IT Security in the Hybrid Work Era
Top Insights from Recast’s Security Webinar
As the many manifestations of hybrid work continue to reshape the business landscape, how can organizations stay secure? Recast Software recently hosted a webinar with two experts to discuss the security challenges of today.
Richard Campbell, a 19-year Microsoft MVP and technology consultant, and Danny Wheeler, Director of IT at Recast, shared valuable, real-world stories and insights on the shifting security landscape. The conversation touched on managing costs, the current hybrid endpoint management reality, and least privilege in practice, among other topics. Let’s dive into the key insights.
The Shift from CapEx to OpEx: Budgeting Reformed
Organizations should consider transitioning from a capital expenditure (CapEx) model to an operating expenditure (OpEx) model. Danny emphasized the impact, saying, “Moving to an OpEx model enables security products to become budgetable and stable expenditures, eliminating surprises.” It’s a strategic shift that better aligns with the fast-paced technological landscape. By adopting the OpEx model, companies don’t encounter unexpected costs, like the “five-year pop” in budget, and can instead plan for a more predictable and sustainable budget.
Security Policies and the Cloud
The shift to cloud certainly affects security policies. “With the shift to cloud and the integration of various devices, it’s no longer just about securing a perimeter. We have to think of security in a more holistic manner. It’s about education, adaptation, and consistent reassessment,” stated Richard. With a multitude of devices accessing data from different locations, traditional security barriers dissolve. What takes their place is a need for robust policies that address individual device security, data encryption, user authentication, and continuous monitoring.
When implementing new security policies, organizations must also consider how they align with broader business goals and regulatory compliance. Danny elaborated, “We have to walk the line between keeping our data and systems secure while not hindering the business process. Striking this balance requires a deep understanding of both technological and business aspects.” Ultimately, a well-crafted security policy must fortify the organization’s digital environment without unduly restricting operations.
Finding Balance: Hybrid as the New Normal
Both Danny and Richard emphasized that not all data or software should be in the cloud, and a hybrid approach can and even should be a new normal for many. They added that cloud “sticker shock” is real and validates the importance of forecasting costs well. This includes making wise decisions about which resources belong in the cloud and which should remain on-prem. Richard flushed out this point by saying, “Not everything should be in the cloud. I think more and more people are recognizing ‘these bits run better on Prem in this office’ or ‘with this group of people, these bits run better over there.’ This idea that we’re going to migrate everything to one place? All these absolutes are invariably wrong. There are always shades of gray.” Adopting a hybrid cloud strategy is increasingly viewed as a pragmatic approach that mitigates cost surprises and more finely-tunes resources based on their ideal environment—on-prem or cloud.
As more companies embrace using both on-prem and cloud solutions, it is also essential that security policies are integrated effectively across both on-premises and cloud environments.
Build a Robust Defense: Principled Least Privilege Use
Beyond MFA, Richard and Danny both emphasized the importance of activating the principle of least privilege. Richard stated, “Way too many folks, including sysadmins, are walking around with administrative rights. . . . I like the approach of starting with the SysAdmins themselves. Getting SysAdmins out of the habit of living in an administrator account and instead live as a domain user. Live like everyone else lives in the organization. Only have enough administration to elevate yourself for your task and then go back down to domain rights. I don’t know how we convince others to do this properly if we don’t do it ourselves as admins.”
“Way too many folks, including sysadmins, are walking around with administrative rights. . . . I like the approach of starting with the SysAdmins themselves.”Richard Campbell, Microsoft MVP and Creator of RunAs Radio, .NET Rocks, and Windows Weekly
Danny agreed, adding, “It’s hard to make the case that this is an important initiative to your organization when the people whose accounts can do the most damage are the ones that are not using some sort of least privilege strategy. So yeah, I agree completely.”
Both also agreed that any PAM software solutions put into action must allow for flexibility, enabling people to execute their work while adhering to security principles.
In sum, security requires more than multifactor authentication (MFA); it demands a comprehensive strategy that incorporates zero trust principles, with least privilege at the core. Organizations minimize vulnerabilities and create a more robust security posture when they enact these policies.
Navigating Legacy Systems: Challenges and Solutions
The discussion acknowledged the challenge of working with legacy systems, with Danny’s experience in the public sector serving as an example. Outdated software and new security protocols collide creating friction for IT teams. Both experts emphasized the importance of continuous dialogue with software developers, both in-house and third-party, to adapt their software for today’s security demands. When legacy software providers fail to heed your advice, transition to more secure software whenever possible. Take your company’s resources to a vendor that aligns with your security values.
Developing a Security Culture: More Than Just Policy
Last and perhaps most importantly, building a culture of security was a central theme throughout the 60-minute webinar. Developing a culture of security goes beyond mere policies and technology, however. It’s about fostering an environment where every member of the organization, from leadership to the front-line staff, understands the importance of security and feels accountable to maintain it.
Danny shared how Recast is walking this walk right now. “At Recast, we recently went through SOC 2 Type 1 and have started our Type 2 exercise. We’re dealing with policies around BYOD, acceptable use, and machines that are no longer on a VPN or within a security perimeter. We’re educating our workforce a lot more on zero trust. At the end of the day, your security culture does get driven a lot by the policies you put in place.”
Security must become a collective responsibility and a central part of an organization’s ethos. It’s not just about implementing the right tools but weaving security into the fabric of the organization’s culture. The goal is to create a mindset where security is viewed not as a hindrance, but as an integral part of successful and responsible business operation.
Building a Robust, Modern IT Security Infrastructure
Through their conversation, Danny and Richard offer insights and strategies for both SysAdmins and IT Directors to better navigate their security challenges. From clear-eyed budgeting to embracing well-tuned hybrid solutions to developing a robust security culture, this discussion underscores the multifaceted nature of modern IT security.