Shaping the future workplace: A workplace that’s secure | Fujitsu
Hello, my name is Alex Homer and today we are going to be talking about the importance of security in the future workplace. I´m
joined by Fujitsu´s David Smith and Alex Matthews from VMWare, both of whom know a thing or two about security in the workplace. Thank you for joining me. What we´re going
to be talking about today is really the employee. There are lots of things that people need
to consider in their working lives and security is yet another one.
It´s difficult for us all to remember that security is so important sometimes. But, how
do we prioritize security without burdening employees with endless processes, policies
and passwords, David? I´d say it´s one of the most important
questions that enterprises are facing today. Take any one of our normal working days. We
get up in the morning and before we leave the house we want to be able to check the
calendar and the address we´re going to. So do I take my work device out of the bag
and power that up? Or do I just grab my personal phone and look on the calendar on there? Carry
on through the day; let´s say I´m going to a client site. I want to be able to show
them my presentation. I get to their video conferencing suite and
they say, “Sorry, you can´t plug in your corporate laptop here. You´ve got to put
your files onto our devices so you can share them. Our security policy backs that.”
And you can look at anybody´s “day in the life” and see these different touch
points that we have to work through. They require us to do things that, as IT security
reps within our enterprises, feel inherently insecure.
So, historically what have we always done? We´ve come up with new security policies
which say “let´s ban personal devices, because we can´t allow people to have corporate
data on those.” “Let´s ban people from using USB ports and plugging their laptops
into other people´s corporate networks, because we can´t risk that there might be
a virus on there.” But actually, as a security team, I realize that people have to be able
to work so I should have an exception to those policies.
I should permit people to use these things. Then three weeks later when everybody´s
requested the exception, because we all need to, what happens to our policy? What´s happened
to that enterprise security? We´re finding that a lot of our enterprises are struggling
to make that balance. But there has to be a better way, David. There
has to be some way we can intrinsically have security built into a management solution,
that allows the workers to have that consumer experience but gives our IT security professionals
the security and compliance element, so that they´re confident that the solution
is secure in the data and the corporate assets for them. There must be a better way, David.
Do you know some examples where there are better ways?
Yes! Magically, as if it´s materialized out of nowhere, we have a much better way
to do it today. Realistically, we want to be able to secure
the devices for the corporation. We need to make sure that we have a user experience. So, to David´s point, these are almost diametrically
opposed views. I want a consumer grade experience with the corporate wrapper for security. But they have to be intricately linked. And
that´s where we are today with the Fujitsu portfolio, in particular. We can provide that seamless user experience,
but we have that corporate wrapper from a security perspective, to give that flexibility
and policy-based approach. But I would add that it´s still a tremendous
challenge. From an enterprise point of view, our security teams are used to being able
to write a policy document. They write a long document or maybe convert
that into a presentation. And we´re forcing our employees once a year to review the security
policies and try to remember these dos and don´ts
of how they should use the corporate services. And so, how do I go from that kind of model
where I dictate a list of rules, a list of commandments, through to something a bit more dynamic, a
bit more use-case sensitive, something that acknowledges the way people need to work? It´s quite a change for us corporately and
culturally within our security teams. The tools are starting to come through, but
we´ve still got a way to go in terms of addressing – How do we apply that? What approach do we take to break down that
problem and convert that into something which we can apply to the tool, to then have it
serve our enterprise? Absolutely. And it´s the people and the
process elements of that cultural change which are almost more difficult to implement than
the technology itself. Absolutely. You´re talking about understanding
people´s profiles, their personas. What do they do during that daily life? So then I can map out what is a reasonable
course of behavior. Historically it´s been much more of a manual
process. I´m designing security on a service by service or a system by system basis, based on the access rights I give to those
users once they connect to that service. And that kind of works, but it´s still crude.
If I´m going in to present to a board level meeting and I want to check the most recent
data from my financial systems beforehand from my hotel room, before I get into the
office in the morning, it´s probably banned. But it should still be allowed because as
a user that´s my role, that´s what I do and it´s part of my normal workday. So how do we then start to pull out the underlying
data from these platforms and understand what people´s roles are, and how to apply some of this policy sensitively?
That´s something which I think we´re just starting to bring through now, into our core
tools and technologies. I completely agree and that context is so
important. I need to be productive, but we also need to be able to have that security
and risk compliance element. So, you´re right. I should be able to access
my corporate data in a hotel. I should also be able to access it at any time of day, not just the 9-5 element from my working life.
But it should just be according to your role. The system needs to understand that that´s
part of your role, but it might not be part of someone else´s. We need to be able to detect – Who should
have access? What´s a normal pattern of behavior? – and be able to apply that
on the fly. Definitely.
This sounds like a different type of approach to how a lot of organizations and enterprises
have typically driven their security policies. Would that be fair to say?
This is a radically different approach. And to David´s point earlier, the people and
the process element, from an IT security perspective, make it a significant cultural shift. So,
what we´re talking about is context-sensitive role profiles that can be dynamically created for different
types of users accessing the same application. Now, if you tell all that to a traditional
IT security person, they will begin to cold sweat as they realize the implications that
that has for their daily lives and ask – How can I ensure that the right
users are really accessing the right data? This is a significant shift as we move into
the new way of working. I think things are moving together and converging.
Because if we look at the new roles that we´re seeing within enterprise IT, we´re starting to see much more focus on
having somebody that owns the digital workplace experience on behalf of employees. Somebody who´s starting to shape the fact
that the employee experience should be a balance between security and personal productivity. We´re starting to see people thinking about
the workflows, or if you want to call them the value streams, for the certain roles that
exist within our organizations: How do they add value to the customer engagements
that they have and start to map those out from end-to-end? We do that a lot within our
workplace assessments. But if we can start to map those and work
with those new leaders of digital workplace experience, then we can start to design that end-to-end
experience and to build in the security, the context. And as Alex was saying earlier, we´ll start
to be able to pull out the right bits of data, so that we can detect if something is fraudulent. For example, if you saw me connecting in from
London, from London, I seem to be in London a lot today – but then I´m in Moscow, and
back in London again 10 minutes later. What happened there? Was there something there
where somebody was attempting to use my identity and get in? We can start to pull that data out now and
to apply security in a more context-sensitive way. But it really does start with understanding
users, their roles, their personas and their workflow: what makes them productive.
And you talk about threat detection and monitoring David, about using the analytics behind our
workplace technology. But what about the user? We can´t take away
human error. Are there any considerations that departments
need in place to omit human error from workplace technology?
Completely. Think about how workers are moving to be much more mobile, so I need to be productive
wherever I happen to be in the world. That means I´m going to be using more portable
devices. There is a high tendency for some of those devices to get lost. In fact, let´s look at the UK. Last year,
over 20 thousand mobile phones were stolen, lost or otherwise separated from their owner.
Mine might have been about 10 or 12 of those. And likewise, a lot of my friends have been
in the same camp. But that means that a high proportion of that
environment is going to be corporately-based devices. That means that I am giving away the keys
to my kingdom, in terms of how my employees access my data, and how we secure it if that
mobile phone is parted from that user. So, the ability to effectively remotely wipe
or control those devices, if they are reported lost or stolen, is incredibly important. The same applies to any other type of mobile
device, whether it´s a laptop or a tablet, for example.
I think the main thing I was going to add was around the importance of the user within
that picture. The other thing that we´re starting to see
coming through is common technologies, both across mobile and desktops. It´s that level of self service. So let´s
say we had a corporate policy where you can use your BYOD device, your personal device, but you have to register it; you have to bring
it in and give it to an IT person who will add it into the system, so that we can ensure
that we´ve registered your device to you. It´s not going to work, right? Because if
you lose your device, the last thing on your mind is – I have to reregister it at work.
You´re going to go and get yourself a new device. You´re going to get things up and running
as soon as you can, so that you can get back on and use that device as part of your life. We need to be enabling a lot more in the way
of self service, so people can fluidly, as a part of that process of getting that new
device and setting it up, onboard that security picture, completely seamlessly, as something in the
background that they´re not even aware of. That end user experience and that workflow
need to acknowledge human behavior and need to be flexible to that. It can´t put the burden of bureaucracy and
security too much onto the end user, because if you´ve lost your mobile phone you´re
in a stressful situation. The last thing you want to do is be confronted
with a 30-page form to review and sign before you can start to get it up and running again.
I need it to be running now. Or even the “better situation” where,
to report a stolen device, I have to log onto the corporate page which requires me to have
access from a device that I no longer have. There´s an issue here, so we do need very
user-friendly systems to make this work. Absolutely.
And who´s responsible for that, though, getting the end user experience right in the
workplace but also making it secure? Where do you see that responsibility lying?
Well, that´s a really interesting question. If you think about the traditional onboarding
of an employee into a company, that was typically always HR´s responsibility.
Then they would hand over to IT and say, “I need some IT equipment. I need that person
to be productive.” There was a clear line of demarcation between
“I´ve done my onboarding job” and “now it´s over to IT.” What we´re seeing
is that this needs to seamlessly come together. They have to have from day zero that onboarding
experience, powered by IT, as HR takes responsibility for the lifecycle of that employee. At the same time, you can´t forget there´s
a user involved here as well. You´re looking at a three-way relationship between the HR,
the IT and the user´s responsibility. If we look at that old model, you have a central
security team writing policy documents for everybody to either read or sign here, tick
the box and pretend they´ve read. A lot of the ownership of that model was that
the security guys would say, “We don´t own the risk; the business owns the risk. We can give you advice, and then it´s up
to the business if they want to take that advice or if they want to take the risk.”
That´s where these exceptions came from, because the security guys issued the policy
and the line of business then said, “That doesn´t work for us; we´re having an exception.” I spoke a minute ago about the fact that the
digital workplace experience design is now starting to come into the way that we provide
employee services. We´re starting to take the same approach
to designing employee services as we would do if we were launching a commercial service,
and that´s great for the consumer. As we spoke before about understanding the
user´s role profile, understanding their value stream, their “day in the life”
experience, we can then start to design in security as
a part of that workflow. As long as we´re working with somebody like
the head of end user experience or employee experience, the digital workplace owner, then we can work with them to design workflows
that do work, for those people that are really generating revenue within our organization,
who are helping us to add value. Great. Well if any of those people want to
get in touch with us then please do visit digitalworkplace.global.fujitsu.com to find out more about our digital workplace
services and the security that we can provide for your organization and your employees. That´s all we´ve got time for today. Thank
you both for joining me and see you next time.