By Christian Aboujaoude, chief technology officer at Keck Medicine, USC

In the pre-pandemic days, security solutions could be more basic. Securing the perimeter could be likened to locking the door of your house. But with remote workers taking devices off premises and sometimes using their own, securing the workplace requires a new approach. Sophisticated threats come from every angle, and preparing a complete defense is vital.

We are in an environment of constant change and unexpected events. Just when many people began welcoming a post-pandemic world, cases started rising again, and the need to apply proper controls, governance, education, and tools for remote workers once more became top of mind for many cybersecurity leaders.

For CISOs and their teams, the challenge is to build a culture that facilitates the ability to adapt to change on an ongoing, continuous basis. This requires a new mindset in securing all users — remote users, in particular. It also means evolving your approach so that cybersecurity is no longer viewed by business management as a cost center, but rather as a means of competitive differentiation and innovation for the organization.

In my view, there are three critical aspects to changing the culture and mindset to adapt to current and future cybersecurity challenges, particularly as remote work becomes more deeply ingrained as a business requirement:

1. Education: Develop a deep understanding of every aspect of your organization and spend a lot of time and attention on education - for everyone, whether they are on your security teams, in your executive suite, front-line workers on-premises, remote workers, or anywhere else in your ecosystem.

2. Technology: Even in some larger organizations, basic technologies - such as multi-factor authentication or secure VPN - are not given the priority necessary to allow remote workers to operate in a more controlled environment.
It is important to have the basics under control before adding innovations, such as Zero Trust.

3. Procedures and practices: It is vital to maintain a philosophy of ongoing education along with continuous evaluation of the technology your organization is using or, in some cases, not using. From a procedural perspective, you must understand everything in your environment. Once you understand it, you can assess and address its impact on your current risk and overall risk profile.

1. Leveraging education to secure remote workers

The reason education tops my list is that over 80% of cybersecurity events relate to people. Everyone needs to truly understand what cybersecurity is — and that it’s not just a password or two-factor authentication. Cybersecurity is an approach — a mechanism. It’s how you go about conducting work. Achieving a strong cybersecurity posture takes cultural change, behavioral change, and constant learning.

When users were largely on premises, most organizations could compensate for potentially dangerous behavior by having multiple controls to help protect them. However, when those same people go remote, there’s a bit of a loss of control and governance. There are technologies to help cover user behavior, but it is better when the behavior doesn’t exist in the first place.

This means that we must educate folks on cyber hygiene, making sure they understand that the steps they take at work may not be the steps they take when they are working remotely or from home. This is especially critical in this very open-ended environment, where a user’s device may be used by other people in the home.

2. Leveraging technology to secure remote workers

Strong foundations are also important from a technological perspective. You must make sure you have controls, processes, and governance for multi-factor authentication and secure VPN.
It’s those things that pave the way for Zero Trust.

My best advice is to approach everything from the bottom up, understanding not just your inventory but every single behavior that takes place from a public-facing standpoint. This is especially important for remote workers. A good place to start is by asking yourself and your team key questions:

Fundamentally, you need technology tools that can exist on your network and identify all connected devices. I’m talking about tools that are able to actually interrogate the network, understand packets, and capture specific metadata for each device to determine how it lives on the network.

3. Leveraging procedures and practices to secure remote workers

If you haven’t figured it out by now, I’m a huge stickler for inventory. From a process standpoint, you must understand your inventory: what it is, what it means, and why it matters — as well as its impact on your business and your security posture.

So, from a procedure standpoint, you need something in place that is able to identify what you have in your environment. Then you must relate and correlate that information to any situation, to the point where you can say about any device: “This device is connected to this application that lives here and does that.”

From there, you can build a configuration management database (CMDB) approach to really understand your environment and have processes in place to integrate with your ITSM tool so you can execute the specific actions you need to take.

Maintaining ongoing processes also relates back to my first point: education. CISOs need to ensure training and education are continuing when people work from home or remote locations, and they need to have tests, controls, processes, and governance to continuously identify and correct non-malicious but potentially dangerous behavior.
Quick-hit training without repetition is rarely effective.

My advice for CISOs and other cyber leaders

If I could leave CISOs and other cybersecurity leaders with a key takeaway from this article, it would be this: Every CISO should figure out how to balance the business operations of their organization with a security mindset that is not destructive to the business but is, in fact, built into the fabric of the business. In order to do that, I urge all security professionals to take the time to understand as much as they can about the business in which they work.

Note the emphasis on the business, not cybersecurity. Most security professionals know security exceptionally well. But if they don’t have an equally exceptional understanding of their business or organizational needs, they are potentially setting themselves — and their organizations — up for failure.

Whether you are the CISO or anyone on the security team, you need to be able to go to the people in any department and have detailed conversations with them related to their protection and their business needs. It may start with something simple: “We saw that you have these devices. They are not in compliance with our security posture, and we need to take this action or we will be forced to put it offline.”

Of course, the immediate reaction will be: “You can’t do that!” And the response is: “Yes, we know. That’s why we have to fix the problem.” A solution-focused and service-focused mindset is key.

The opportunity ahead

Remote work is here to stay. To make it successful, you have to make it secure.
Cybersecurity leaders and their teams have an opportunity to make huge contributions to their organizations over the next few years by developing cyber-aware cultures that are both agile and responsive to the changing needs of their organizations.

By focusing on the fundamentals, CISOs can prepare themselves, their teams, and their organizations to be ready for whatever comes next. As we’ve learned all too well over the past few years, change is the only constant in cybersecurity. Be ready.

About the author:

Security Roundtable author, Christian Aboujaoude, is the chief technology officer at Keck Medicine, USC.