Until early 2020, much of the ongoing debate about the shifting landscape of human work focused on whether technology or globalization was having a greater impact on our work. Were robots and software digesting jobs? Or did offshore production and distributed supply chains have a greater effect? Economists and pundits throughout the world weighed in.
Then along came a virus. We know now that neither globalization nor automation compares to the sudden appearance of a global health crisis, and the dramatic shift in where, when and how we work.
Yet that great shift masked two even more powerful forces: the pace of change and the spread of change. It’s the speed and the distance of change that are causing the greatest ripple effects on human work.
They have also contributed to an exponential increase in the potential complexity of enterprise security. As a result, these are the two forces that are fueling some of the greatest challenges—opportunities—for cybersecurity.
The Pace and Spread of Change
As the pandemic gripped the world, we entered into what I called The Great Reset, a tectonic shift in how, when and where we worked. That reset has ended up being one of the most profound lessons on the pace and spread of change for virtually every industry, business, leader and worker.
In the rapid shift to distributed work, many leaders are coming to realize that they have broken the seal on the traditional organization. The result: Their workforces are becoming fluid right before their eyes.
Many workers who rarely or never used video calls suddenly found themselves completely dependent on a daily stream of back-to-back-to-back webcam meetings. Yet this process masked what was already happening to workers and teams, fueling a new workforce framework for the enterprise.
In many industries and organizations, work and jobs were already becoming atomized by technology. Work tasks were being split up among workers in dynamic ways, as teams continually faced new problems. Work responsibilities and roles were being adjusted accordingly.
Some organizations responded by committing to programs that could help workers become adaptive learners. But many companies continued to follow less-agile processes that kept workers from being able to effectively adapt.
That less-flexible mindset of the past can be thought of as somewhat binary. Workers are either employees, or they’re not. While there might be a range of work roles within the organization, a binary approach reduced the number of use cases for work, making it comparatively easier to hire, develop and promote workers.
But the Great Reset has forced organizations to embrace a far more fluid mindset about workers and work roles. While market leaders in the past could simply reinforce existing processes and work roles, even traditional incumbents are now realizing they must embrace more agile processes. This will inevitably mean a far more fluid mindset about the range of roles that workers will perform.
Think of it as a “soft-walled organization,” with people in a range of contexts easily and rapidly traversing the former edges of the company. But how can business and IT leaders get their minds around this kind of shift? Rather than a binary mindset, a more useful perspective may be fuzzy thinking.
In mathematics, a binary set is straightforward. Membership in the set is either 0 or 1. But an element in a fuzzy set is defined by its degree of membership in the set.
Look at the range of roles in an organization. At any point, your organization may have traditional full-time employees. But it may also leverage the energies of part-time workers, temporary workers, contractors, sub-contractors, consultants, work consortia, industry consortia, online gig workers, apprentices, students, cloud workers, crowdsourced workers, partners and even former employees. And all of these might be performing their work in an unlimited number of physical locations, and collaborating with each other in an N-dimensional number of relationships.
Full-time employees with benefits might be thought of as having 100% membership in the work of the organization. But a gig worker who drops off a pizza to the office (assuming you have an office) would have only the slightest percentage of membership in an organization’s work. Every other role would be something in between 0 and 100%.
Fuzzy set thinking also needs to be subjective and multi-directional. For example, let’s say that I think you and I are friends and co-workers. You, however, think we are just co-workers. So when the arrow points from me to you, there’s an additional “friend” set. But it only works one way, since you don’t feel the same.
The same can be true for work relationships. I may have tremendous loyalty and affinity to the organization. But if I’m a contractor, the organization may think of me as a disposable worker. That kind of subjectivity and ambiguity is hard enough in simple interpersonal interactions; it is especially problematic in a constantly changing workforce.
Some leaders may find this breathtaking complexity such an overwhelming problem to solve, even from a pure HR management standpoint, that they may believe existing business processes are simply not up to the task.
Yet the response by many organizations to the Great Reset actually shows that this kind of fluid mentality is indeed possible. What is critical is that IT leaders have the same approach to the organization’s cybersecurity model.
Fuzzy Ways of Thinking About Cyber Risk
Users in the old enterprise security model were essentially managed by standard set theory. A worker could be thought of as occupying a position in a set, such as “employee.” That “employee set” had a limited number of use cases associated with it. Cyber-risk models related to work would typically be based on the layering of tasks, resources, interactions, and geography.
Any worker’s responsibilities result in a set of tasks they regularly perform. Each worker needs access to certain resources, such as information, hardware and software. Invariably there are some kinds of interactions with other workers, both inside and outside the organization. And workers perform those tasks in one or more physical locations.
In the past, these factors could be relied upon to be relatively static for many work roles. Sure, some people changed work roles and tasks regularly, requiring new resources and interactions. But in many organizations this was a small subset of the workforce. Some workers operated from home, or performed as nomads, but in most organizations these were limited to sales and business development functions.
However, the Great Reset has shown that virtually all of these—tasks, resources, interactions, and geographies—can change dramatically. And they can, and will, continue to morph, both in terms of the pace and spread of change.
How, then, should leaders think about cyber risk in the era of the fluid organization?
In the early ’90s, the risk model for the organization focused on the perimeter. If an organization could simply manage the edges of its technology and physical infrastructure, anything within those virtual and physical walls could be considered part of the trust domain.
But the advent of public networks erased the perimeter, and with it went perimeter security strategies. To incorporate a range of use cases that included remote and mobile workers, the new model focused on endpoints. Secure every endpoint, and the connections between them, and trusted communications could ensue. But because organizations of any scale still had large offices, a substantial percentage of workers could be assumed to operate within the trust bubble much of the time.
Today, however, the organization is perpetually distributed, and likely perpetually fluid. Suddenly, someone who was a contributor to a cloud-based crowdsourcing competition becomes a contractor working on a sensitive project. How does the organization recognize that transition? How can it flexibly and easily adapt its security model, practices, and tools to ensure that the appropriate levels of security are maintained?
In addition to these challenges, the Great Reset has introduced at least one new security factor to consider: health risk. An enterprise information security strategist might have cared about worker health in the abstract. But suppose now that a worker comes into the office, and a week later her co-workers fall ill.
Is it the organization’s responsibility to track those interactions, and trace back to find out who was in contact with whom? Does that have an impact on how the organization will manage resource access and co-worker interactions? Would a worker who has tested positive for a disease be flagged on building entry in the same way as someone who had breached information security?
The new enterprise cybersecurity model needs to be built on fuzzy thinking. The constantly changing landscape of workers, tasks, roles, resources, and geographical location itself will remain fuzzy for some time.
Even when many organizations ultimately shift into the Thrive phase of the Great Reset, hopefully with the capacity to build their businesses even better than before, leaders will find their organizations have become inevitably and perpetually fluid.
Those organizations that embrace this new model in their businesses—as well as in their approach to cybersecurity—are the ones that will truly thrive from the insights gained in and around the Great Reset.
Gary A. Bolles is the Chair for the Future of Work, Singularity University. This article is excerpted from the book “Navigating the Digital Age, The Definitive Cybersecurity Guide for Directors and Officers, Third Edition.”