September 28, 2016

How new ways of working challenge corporate security: no longer us and them

Markus Melin

Head of Tieto Security Services, Tieto

Over the last few years, the many digital work platforms by companies such as Uber, Taskrabbit, Thumbtack and Etsy have paved the way for a fundamental change in the way we work and create value in the economy. Monday to Friday 9-to-5 employment may not be totally bygone, but it is supplemented and even challenged by new modes of doing work. These so-called gigging platforms allow people to work for several companies at the same time, bringing challenges to the traditional corporate security model.

In the traditional corporate security model, employees may have different access to different data and business assets. However, the basic idea is quite clear: there are employees and others. Likewise the whole corporation can be divided into “inside” and “outside”. Quite physically, actually – you can’t just walk into an office. This age-old duality of “us” and “them” has defined the discussion of corporate security, as well as the established solutions since the beginning.

Of course, things such as partner extranets have muddled this line by granting outsiders limited access to digital corporate premises, but this has been more a matter of tedious tolerance than a real shift in the model. Increasingly, however, driven by major trends such as the move to mobility and cloud as normal ways of doing business, companies need to do away with the inside/outside dichotomy, as employees and corporate assets can no longer be confined to a physical or logical perimeter.

But the old ways sit deep in the security community, and sometimes with good reason.

When people work for many organizations at the same time: the challenge of multi-vacancies

It would be easy to dismiss the gigging culture as a passing fad more suitable to foodies and waitresses than serious employment, were it not that it is starting to get established in a wide range of traditional, “serious” industries as well. For corporations it is often tempting to hire different kinds of talent piecemeal as short-term contractors when needed. The job may be short-term, or maybe the skill is so special there is not enough demand for a full-time employee.

But employees also need to make a living, meaning they often work for many organizations at the same time. This work often takes place in irregular ways, regardless of time or location.

Thus traditional security measures based on employment or physical location no longer work. The division between employees and others is going away.

Two approaches to rethink security

This, of course, means serious rethinking for those taking care of corporate security. How can security be compatible with a workforce that is no longer easily divided into “us” and “them”?

There is a “soft” approach which emphasizes security culture instead of technical controls, as exemplified by Gartner’s People Centric Security thinking. This stipulates that if people are empowered to make their own decisions and educated about what their actions mean security-wise, a culture of awareness and care will prevail.

This is easier said than done, though, since you can’t expect die-hard corporate loyalty from people working for multiple companies in parallel. But it may lead to more sustainable results than a purely technical approach. (And of course, a people-centric approach doesn’t mean there’s no technical security infrastructure.)

Then there is a “hard” approach which takes the new situation more as a technological challenge. An example of this is Google’s BeyondCorp model, where they dispense with the concept of an internal network altogether and treat anyone accessing the corporate assets as inherently untrustworthy. After all, people do very sensitive things such as banking or dating on the Internet, so no problem with that. The mode of operation is just very different from the traditional closed corporate network.

The gigging economy is here to stay and we’ll be digging further into this theme in later blog posts. For now, give a thought to what these trends might mean for your organization.
