Businesses are confronted with a never-ending stream of cyberattacks ranging from DDoS campaigns and malicious bots to ransomware and intellectual property theft.

By David Jack, director: EMEA product strategy at Citrix

Security leaders know about the urgent need to rebuild their defence and mitigation infrastructure from the ground up – but where to start? One little mental exercise can go a long way in helping to identify a future-proof security strategy.

Last year, the IT security market saw SASE (Secure Access Services Edge) emerge as the new must-have technology for the age of cloud-based distributed work. However, many IT organisations are struggling to put this new security paradigm into practice.

There are two main reasons for this. First, SASE encompasses a very broad set of technologies that need to be taken into consideration: on the network side, aspects include, among other things, Remote Access solutions, WAN connectivity and optimisation, content delivery networks (CDNs),and software-defined WANs (SD-WANs); on the security side, relevant technologies range from traditional network firewalls to cloud-based secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA), firewall as a service (FWaaS), DNS security, and more.

The SASE concept challenges decision makers to address several network topics and, more importantly, multiple security technologies at the same time – begging the question which aspects to prioritise, and which technology update to tackle first.

Answering this question is made even harder by the fact that enterprises already have a historically grown security infrastructure, mostly on-premises and sometimes in the cloud, that needs to be matched to the SASE roadmap and introduced without interfering with employees’ ability to continue their work.

The second challenge is rooted in the fact that SASE is widely viewed as a mechanism to consolidate the enterprise security landscape: the idea is to replace multiple point solutions by switching to a SASE provider with comprehensive feature coverage.

However, while numerous vendors position themselves as SASE providers, the scope and depth of their portfolios vary considerably. This makes it all the harder for security teams to replace the current best-of-breed approach by switching to a SASE provider: there is no “one size fits all” SASE solution – and no vendor can claim to tick all checkpoints with a fully comprehensive solution yet.

One useful compromise might be to take a best-of-suite approach, and to fill any gaps of the selected SASE offering with a few point products. This, however, once more leads to the same question: which security aspects need to be prioritised, and what should be the starting point for innovating the security infrastructure?

In this situation, it makes sense to mentally step away from the noise of competing SASE offerings and the deluge of security intelligence about the latest vulnerabilities, APTs, ransomware as a service, DDoS campaigns, API-level attacks, zero-days, etc. Instead, imagine for a moment what your company’s workforce will look like in three years.

Will future employees still be the traditional office workers that used to be so common in pre-Covid times? Probably not. Long before the pandemic, digital work had started to morph into flexible hybrid work, with some workdays (or hours) spent at the office and some remote, with increasing use of mobile, sometimes even privately-owned devices, and with fast-growing consumption of cloud services in addition to corporate resources. The pandemic has simply turbocharged this trend.

Future digital workers – especially the highly skilled professionals that are so much sought after in the global “war for talent” – will most likely insist on being able to work efficiently, conveniently, and securely wherever they are, be it at home, at the office, at a customer’s location, or on the go.

Some will prefer corporate equipment, some will want to bring their own devices, some a mix of both; use of the latest and greatest technology the industry can provide will become one of the tools to attract and retain the best talent.

On the software and services side, the move towards the cloud is likely to continue, creating an increasingly complex hybrid landscape of on-premises legacy technologies and a dynamic set of cloud services – including some unwanted ones that IT teams will need to keep out.

Using the future employee as a reference point, CISOs can work their way back from there and evaluate: what will be the most likely – and most critical – security risks for the 2024 workforce? For example, highly skilled professionals will sooner or later be hit by targeted attacks – while every worker, from a call centre agent to a CEO will also be targeted; ransomware only needs a single person to click on a malicious link.

Having established the risk environment for the future workforce, many considerations follow: what will be employees’ most pressing needs when it comes to working securely from anywhere, anytime, with any device of their choice, be it a managed corporate device or employee owned BYOD? How flexible will the security architecture need to be to absorb the ups and downs of an ever-changing cloud service landscape? How will it be possible to combine security with usability, given that complexity or low speed will only lead to employees looking for workarounds, weakening the company’s security? How can the security posture be monitored continuously without impeding employee productivity? Technological considerations will need to be based on the answers to questions like these. Will, for example, the good old VPN still have a future in this scenario, or should it rather be replaced with a more flexible, scalable, and application-oriented remote security technology that incorporates the zero trust approach?

In 2024, the current “new normal” of flexible remote work will not be “new” anymore – rather, the workforce will expect to be able to work flexibly, remotely, and securely wherever they are, without being anchored to specific locations for access to important data or applications, using the hardware, software, and cloud services best suited to their task and work style.

Extrapolating backwards from the needs and expectations of future employees, CISOs have a good starting point for their security roadmap. After all, the heart of enterprise security is not one individual technology, or a specific set of technologies, but empowering employees to utilise the company resources they need with high performance, high confidence, and a high level of protection.

This is why the best security strategy is the one that takes you back to the future workforce that you – after careful consideration – envision right now.