CONTRIBUTOR
Chief Operating Officer, COO
Techstrong Group

Synopsis

The sudden pivot to remote work at the start of the COVID-19 pandemic introduced an entirely new security paradigm that many organizations are still grappling with almost two years later. Technology can help solve some of the security issues that have arisen, but it’s only part of the equation.

In this Digital CxO Leadership Insights series video, Charlene O’Hanlon speaks with Caleb Merriman, CISO at Deltek, about the role of communication among leaders in advancing security that doesn’t hinder productivity among employees.

Transcript

Charlene O’Hanlon: Welcome, everybody, to another one of our Digital CxO Leadership Series videos. I’m Charlene O’Hanlon. I’m very excited now to have a conversation with Caleb Merriman, who is the CISO over at a company called Deltek.

Caleb, thank you so much for getting on Zoom with me and having a conversation. I appreciate it.

Caleb Merriman: It’s a pleasure to be here. Thanks.

O’Hanlon: So I’d like to talk to you about this topic that seems to be on a lot of people’s minds these days, and that is this push to a remote and a hybrid work environment and the cybersecurity implications thereof. Obviously, organizations can throw all kinds of technology at the problem, but at the end of the day, it really seems like it comes down to communication and relationships between members of different organizations – or different departments within the organization.

What I’m thinking of is, from the C-level perspective, there needs to be some hard conversations among the CIOs and the CISOs, to make sure that all employees get what they need, not only to remain productive but also to keep the company secure. So I’m interested in finding out, from your perspective, where you see that happening and what is happening within your organization. I guess we could start there. Just take it from a much broader perspective of the CISO and the CIO having those conversations.

Merriman: Yeah, absolutely. Obviously, the pandemic has accelerated what I believe was already a trend in progress toward more remote work. So this isn’t brand new in supporting this, but it’s certainly accelerated a great deal.

I think the key things on the IT side, really, that have enabled remote work, that has so many benefits, right. I mean there’s work/life balance. There’s the impact on the environment. There’s being always available, the ability to remote in from anywhere. It expands our ability of getting access to a much larger workforce. There’s different roles of workers that we can bring in.

So there are so many benefits of remote work that I think this trend has not only accelerated, but I think it will continue, and we won’t see a return, at least for those types of businesses that don’t require physical involvement. I don’t think we’re going to see a return back to the way things were. So remote is here to stay and the trend has been accelerated, but it’s certainly not the case that it wasn’t already moving in that direction.

That’s really largely because of the proliferation of high-speed Internet and mobile devices. We now have fully functional computing devices like mobile phones and laptops, Wi-Fi and high-speed Internet availability that really allow people to work from anywhere.

On top of that, we’ve seen the increase of collaboration tools like Zoom, for example, or Teams. Those tools really enable us to work in a way like you and I are working today. We’re not in the same physical location, but we’re able to work and communicate as if we were.

So I think those things really have driven the move toward more remote work. On the top layer of that, it’s really the expansion of cloud computing and SaaS applications.

So I think there are a lot of concerns that are raised there. You asked about the security and this is where the CIO, who is looking at those technologies and making sure that they’re enabling the business, has to balance that a little bit with the security risk. You mentioned some kind of conflict. I don’t really see it as a conflict, but really working together to appropriately address the usability as well as the security of the functions, the technology that we bring to the organization.

I’ll pause there for just a moment to allow you to redirect, please.

O’Hanlon: No, no. I’m sorry. I didn’t mean to interrupt you there. I guess I should not have posed it as a conflict and that certainly wasn’t my intention. But I do believe that until maybe as recently as, well, at the start of the pandemic, but obviously since then, companies have had to take a hard look at how they are equipping their employees to work remotely and in a hybrid environment.

There have been instances, obviously, with every company, in every industry, where companies rushed to get their employees set up remotely and didn’t consider a lot of the cybersecurity implications thereof. So now, they’re having to kind of turn back and fix the mistakes that were made inadvertently.

This is a conversation that obviously if organizations had had more time to prepare, to get their entire workforce to work remotely, probably a lot of the same decisions that were made probably would not have been made. There would have been a lot more foresight, forethought in it, and recognizing the implications of pretty much any part of the remote work environment.

So do you think that organizations are now kind of taking a long view, if you will, of the technology that they need to consider offering to their employees, recognizing that this hybrid environment is probably going to be a permanent fixture?

Merriman: Yeah, absolutely. As I mentioned, I really think that this is a trend that’s been around for a long time and will continue. The pandemic certainly accelerated that, but this is something that we’re not going to go back to everybody working from an office going forward. Obviously, there are certain types of functions that require people to be physically present. You can’t ship a package completely virtually, but for the most part, a lot of the work that we do day-to-day we can do remotely. So I do think that that’s something that we have to take a long view on, and that we have to consider as the way things are going to be going forward.

You mentioned a little bit about maybe a rush. I maybe don’t see it exactly that way, because I see some businesses have already embraced remote work. For example, my security team at Deltek is 100 percent remote. I was actually hired before the pandemic as a remote employee at Deltek, and I have several security people around the globe actually that all work together remotely. We have very few people who are even in the same city as others on my team.

I’ve only met physically, of the 30-or-so people that report up to me, I’ve only met physically three of them, and two of those would be because I worked with them elsewhere, before Deltek.

O’Hanlon: Yeah, right. That seems to be the –

Merriman: Yeah, not to contradict, but I think some companies had a jump on it. You even asked in your previous question where we were. I think Deltek was maybe a little ahead of the curve, and that was fortunate because it allowed us to be more resilient. That’s one of the benefits of remote work is just that resiliency and the fact that we can provide support around the clock by having people working in different geographies.

If you think about a lot of organizations that did fall into the camp that you’re talking about and had to make some changes, and maybe did so in a way that they didn’t consider all the security implications, and we saw some rise of different kinds of threats during that period of time. I’d say some of the key things that offer an attack vector in security are around Wi-Fi networks, personal devices, physical security, and authentication vectors.

So if we’re going to look at what changed, I think more emphasis in those areas. Now we know people are working from their home Wi-Fi networks. So you question the security of that. In many cases, they’re working with devices that either are personal devices or at least are outside of the physical control of the corporation, and that can introduce some risk, just physical security alone, right, anything that might be viewable over my laptop. Am I working from an area where others can see the information? Then certainly the challenges around overall authentication is just huge when you look in that arena.

But honestly, Charlene, I think that technology is always moving and there’s certain things that may accelerate the need. Necessity is the mother of invention. So I see a lot of things have adapted to the new environment around security as well.

O’Hanlon: I agree with you. We’ve seen a lot of that with just the technologies that have become so widely used over the last 18 months. Take Zoom for example. You remember at the beginning of the pandemic when everybody was on Zoom. People were Zoom bombing and there were not a lot of security controls around using that technology, but Zoom has just taken great strides to lock down its platform.

They’re not the only company. So they recognize the impact of this remote and hybrid work environment, and the fact that cybersecurity needs to be a much more prevalent part of the conversation, I guess, or at least a consideration for organizations.

With that in mind, do you think that organizations are going to be taking more of a security-centric approach to how they acquire technology and adopt technology moving forward? How much more impact is cybersecurity going to have on technology buying decisions?

Merriman: That’s a great question. It certainly is something that is a trend that I’m seeing today. It used to be the case that companies like Deltek were selling software, but now we’re not just selling software. We have moved from a solo act to a trio act. We now sell software. We sell the environment that hosts the software, and we sell the security of the whole solution.

I do think that our customers, and we as a customer to other SaaS providers, are definitely looking at the security of those solutions. I think that that really should be the case. It is part of the product, part of the solution today, and you really should be looking at that.

I actually think that’s one of the key things that companies should be looking at and examining, is who they’re partnering with. So this trend to remote has forced a trend toward cloud computing and SaaS applications. I think there are a lot of people who fear that there’s an increase in risk with that.

I would actually offer up that, if done correctly, cloud computing can be more secure than traditional computing models. So it really comes down to who you’re partnering with, and also ensuring that those kinds of sanctioned partners are the only ones that really have access to your employees.

I was reading that recently, when we talk about SaaS implications and use for a given company, most IT people think that they have tens of applications that their employees are using, when in fact, as you look into it, there are thousands of SaaS applications that their employees are using typically. So that attack surface is much, much bigger than most IT people think.

So it’s really critically important that we authenticate the users correctly through those sanctioned applications, that we’re evaluating the security of those SaaS partners, but also that we’re restricting the connections and capability and perimeter of our data to unsanctioned applications. So I think those are key things.

O’Hanlon: Yeah. I think identity and access management in general is going to be a much larger part of the conversation moving forward. To your point, we’re using on-premise. We’re using cloud apps. We’re using – a number of organizations are now adopting edge computing.

There’s a huge, huge attack surface that needs to be protected nowadays. We don’t know where employees are going at any given moment. So I think the need for greater security control over just who has access to the data I think is going to be a huge thing, a huge part of the conversation moving forward, if it isn’t already.

So hopefully with so many organizations moving forward and moving forward quickly with their digital transformation initiatives that cybersecurity, hopefully, has been top of mind as they undergo those things, and they look at these technologies such as IAM and other cybersecurity controls that will enable them to make sure that both their employees and their data is locked down and only accessible to those who really need it.

Caleb, what else do we need to know before we close things out?

Merriman: Well, you talked about attack surface, and I think that’s really an interesting topic in and of itself because this trend toward more cloud, more SaaS, remote work has really changed that attack surface from what we call the lollipop model, where you had kind of a crunchy exterior and a soft interior, because you were running your own datacenter and protecting it from the Internet, as opposed to actually running your business through the Internet.

So to me, the area that we need to protect, as you rightly talked about, is focusing on IAM and focusing on application security for those applications, but also ensuring that we’re not using applications to conduct our business. I think focusing on those things will allow us to be more secure in a remote environment than we ever were in the past.

O’Hanlon: That’s a strong statement and I like it. I think that organizations – just those three, I think they will reap rewards well beyond what they are experiencing today, just in the fact that their data is that much more protected. We are moving into kind of a brave new world of working that we’ve kind of dipped our toes in over the last 19 months, as people and organizations kind of felt their way into, “Well, is this going to be doable for the long run?” I think we’ve all pretty much recognized that, yes, it can be done and done successfully over the long run. So we’ll just have to see what phase two brings as far as cybersecurity controls, and just what cybersecurity in general brings.

Caleb, thank you so much for having the conversation with me. I do appreciate it. It’s always a pleasure having the conversation with you, and I do appreciate your expertise and your insights.

Merriman: Thank you for the opportunity, Charlene. I appreciate it.

O’Hanlon: All right. This is Charlene O’Hanlon for Digital CxO Leadership Insights. I’ll see you next time.