3 Security Considerations for the Age of Connected Work
At OpenView, we recently shared our vision on the next era of product-led growth. We’re calling it the Age of Connected Work—where software becomes the connective tissue that powers our working lives.
We’re living in a time when software is open. Employees—not centralized IT teams—adopt and access the tools they need whenever and wherever they like. And ordinary people can customize software, with no specialized knowledge required.
While this era is being celebrated by end users, security leaders find themselves with more headaches than ever before. Employees are downloading new tools left and right, aggravating the risk of shadow IT. They want to integrate their various tools for better workflow automation, which opens up more attack vectors to sensitive systems. And people want to work on their own devices, from anywhere in the world, making remote access and zero trust a must-have strategy.
Here are three of the security implications of the Age of Connected Work, and emerging startups that are helping security leaders get ahead of them.
1. End users will download the software they want to use, without asking for IT’s permission.
Product-led growth means that software is no longer procured and implemented centrally by an IT team—it’s downloaded by end users whenever and wherever they need it. Historically, security leaders’ response to this has existed on two ends of a spectrum: lock everything down, or turn a blind eye.
“[Neither approach] is ideal,” said Drew Daniels, a five-time chief information security officer with over two decades of experience spanning large enterprises and hypergrowth startups. “I don’t want to be Draconian or restrictive. You need to be able to try new things to see if they work. That’s how you innovate. The question I have to ask myself [as a security leader] is how to make that behavior safe.”
Alex David, former director at Simon-Kucher & Partners and current founder of a stealth startup solving this issue for the enterprise, believes that this decentralization will push IT teams towards enabling self-service experiences rather than single-threading with individual employees—similar to how the growth of DevOps spurred the Platform Engineering function.
“The ideal setup is a small group that can set the entire organization for success,” said David. “You need a centralized authority that allows for decentralized decision-making.”
Startups like Lumos are solving this with an “internal app store,” where employees can request access to centrally-procured software automatically through Slack, mimicking the self-service onboarding experience we’ve all come to expect from the age of product-led growth. Lumos also offers AppManager, which gives security teams the ability to discover all of the applications their employees are using—even the ones downloaded without the company’s permission.
Security leaders should also encourage the use of platforms that allow end users to use their tools of choice, while still offering centralized visibility and governance. Cider Security is a great example of this in the developer tools domain. Rather than dictate that all developers use a particular scanner for code analysis, Cider’s marketplace allows you to easily integrate multiple scanners into their aggregation engine, allowing developers to use the scanner that’s best for them while giving security teams a comprehensive overview of code issues and centralized policy authority. As more products start to become built for openness, we expect more of the centralized platform opportunities to appear, in developer tools and beyond.
2. SaaS applications will become platforms, and integrating other tools into them will be the norm.
In the Age of Connected Work, software is no longer a walled garden. It’s open by default, and tools like Zapier or Workato make it easy for nontechnical users to build powerful automation between systems. This is not behavior that current security tools are well-equipped to handle.
“The age of monolith enterprise software is over, giving way to a hyper-connected web of applications and tools, each specializing in a specific task while providing innovative value as a whole,” said Alon Jackson, the co-founder and CEO of Astrix Security. “It will become an n-squared (n²) problem for enterprises as everything is becoming more connected.”
While this creates efficiencies for end users, it is not behavior that current security tools are well-equipped to handle.
“Many existing security controls like IdPs and CASBs are focused on securing the human-to-SaaS layer,” said Yoni Shohet, the co-founder and CEO of Valence Security. “With the increasing adoption of marketplace third-party apps, API integrations and no/low-code automation, security leaders need to shift their focus to securing their SaaS mesh of third-party integrations.”
In this era, security leaders cannot secure applications in isolation, and should assume that sensitive data will be accessed through third-party integrations as much as natively in the application. Companies like Valence and Astrix Security give security teams a way to discover the fast-growing web of SaaS integrations in their environment and continuously monitor inter-app activity, making it easier to discover things like data leakage or anomalous activities.
Alon said that while adoption of tools like these will be critical in the Age of Connected Work, it’s equally important to educate employees on integration best practices.
“Managing the expanding risk of third-party app integrations starts with good hygiene: conducting regular cloud security audits, and mitigating suspicious, redundant, over privileged access continuously. However, it’s not just a security issue, it’s a cultural one. Awareness is important so that employees know how to connect apps correctly and responsibly while running at the speed of the modern workforce.”
3. Personal devices will be used as frequently as work-issued devices.
End users have high expectations for how seamlessly our software should flow from location to location and device to device. The best product-led growth companies in the Age of Connected Work won’t force people to log onto their work laptop to use their software. If a user wants to check daily sales from the smartwatch while on their morning dog walk, they’re going to do it.
For security leaders, this means their crown jewels are being accessed on a device that’s of unknown quality.
“That always makes me nervous,” said Daniels. “Do they have antivirus installed? Can they support my EDR platform? It can be hard to get answers to that because most employees will say ‘This is my personal property, I don’t want you seeing what I do on it.’”
“The best products know how to tailor their experiences and security story to be fully compatible with this reality,” said Jason Meller, co-founder and CEO of Kolide, an endpoint security company pioneering the Honest Security movement. Meller recommends adopting security practices that assume employees will be working from unmanaged devices by default, and keeps company information safe without violating their expectation for privacy. For example, Kolide’s mobile device management solution is installed by the end user, rather than IT, giving employees full visibility into what their employer is monitoring and why.
In general, employees want company information to be secure. When given the resources to do the right thing, they can become security assets rather than security threats. Selecting security tools that involve the end user, be that endpoint security like Kolide or browser security like Guardio, can be an effective way to make sure every device that an employee uses is secure— even their personal devices.
Founders: prioritize security from day one
Finally, for the PLG founders in the room: All of these implications highlight the importance of prioritizing product security from day one. As security leaders start to accept the reality of decentralized IT, comprehensive vendor assessment practices will become the norm. It will be critical to earn your buyer’s trust proactively to ensure your product isn’t on security’s chopping block, through initiatives like getting SOC2 compliant or sharing your security posture publicly. Products like TrustShare from Kintent allow companies to expose their compliance programs and controls in a public-facing interactive website to demonstrate their commitment to security and avoid lengthy follow-ups with security questionnaires.
97% of security executives plan to expand or continue existing spend on identity and access management tools in 2021.