Work from home flourished during the pandemic. Many workers love it and don’t want to go back. Some organizations are pushing for a return to the office. Is in-office work necessary to improve productivity and cybersecurity posture?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us for the episode is our guest, Shawn Bowen, CISO, World Kinect Corporation.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Nudge Security
[David Spark] Work from home flourished during the pandemic. Many workers love it and don’t want to go back. Some organizations are pushing for a return to the office. Is in-office work necessary to improve productivity for the security team and the cybersecurity posture of the entire company?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And joining me for this very episode, you know him, you love him, you can’t do without him, it’s Geoff Belknap. He’s the CISO of LinkedIn. Say hello to the audience, Geoff.
[Geoff Belknap] Hello. I am the one you cannot possibly live without, and that’s news to me as much as it is to you.
[David Spark] He just found out right now.
[Geoff Belknap] Yeah. This is surprising.
[David Spark] By the way, for those of you don’t know, there is this website called CISOseries.com that has lots and lots of great information on it. In fact, the day this episode drops will be right after our fifth anniversary, which is pretty spectacular, I think, so please wish us a happy anniversary.
Our sponsor for today’s episode is Nudge Security, SaaS security for modern work. Heck, modern work is using SaaS so it kind of goes hand in hand. So, we’re going to be talking more about that later in the show. But first, our conversation today.
The pushback against work from home initiatives has recently been getting a lot of attention in the media. Howard Holton who’s the CTO over at GigaOm noticed an uptick in the reporting of the return to office. Howard argued that when your employees are happy, you’re a better leader. It’s almost always good for employees, or at least the flexibility to have it, and it’s up to the employers to make it good for the business.
Geoff, what do you think here? Is this push for the return to the office just an effort for managers to return to the “good old days” with no other rationale? What do you think?
[Geoff Belknap] It’s hard to pin down exactly what’s happening here, and frankly, even harder to point to a clear justification. There was a huge shift in how we worked during the pandemic, not everyone was in a position to collect good data about whether that was good or bad. And absent any of that hard data, the rush back to the office seems more about comfort and intuition from leaders than more like a data-driven decision.
[David Spark] Good point, and we’re going to get into this. Let me stress, I want to take this conversation in two angles. One is your actual cybersecurity team in the office, what’s the value, not value of that, and then overall the entire company, whether their work from home or not being in the office is a better value or not value, whatever the situation may be.
And the person to help us with this very discussion we’ve had on many times before. Thrilled to have him back again. It is the CISO for the World Kinect Corporation, Shawn Bowen. Shawn, thank you so much for joining us.
[Shawn Bowen] Thanks for having me.
Who are the winners and losers?
3:06.360
[David Spark] Jeff Reckseidler of Charles Schwab said, “I used to arrive at 7:00 AM to get two hours of productive time, and it never failed, someone would come with a drive-by chat about a non-work thought at least two to three times in that window.” Amy Hyatt of QuickNode said, “I have managed global remote teams for 20 years.
The location is not the problem. If you have disengaged or poor producers, you are the problem.” And Paul Stringfellow of Gardner Systems says, “Less productive in work from home often translates to, ‘I want to be able to keep an eye on you.’ There are benefits from flexibility and a grown-up attitude to all employees.” So, there’s sort of this mixed attitude of like, “Hey, I like to come into work, but then I become less productive and really everyone should be able to make work from home work for them.” Again, obviously we’re speaking of businesses that can physically handle that.
Sometimes you literally need to be there. If you’re a service industry, for example.
[Geoff Belknap] Yeah, I think that’s a great point. There’s absolutely benefit to being in the office. There are absolutely jobs that can’t be done anywhere else but from the office. And I think an example of that for me is I invest really heavily in apprenticeship programs. These are for up-and-coming security engineers that may have come from a different discipline or track before they came to security.
It’s pretty hard to learn in an apprenticeship model from like a master craftsperson to somebody that’s learning the trade if you’re not kind of in close proximity to them, there’s a lot to be had there. But certainly more established security engineers don’t really need five days a week in the office.
Some of them certainly want it, there’s a lot of value to that. But from a security perspective, I think about I’m all about security at the point of compute. We’re kind of long past the days where the only place you can safely do work is in an office behind a firewall with corporate Wi-Fi. There’s a lot of benefit here to leaning into being a more hybrid workplace.
[David Spark] That is true. And Shawn, I’m assuming everyone had to embrace work from home during the pandemic but now that we’re being relieved of it, what is your attitude, what is your company’s attitude, what have you seen others in your industry’s attitude toward this?
[Shawn Bowen] Yeah, I actually have an interesting timeline on this. I was with a different company when we went to COVID, worked from home, and I did that, and then I switched to World Kinect during COVID. So, I was a new hire during work from home or work remote. And then on the day that this airs will be the first week that we have returned.
Our headquarters is mandating a two-day-a-week return the week that this is airing. So, I’ve gone through that whole cycle and been the new person. But I agree with Geoff. There’s a couple times that you need to be in. We called it here at World Kinect presence with a purpose. We want to be together when there’s something intentional.
But the just showing up to show up kind of loses its luster because people, not everyone’s there, and there’s a lot of lost interactions.
But our new grads, we have a very strong new grad program, they haven’t learned how to manage their career and manage their workdays as well as they probably could have if they were surrounded by examples or influential leaders. And then at the leadership level, I’ve been going in regularly, and we meet with the CEO or the CIO and we have regular scheduled sessions because I do believe those in-person sessions, in-person meetings, and strategy days are very valuable because you can feed off each person’s energy and the conversations are much more fluid than any of the online video options.
And there’s value to being there in person, but when I’m trying to work and just get stuff done before a deadline, I don’t want anyone doing drive-bys or having to transfer between meetings, the five minutes it takes to move between meeting rooms. It’s just it’s a lost day. So, there’s got to be this hybrid mix of work remotely but meet in person and figure out what that frequency is.
[David Spark] Yeah. And for everyone it’s different. I’m thinking years ago, I remember saying to a boss, I go, “I can’t get any work done in the office anymore because, A, the number of meetings I have to go to, and the number of interruptions.” And I remember the boss telling me, “Don’t come into work tomorrow.
Just stay at home and do the work at home.” And that was my most productive day. And so there is a precedent for all of this behavior. Have you kind of run into this too, Geoff, where you say, “Prior to the pandemic, you [Inaudible 00:07:59] don’t come into work, like stay at home and work”?
[Geoff Belknap] Absolutely. Look. For individual engineers, especially if they’re doing software development, go lock yourself into a dark closet, stay up late, whatever you need to do to get that work done, by all means. That’s probably best done somewhere else. For me, a lot of times I’m going to come to the office.
I might spend six of my eight hours in a conference room and never see everybody else that’s in the room. So, it’s really dependent on your role and what you’re doing from day to day.
[Shawn Bowen] I’ll add something on that. When I worked in the intelligence agencies, we didn’t have cellphones on us so you couldn’t call us, and you just had to go by your office and try to catch you while you’re in your office and those drive-bys would happen. And there were times where we would, our leadership people would sneak away and book a conference room with a cover name so no one knew where we were just so we can get work done, so we can avoid those interactions.
So, there’s absolutely times where you just need to check out and get hyperfocused on something.
[Geoff Belknap] Certainly no one ever hid slacking off in the government.
[Laughter]
[Shawn Bowen] I’m talking about the productive times that we hid.
[Geoff Belknap] Oh, right, right, right. Of course.
What is everyone complaining about?
9:07.452
[David Spark] Chad Henderson of Security Consulting said, “Workplace location decision makers miss the irony when they’re adamant that work from anywhere is not an option. So technology can be great from anywhere, but people cannot?” Gill Reindl of GigaOm said, “Successful work from home requires a mature approach to leadership and won’t succeed with the over reliance on outdated managerialism.
Trust and nurture your best talent, and they in turn will be productive and add value for the business.” Now I’m going to reiterate that most of these comments here are very pro flexibility, pro allowing people to work from home. I don’t know actually if anyone was flat out, “Yes! They have to come into the office!” Everyone was kind of behind Howard Holton’s post which was give people the flexibility here.
But it seems, Shawn, that a lot of this complaint is like what I said at the beginning. Is this just old-style managerialism trying to get back to the way things used to be?
[Shawn Bowen] Yeah. I think there’s definitely a comfort in it. I know my CEO is a people person and he thrives off about being and interacting with people and so you’re going to see it from that sense. And I think people that just want to focus on doing work might not want to see the people interaction.
They’re happy with what social pieces they have at home, and so they’re not looking at it from that aspect. I think there’s the control factor. I think a lot of employees in the workforce in general thought that we took control from the business, like, “We’re going to work from home and we’re not going to come back.” And that was the case when the employment status was what it was.
But ultimately, the companies pay our paychecks, and they can make up whatever rules they want and they’ll either pay the price by a mass exodus or they’ll be productive with the people that show up to work.
To Geoff’s point, we don’t have a data-driven decision either way. We don’t have data-driven on why we went to remote, and we don’t have data-driven why we’re going back into the office. I think that there’s going to be a flex. I think we’re going to swing one way and then we’re going to come back into the middle.
You hear about companies that are mandating five days a week. I think you’re going to find that happy medium of what works for each company and it’s not going to be the same for the industry like it used to be in 2019.
[David Spark] It’s also extraordinarily limiting when you start putting mandates in. But my wife, she really loves to work in an office and was bummed that she moved to a work-from-home situation. There are people who thrive on it, but at the same time the people who thrive on it, who want to go to the office, if they go and no one’s there then, eh, it’s kind of a lost cause.
I’ll be honest. In the city of San Francisco, I go into offices, they’re almost all empty, I don’t know why they’re paying for all this space. Do you see this, Geoff?
[Shawn Bowen] I was going to say, there’s the opposite of this. My wife’s company, she thrives working from home. They’ve downsized some of their real estate to a point, but they’re still mandating certain squads and teams come in. They’re coming in and there’s people sitting in the lobby on a couch with a laptop on their lap because they had to be in but there’s not enough space to hold them anymore because they’ve made smart business decisions of divesting on real estate, but now they’re mandating the same amount of workforce to come in.
[David Spark] Well, obviously they didn’t do the math.
[Geoff Belknap] I feel like this entire thing just highlights the fact that we’ve invested way less into advancing management science than we have computer science and building technology. We will eventually take some of these lessons from remote work and integrate them into how we lead organizations and how we decide what roles need that flexibility and what roles don’t need it.
I think the important thing is all the early shifts in established practices all struggle, like change is hard. In this case, we’ve learned you can go back to the office now. I was going to point out there was a really clear reason, Shawn, why we stopped going to the office originally. There’s not as much clear data about how we go back and whether we should go back.
And I think there are very few people that are saying you got to be back five days a week, everybody, no exceptions because most people recognize you just don’t need to do that for everybody and you’re losing some of the benefit of like you can slim down your office space, you can…
[David Spark] Hire people from anywhere too.
[Geoff Belknap] You can hire people from anywhere, you can access talent that you didn’t have access to before. And I think in places like security where it’s really competitive, you can add this as an advantage for people competitively. Like if Shawn doesn’t offer people flexibility in location and I do and we both pay the same, I’m going to have access to talent that wants more flexibility than Shawn is.
And that’s not to say Shawn doesn’t offer that, but talent competition is a real thing.
[David Spark] And money is not. By the way, as someone who’s interviewed a lot of people about hiring, I was stunned. I did one of these, my Man on the Street videos, asking people like, “What is your top need in terms of when you’re looking for a job?” And a lot of people said meaningful work, that was probably the biggest answer.
I was shocked. Out of 30, 40 people I interviewed, I think 2 said money. Which I know money is important, you need it, you don’t take a job without money, but I was shocked at how low that was. I do want to put a plug out though for Dan Lyons’ books. He has two books, one called Lab Rats, another one called Disrupted, that speaks about these sort of new managerial techniques out there.
Very entertaining, especially Disrupted. That was his first book and that did very successfully and then he wrote Lab Rats after it, so I recommend both.
[Shawn Bowen] To Geoff’s hiring strategy, one of the things is how the companies are doing enforcing their remote return to work. Zoom’s is return to office if you’re within 50 miles. Well, if I hire someone at 45 miles away and I hire someone at 60 miles away, there’s this unfairness about how we’re doing this employment, and so we got to figure that balance out across the board.
Sponsor – Nudge Security
15:23.936
[David Spark] Before I go on any further, I do want to mention our awesome sponsor for this episode and that is Nudge Security. Now, let me ask you a question. Are your employees practicing safe SaaS? You can actually find out with Nudge Security. Their patented approach to SaaS discoveries gives you a full inventory of all apps ever introduced by anyone in your organization in minutes.
No agents, browser plug-ins, or network proxies are required. The best part – you don’t even have to know what apps you’re looking for. After a quick one-time setup with your email provider, Nudge Security discovers and categorizes every SaaS and cloud account ever created by anyone in your organization.
Again, no agents, browser plug-ins, or network proxies required.
So, for each SaaS provider discovered, Nudge Security provides insights on their security posture including breach history, compliance certifications, and the vendors in their digital supply chain. You’ll also see which accounts have MFA enabled, which accounts are enrolled in SSO, and an inventory of OAuth grants to help you identify risky scopes and revoke grants if needed.
Nudge Security includes playbooks to automate tedious time-consuming tasks like conducting user access reviews, offboarding employees, orchestrating SSO, onboarding, and more. And built-in workflows can be used to nudge employees to take simple yet impactful security steps like enabling MFA. So, take control of your SaaS security posture with Nudge Security.
You can actually start a 14-day trial today at nudgesecurity.com/safesaas.
What’s the best way to grow your staff?
17:30.703
[David Spark] Adam Balderrama of RVO Health said, “By ignoring the benefits of remote work for employees, like flexibility, decreased stress from commuting, and increased job satisfaction, these businesses will start to hemorrhage their top talent.” Just what we were talking about. Raymond Krehn of Homewatch CareGivers said, “I follow the servant leadership style.
My job is to remove obstacles that impede your job, and commuting can be an obstacle for many people. Just because I like being in person doesn’t mean my employees have to.” Good point. And John Norman of CDW said, “Employers’ access to talent might not be available without a flex schedule and remote work.
This includes workers with families, military commitments, or those working on an advanced degree.” This is just reasserting with even more examples what you were just saying in the last segment, Geoff. I mean, this work from home has really sort of exploded what we kind of knew before the pandemic, didn’t it?
[Geoff Belknap] Yeah, absolutely. And I think the really important thing here is nobody’s trying to hire robots, right? Everybody needs something a little bit different. And I think what’s really important is everybody needs a little bit of community, I think that can go a long way, but not everybody gets it the same way as everyone else.
And I think if you look at security engineers, which sometimes are wild, strange animals, some of your best talent don’t do their best work in prescribed hours in a prescribed location. And most of us have a couple of people or a couple of teams that are working for us that want to work odd hours or want to work in a different location.
[David Spark] Our video editor loves to work crazy late hours. I don’t at all. Yeah.
[Geoff Belknap] But that’s a job where that’s fine. Like if they’re an amazing editor, great. I have amazing, very talented detection and response people or productivity engineers or people that are doing AppSec, they work all hours. And frankly, we have global teams already, so I’ve got people that are working off-hours anyway.
We have to learn to adapt and provide that flexibility or we’re really just hurting ourselves and stifling innovation and growth.
[David Spark] You know what this reminds me of, Shawn? You ever talk to somebody who’s homeschooling their kids and the first question they always get is, “How are your kids socializing? How are they doing that?” Because they all get that question. To those of us who put their kids in regular socialized schools, public or private schools, it’s always astonishing to us, and they always find a method.
So, like what you said, Geoff. Everyone has their own method to do this. Shawn, I’m assuming you found it too during the pandemic, yes?
[Shawn Bowen] Yeah. And that’s a perfect analogy with an almost two- and almost four-year-old and my wife being homeschooled and me not, we’re having this very conversation. I think to Geoff’s point, you got to find what works for the individual and what works for the team and find that flexibility, like push and pull relationship.
Because you don’t want a strain on it and you got to find that balance because even though the person wants to work midnight shift, there has to be a handoff or a meeting or something. So, you got to find… “We’ll give you some of those hours, but we need some of these hours,” and there’s a give/take naturally about it.
I love being in person. I think one thing we talk about in the military is you don’t really get to know someone until you go on a temporary duty, like you go away from your assignment and you spend a week with someone so that you’re with them, you’re in the hotel, you’re having dinners with them, you’re working the next day.
That whole time you spend away, you have just a much tighter bond than you did before. Or anytime you do a deep project or whatever it might be where you’re interacting intensely for a period of time, you just have a better relationship.
And I think one of the best interviews I had is where I’m at now, my current CIO. During my interview process, he called it a barbecue test. He didn’t care about my resume. He just wanted to know if I would be cool to hang out with a barbecue. And he said because when something bad happens, I need to know that we’re going to get along, our personalities are going to click.
And I’m like, ah, that’s such an interesting approach because it really put the precedent on the person that they were hiring and the relationships that we had. So, it wasn’t so much about the work, you just had to find that balance because he knew I could do the job, now it was just do we click.
[David Spark] And that gets to the issue of culture which a lot of people feel that you need to do in person often.
Would this work?
22:14.375
[David Spark] Paul Beavers of ManageAmerica said, “What people want is flexibility and to be trusted. The remote versus in-office debate dumbs down the real issue which is trust.” Raymond Krehn, again, of Homewatch CareGivers said, “I love being in person, but I strongly support remote work. I find a lot of creativity from those random interactions, and I also gain a lot of context of the business through those interactions.” So, this, I’m going to throw this…
I think the whole socialization and the creativity and the bonding and the culture that come from in person, there is a lot of that is being missed when you’re virtual. Do you feel that to be true or are you still getting that? Because for example, with my team, we still with Slack or we use actually Skype communications, we still engage in sort of minor social things too, but nothing beats in person.
Geoff?
[Geoff Belknap] I think that’s completely the way I internalize that. But I think the important thing here is there’s no solution to this discussion that’s extremely one way or the other. I don’t see a path forward where completely 100% remote work where nobody has an office is going to be the reasonable solution, and I also don’t think everyone five days a week the way it used to be in the ’50s is going to be the solution.
But the important thing is trust is essential to a well-functioning organization and a high-functioning team. We have to figure out ways to build that. And frankly, if you’re in an organization where you don’t trust the people, you have to evaluate whether you have the wrong people or whether you’re the wrong kind of leader for that kind of organization.
Again, no one’s a robot. Not everybody thrives or functions the same way as everybody else. And leadership isn’t just about telling people what to do and walk away, we’ve got to build that community, build those relationships. The relationships really matter and it’s just we have to find ways to chart a path through our organization, the constraints that we have, to build trust but also enable flexibility.
[David Spark] Shawn, do you struggle building culture when it’s purely virtual with your team?
[Shawn Bowen] Interestingly, before COVID, I remember being offered a remote job and I didn’t even entertain it because I knew one of my strongest attributes was influence and being able to control the room and impact people in person. And I felt that if I was remote and the rest of the team wasn’t, I would be at a disadvantage.
When we went fully remote, it kind of leveled that playing field for me and I think that my personality comes through, we have a lot of fun. There’s people I still have not met on my team. I’ve not met them in person. I think they know exactly who I am and when we meet in person, they might just go, “Oh, you’re taller than I thought,” or “Shorter than I thought,” whatever it might be.
But I think that how you interact and make sure you plan time for fun.
My wife’s boss has these… I remember listening, there was like start the meeting with five minutes of randomness of like where’s somewhere you’d like to travel or whatever it might be. And we have planned whiteboard sessions where we meet for an hour, and we have no agenda. What do you want to talk through?
What ideas do you want to bounce off of? And so we kind of force that natural collaboration space and if we don’t fill up the time, we don’t use it, we just move on. It’s just you’ve got to be a little bit more deliberate where it was accidental in person. But I think you can still build that culture in both.
I think the biggest downfall will be when you split it, where you have five people in a room and five people on a video call. That’s my biggest concern.
[David Spark] That is my fear, Geoff. I always have this fear because I’ve been on teams where everybody’s in the room and I’m not. And that out of sight, out of mind is very scary for an employee. How do you reassure those not in the room that they’re not out of sight, out of mind?
[Geoff Belknap] I think this is where we need to advance management science and our cultural practices because it is very hard. I sometimes do my staff meeting remote, I sometimes join meetings remote just to get the feel of what that experience is like, and it’s different. When everybody is on a remote, like everybody’s on Teams, everyone’s on equal footing.
When there’s half and half, it’s very different. And what we need to do as leaders, whether you just be a generic leader or a security leader, is find ways to make people included in that conversation. And what I find really works is you have to be ruthless about making sure if somebody’s got their hand up on the call, that they get called on, that you’re not having extra conversation for 15 minutes before you turn the video on or after you turn the video off.
That everything is in the room so that as much as possible people can participate. And I think we’re seeing a lot of signs that technology is adapting to that. We’re having a lot of conversations in the chat or we’re addressing all those things, and it’s just we have to adapt.
[David Spark] Very good point.
Closing
27:30.889
[David Spark] Well, that brings us to the point of our conversation where I ask my guest which quote was your favorite and why, and I’m going to start with our guest, Mr. Shawn Bowen. Shawn, which quote was your favorite and why?
[Shawn Bowen] I’m going to take Amy Hyatt’s quote but not the literal quote of, “If you have disengaged or poor producers, you are the problem,” but more the intent of we need a lot more introspective of everyone. Look at what you are bringing, what you can do different, how you can change. Just play out a scenario where the environment you’re in, there’s no ability to change it and what would you do to adapt.
Because I think too often, we try to take the easy road out and just make changes or blame other things rather than taking some ownership and trying to be a better person.
[David Spark] Very good point. And again, not easy. Geoff, your favorite quote and why?
[Geoff Belknap] I’m going to go with Paul Beavers here from ManageAmerica, “What people want is flexibility and to be trusted. The remote versus in-office debate dumbs down the real issue which is trust.” And I think this is exactly what we’ve been talking about. I think some people are leaning on bring people back to the office because that, “If I can look them in the eyes, I can build that trust.” And the reality is, there’s lots of ways to establish trust with people and it doesn’t require being able to visibly see them with your own two eyeballs in person five days a week.
I think there are lots of other alternatives here and people are going to figure that out.
[David Spark] And I would love it if all my employees lived on a college campus right next to the office and that everybody could easily walk in and walk out and it’d be wonderful for everybody, but that’s not the reality of the world, is it?
[Geoff Belknap] No. The reality is pre-pandemic, in the time when we all were in the office five days a week, we still had problems with trust and community and building people. It’s not like that was a magical solution and we’ve all slid off the face of the Earth. Things have changed. We now have this new variable.
It’s time to grow and adapt.
[David Spark] Excellent point. Well, that comes to the end of the show. I want to thank our sponsor for today’s episode who is Nudge Security. Remember, that’s nudgesecurity.com/safesaas. Go there for a 14-day trial and find out what SaaS apps are being used in your environment. Thank you, Geoff, as always.
And Shawn, I’ll let you have the very last word. Any last thoughts? Are you hiring? Anything like that we should know for our audience?
[Shawn Bowen] I might actually have a position open when this airs, we’ll see.
[David Spark] So, harass Shawn. Shawn, by the way, has hired people through the CISO Series community, so it does actually happen with Shawn.
[Shawn Bowen] Yeah. I got contacted late at night one night by someone at midnight and we chatted back and forth, and I got a resume about midnight-thirty saying, “All right, yes, I would like to apply.” And that person, we didn’t hire him… He wasn’t the only person then, it’s Dustin Sachs, but he ended up going through the whole interview process and he was the one selected.
[David Spark] An excellent midnight message. Thank you, everybody, and thank you to our audience. We greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.