This year, Labor Day marked more than the end of summer. It also represented the unofficial start of an effort by companies to move many workers (including cybersecurity pros) back into offices after nearly three years of work-from-home and remote arrangements brought on by the COVID-19 pandemic.
The same is true for cybersecurity professionals. Although they are seen as the front-line defenders for many organizations, these technologists have also embraced remote and hybrid work arrangements.
“Most cybersecurity jobs can be remote like other IT jobs. Many cybersecurity professionals already work remotely, either as part of a remote team or as consultants who are brought in on a project basis,” said Darryl MacLeod, virtual CISO at LARES Consulting, a cybersecurity consulting firm in Denver, who has worked remotely for over a decade.
An August survey released by the International Information System Security Certification Consortium (better known as (ISC)²) found that the cybersecurity professionals with the highest job satisfaction are those given the choice of where they work. The least satisfied are those who are told to return to the office by their employer.
“While choice rules, working remotely still trumps going back to the office,” according to the (ISC)² poll, which included responses from 416 cyber professionals.
The (ISC)² report found that, despite the desire to work from home or remote, the number of cyber professionals who worked remotely dropped from 44 percent of respondents in 2021 to 33 percent this year, with 58 percent of those surveyed reporting that their employer changed remote work policies this year.
The study also indicates that, while about 35 percent of respondents want to work remotely “100 percent of the time,” other participants noted they see benefits in returning to the office either full- or part-time. These perks include social interactions and the ability to delineate between work schedules and home life.
Remote Work Is Here to Stay
While cyber experts debate the pros and cons of having a remote workforce, these new arrangements and hybrid work schedules are here to stay. In a field such as cybersecurity, with more job openings than potential workers, organizations that do not offer flexible schedules will likely miss out on recruiting the talent they need.
“As remote working becomes a management choice again, both individuals and management are making these choices for what is best for themselves and their organization,” Claude Mandy, chief evangelist for data security at Symmetry Systems, told Dice. “Unfortunately, in a competitive labor industry like cyber—where the demand for cyber security professionals far outweighs the supply—this can leave organizations that are unwilling or unable to support remote work unable to attract the cyber talent they desperately need.”
For cybersecurity professionals, hybrid or all-remote work provides benefits and reduces stress. “The main upside to an all-remote workforce is the increased flexibility it affords workers,” MacLeod told Dice. “Remote workers can often set their hours and work from anywhere with an internet connection, which can lead to a more relaxed and less stressful work environment. It also allows organizations to be able to draw from a global pool of qualified employees.”
Stan Black, CISO at security firm Delinea, has already seen the benefits of relying on a remote cyber workforce within his organization.
“Since our team is already 100 percent remote, we can go after great talent in low—or lower-cost—regions, which also helps us meet the demands of 24/7 business across all time zones,” Black told Dice. “Additionally, cyber events and techniques often vary by region, so diversity brings broader perspectives to the team, and you can often get it through ‘try before you buy’ staffing. Finally, if your infrastructure is infiltrated, it’s easy to go out of band to ensure the attacker isn’t monitoring calls, meetings, messages, etc.”
While many industry observers see benefits to more remote work, others point to serious drawbacks, especially in cybersecurity. During an attack, breach or another security incident, it’s important to be able to communicate with coworkers to ensure a proper response to the situation, said Oliver Tavakoli, CTO of Vectra.
“The downside is the possibility of miscommunications—particularly in the midst of an active incident,” Tavakoli told Dice.
Scott Gerlach, co-founder and chief security officer at StackHawk, also noted that a more remote workforce can suffer communication issues, especially during a cyber incident. “The downside mostly comes from a lack of communication. You have to be very intentional about how, when and where you open lines of communication and utilize tools to create documentation, record meetings, and collect any other information you want to share,” Gerlach told Dice. “You can’t rely on drive-by ideation.”
Keeping Ahead While Staying Home
While cybersecurity professionals might prefer remote work—or at least the option of controlling whether they come into the office or not—experts noted that keeping up with skills and industry trends remains a must.
The biggest challenge for any cybersecurity professional—remote or not—is keeping up with the latest challenges, techniques and technologies and even new industry terms, Mandy said. The cure for this is to stay curious about the industry.
“This ability to learn and grow over time doesn’t require professionals to be there in person—it requires curiosity,” Mandy added. “Being fully remote can sometimes encourage people with curiosity to discover something new and figure out new ways of doing things on their own from outside their organization. This can include reading data security whitepapers, a daily routine that involves listening to your favorite podcasts, hands-on experimenting within Amazon Web Services, Azure or Google Cloud Platform, and even working on an open-source project.”
With numerous open-source projects available within various repositories, Gerlach encourages cybersecurity professionals to build home labs and experiment with newer tools and technologies.
“Keeping your skillset up-to-date in cybersecurity has nothing to do with where you sit physically,” Gerlach noted. “Resources and information about new threats and defensive tactics are already widely distributed and easily obtainable. Tooling like Docker and Kubernetes make having a home lab easy to set up and affordable to practice and learn.”
While some remote working will remain, in-person meetings with teammates never go out of style, and even once-a-year get-togethers can have a positive effect on communication.
“Most of the formal skills can be acquired in online classes and by attending security conferences. But the skills involved in operating as a cohesive team in the face of cybersecurity threats are harder to obtain remotely. Remote teams should look to spend a week or two a year together to reinforce organizational culture and ensure group cohesion,” said Vectra’s Tavakoli.