CSO Insights: SBV’s Ian Keller on the Challenges and Opportunities of Working Remotely

The Covid-19 pandemic has forced businesses to change the way they operate. While more organizations have been adopting remote work over the past few years as an option for employees, it has very much become a necessity these days.

Of course, such an abrupt change in the way an organization does its business comes with a unique set challenges, especially when it comes to security. In fact, for people like Ian Keller, Chief Security Officer (CSO) of SBV Services in South Africa, what companies are experiencing right now might be considered the new normal.

SBV Services provides end-to-end cash management to banks and federal reserves by processing, classifying, and distributing cash to different parts of the country. Due to the nature of the business, the company has both a physical component, comprised of vehicles and security personnel, as well as a back-end component that looks after the company’s systems. While the essential services portion of the business is still out and about (taking the necessary health precautions, of course), most of the administrative work is now done from home.

A veteran of many industries, Keller possesses a Master’s Degree in Information System Management with a focus on risk reduction in financial services markets — making him uniquely suited to his role as CSO.

Keller recently sat down with Trend Micro and shared his thoughts on how his organization is coping with the current pandemic, the main challenges they faced when transitioning their staff to remote work, as well as how they plan to move forward.

On building organizational resilience

In a sense, SBV was fortunate because they had already spent a couple of years enhancing their systems as part of its digitization and Industry 4.0 evolution. This included making sure that adequate VPN connections were in place, as well as ensuring that their security technology was seamless when shifting from an office environment to a work-from-home environment.

“We’ve been spending a lot of time getting all those blocks in place so when this happened, I think the only thing we weren’t ready for was the fact that it was driven by a pandemic versus organizational change,” Keller mentions, “And so the impact was reasonably low, and the transition was quite seamless. Obviously, you have to work out the nuances of how you measure your staff in terms of deliverables, performance ratings, bonuses, and that type of stuff. But the rest of it, technology-wise, it helped a lot. The technology we have deployed has given us the ability to operate remotely and still have the same level of security.”

One of the challenges with remote work is that one household often has to share a single connection. While most businesses provide their employees with VPN connections for accessing systems and services, there is still the potential for cross-contamination between the endpoints, or the different machines on the network.

For Keller, companies have plenty of options for hardening physical endpoints when it comes to the technology stack. Security teams also need to start focusing heavily on end user behavior and device analytics as companies move to a remote work set up.

He also reiterates the importance of zero trust-networks and the need for constant verification. With staff doing their work remotely, the need for constant verification plays an even larger role in security, something that SBV had already been doing for some time. “The fact that we’ve started building zero-trust networks a couple of years ago sort of played into the right space. The guys who haven’t done the zero-trust network adoption are now lagging behind. From our side, we’ve done the zero trust-style networks. We’ve got the right technologies in place in terms of endpoint defense.”

On facing the challenges of remote work

Transitioning to a work environment has its fair share of hiccups. For many organizations, remote work is an option for a portion of the staff, and the sudden need for everyone to be able to work from home can prove to be a challenge.

I think where we are now, and I think this going to be one of those interesting waves to ride in, is that we’re now finding what the new norm is. We’re building it as we’re going along, so we’re defining what’s expected of a guy working from home.

Shoring up a company’s infrastructure to make it ready for a shift to a remote work environment involves ensuring not only the availability of the applications — with proper protections — that employees use regularly, but that support services via remote desktop are also in place.

Still, even with the right technology and systems in place, the people side of the equation plays a significant role, especially in terms of security. Securing endpoints in an office environment is simpler, given that the company’s IT staff controls most of the infrastructure. This becomes more of a challenge in a home setting, where delineating between work and personal life becomes a challenge:

I think that’s where we are from a risk perspective. We’ve got all the relevant bits deployed: locking down USB ports, having antivirus deployed, monitoring the endpoint to make sure that if we see something, we can do something about it. But the problem is if the computer right next to you is on the network, and it’s infected because your kids have been surfing wherever, and that stuff hits your machine from a zero-day perspective. I have a fantastic toolset, but for the people who don’t have it, they’ve got a problem.”

Keller continues:“Now you’re sitting at home, you’ve got multiple devices — if you’ve got a household with adults, your kids are working-age but still living at home because it’s their first couple of years working. They’ve got an office device, you’ve got your stuff, and not all of them are configured equally; not all of them have the same protection.”

Keller also noted that people tend to work longer due to the absence of a divide between their work and home environment. This can lead to carelessness when it comes to security, or even worse — burnout:

“I think where we are now, and I think this is going to be one of those interesting waves to ride, is that we’re now finding what the new norm is. We’re building it as we’re going along, so we’re defining what’s expected from a guy working from home. What is considered adequate? What is considered excessive? How are you going to deal with your work-life balance because it’s in the same spot? How are you going to balance your social life or your private life with your business life seeing that it’s literally out the door, and if I go out of that – that’s supposedly my personal life and I have to walk past it 20 times a day.

That’s the next wave of evolution that we’re now busy with. And security is the one riding at the back of the surfboard. If you’ve got that visualization — you’ve got the surfboard and the surfer thinking about all that stuff, and you’ve got security sitting right on the back. And now you need to play catch up with bleeding-edge technology, and you’ve still got to have that balance going.”

On riding the new wave of changes to the working environment and the need for adjustments going forward

The current situation has given people, especially executives who often have a very traditional mindset in terms of “seats equals work,” the opportunity to see the value of a remote workforce. As companies start embracing the thought process that work can be done wherever the employee is located, security needs to keep in step.

Keller notes the challenges of handling home devices that have to share an environment with other home devices. He also emphasizes the importance of redesigning security to cope with that reality while remaining business-relevant:

“The technology now isn’t where it’s supposed to be or where it should be to be able to enable this type of work. We have seen over the last 30 years was that the remote work capability was being able to VPN in, take a look at something, get the report out, and be able to go back and do your own thing, then close the door.”, Keller notes, “Now the door is constantly open, with people coming in 24/7.  And the technology has to adapt to this. I see the next evolution in technology from a security point of view is to have a lot more AI/machine learning components to it. To see that this is the way your home network looks, and this is the type of threats it is picking up.”

I think we’re at the beginning of a brand-new digital age. I don’t see us going back to the way it was ever again – not permanently anyway. Too many things have changed – that horse has bolted.

Going forward, Keller notes that many organizations will have to prioritize which technologies to implement in the future by asking whether it makes sense, not just security-wise, but economically. For example, a company that is looking to retain their remote work setup and maintain minimal on-premise endpoints might have to reconsider whether technologies like network access controls make sense.

As he puts it: “So, we’ve changed the mindset so that if we’re forking out a million dollars for a technology or, we need to bring back to the business $1.5 million dollars’ worth of value, or a percentage like 20% more of what we’ve spent.  When you change that paradigm in terms of thinking, now it’s no longer just buying a cup for the sake of a cup, it’s now about how this is going to make business work better. How is it going to fit my business?”

When the world goes back into a semblance of normalcy, Keller believes that many companies will keep some of the policies and adjustments they enacted to cope with the changes in the working environment.

But he believes that it has to be controlled better. SBV had already started rolling out the infrastructure for remote work to their executives, but the Covid-19 situation forced them to extend those capabilities to more people. The difference going forward is not going to be as much on the policy stack than it has to do with the enforcement of that policy.

One of the key issues is accountability, especially in a work-from-home environment where there is no one to hold people accountable, especially when it comes to security.

“You’ve got a lot more control in an office space versus the home space. So we need to figure that out. That’s the balancing act we need to figure out. Keller says, “How are we building this? How are we going to keep moving forward while making sure we still meet all the relevant business objectives?”

“It’s going to be interesting times.”