Standards that Protect the Organization
A lot of younger staff will be asking to work from home. So, how do we set the standards that protect the organization but also allow them to work?
Hi - thanks for your question.
While I can't give you a direct answer on how to set standards, as those are driven by the organization's strategic goals and governance models, I can suggest some items to think through to help you arrive at an answer that best suits your organization's needs.
First, it looks like your question is based more on wanting to establish a more permanent capability that allows for telework rather than one driven by a temporary event, such as the COVID quarantine. Assuming that, the standards should first be based on a clear understanding of the following:
1. How do you preserve or enhance the strategic intent of the organization when deploying to a functional telework model? What potentially suffers? This is the first step to understanding the business and operational impacts when considering a functional telework model. In talking with our clients about the current reality, we found that personal efficiencies are improved, better quality work is produced, and people are overall happier.
2. What does the telework user require to be effective working in a predominantly extended edge model? This is more about change management and protecting performance. In working with our clients, we found that users want to be permissive in their use of telework edge devices. The goal is to try to minimize explicit actions a user needs to perform in order to protect assets, so they can concentrate on their profession.
3. Given your organization's current cyber security posture, what additional risks would telework impose on the organization from the edge to the enterprise? Most will find that their entire strategy is based on a layered perimeter defense model. This type of model is necessary but insufficient for protecting the organization from the data to the datacenter.
4. How does the organization calibrate its existing posture to support extending a functional model to the edge? This process is about understanding the users' need for behavioral and mental permissiveness and calibrating to meet the needs of the organization. It's important to represent the user's need for freedom. In my experience in both government and commercial settings, I found that if an organization is lacking a data protection strategy that aligns with the business goals of the organization, the performance goals of the person, and the technical goals of IT/Cyber, then the organization is open to compromise at many levels.
5. If you decide you want to implement a data protection strategy and want to figure out what might be best for your organization, here is a link to a short LinkedIn article I wrote on abstracted data protection. The key here is to make sure you're not being sold a perimeter solution that is masquerading as an abstracted data protection solution. If you are, then you'll end up right where you started, and possibly in the news.
Best of Luck and feel free to contact me if you want to discuss further.