For the past year or so there have been a good number of news articles covering how remote work is dead, or how companies are pushing return-to-office policies that at times are pretty draconian. It’s understandable in part, since many companies either started to build or built huge new headquarters across the United States, which were sitting empty. Add in long-term leases for other offices that they could not break. So you got the perfect storm of happy employees working from home, often proving to be just as productive, if not more so, than in the office, and companies bleeding money on real estate that was sitting vacant.
How about with Cybersecurity teams?
With cybersecurity, the same situation was mirrored with our teams. Covid kind of proved that fully remote work was possible and often just as productive, if not more so, than in-office work. But I’ve seen people taking this logic for granted, and not actually examining how cybersecurity work, at different levels and specializations, handles remote work compared to the other types.
When I was working with my team during Covid, we were extremely productive, and managed to improve upon our SLAs and KPIs tremendously. New tasks would come in and we could finish a project that would normally take a month in a week (installing & configuring temperature monitoring cameras at a hospital, for example). But the key factor in this was that we personally knew everyone involved. We knew which team leads we needed to contact or work with to get a job done, and vice versa. Whenever we had an issue with a platform, we just remembered who its owner was and asked them. But later on, this started to degrade, because people were finding jobs in other companies and leaving. While good for them, other teams usually found out about that when there was an issue with the platform that the person who left had managed. As a result, the web of connections we formed when we worked in the office frayed. We started searching out who was actually responsible for what at that moment, whereas before we would know of someone leaving due to inter-office chatter, and could adapt.
The nature of Cybersecurity is somewhat unique, in that it often requires us to work across teams. And even though many of us are introverts, the office setting and being able to walk up to someone’s cubicle helped create a more interpersonal relationship that I find is missing when dealing with people only online. It’s the age-old dilemma, where we’ve said that someone we know is a friend, but we just know them from the chat window of whatever app we use to talk to them. Some meaningful connections can develop, but it’s often superficial communication.
However, there is room for fully remote work in the field that would still provide value to organizations. And that’s the SOC: the entry level of the field, where we’re learning the tools, learning what’s malicious or not, and often working off of playbooks, runbooks, or intuition. I would say that Remote, Hybrid, and On Site would all work for these jobs. But Remote would be the most cost effective, and the easiest to find employees for. Building a physical SOC is expensive, and finding a good location for it can be even harder. Not every new grad has a car, and not everyone can pick up and move to a new area of the city or a different suburb just to be able to get to work. In these cases, running a fully remote SOC is probably the best solution. And notwithstanding “AI Replacing the SOC” or “AI Replacing the Security Analyst”, these positions will still be needed. AI can’t fully replace humans and work accurately enough when it’s trained on a very specific environment, then thrown into an environment that’s completely and utterly different (different procedures, different tech stack, different maturity level of the program). These SOC analysts will be needed to first generate the data that the AI needs to be trained on. And then they’ll be needed to audit the performance of the AI model used, making sure it’s not reporting too many false positives, or worse, false negatives.
But in whatever case, a major problem that I see is communication. Many of us are Nerds and Geeks, where introversion is a key aspect of our personalities. Initiating communication can be hard for us. And the idea that if you need to get something done, you need to go through an (often messy) org chart to find the person, is off-putting. What if they’re out of office? What if the org chart hasn’t been updated? New hires can struggle in such an environment, especially if there’s a lack of communication among teams (such as the rest of the team being hybrid, with one or two employees being remote). Always-on voice chat can help, but that often creates more of a distraction, even though it’s supposed to replicate the idea of prairie dogging over cubicle walls to ask a coworker a question. Then there’s the need for more meetings, which can drag away from actual work being done and lower productivity in itself. Management also needs to identify employees who are introverts and try to actively include them in meetings and get them out of their shells. For higher level cybersecurity positions, these can be underlying issues in degrading team performance, or individual performance. It’s easy to be forgotten when you’re quiet, and it’s easy to ignore chats and emails if you’re working on something else.
So for Cybersecurity in itself, Hybrid work environments bring the best of both worlds. They help force communication within the team, and between teams. We get to know each other on a more direct level, with the flexibility of being able to work a day or two from home. If staff are able to choose their work-from-home days freely, there should be a requirement of at least one day where the entire team should be in the office. Ideally, these obligatory in-office days should coincide with those of other teams with which there are projects going on.
Fully on-site work? That would depend on the organization. The higher the security level needed, the more full-time on-site work would be required. This doesn’t necessarily mean security levels like in the military, but work on new products that can’t be exposed to the public due to the “Osborne Effect”, or due to regulatory issues such as designing and securing medical devices. There are situations where such an environment requires it. But let’s not kid ourselves, NOT EVERY ORGANIZATION NEEDS FULL-TIME ON-SITE WORK FROM EVERYONE.
I do believe that companies have to look at issues of team performance, cross-team interaction and how much of it is required, and how to enable meaningful dialogue within a team and across teams. This doesn’t mean quarterly one-day trips to the office for remote workers and some “team building” exercise after work hours. Instead, have the remote team members spend a week in the office, actually interacting with people naturally, and not just in half-day meetings followed by maybe an hour or two at a desk with the rest of the team. Not everyone remembers faces well, not everyone remembers names well. Don’t expect “team building speed dating” days to actually produce much of value.
So enough rambling. The deliberation of Remote, Hybrid, and On-Site work should take into consideration issues with communication and the difficulty of forming meaningful relationships with other people online. Covid didn’t prove that Remote only works; the results were masked because teams with experience working together and across other teams were able to leverage the connections they had developed to be productive at work. With less management oversight, these social connections helped move projects and work along faster. But as staff turnover happens, the benefits that were initially seen in fully remote work are diminishing and are creating other problems that some managers are unable to identify or remediate.