Explain IT: Season 4, Episode 2 - Securing the remote workforce

Playing now - Securing the remote workforce

0:00
37:53

In the first episode in our remote working deep dive mini-series, we're taking a look at what new threats security teams are facing in a remote world, how they can start to address these challenges, and what the future of end user security will look like as remote working continues to dominate the way many organisations operate. 

From L to R: Nicolas Fischbach, Adam Louca, Zac Abbott
Host:
Zac Abbott
Zac Abbott Senior Account Manager Softcat
Guests:
Adam Louca
Adam Louca Chief Security Technologist Softcat
Nicolas Fischbach
Nicolas Fischbach Global CTO and Vice President of SASE Engineering Forcepoint
Key takeaways
  • The way we secure users and manage their behaviour has had to change in the switch to remote working. 
  • There are two elements – ensuring the technical security controls are in place to protect users, and also that people are still aware of the security risks and behave accordingly whilst working from home.
  • There has been an evolution of security, with businesses strengthening their security posture as they realised remote working was here to stay.
  • Organisations are starting to invest in technologies that protect the user wherever they are working, making the digital workplace completely mobile.
  • There is a shift towards identity-based approaches for network security.
  • It’s important for the user to understand exactly what they have access to and why – taking a ‘zero-trust’, or better termed ‘risk adaptive’ approach.
  • Users should be trained in maintaining the best security awareness, to understand how they can play their part and help make security stronger. With this training, organisations can trust their users to be more aware of security and the associated threats.

“You want the end user to understand why his access is blocked. You want to do it in computer time, machine time not in human time. You want to protect the data when you need to but the user needs to understand why he’s blocked and you want to help the helpdesk, and you also want to make sure that every soc analyst doesn't have to look at every single event.”

Zac Abbott: Hello and welcome to Explain IT, brought to you by Softcat; the show for IT professionals by IT professionals that aims to simplify the complex and overcomplicated bits of Enterprise IT without compromising on the detail. I'm your host Zac Abbott and over the next few episodes we’ll be doing something a bit different. Remote working and the digital workplace has dominated so many of our lives and is still something that many of you and your organisations are dealing with the consequences of, so we’ll be taking a closer look at some of these core components of remote working in the coming episodes. These deep dive episodes will include topics such as the transition of company culture to remote working and the next step in remote working. In today's episode we’ll be talking about how to secure the remote workforce. Over the next 30 ish minutes I'll be talking to our guests about what the biggest security challenges of migrating to remote working have created, how these challenges can be addressed and look at where this might lead us all in the future. Joining me today on the episode is Adam Louca chief technologist for cybersecurity and Nico Fischbach, global CTO and vice president of SASE engineering for Forcepoint. Is it ‘sass’ or ‘sassy’?

Nico Fischbach: It's ‘sassy’, sassy like Adam.

Zac Abbott: It's so Sassy.

Nico Fischbach: Adam is sassy.

Zac Abbott: Welcome to the show guys, thanks for joining me. Nico it's fantastic to have you on the show. Could you just explain to us a little bit about your role at Forcepoint and maybe how we got to where you are today?

Nico Fischbach: I joined Forcepoint 4 years ago and the global CTO and VP of SASE engineering. There's a couple of other things I'm doing, so I also run companywide innovation. And I also run what we call  XLabs. XLabs is a security research lab where we do all the cool research. Before that I spent 16,17 years at Colts in the city of London Telecom, moved up the ranks and at some point Matt Moynahan, the previous CEO of Forcepoint, reached out and he convinced me to join the Dark Side, aka work for the vendor. I can tell you the ride has been a fantastic ride so far. 

Zac Abbott: Now Nico, before we start the show I always like to ask our guests more of an off-topic question to get to know them a little better, so with that in mind, Adam you think of one too, what is your most useless talent?

Nico Fischbach: So I don't know if it's a useless one, but it's one I've never used, but it’s a funny one. People on the podcast - it’s audio only so they will have to Google me and see if it's actually true or not but a lot of people sometimes approach me like, “Are you Bruce Willis?”. A few years ago on a German highway I was driving and then the car next to me that I just passed, pulls up in my lane again and the guy puts up a sign like “Are you Bruce Willis?” as I'm driving. That was the first time years ago and then four or five years ago in Hong Kong I was there with the team, local team, we going for drinks one of the evenings to celebrate a win and we take pictures and people started to queue.

Zac Abbott: That's amazing.

Nico Fischbach: And people were saying, “Would you mind I want to take a picture with you,” and I was like, “I'm not who you think I am,” and they're like, “But you’re Bruce Willis,” and I'm like, “No I’m not,” so there's been this running joke and me responding and my wife is not Demi Moore, which sometimes xxx off my wife. But let’s put that as most useless skill and people have to Google me and see if that's true or not. 

Zac Abbott: For the benefit of the listeners, we’re talking very much Die Hard 4 and not Die Hard 1. Just so you can get an idea which is great because actually also quite Die Hard 4ish, Adam Louca, let's hear your most useless talent and I'll compare.

Adam Louca: I'm upset because I feel like as a second class Bruce Willis I’m xxxx. My most useless talent is the ability to rap almost all of Kanye West ‘My beautiful dark twisted fantasy’ in its entirety. It's not something that's particularly useful, however that album is deeply ingrained in my brain and if you get probably more than 4 pints into me I probably will spew it out at some point to somebody.

Zac Abbott: Fair but without the pints, couple lyrics now?

Adam Louca: I'm definitely not doing it now I'm going to save the small amount of pride that I've got left for this recording.

Zac Abbott: Booo, booo! Based on that alone I've got to hand it to Nico for being a fake Bruce Willis, that's the win right there and that's enough of that, let's be honest. Right, let's get on with the show. Maybe starting with you Adam, can you just explain how the challenges of securing end-users and managing their behaviours have evolved in the move to widespread remote working?

Adam Louca: So I guess there's, for me, to sides so that, there's the physical migration of those users from on-premises networks, on being connected inside this safe and secure bubble of our corporate networks that we've spent time investing and preening and making good and secure places to these users that are now distributed across the globe, across the world in their home offices in... sitting on sofas, sitting in tiny rooms not designed to be used for long-term work and with that migration has come a couple of changes hasn't it? Fundamentally when I speak to a lot of customers there is an acceptance or there is that the security controls that are deployed on-premise potentially don't marry and don't always match up with the security controls that are there when we work remotely. So there's that one side, so the very much that technical, how good is my security controls? Am I offering, am I protecting my users adequately when they're working remotely? I think the second part of that is more behavioural. So how does the way people act change when they're no longer in a work environment? So actually when they are at home, when they are in their own personal environment, how does that change the way people act, the way they think and also subsequently how does that potentially make them more open to social engineering and other types of attacks that potentially they may be more aware of should they be in a more structured and formal environment? And I think both of those things are really important for businesses to understand and to start to address as they... people talk about adapting to the new normal but if I'm perfectly honest I think it's as they start to see the value also in being able to operate as a hybrid workforce, rather than potentially being very much focused on on-premises environments and I know Nico, Forcepoint as an organisation and yourself has done a lot of work into user behaviours as an area. Have you seen any evidence, anything that would back up that shift in people's attitudes when they work at home?

Nico Fischbach: I think you see that exactly what you saying. It's all about first of all the Follow-me policies. Security posture, the policies you put in place when it was work in the office, you already had people travel, you had the remote workforce, the road warriors, right? But the Follow-me policy is something that comes about all the time, and then user experience which drives user behaviour, to your point. How do you make security usable with the remote workforce and make sure that they actually then still think they're working in the office and still create that bridge, that wall that needs to exist between the private, the way you operate sometimes on your private devices and the way you operate on your company device because even then there's some blending that's happening in some organisations, maybe many listeners they were lucky enough that the company, over the course of a weekend or a few weeks could handle the laptops that were company property, they were secure, they were running the usual tools and policies, but there's also many organisations where people at home are sharing devices and people are like, “Let's use the family iPad,” put Office on it and this is shared by the kids doing sometimes school work on it, so it's like this blending has happened as well in terms of device usage where we kind of called it ‘the remote office’ has become a branch office of the Enterprise. So you have sometimes dozens, hundreds, thousands of branch offices with local networking, local Wi-Fi, a lot of IoT devices, home IoT devices, shared usage and how do you make sense of that and how do you still continue to protect the key assets? Both the user, from compromise, but also the company data that this user is using either at home or remotely, because this is also making local copies, we might all be lucky because we probably all have enough bandwidth into the home if it’s fibre or something else, but in many regions it means you have to download files locally, you work on it locally, on your Excel sheet, you push it back up, right? Local copy not tracked, where is it going next? So to me, I think you're right Adam it's a mix of policies, Follow-me stuff but also whole user experience drives user behaviour.

Zac Abbott: From someone who knows a lot less about the security environment and what it is right now, it seems like it's very easy to just say, “There's more remote connections going into your organisation so that's more of a security threat.” Is that the biggest way that the changes have evolved or is there other threats that maybe have snuck in and people aren’t so aware of because the biggest takeaway would be there's more remote connections so there's more weak points?

Nico Fischbach: I think, Zac, you're right, but that was really the first weeks and the first months where it was all about VPN scaling. People rearchitecting the remote access, forgetting that the security posture is changing because of that, not realising that the data shifted from a lot of on-prem or very early days cloud applications into SaaS applications, driven by other departments, so I think that wake up call happened towards the end of the year. At least if the numbers speak, that's what we saw in terms of uptick in data protection programs and also the uptick in, I want the IP, some people call a Legacy piece of technology, which is still super important, like shifting to the cloud. It's kind of whole follow-me approach data protection where you want to have the same policy for data protection independently of the channel. It's more than just ‘let’s secure the email channel’ which is still the channel where most of the crap comes in, if a search is secure, like you said, Adam, try to keep it out, where most of the data xfils happen, either by mistake or people are compromised, or because people are rogue, but then people have shifted channels from email to cloud, like, think of dropboxes to cloud-native services so what you really want to have is a holistic approach to data protection independently of the media or the means of transport and look at this post in transit or rest? But then the weak point, to your question Adam, is still the home user because endpoint fatigue, because you have to give sometimes the local user admin rights to be able to print locally, is that being abused? I think a lot of people struggle with no GPOs and other evolutions of the local assets to enable the remoters to work, and not just turn their workstation to a typical client model where you don't do anything locally and everything happens in the cloud, you need sometimes to do things locally.

Adam Louca: I think that's the piece, isn't it? As you say, there was that evolution, but there was also I think we’ve reached a point where there’s a fundamental acceptance that this is the new operating model and I guess when businesses are going to choose to make an investment, I think a lot of people were considering this pandemic, have activated DR, essentially, we are operating with a reduced security footprint, we’re acceptant of that additional risk because fundamentally, we need to keep the business on and the lights on and things working so we will accept that, but as this pandemic has continued and the requirement for hybrid and remote working has continued, it has become now a standard part or rat least an increasing part of people's normal operating models so they're starting to want to mature those controls and those protections. And Zac just to your point on threats, I guess my addition, I totally agree with Nico’s one that he put up there was, is probably thinking about actually how is the data being used? So Nico spoke about this idea of syncing a lot of files down and putting that data, well actually how are people getting that visibility back that previously they didn't have? And also how are they doing that without impacting performance? So a lot of these questions are quite simple to fix so, hey, you want visibility, tunnel all the traffic across a VPN, you get visibility. It's not a problem, but actually the hard bit is how do you get that benefit without having the downside which everyone is aware of is latency, overhead, especially on voice and video which is what everyone is doing 10 hours a day probably, minimum these days. That for me is the big one, is how do we give the users what they want but also keep the visibility level at least as good as we had it before if not actually let's try and make it better, let's try and evolve this a bit.

Zac Abbott: Cool, ok so we’ve talked quite a bit in-depth there about what the challenges companies have faced and how they've evolved over the past ten… years, months, whatever it's been since this whole came about. So Adam what are security teams doing to effectively manage those situations?

Adam Louca: I guess they're doing a number of different things. We are really starting to see organisations evolve their approach to securing these users outside of the office and that generally related to building a ecosystem of technologies that protects the users regardless of their location, so actually applies a uniform approach to security, regardless of where they are physically located. And this typically has involved a shift to cloud-based security platforms as we devolve those security layers away from being something that is physically located somewhere on your network to being something that is located actually where your users are, or it's located where your Cloud services that they're predominantly accessing are. I also think that the second side is we’re really seeing a shift towards identity-based approaches for networking security concepts specifically and there's a lot of talk in the industry around zero-trust and something that's been around for a long time it’s... I think it's a term that won't die, and I think for good reason there are some definite advantages to taking a zero-trust approach. My bugbear a little bit with zero-trust is, it's not that it's bad, it's not that it doesn't work, it's not that it isn't logical, it's just this idea of zero-trust. To me it's least privilege isn't it? It’s about understanding what do people need to access and what is the least amount of access I need them to effectively do their job? I’m always slightly challenged with this kind of zero-trust and the way it's dressed up a little bit, for me it's an adaptive security model that is based upon - who are you? Where are you going? Should you be allowed to do that? Really at the simplest of terms, what do you think Nico?

Nico Fischbach: Totally agree, that's why we call the concept internally, risk- adaptive protection, which is exactly that, because I have a problem zero-trust term as well because it's very negative. I think in some of the language we use is adaptive-trust, like you just did, or connected-trust because you want to connect users with the applications with the right privileges and you want to do it in a way that is not a one-off authentication depending on the behaviour from the end user changes and the risk he is posing at a certain point in time, to company data or company systems, you evolve it. If somebody in Sales is trying to access too much information and whatever is in SharePoint and trying to get into HR you find ways to start to restrict him, right? Because is it still Adam or Zac? You're in sales, right? So is Zac still Zac behind the keyboard or did someone compromise him or is Zac a leaver who is starting to stockpile data, like customer lists, trying to walk away? You'll never do that, right? Never ever?

Zac Abbott: I would hope not!

Nico Fischbach: Zero trust to me is this concept of risk adaptive and risk privilege, but also time but those people change depending on the data, depending on the level of marking on the documents and that's why you see the data protection programs having moved to  way beyond just doing basic policies, pii type data and so on you’re bringing in discovery, classification and labelling you want to use that, combine that with the risk you get from the user behaviour and that's how you evolve over time, but I think what's important is again, the user experience. You want the end user to understand why his access is blocked. You want to do it in computer time, machine time not in human time, ak automate and not use SOC analysts. Again, goes back to the user experience - you want to protect the data when you need to but the user needs to understand why he's blocked and you want to help the help desk, and you also want to make sure that every soc analyst doesn't have to look at every single event. You want a lot of context, and I think that takes us to how we make it happen as an industry by having machine learning, automation, user behaviour that goes beyond just single alerts and single events. And that's how you create that one user experience which is more fluid but still protect the company data. And that's really how I would call it, but that's to me the concept of that.

Zac Abbott: I think certainly from a user perspective, the name zero-trust, at a time where culture and staying connected with your users and having togetherness is a really big feature, I don't think zero trust is a term that really helps install that, so I think risk adaptive or such things that you've just mentioned definitely seems like the way forward, in terms of selling it as a concept to the users etc. So that risk adaptive security, how would that play a role in the way that organisations would respond to threats today, Nico?

Nico Fischbach: So I think it's twofold, right? Because you'd still be looking at infrastructure security side, security hygiene 101, you still need to do that but it needs to be hidden from the user. But it's becoming difficult, if you go back and look at all the data from x labs in early weeks of the pandemic all the covid themed campaigns, they were super targeted. People faking Office 365 credential losses, some of them were really impressive, and they're so targeted that they make it past a lot of the controls and even sometimes security teams have to dissect the same last bit to see what's going on, that's why when Adam said earlier, don't blame the user, he's not the weakest link, because sometimes it's hard for us to help him, so if he makes a mistake to click because it wasn't obvious to him, how do you catch it and that's where user behaviour comes in, you see this user connecting from somewhere in the UK at the same time is coming in from China trying to access Office 365 resources he shouldn't be touching, there's easy ways to catch it and that's how we need to help user because honestly what we've seen is of some of those things are pretty easy to catch and you want to integrate them with other IT management tools, to Adams point, people have shifted to using a lot of single sign-on platforms and making IT the source of truth, and what you want, you want the analytics engine to be able to drive through risk adaptive what you want to do, so is it still Zac behind the keyboard trying to access files from HR, I’m going to trigger an MFA request, prove me that it's still you, you still have the credentials and this type of thing something more interactive. I'm not going to say it's gamification of identity and security and access management, but to some extent it is. That's kind of the end user view. And the other side of the pane of glass is how do you make Socs effective by really doing the things in real-time and helping them indicate the user? If the user gets blocked they can come in, call the user and say, “We've seen you do this, do that it, was it really you?” or maybe you need access to that data for business purposes. So people in data protection programs using business coaching. Your user can override but you have to provide justification which would end up in the audit find. So I think there's ways to go from this very binary approach of your blocking a load, to something which is risk adaptive and emploring the end user to override the policy by just having to provide the justification for it.

Adam Louca: I think that's very important, isn't it? And there is really two users, isn’t there? When we think about users there is the users from a sense of those end users that we’re protecting, but also security analysts and the security teams are also the users of these technologies what you said about providing context really stuck with me. I think I’ve, for my sins, been involved in a number of data security and dlp projects over my career and I have to be honest, a few of them have been pretty hairy, a few of them have been really hard work and we've gone with quite a manual static classification model that’s maybe not as well understood as people think it is, when there's always a big difference on paper between here is the academic data classification and handling policy vs here is actually how it works in the real big bad world and before you know it, organisations who have legitimately hundreds of thousands if not millions of alerts kicking off in those situations and I think without the evolution into that more anomaly-based and kind of grey area where we can help people understand the context of an alert and also more broadly what happened before and after potentially a specific alert, it’s very difficult then to really understand what is important, what really truly needs investigating vs what maybe is a false positive or maybe is just a limitation of the classification system rather than the system itself.

Zac Abbott: So you guys have talked quite a bit there about data and the importance of data and protecting it, but something that you mentioned earlier was managing user behaviour and then also not blaming the user for being some of the increased threats and things like that, so is end user security training, is that an effective way to manage that user behaviour?

Nico Fischbach: End user security training, security analysis need to continue and again I think what's interesting about all these things we know about telemetry and having insights, you can make those trainings better and more spot on, right? You can have specific examples, not generic training that everybody has to take two times a year, but specific examples like ‘this is a phishing attack look how clever it was, that's how we stopped it, that's where maybe you as a user helped us stop it, where your behaviour helped us help make the company better’. I think it's this positive outcome of this approach, But the other thing which I think is still important is it's not just the Endpoint security itself, I think that was also part of your question, where there’s a lot of Endpoint fatigue comes up all the time, but what we’re seeing there, as much as we see convergence on the platform side with SASE, we also see convergence on the endpoint side where you see convergence of connectivity, so endpoint providing connectivity by coming into the organisation, being in private access or cloud security. Endpoint providing security hygiene, endpoint providing analytics to drive user behaviour, and you still need to do a lot on the endpoint because that's where you'll get the best data, where you have highfield data, when you don't have to push it all to the cloud so managing privacy is much better. But it's not everything, in some people's mind everything can and needs to be done at the endpoint, but the problem is when you have users on multiple devices, you need cloud connectivity to reconcile, you need to manage reputation over time for those users. There’s stuff you don't see on the Endpoint where there’s access to all the applications that are sitting somewhere else, so what we are seeing there is Endpoint security and fatigue is there but I think with the convergence of the Endpoint front, that's becoming better in my mind and the ability to have best of both worlds, combining data from on-prem, on device including device posturing to some extent, what's happening in the cloud and even sometimes ingesting third party data, that takes us back to the old school UVBA days, but there is still value into some of that, depending on where you operate. Let's not just look at the Enterprise, but you’re also talking governments, federal agencies, States and other places where third-party data can also make sense that you want to ingest to help your analytics outcome better.

Adam Louca: I think that ecosystem thing is really important. I think there's an increasing recognition that the only way we're going to create an environment that is feasible to operate for most customers is technology needs to integrate together and that can't just be vendors’ own technology, that has to be more broadly across the security ecosystem and one of the things that's made me really happy this year is just seeing the focus a lot of our vendor partners have had on ecosystems and offering out-of-the-box and off-the-shelf integration between different products that means that either they can share threat data or they can share automate responses or contain threat a little bit more easily for customers and that's really nice because specially in the more security-focused space, we are profiting off of the customers’ data because actually where does everyone get their IOCs from? Everyone’s threat feeds, everyone's clouds of data which protects all of their customers across the world, they come from our customers themselves and for better or for worse we monetise those things and I always think that's a bit of a quid-pro-quo, you get access to everyone else's IOCs, we take yours and share those with everyone else. But on the flip side, when we don't allow customers to then reuse that within their own environment, I think is where we start to maybe do our customers a disservice and not allow that data to be used more freely within their own environments. 

Zac Abbott: So with all that in mind then, what are we likely to see as remote working or hybrid working continues to be the main way organisations operate?

Adam Louca: So organisations are going to have the tools they need to adequately or to trust their users more and I think a lot of the reasons why people use that maybe slightly negative language language of zero trust is that they don't feel like they have the visibility, like they have the guardrails to trust users, to allow them to do the best they can do and to allow them to make decisions and have autonomy for themselves. And I think as organisations’ maturity starts to grow what we actually start to see is actually organisations who invest in these technology areas they don't end up more restrictive, they end up less restrictive because actually they can say yes to more things. Security fundamentally if done right and it is my honest view as I'm a very positive person and I would hate the idea of cybersecurity being seen as this, it isn't a blocker, it has to be an enabler, like the whole point is to be able to say yes to more things but be able to say yes because you can do it properly and you can do it securely as opposed to saying yes by de facto answer because you aren't able to see it or you aren't able to control it, so my personal belief is the future of this is really creating a point whereby security controls are applied across the whole environment, we understand them, we can measure them, we can understand when things go wrong, we can have the guide rails and really we can give the power back to the individual to say, “You know what? You are the best at doing your job actually within these parameters, here is the agency to do that, here is the agency to deliver and be the best, have the best outcome for the business”. I mean Nico, what do you think?

Nico Fischbach: I agree. I think it's not going to go away. I think we won’t be going back, the hybrid approach is going to be here to stay. I think people enjoy the flexibility of remote working, I know it also comes at a cost, quite often to families and private lives, but I think in general it’s the organisations completely rethinking their approach to it offices... The thing I would say though is what we've seen internally at Forcepoint and also talking to other CIOs in other organisations is there's still a challenge, it's maybe less security-related but it's how do you engage the users? Everything which was in flight, when the first logged on ctas, and we’re a global organisation, so it was a different point in time, but go back to Q1, Q2 2020, everything which was in flight people managed to keep it running, keep delivering and so on. The challenge is how do you start new things? And to start new things is difficult and I'm wondering if that applies also to security. If you want to do security differently, if you want to engage the users differently, can you do that over Zoom or a screen? And that's the challenging piece I've seen. I've seen that you need to repeat things, that you need more meetings to make sure it stays engraved. The decisions get really understood, it is multitasking making its comeback which for many is not good. And if you multitask too much, your security is going to become weaker. There's a lot of things, a lot of questions to me that we might be going into an area that is not any of us have been which is more the psychology, that's why I think in terms of things we’re doing in xlabs, with human behaviour research is how do you apply human psychology to computer security? And it's quite funny because some stuff, some of the research I've been working on was much more about user experience which we talked about a lot here and not really what's the best way to do machine learning and train that model and whatever it's how we interact with this user to make sure they've got the new thing? The video’s like, “hey guys your security research is in psychology so why are you doing this?” and then it’s like, “ok this whole user experience and how do you get the buy in, how do you engage, how do you make him proud of it?” is actually much more important than having the latest indicator of behaviour that's going to detect something that it shouldn't be doing. 

Zac Abbott: So Nico what's your take on culture vs control, do you think organisations should be giving more agency to users?

Nico Fischbach: Yeah I think so. The days of company controller over. I think that's old school management. I think trusting users is much more important, you need to coach them, you to help them, you need to educate them. It needs to happen when something triggers. So like this business coaching, for example when there's an event I want data protection, and explain that the data is of certain value, that if it needs to be sent, think about it. It's this stop and think and then provide what the purposes are to do it, so you don't block the user from getting his work done, so you should really empower and trust users because at the end of the day, if you look at data, you don't have a lot of rogue users in organisations. Everybody in general wants to do the right thing. Understand the spatial state or mindset, now they're a leaver, they've resigned, they are compromised, they are an asset, they are here for espionage, but that's usually a small subset. Depending on data, some people say it's less than a percent, some people say it's 8 or 9% for an organisation. Which if you having a large organisation, is quite a large number, so if you think, can you really have that many? But quite often people are making mistakes, they're being compromised, let's coach, but let's coach in real time so that they actually understand in the act, if that's proper English, what can be done or not done.

Zac Abbott: And for organisations that are struggling to move to more freedom, how can you or how can they bring the idea to the board or c level and get their buy in? 

Nico Fischbach: I think it's usually at the board level it's somewhat numbers. I think it likes to explain the business benefits of that change, what's going to drive in terms of getting better business outcomes, being faster to respond to FPs, being be able to support customers in a better way. I think they need to explain that, if they can, with metrics that really with the business outcomes we want to do this and give the users here’s the trust because it's going to drive this, and that's going to be a business benefit, that's how the customers are going to like us more. You’re going to increase your NPS score because the support team can react in a better way and first time to fix on first touch it's all those things. I think it's about the business outcomes and same thing, like I said in the intro, SASE, people looked at it as a reference architecture, something super technical. I think it is more like something you should also address at business-level and educate your board about. How this is going to help with business outcomes. 

Zac Abbott: Something we've mentioned already but SASE, can we get a quick definition of what does it actually mean?

Adam Louca: So I'll take the literal definition, as in what the letters mean and then maybe Nico can give his view of the framework itself. But SASE stands for Secure Access Service Edge and is a term created by Gartner for a framework of technologies that enable customers to protect users when they are accessing various different services. So that's my take on it, Nico what would you say, and I guess what is in the SASE framework, typically? 

Nico Fischbach: I think you're right and it's kind of SASE is... you’re delivering security for the cloud, all of the cloud to enable the use case, one of the use cases you mentioned which is the remote workforce. In terms of technology stack what it means is you move from a world where everything was rack and stack, on-prem, point solution equipment, shifting to the cloud and being consumed as platforms in the end. So moving away from point product on-prem, moving to a SaaS based, consumption-based security services, cloud security services, but also data protection, because again, for many users, SASE was just like cloud in the top security shifting to the cloud, that was one layer, but there was also data protection, the identity concept, being risk-adaptive across that stack, that's really where we're going and I think it's more than a technology framework as well, it's an architecture, but it's also I think, it could become some sort of a business reference model on how you do things like we mentioned already consciously discussed in this podcast.

Zac Abbott: Perfect that is about it for this week's episode. Guys, thank you so much, it's been really great hearing your thoughts today. Before we wrap up properly, Adam can you just give us a quick maybe like the key takeaways from today's episode?

Adam Louca: Yeah for sure. So really when we first started talking about how the shift towards remote and hybrid working has changed the way organisations deliver networking security and protection of those users. We spoke a little bit about some of the threats and additional considerations that organisations need to make when going through that shift. We then took a hard left into looking at the psychology and the way users interact with their systems and how some of the behaviours that they make are driven by the methods and the things that we make users do and the processes that we put them through and then before coming back round to this idea of actually how does business culture change due to remote working? And also what are the benefits of giving users freedom and the rights to do what they want versus having that control?

Nico Fischbach: You know, it’s quite funny right, we all technologists, we didn't talk tech, we spoke about everything else and how we use tech to enable this for users and the Enterprise which I think is fascinating!

Zac Abbott: Perfect, thanks very much guys. That is it for this first episode in the remote working deep dive mini series. Nico, Adam thank you so much for your time today, really appreciate it.

Nico Fischbach: Thank you.

Adam Louca: Thank you Zac, nice for having us.

Zac Abbott: And thank you guys for listening to today's episode. Keep an eye out for the next episode in the series coming out very soon. If you want to know more about anything that was covered in this episode or want to get in contact with us, feel free to email us at [email protected] Make sure you click subscribe wherever you get your podcasts and we’d also really appreciate you giving us a review or leaving a comment on whatever podcast platform you use, we’d really love to hear from you. Thanks for listening to Explain IT from Softcat.