As part of Microsoft’s “Zero Trust: Going Beyond the Why” series of digital events, Mobile Mentor Founder, Denis O’Shea, sits down with Microsoft’s Security Product Manager, Daniel Gottfried, to discuss the importance of providing a great employee experience for companies adopting Zero Trust.
The two discuss the remote transformation of the workplace since the start of the COVID-19 pandemic and how these changes have affected the Endpoint Ecosystem of companies far and wide.
Key Principles discussed during this session:
Adopting a Zero Trust cyber-security posture
Deploying Zero Touch device provisioning like Windows Autopilot
Read below for a synopsis of Daniel Gottfried and Denis O’Shea’s conversation on Zero Trust and the Endpoint Ecosystem.
What is the Endpoint Ecosystem and what was the inspiration for the 2022 Endpoint Ecosystems Study?
The Endpoint Ecosystem System is a concept that includes all the devices, operating systems, applications, sign-in experience, and support that employees use in their professional working environment.
The inspiration for the 2022 Endpoint Ecosystem study stemmed from the massive shift in the workforce over the past two years. In that time, millions of people started working from their home offices. These employees all have a cluster of devices on their desk, maybe a desktop or laptop tablet in a smartphone.
On these devices there’s operating systems running that need to stay current. People are signing into all their applications and devices all day, and they need support putting all it all together and getting it all working. That cluster of devices, operating systems, applications, and authentication along with the employee experience is the Endpoint Ecosystem.
When the Endpoint Ecosystem is working well, companies have happy and productive employees. It’s extremely important now to have everything working well for remote workers. As we come out of the pandemic and we kind of fall into these new patterns of hybrid work, we need ensure that the Endpoint Ecosystem is working well in the home office, during travel, and at the office. It is critical that our teams are secure regardless of the device they are working on, and that they can be productive working from anywhere.
We wanted to bring that data back to IT leaders to help them gain an understanding of what is really happening in their businesses inside and outside of their offices. So, we conducted a nationwide research study in Australia and in the United States to understand the frontline realities of what’s happening as we come out of this pandemic.
What were some of the interesting things that you found within that study when you were reviewing the data?
Firstly, I think it’s very important to look to see how much has changed in two short years. If we consider what work was like pre-pandemic, you think about people coming to work in a specific office location. They sat down and logged in to a machine that was owned by their employer, and they were likely on a domain or corporate network. From there they worked for 8 hours and then logged off.
When the pandemic happened five massive changes take place in two short years.
First, we were all told to go home and figure out how to work remotely.
Around that same time, there was a 500% increase in cybercrime.
We then had a global chip shortage, forcing businesses to embrace “bring your own laptop” policies.
Then in 2021, the great resignation occurred. Employees began considering that they could simply swap one laptop for another – and that’s a career change.
Gen Z has entered the workforce bringing new values along with them. Many Gen Z employees have entered the workforce on a remote capacity only.
These five factors were like nothing we’ve ever seen before, and what we realized is there are two tremendous weights on the shoulders of IT leadership. One is security, the fear of being breached or ransomed. The other is retaining and attracting talent. Every organization we talk to is struggling with both of these in tandem. The battle for talent is intensifying and security concerns are escalating.
Why does the Endpoint Ecosystem matter now?
The way that our employees perceive our companies and do work today, is all through their endpoints.
Picture the Home Office. Again, people are sitting there looking at their screens and engaging with their company by way of those endpoints. They view their company by how those endpoints perform and work. This is determined by ease of use in terms of authenticating and getting access to company information that influence the employee experience each day.
When we think of the Endpoint Ecosystem, we consider the authentication experience from the day employees join and are onboarded right through the day they leave. The combination of devices, operating systems, applications, authentication, and support defines the employee experiences as of today.
How does Gen Z relate to Zero Trust security and employee experience?
Well, there’s a lot going there with this very interesting generation. First off, the only generation alive that has no recollection of 911. For those of us that did experience the event, it had a profound impact. We saw security drastically tighten up and impact every aspect of our lives. For the 20 years after that, security was a huge part of our lives. Gen Z didn’t experience that shift and their lives weren’t disrupted by security in the same capacity as previous generations.
Another thing to consider is that many Gen Z individuals got their first job during the pandemic. This means they likely joined their company remotely and then worked remotely as their norm. So, they’ve had a totally different experience from the rest of us. Security does not mean the same to them as what it means to us.
Earlier generations talk about security all day, every day, but Gen Z doesn’t think about it. They think about privacy and they think about other things. It’s on us to make sure that we find the right balance between security for our organizations and empowerment for the incoming Gen Z because we need them.
How do you communicate with employees about security?
One of the questions we asked in our research is: what’s more important to you, your personal privacy or your organization’s security? And the results were 80:20. People put their personal privacy way ahead of their organization’s security, and that’s across all industries with only a slight variance across industries and ages. By and large, people care deeply about their personal privacy far more than corporate security.
One variance we should consider is that Gen Z sees things differently. In our study, when we asked Gen Z how often they see a security policy at work, a significant portion answered “never.” Now, we know that this isn’t true because most companies have security policies that they’ve deployed consistently. The problem is that this generation is not paying a lot of attention to security messaging coming from the employer. The really interesting paradox is Gen Z sees privacy policies more than any other generation. From that, we can derive that they are far more concerned with personal privacy than company security.
When we talk to employees about security, we should reframe our positioning to focus on privacy and security as two sides of the same coin. Our security conversations should start with a slant on securing employees’ identities as the foremost concern, we’ll have their attention when we begin drawing parallels to company security.
What other fascinating insights did you see across all generations?
The trend of shadow IT is very interesting. We found that 46% of people told us they find their corporate security policies to be too restrictive. Forty-Two percent (42%) of them admit that they work around their company security policies. And then 57% of people told us they prefer working on Gmail and Dropbox. And that’s a tragic realization.
The rampant pattern of shadow IT is worse for remote workers. We found that because they’re out of sight, remote workers are the ones who probably need to collaborate the most. They’re pushing the boundaries of the way companies work. And if anyone is going to find ways to work around policies and start spitting up other tools that are not sanctioned by IT, it’s going to be remote workers.
The lesson is that any time we’re deploying a new tool, a new way of collaborating, or a new way of working, we need to bring remote workers into the process and make sure they’re part of the decision. Because if we get it right for them, we get it right for everybody else. It is up to IT leadership to make sure that employees have the tools they need so they’re not tempted to go and use tools that are unsanctioned.
When it comes to technical support in enabling hybrid work, were there actionable key trends in the Endpoint Ecosystem study?
To begin, the data yielded some slightly depressing statistics around how frontline employees perceive their companies it’s IT support. They believe support is poor in general and not meeting their expectations.
Because the world has shifted, people who are working remotely can’t just walk up to somebody in the IT department and ask for help. It’s more formal than that. Employees need to log tickets to chase IT help down. The younger generations perceived logging a ticket as a bit of a stigma, they’d rather just have a quick chat session with somebody and get it over with.
There is a bit of friction between remote workers and traditional IT support. The onboarding process is clunky. and there’s a lot to be improved in this area. Removing passwords removing traditional imaging and making all the updates and patches automated and over the air will eliminate some of the friction between IT and end-users.
What are some of the strategies that help security teams get to that stage of balancing deployment of a Zero Trust posture, while also maintaining that employee experience?
Going passwordless is a great place to start because it is a journey. A passwordless experience is likely one of the most immediate ways to improve your employee’s overall experience and improve security in one fell swoop.
Hopefully, every organization is by now looking to leverage biometrics across all devices.
But the journey also includes getting multifactor authentication working where it’s needed, getting single sign-on working, and choosing applications that have single sign-on compatibility with Azure AD. Those must be mandatory criteria when choosing any application.
There’s a linear path on most companies’ passwordless journey. However, large businesses will have obstacles because they have legacy infrastructure and it’s complex. So, if you think it’s going to take you more than two years to get to passwordless ready for deployment, get a password management tool in the meantime.
What are some of the things that your team can do to help businesses get to a passwordless state or adopting a Zero Trust posture?
We’re really champions for getting businesses to a modern configuration and getting clients set up with a Zero Trust architecture. Mobile Mentor is a service company, so, we’re helping our clients to deploy Microsoft 365 licensing in the most intelligent possible way – so that they can get started with Zero Trust.
We help these groups get all the framework deployed to secure their identities, secure endpoints, and get their conditional access policies designed and rolled out. We also get their data estates properly added to OneDrive and all their applications managed, and all the patching automated.
So, that gives you the Zero Trust framework, and then upgrading to Microsoft E5 will automate, streamline and make that framework more elegant and functional. Most of the work we’re doing is helping businesses plan then execute and manage the environment for them to keep them in a safe place.
With all this technology, it is not ‘set and forget.’ Everything is changing all the time. Our devices, operating systems, applications, and security posture is changing every day. It’s different for every employee because each individual has a unique combination of applications to use. Keeping on top of this is a full-time job and we help businesses manage that, to get them to Zero Trust and keep them there in a safe place.
Want to learn more about Zero Trust and the Endpoint Ecosystem?
Click here for additional information on the Endpoint Ecosystem study referenced in the interview.
Click here for additional resources on Zero Trust
Click here to access additional sessions from the “Zero Trust: Going Beyond the Why” series