter of competition and survival.

Netskope’s chief people officer, Marilyn Miller, and I see this current environment as a massive opportunity for security and technology teams to get much more strategically aligned with human resources teams, also known as people teams. There’s long been an important relationship between these corporate functions, and creating a cyber-awareness culture — where security responsibilities are known to and practiced by all employees — has been a priority for Global 2000 enterprises for at least a decade. But in the hybrid work era, this relationship between security and HR needs to go well beyond working on cyber culture and assessing the risks of employees “on the way in” (when they start with the company) and “on the way out” (when they depart).

The evolution of this relationship shouldn’t be overlooked in the rush to establish functional hybrid work environments. Forward-thinking teams are already using their shared mission — both security and HR teams are invested in protecting sensitive data — as a way to start that evolution. I asked Marilyn to work with me on a shared set of suggestions for how security and HR/people teams can better collaborate.

The modern security team meets the modern people team

Remember: the security and HR leaders of 10 years ago were not dealing with today’s generational sea change of hybrid work. Talented employees today may feel less connected, and therefore less loyal, to employers, following shifts in employer ownership brought on by mergers and acquisitions, or by being in remote-first environments with limited physical connections to employers and managers. There are many other reasons, too, and most are newer challenges that have forced employers to question their playbooks for people management. This shift is also the perfect time to re-examine the role technology plays, including what security teams must do to keep up.

Our discussions with our peers in technology and HR organizations suggest the relationships among security and HR teams have a long way to go to become truly strategic. Here’s some actionable advice on how to accelerate and strengthen that collaboration:

Get back your visibility and invest in modern data protection

In a previous generation, critical company data sat inside the corporate network, easily guarded. Today, data moves and is accessed from everywhere, due in no small part to the explosion of cloud and SaaS applications — many of them unsanctioned by corporate IT teams — in use by the enterprise. Because of this shift, organizations using outdated security and networking technology have fallen behind, and are no longer able to monitor what their employees are doing with data, let alone interpret the context in which they seek to access data.

Modern technology frameworks such as Secure Access Service Edge (SASE) prioritize data protection suited to an era when cloud applications dominate business. Teams must invest in this technology to get back visibility into what’s happening with their data. The best solutions offer forensics and insight into questionable employee behavior: Not just the explosion of movement of company data into personal apps that comes during the last 30 days of employment, but the subtler signs that employees have been moving important company data into personal cloud application instances, perhaps for a much longer period than a few months. Modern data protection — remember that shared mission! — is achieved when security controls follow data wherever it moves and access to data is governed by the context with which access is being requested.

Using security as a cultural enabler

The security team has for so long been the department of “No, you can’t do that.” But forward-thinking teams are now employing real-time (or just-in-time) coaching techniques — powered by advancements in AI for data protection — to help guide employees toward safer behavior. For example, when an employee appears to be entering sensitive data, such as a social security number, into a website prompt, or sending screenshot images through workforce applications like Slack, solutions can pop up and engage the employee to question (not automatically block) the activity.

This is as much a cultural shift as it is a technology shift. Security teams understand this as an example of what technology can do to manage risky behavior. HR teams understand it as a benefit for employee experience. Marrying the thinking among those teams creates a powerful demonstration of culture: ”We’re here to help you and de-risk your experience to make your work, and the time you spend here, better.” It also provides more protection to the company than hoping employees remember cyber-awareness training.

Insist on accountability

Sometimes there’s a fine line between “Big Brother”-style surveillance of employees (“We’re watching you”) and creating a trust balance among work-from-anywhere employees who are no longer being careful with company resources or are growing absentminded about security hygiene, certain that questionable behavior isn’t being watched while they’re home or at the local coffee shop. When security and HR are both preaching enablement for all to embrace hybrid work, teams feel more connected and rogue behavior is minimized. When trust is violated, leadership must also speak with one voice, and address violations swiftly and specifically.

Collaboration between security and HR is imperative

A final note: This new and better collaboration among security teams and HR will inevitably change the ways both teams hire. You will need more people — especially senior leaders — who can act independently, and who can go into a “higher gear” when it comes to managing a workforce that is both diverse and dispersed.

In your hiring conversations, spend more time uncovering whether your prospective hires are thinking about these challenges for a hybrid work era, or merely trying to graft old-school thinking onto the way we live and do business now. It will save you a lot of time and management headaches if you identify and prioritize forward-thinkers who want to solve today’s and tomorrow’s talent retention challenges and view technology solutions as going hand-in-hand with workforce culture and employee experience. 

Jason Clark is chief strategy officer and chief security officer at Netskope.