A modern workplace solution will often disrupt your existing security strategy

Share some lessons learned to make your modern workplace transformation a success

In the previous two articles of this series on lessons learned when introducing a modern workplace, I discussed the importance of starting with the end in mind, and the fact that it’s essential to start with a team that includes your CIO, your CISO and your colleagues from legal and compliance.

This article dives a little deeper into the new security questions and challenges that arise from introducing a modern workplace, and why it’s so important your CISO is part of the team from the beginning.

The introduction of a modern workplace solution like Microsoft’s M365 or Google Workspace will often completely disrupt your existing security and governance strategy.

There are basically two key reasons behind this.

  1. The use of Software as a service (SaaS) and Platform as a service (PaaS)
  2. The expectations of employees and clients

Let's start with the latter.

The expectations of employees and clients

Both our employees and our clients had high expectations when we started talking about a modern workplace solution. And these expectations triggered some interesting questions about how to meet these expectations in a secure way. I’m pretty sure that it won’t be any different in your company. For example, our employees had a number of expectations:

  • Ability to work from any location as if they were in the office.
    Collectively, they have thousands of video calls a day. This immediately raises the question of whether we should route all this traffic through our VPN? Or can we make this dependent on what application is used?
  • Very performant applications and data transfers.
    Does this mean we should go for a software-defined wide area network (SD-WAN)? Or that we should even do without WAN, and go internet only?
  • Carrying only one mobile phone.
    Should we allow private use of company devices? Or should we enable company use on private devices (‘bring your own device’ approach)? How could we do this safely?
  • Seamless collaboration with all their 250,000 colleagues worldwide.
    Our clients expect the same. Can we do this with a SaaS solution? How do we allow and manage external access to our environment? Whitelisting? Blacklisting? Federation? User management?

Our key priority is to secure our own and our clients’ confidential information and data. But we also want to use SaaS capabilities. How does this work with encryption? How does key management work in this context? Should we continue with container-based security or is object-based security the way to go? Maybe both?

The use of SaaS and PaaS

Your responsibilities, choices and tasks when it comes to securing the use of cloud services are very dependent on the cloud service model you choose. Where IaaS is still close to traditional on-premise, the moment you start using SaaS or PaaS services everything changes.

Ordering a virtual machine at a cloud provider and installing your favourite CRM application on it is completely different from using Salesforce as your CRM. Using Microsoft’s M365 or Google Workspace can’t be compared with using desktop applications and an on-prem SharePoint server.

Your cloud computing environment experiences at a high level the same threats as your traditional data centre environment. Both environments run software, software has vulnerabilities, and adversaries try to exploit those vulnerabilities. But unlike your systems in a traditional data centre, in cloud computing responsibility for mitigating the risks that result from these software vulnerabilities is shared between the provider and you, the customer.

For that reason, you need to analyse the division of responsibilities and have trust that the provider will hold up their end of the bargain. You better shape your security and governance strategies to rely less on internal security, monitoring and control, and more on your cloud provider’s offerings.

So you have to understand exactly what these offerings are, where there are gaps, and how you integrate these offerings in your own process and application landscape. For each service you use, you will need to gain a thorough understanding of how things work in the case of

  • A service being unavailable for an hour/a day/a week
  • A data breach event
  • A data loss event
  • A successful ransomware attack
  • A virus on the loose that is corrupting your data.

How do you or your supplier detect such events? How do you get notified? When? How can you notify your supplier if you detect it first? Who does what? How do you recover from such an event? Who is liable for what? Does your insurance cover such events?

All these questions need to be answered, documented and validated before you go live with any SaaS or PaaS service. It goes without saying that appropriate internal procedures need to be defined to address the above-mentioned incidents prior to the event.

Your CISO’s involvement

Introducing a modern workplace has a big impact on how you do security. It therefore comes with a lot of questions that need to be answered and new services that need to be understood in detail.

That’s why it’s so important for your CISO to be involved from day one. In fact it’s best to start the discussion already today.

Henrico Dolfing

About the author

Henrico Dolfing, CIO at PwC Switzerland, is leading the cloud transformation at PwC Switzerland and enabling the new way of working our clients and employees expect. In a series of blogs, he reflects on our own workplace transformation journey and shares four lessons learned. For the last fifteen years he has helped C-level executives in the financial services industry with interim management and recovering troubled technology projects. Henrico has a strong technical background as a software developer and solution architect, including an MSc degree in computer science and a BEc in Economics.

Trust in Transformation

Our journey towards a modern workplace

If you’d like to find out more about PwC Switzerland’s experience with its own modern workplace transformation, register now for the webinar on 14 October.

Register now


How we realise your modern workplace

Depending on the challenges you encounter on your modern workplace journey, our service map is designed to support you with specific issues assuring a smooth and compliant transition.

Explore our offering

Contact us

Urs Küderli

Urs Küderli

Partner and Leader Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 42 21

David Gehring

David Gehring

Cloud Security Lead, PwC Switzerland

Tel: +41 58 792 77 47