
Friday, March 11, 2022

It’s Official—Flexible and Remote Work are Here to Stay, Say Empowered Employees

Transcript of a discussion on new research into how innovations such as contingent labor exchanges and intelligent workspaces are changing the future of work forever.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Citrix.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

The world’s office workers now have more clout and influence than ever over where and how they do their jobs. Those who have worked from home and want to continue are spurring on their employers to do more than embrace hybrid work. They’re seeking to reinvent the very nature of employment.

Stay with us now as we explore new research into how innovations such as contingent labor exchanges and intelligent workspaces are changing the future of work forever. To learn more about how flexible work models are the new normal for workers and businesses alike, please join me now in welcoming our guests. We’re here with Andrew Bartolini, Founder and Chief Research Officer at Ardent Partners in Boston. Welcome Andrew. 

Andrew Bartolini: Hey, Dana, I’m glad to be here.

Gardner: Tim Minahan is also here; he’s the Executive Vice President of Business Strategy at Citrix, in Fort Lauderdale, Florida. Hey, Tim.

Tim Minahan: Hey, Dana. Glad to be back.

Gardner: Tim, COVID-19 or not, workers seem to have spoken adamantly when it comes to flexible work. What are they saying and why is flexible work here to stay?

Minahan: If you think about major historical moments throughout the ages that have kind of reset how we live and how we work, certainly the pandemic will go down in history as one of those. While no one would ever wish the pandemic to occur again, if there’s any iota of a silver lining, it’s this rapidly accelerated digital transformation which has caused employees and employers to dramatically rethink the way they work, where they work, how they work, and who does the work.
We’ve been studying this dynamic for several years from an executive and IT perspective and the knowledge-worker perspective. The latest poll of 13,000 knowledge workers around the globe clearly indicated that folks are not going back to the office five days a week. They’ve proven that they can engage and be productive anywhere, and they’re not going back. In fact, nearly 90 percent of those who participated in the poll said they plan to work on flexible models in the year ahead, with the majority of them indicating that they plan to remain fully remote.

Gardner: Is there a back and forth in how companies have been responding to this? And, of course, it’s very hard to predict what’s going to happen in two weeks, never mind two months, but is this creating some confusion, some angst? Is that contributing to what some people are calling the Great Revelation of why workers are seeking something new?

Workers want out of the office

Minahan: Certainly, there’s a near-term part of it where companies haven’t even figured out how to get folks back safely in a condition that’s conducive to working. But more realistically, it’s been a major reset. We’ve talked about the Great Resignation but also, I have heard it defined differently as the Great Revelation.

In fact, a similar study of 1,500 knowledge workers across North America shows that as many as 50 percent of workers in the U.S. have left or plan to leave their jobs. There are several different reasons, but it really boils down to three things: burnout, opt-out, and time out.

From a burnout perspective, well over a third said they left their jobs because they’re just burned out by the stress of working in this prolonged pandemic environment as well as over the demands in the workplace. From an opt-out part, a lot of folks either took time during the pandemic to retrain themselves, to get new skills, or they just wanted a new challenge. They’ve been working at their employer for a while and they’re looking for a promotion or they literally just want to take on a new challenge.

An interesting part of the study is a number of respondents said they ditched their jobs really to feel like they can get some control over their lives, which had somewhat gotten out of control. The last part of the study is time out, and you think about the dynamics of the workforce. We often forget, but if we can think back, unfortunately 48, 50 months ago we had a global talent shortage. McKinsey was estimating that we had a shortage of 95 million medium- to high-skilled workers, especially those with the most in-demand skills, such as cloud, artificial intelligence (AI), and security, skills needed to digitize and modernize your business. And guess what? That hasn’t gone away. So, these are the dynamics that are really causing a complete reset of the workplace.

Gardner: Andrew, it sounds as though workers have learned a few lessons through this whole experiment during the last couple of years. What’s working best for them when it comes to getting things done and how different is that from just two years ago?

Bartolini: Right. I mean this has been a dramatic, radical shift. Necessity is the mother of invention and at the core, people are resilient. They evolved when they had to. When we go back to March of 2020, there was no choice, but people found a way to keep working. Maybe they had a home office but more frequently, people were working from their kitchen tables and from their bedrooms.
How workers and teams were able to maintain productivity was amazing, but it wasn’t necessarily easy. Some part of our research focuses on the contingent workforce but also on the supply chain. I remember speaking to the number-two person for a Fortune 50 pharma company a couple of weeks after the shutdown. She was talking to me about how they were completely retooling several Asian factories to start manufacturing hand sanitizer because they clearly saw a huge demand or future demand coming.

We started to drill into the weeds, and I was talking about the challenges of the global supply chain. She paused and said, “The biggest challenge for us has been in dealing with the team working from home.” This was sort of at the height of uncertainty around the risks of COVID-19 and the impact there. And as someone who’s been generally working virtually for about 20 years now, I almost forgot that. I live in Boston where the rush-hour traffic is terrible because most people work in an office environment. Overnight, that changed.

It sounds odd, but the pandemic, because it helped minimize distractions -- you can’t go to a movie, you can’t go to a mall -- helped people focus on the work at hand. I think that the pandemic unified teams, I mean especially for those with family responsibilities. When you bring the office into your home, you erase the lines between work and home and things blend into each other, particularly for people with young children at home.

And so, I think the reaction to that was that team leaders and leaders of large organizations understood that they needed to instill greater levels of communication and collaboration. Really, as the leaders themselves, many chief procurement officers (CPOs) talked about having much better scheduling and interacting more with the people on their teams as well as their direct reports in a virtual environment than they had in the preceding years. So, I think it’s all part of having to learn on the fly. I think by and large, organizations were sort of able to get through the challenging time and are now settling into this period of greater uncertainty. 

Gardner: Well, it seems as though the workers get it. The workers have found how to be productive and gain balance in their whole lives quickly, but employers seem to be still thinking we’re going back to the nine-to-five and the cubicles thing. Are employers lagging in their perceptions? Why haven’t they learned the same lessons of how this can work so well?

Mind the management-employee gap

Bartolini: Yes, I do think there’s always been a gap between sort of the workers and their views and management, if you will. I don’t think that the gap, at least in our research, is necessarily related to the pandemic itself. When we were looking at it sort of pre-pandemic, maybe around 21 percent of the workforce was remote. We’re doing a study right now and the early indications are that post-pandemic, fewer than 10 percent, maybe even fewer than 5 percent, of all businesses plan to revert to the way things were, doing that nine-to-five thing.

So, I think that the gap is a larger, more general one. I mean, Great Resignation, Great Revelation right there. When you look at the shift in power from employer to employee over the past couple of years -- the McKinsey study that Tim just quoted being one great example -- we’re really dealing with the market where there’s this Great Resignation plus a huge demand for talent. There’s extremely low rates of unemployment and we’re really experiencing what we would call a talent revolution. It’s a revolution that’s hitting workers of all types. It’s hitting white collar, blue collar, and the contingents as well. It impacts their voice and what they’re looking for from an employer, whether that’s flexibility or a sort of greater alignment between the companies that you work for and the purpose of those companies. 

There’s strong demand for engagement with corporate culture. This is really across the blended workforce. Look at the blue-collar workers seeking safer and better work conditions. Workers seek the intrinsic rewards, such as better pay, better benefits, but also the extrinsic benefits. There’s been that gap and employers have been slower to respond to that, but by necessity again, they’re going to need to start to craft engagement models and employment models that allow them to attract the best talent.

Gardner: Tim, what do these employees need to do to close this gap functionally even if they get it, even if they want to? What’s missing from a lot of employers in terms of making the accommodations to keep their employees happy, productive, and flexible?

Redefine where, who, and how talent works

Minahan: Now, the savvy employers recognize that this is an opportunity to drive greater innovation to recruit and retain the best skill set. They need to use a lot of the same tactics that they used out of necessity during the pandemic, such as allowing people to work more flexibly and remotely and arming them with more effective productivity and collaboration tools. They need to be able to rethink their workforce strategies. Whereas before they had to compete with folks down the street in major metropolitan areas such as San Francisco and New York, now they can hire the best talent by empowering the work wherever they want.

When you think about what this post-pandemic world of work is going to look like, there’s really three categories. One is what we’ve talked about and that you hear about in the press, which is where work gets done. It’s much more transcendent than just does Sam or Susie come back in the office three days a week, five days a week, or not at all? Really, it is about, “Gee, how do I create and maybe even rethink the role that the office plays? How do we create a work environment and a toolset that allows employees to perform the different types of work they do in the best way possible?” When they’re doing kind of thoughtful, meaningful research and other work, maybe it’s better for them to be remote. When it comes time for brainstorming, planning, strategic planning, that type of thing, maybe it’s better for them to come together.

Then you begin to look at your real-estate footprint. “Do we have a big office in a major metropolitan area, or do we downscale? Do we transform that office from one where everyone goes into the office, punches a virtual clock and closes the door into more of a collaboration space where they come together for very discrete moments and activities, or into a customer-experience space where we can invest more in those high-traffic metropolitan areas and create an engaging experience such as you might experience in an Apple store?” That’s the “where.”

Then, there’s the “who.” Smart companies recognize that they can use what they learn through the pandemic around remote work to go out and recruit new talent. In other areas, they’re not beholden to a commuting distance to one of their office hubs. Also, thinking about rebalancing the workforce where they might not be able to secure that developer or designer when competing with Amazon or Google on a full-time basis, there’s a whole host of very skilled and talented freelance workers and free agents who have that skill that are willing and interested in taking the projects that they want. So, you can get the top talent.

And then the last part is the “how they work.” Over the past few decades, we’ve amassed a massive amount of tech debt. We’ve deployed a whole host of individual devices and applications that on their own were designed to solve a particular business process, whether that’s automating the procurement process or something else, right, Andrew?

Bartolini: Right.

Minahan: However, when you stack them all on top of each other, there’s a cacophony of technology now that disrupts an employee’s day. So, having a digital workspace allows an employee to have access to all the work resources they need in a very secure way, no matter where work gets done, and layers it with automation and productivity and collaboration tools that allow them to work at their best. It allows for more efficient work execution and collaboration across all of these systems so that they’re not being disrupted throughout the day, but they actually quickly can get work done, quickly find the information they need, and do their best most meaningful work.

Gardner: Andrew, Tim just laid out some interesting things around where and who and how but the “who” kind of jumps out at me. It seems to me that a full-time employee (FTE) isn’t the only option. You don’t always need to know where they are, but maybe you also don’t need an FTE for every type of process or productivity. So, what is the future of work exchange and how should we think about the types of labor categories differently while we’re re-examining everything else at the same time?

Flexible work here, there, and everywhere

Bartolini: Tim is exactly right, and I think your question is absolutely on point. So, the future of work exchange is a web site that our partners launched only last year. We’ve been tracking the growth and expansion of the contingent workforce since the start, for the past 13 years. They’ve really focused on what we define as the future of work, and we think about that as the strategic optimization of how work gets done through the evolution of talent engagement, the advent of new technology and innovative tools, and the transformation of business standards.

And the reason why we’ve invested greater resources in this area is because the growth and expansion of the contingent workforce, the extended workforce -- it’s called a lot of different things today -- has grown dramatically over the past decade. Our research shows that 47 percent of all workers working for a company today are not FTEs. So almost half of all workers are contingent workers. They’re the independent contractors and consultants.

A decade ago, that number was 25 percent, and we expect that number to climb above 50 percent. We expect there’s probably a natural ceiling that will be hit at some point in a world where talent continues to be a major differentiator. But as organizations start to be more focused on “how” work gets done, rather than “who” does it, there’s been a shift. We’ve erased many of the geographic constraints that companies have traditionally had when trying to staff projects and to find the best talent. That’s been removed by technology and the advent of digital marketplaces where people can find the talent and do matching.

There’s been a shift in the way that organizations are thinking about what it is that they need to do to get their projects done, to get their work done, and it’s moved from the old view where the contingent worker was the temporary employee. Somebody’s going on vacation, somebody’s going out on maternity leave, we need to find somebody to fill a tactical position. Now, there’s an expanded view of who we can bring in to do work and what that work is: much more strategic projects. It’s an evolving mindset that has been accelerated by the pandemic. It’s an interesting and exciting time for those working in procurement and HR to get their hands around what their total workforce looks like as they go forward.

Gardner: Tim, Ardent Partners reports that almost half of the workforce is no longer full-time. That means when they start working for a company, they’re not onboarded in the same way. They don’t get, “Here’s your 15 applications. Here’s your laptop. You have now 45 different sign-ons to deal with.” Now, you need to do all that on a more granular basis, maybe focused on a process or a project, not on an employee definition. How can technology support this interesting new mix of types of workers when it comes to getting things done?

Minahan: You’re absolutely right. That is something that companies had to grapple with throughout the pandemic. I’m thinking of some of our financial services customers that saw, as you might expect, a dramatic uptick in their remote financial advisory services.

One was telling me that they hired 3,000 new employees during the pandemic, and they needed to onboard them all remotely. They needed to get them technology very quickly, they needed to get them access to the applications and information they required, and that was where they kind of really embraced a secure digital workspace strategy, leveraging in this case our desktop-as-a-service offering to be able to quickly stand up a desktop that had a personalized workspace for that employee.

In some cases, they would send out a thin client device like a Chromebook to allow that employee to have access to a device. Or, in other cases, at least early on throughout the pandemic, they would allow them to use their home device. Because they had a virtual desktop-as-a-service offering, they were able to ensure that not only did their employee have reliable access to all the onboarding materials, all the applications, all the training, all the information needed, but also that it was delivered in a reliable and very secure way so they could ensure that their corporate information remained secure.

This is offering a whole new flexibility particularly as we look at who does the work. As we’ve transitioned virtual desktop delivery from on-premises to the cloud, it’s opened up and made desktop delivery much more turnkey and much more practical for a broader set of use cases. So, not just FTEs, but contingent workers, seasonal workers, temp labor, these freelancers that we’ve talked about, designers and the like, it’s allowed companies to stand up and empower and onboard these employees very quickly without putting their corporate resources at risk.

One great example of this is a customer and innovation partner of ours, Major League Baseball (MLB), which, throughout the pandemic in the full spotlight, had to grapple with how to put the season on, how to keep the players and employees safe, how to empower them. But at the same time, everyone was seeing rising incidents of cybersecurity threats. They were able to empower not just this employee base but also their supply chain with desktop services.

A lot of their supply chain partners are small partners and they needed to step up their security requirements and they just didn’t have a large IT department. So, MLB basically extended this desktop service to that supply chain so that they could be compliant, continue to deliver the high grade of innovative and quality services that MLB needed while meeting the stepped-up security requirements. And so, I think we’re going to see a massive shift if we believe that flexible work is here to stay. The only consistent place that an employee is going to work is going to be their digital workspace.

Gardner: Andrew, sometimes I think we get complacent about how important a role this technology is playing in allowing this all to happen. One of the ways for me to wrap my head around how essential and innovative and powerful the technology is, is to say, well, what if this pandemic hit 10 or even 15 years ago? If this had happened 10 or 15 years ago and we didn’t have cloud computing, we didn’t have desktop as a service, and virtualization was just starting out, where would we have been? It seems to me that we lucked out, right? We got just over the line on where this technology is capable enough to allow people to work remotely almost anywhere on the planet. This technology is, I think, underappreciated. 

Tech enables transition to digital workspace

Bartolini: Yeah, I would say, no doubt. I mean, there’s been a long steady march towards driving improved communication whether that’s among teams and the capability to chat or among trading partners as well. I mean, that’s another piece. If you think about the growth of the global supply chain, that’s been a technology-enabled phenomenon as much as anything else, when it comes to the workers and to the workforce, right?

If this was 10 or 15 years ago, I’d like to think that we would have seen many of today’s innovations come along much sooner. But from a workforce management standpoint, when you’re dealing with a workforce that is not full-time, that is much more transient in how it engages and how you engage, your approach to that workforce necessarily has to change. From a technology standpoint, if you have your old HR playbook of how you onboard a traditional employee, you need that same playbook now for the freelancers, for the temps, and you need to have those things codified and smooth because there’s a war for talent that’s going on right now.

And so, it’s not just the FTEs that are picking and choosing when and how they engage. It’s the independents as well. It is this extended workforce. And so, you as an organization have to be at the ready. You have to be the employer of choice whether that’s a short-term project or the long-term employer of still 50 percent of the workforce.

So, yes, technology has been absolutely critical, and it is only going to play a greater role. When I speak to procurement leaders, CPOs and directors of sourcing, there’s been a shift that has happened and it’s going to continue to happen. As you see company offices and the investment in corporate real estate shrink, that money is redeployed to productivity tools, to technology that can create the digital workspaces that Tim has just been talking about. So, there is this transition, and the technology has absolutely played a key role.

Gardner: And Tim, we talked a little earlier about employers needing to close the gap between recognizing a flexible workforce future. It seems to me that this has forced them to appreciate how impactful the technology can be, and in many ways, we’re only scratching the surface of what the technology is capable of. So, is the silver lining here that we’ve created a catalyst to technology adoption and therefore also a catalyst to further technology development?

Minahan: Yes, Dana. I think it’s the combination. Certainly, the pandemic has expedited everything as folks are looking at accelerating their digital transformation and the shift to more flexible work models. That is causing companies to think not just about how to deliver all the work resources, all the applications, all the content, all the collaboration tools that employees need to be productive and do it securely so they can work anywhere, but also looking at, “Gee, how do I help them work better?”

If you look at any of the analyst studies out there, at the top of the list of prioritized investments for IT this year are collaboration tools. Tools that foster more efficient work execution and collaboration across these distributed work environments. Some of them are actual tools such as whiteboarding tools and project management tools. And some of them are actually in this role of robotic process automation (RPA), or automation providing a way for frontline business analysts and business users to knit together all of the source systems to complete a single business process, so that employees are not burdened by technology but can drive differentiated business processes. That’s a key opportunity as companies are looking at, “Gee, a lot of the stuff I invested in out of necessity during the pandemic is now allowing me to drive new business processes and innovation in my business that I couldn’t think through before.”

But all of this needs to be accompanied by changes in policy and ultimately culture. So, if you think about our experience during the pandemic, including on this podcast here, whether we’re using Zoom or Teams or whatever, it was really the great equalizer. We all have the same size box, we all have the same access to the same tools, the same information. But as we rotate back to what a lot of folks are trying to work out as hybrid work, it opens up the opportunity to create a high level of inequity in the workplace, where you have these battles between the office-first culture and the remote culture and how you run meetings.

Gardner: We used to call them road warriors, remember?

Equality essential for hybrid workmates

Minahan: Exactly. And it’s a big shift that we need to talk about. How do you create equity in the workplace? You just assume that you’re going to have a planning meeting, a work environment where you’re going to have remote workers and in-office workers, and how do you create that equality? So, as we talk about this hybrid work model, companies really have an opportunity now to figure it out.

Here at Citrix, for example, we are retrofitting all of our conference rooms to be hybrid oriented. We’ve got cameras now in the middle of the table. We’re operating on Teams whenever we have a meeting. We’ve got cameras on the whiteboard and we’re trying to develop protocols or policies that include remote people participating in a meeting. For example, they get to respond or ask the first questions. Those types of things which we haven’t really thought through need to be thought through, in addition to the technology infrastructure that enables such work.

Gardner: Andrew, companies right now are sort of dealing with some tough, thorny problems around flexible work models and also the talent shortage. What does your research tell you about what they should do sooner rather than later in terms of how to best adjust to this? What is the research telling you are sort of the fast-track things that people should be doing to be best prepared for our strategic approach to these problems?

Bartolini: The new flexible work model, the extended or contingent workforce and its growth in size and in strategic impact, really has changed the way that organizations need to engage talent. So, if you are a hiring manager, if you lead a large organization, hiring is now a 24/7, 365-day activity because workers’ duration, the amount of time that they’re staying with a single employer, also has shortened dramatically.

And so, you need to be developing and building a talent pipeline and maintaining that pipeline in an ongoing fashion. You need to be working to become the employer of choice. The research that we’ve seen and the strategies that organizations should be employing, if they haven’t already, include that there needs to be a more empathetic approach to how you manage your people. I think that the workforce today, because of the labor shortage or the low unemployment and the high demand for talent really has allowed employees to spend more time seeking out the jobs with employers that match their own sensibilities.

Is there a purpose that the company can communicate to their candidates and to their current workers? What is the culture of the organization and how is that culture manifested when you’re dealing with people that are in a distributed environment and not meeting face to face? How are you thinking about the benefits and how are you trying to better understand what it is that your workers need from a flexibility standpoint?

I think all of those things sort of go back to how do you engage your talent? And that’s the talent that you’re trying to recruit to bring into your organization and the talent that you have now that you’re trying to retain.

Gardner: Similar question for you, Tim. As companies are grappling with flexible work and talent shortage issues that are critical, what does Citrix’s research and its product development efforts tell you that they should be doing now tactically in order to be set up strategically for this cultural shift as we’ve termed it?

Minahan: The number one thing, if you look at it, is that 90 percent of employees plan to use a flexible work model this year. And 80 percent prefer to continue on in that fashion. Companies really need to think about their workforce strategies in different ways. They need to be open to flexible work arrangements to secure the top talent and the modern skills that they need, but also to retain their existing talent who are increasingly looking for new opportunities in this hot job market.

Secondly, they need to create an environment from a technology standpoint that is conducive to allowing employees to do their best work. Before, if everyone was coming into the office, your technology investment was pretty systematic. Now, you have to look at what it is going to take to empower an employee to work from their own device while protecting corporate resources, while ensuring that they have the collaboration, communication, and productivity tools that they need to foster more efficient work execution and collaboration across this distributed environment.

Those are the types of things folks need to think about. But they need to be coupled with a change in policy and culture. One that is forward thinking about, “Okay, if I have a new workforce strategy that is a balance between FTEs and contractors to make sure we have the right skills on the right project and people who are managing things in much greater pools of talent, what are the policies that we need to put in place to make that most effective?”

If I know my employees and assume that we’re always going to be in a work environment where we’ve got to have in-person and distributed folks participating in the same meeting, what am I doing to foster an environment that makes it a meaningful experience for everyone involved, not just those who are sitting in the room? And then finally, what am I doing culturally to ensure that development opportunities and career advancement opportunities are not hindered by the choice of where an employee works?

There’s a major reset that companies need to think through. In order to be competitive, to be able to secure the top talent, tame the top talent, and drive and modernize your business with this talent, you need to adjust on those three vectors.

Gardner: Tim, I really respect the amount of research that you’re doing there at Citrix. You’re being empirical and not just using gut instinct on this and that’s great. And you’re also sharing this research, so where can people go to learn more? Where can I find some of the resources that Citrix is providing?

Minahan: I appreciate the feedback, Dana. You can go to Fieldwork by Citrix where we incorporate and make our research available. We also have our own kind of remote-work podcast there. Go to to check it out.

Gardner: Andrew, where can people learn more about Ardent Partners, their research, and the future of work exchange?

Bartolini: Go to, that’s our site that’s got all of our current research and innovative ideas and tools. Tim even has a few articles up on the site there, too, which we appreciate.

Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on ways workers and businesses alike are adopting flexible work models as the new normal.

And we’ve learned how innovations such as contingent labor exchanges and intelligent workspaces are empowering workers to control their destiny and reward their employers with higher productivity.

So, a big thank you to our guests, Andrew Bartolini, Founder and Chief Research Officer at Ardent Partners. Thanks, Andrew.

Bartolini: It’s been great, Dana. Thank you.

Gardner: And with Tim Minahan, Executive Vice President of Business Strategies at Citrix. Thanks so much, Tim.

Minahan: Thank you, Dana. I appreciate the dialogue.

Gardner: And a big thank you to our audiences as well for joining this BriefingsDirect future of work innovation discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Citrix-sponsored interviews.

Thanks again for listening. Please pass this along to your community and do come back next time.


Transcript of a discussion on new research into how innovations such as contingent labor exchanges and intelligent workspaces are changing the future of work forever. Copyright Interarbor Solutions, LLC, 2005-2022. All rights reserved.


Wednesday, January 12, 2022

When it Comes to API Security, Expect the Whole World to Be Testing Your Mettle, Says Twitter CISO

Transcript of a discussion on how Twitter’s chief information security officer makes the most of APIs by better knowing and managing them across their full lifecycles.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Traceable AI.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

For developers and business architects alike, they often don’t know how a technology has adversely impacted a company -- until it has run amok. Just as cloud computing initially seeped into organizations under the cloak of shadow IT, an application programming interface’s (API) use and adoption has often followed an organic, inexact, and unaudited path.

IT leaders know they’re benefiting from APIs -- internal, via third parties, and often outwardly exposed -- they just don’t know where they are, how much they support key services, and how they’re being used … or abused.

Stay with us now as we explore how API-intensive and API-experienced businesses are bringing maturity to their APIs’ methods and protections.

To learn how Twitter, a poster child for business-critical API use, makes the most of APIs by better knowing and managing them across their full lifecycles, we’re joined by several guests to discuss API maturity.

Please welcome Alissa Knight, recovering hacker and partner at Knight Ink. Welcome, Alissa.

Alissa Knight: Thank you, Dana. I appreciate it.

Gardner: We’re also here with Rinki Sethi, Vice President and Chief Information Security Officer (CISO) at Twitter. Welcome, Rinki.

Rinki Sethi: Thanks, Dana. It’s nice to be here.

Gardner: Security researchers at Akamai in their latest state of the internet report detail how cyber criminals have noticed APIs and are turning them into an attack vector. This in itself isn’t a surprise, but the degree to which people are not prepared for such vulnerabilities as the Log4j issue is.

Rinki, how do CISOs such as you at Twitter get the most out of APIs while limiting the risk?

Sethi: Securing APIs is a multi-layered approach. My philosophy is that APIs are meant to be exposed. We expose APIs to enable developers to do amazing things on our platform.

So, you need a multi-pronged approach to security. There are basic tools that help you prevent risk around APIs, whether it’s volumetric attacks or the basic vulnerabilities and supporting the infrastructure. But really, each API introduces its own risk, and there is a multi-layered approach in how you go and secure that.

Gardner: Rinki, what’s your history as a CISO? And please tell us about your tenure at Twitter.

Sethi: I’ve been in the cybersecurity industry for almost two decades now. I’ve been around the block at some really great brands in the Bay Area, from working at eBay to Palo Alto Networks to IBM.

I took my first CISO role almost three years ago at a start-up company called Rubrik, a unicorn, and helped them after a security breach and to scale up their security program. That was my first role as CISO. Before that, I held various roles leading product security, security operations, and governance, risk, and compliance (GRC).

While at Rubrik, during early COVID, we had to scale back and focus on how to thrive as a business. At that time, Twitter reached out. I joined Twitter after the security breach and before the U.S. election to help build out a scalable security program. And so, here we are. I’m a little over a year into this role.

Gardner: The good news about APIs is they’re widely exposed and can be used productively. The bad news is they’re greatly exposed. Knowing that and living with that, what keeps you up at night? What’s a lingering concern when it comes to the use of APIs?

Decrease API vulnerability ASAP 

Sethi: The explosion of APIs in use in just the last few years has been at an exponential rate. Our traditional security products don’t protect us against business logic flaws -- and that’s what keeps me up at night.


Business logic flaws can result in security or privacy violations for the consumer. And other than unit testing -- and really looking at your APIs and testing them out for those business logic flaws -- there’s not great innovation yet. There are [API security] companies starting up, and there are going to be a lot of good things that come out, but we’re still early. That’s what keeps me up at night. You still have to go back to the manual way of looking at APIs.

Those kinds of vulnerabilities are the biggest challenge we have in front of us. And thankfully we have people like Alissa who come after us and find those issues.

Gardner: Alissa, you wrote an e-book recently, The Price of Hubris: The Perils of Overestimating the Security of Your APIs. Other than the business logic flaws that Rinki described, what are the biggest risks in the nearly unmitigated use of APIs these days?

Knight: There’s a library of papers I’ve done on these issues. I feel like every morning, Rinki wakes up and lies in her room and says, “Oh, my God, another paper from Alissa!” So, yes, there’s a real struggle around API security.

What was interesting and what I loved about the Hubris paper was it allowed me for the first time to take all my vulnerability research across industries -- automotive, healthcare, financial services, fintech, and crypto currency exchanges – and put them into a single paper. It’s a compendium of all my API exploits that shows this is a ubiquitous problem across many industries.

It’s not just a Twitter problem or a whatever-bank problem. It’s an everyone problem. Much to Rinki’s point, APIs have pretty much become the plumbing system for everything in our world today. They affect life and safety. That’s what attracts me as a vulnerability researcher. It’s like George Clooney’s movie, The Peacemaker, where the lead character didn’t care about the terrorist who wants 1,000 nuclear weapons. He cared about the terrorist who just wants one.

For me, I don’t care about the hacker who wants to deface websites or steal my data. I care about the hacker who wants to go after my APIs -- because that could mean taking remote control of the car that my family is in or hacking healthcare APIs and stealing my patient records. If your debit card was compromised, Wells Fargo can send you a new one. They can’t send you a new patient history.

APIs are the foundational plumbing for everything in our lives today. So, rightfully so, they are attracting a lot of attention -- by both black hats and white hats.

Gardner: Why are APIs such a different beast when it comes to these damaging security risks?

Knight: Humans tend to gravitate toward what we know. With APIs, they speak HTTP. So, the security engineers immediately say, “Oh, well, it speaks the HTTP protocol so let’s secure it like a web server.”


And you can’t do that because when you do that, and Rinki addressed this, you’re securing it with legacy security, with web application firewalls (WAFs). These use rules-based languages, which is why we have gotten rid of the old Snort signature base, if you remember that, if you’re old enough to remember Snort.

Those days of intrusion detection system signatures, and updating for antivirus and every new variant of the Code Red worm that came out, is why we’ve moved on to using machine learning (ML). We’ve evolved in these other security areas, and we need to evolve in API security, too.

As I said, we tend to gravitate toward the things we know and secure APIs like a web server because, we think, it’s using the same protocol as a web server. But it’s so much more. The types of attacks that hackers are using -- that I use -- are the most prevalent, as Rinki said, logic-based attacks.

I’m logged in as Alissa, but I’m requesting Rinki’s patient records. A WAF isn’t going to understand that. A WAF is going to look for things like SQL injection or cross-site scripting, for patterns in the payloads. It’s not going to know the difference between who Rinki is and who I am. There’s no context in WAF security -- and that’s what we need. We need to focus more on context in security.

Gardner: Rinki, looking for just patterns, using older generations of tools, doesn’t cut it. Is there something intrinsic about APIs whereby we need to deploy more than brute labor and manual interceding into what’s going on?

Humans need to evolve API culture

Sethi: Yes, there are a lot of things to do from an automation perspective. Things like input/output content validation, looking at patterns and schema, and developing rules around that, as well as making sure you have threat detection tooling. There’s a lot you can do, but a lot of times you’re also dealing with partner APIs and how your APIs interface with them. A good human check still needs to happen.

Now, there are new products coming out to help with these scenarios. But, again, it’s very early. There are a lot of false positives with them. There’s a lot of tooling that will help you capture some 80 percent, but you still need a human to take a look and see if things are working.

What’s more, you have the issue of shadow APIs, or APIs that are old and that you forgot about because you no longer use them. Those can create security risks as well. So, it goes beyond just the tooling. There are other components needed for a full-blown API security program.

Gardner: It seems to me there needs to be a cultural adaptation to understand the API threat. Do organizations need to think or behave differently when it comes to the lifecycle of APIs?

Knight: Yes. The interesting thing -- because I’m so bored and I’m always trying to find something to do -- I’m also the CISO for a bank. And one of the things I ran into was what you mentioned with culture, and a culture shift needed within DevOps.


I ran into developers spawning, developing, and deploying new APIs -- and then determining the cloud environment they should use to secure that. That’s a DevOps concern and an IT concern. And because they’re looking at it through a DevOps lens, I needed to educate them from a culture perspective. “Yes, you have the capability with your administrative access to deploy new APIs, but it is not your decision on how to secure them.”

Instead, we need to move toward a mindset of a DevSecOps culture where, yes, you want to get the APIs up and running quickly, but security needs to be a part of that once it’s deployed into development -- not production -- but development. Then my team can go in there and hack it, penetration test it, and secure it properly -- before it’s deployed into production. 

What’s still happening is these DevOps teams are saying, “Look, look, we need to go, we need to rush, we need to deploy.” And they’re in there with administrative access to the cloud services provider. They have privileges to pick Microsoft Azure or Amazon clouds and just launch an API gateway with security features, and yet not understand that it’s the wrong tool for the job.

If all you have is a hammer, everything looks like a nail. So, it requires a culture change. It is certainly that. Historically, there’s always been an adversarial relationship between security and developers. And it’s part of my job -- taking off my hacker hat and putting on my executive hat as the CISO – to change that mindset. It’s not an us versus them equation. We’re all on the same team. It’s just that security needs to be woven into the software development lifecycle. It needs to shift left and shield right.

Gardner: Rinki, any thoughts about making the culture of security more amenable to developers?

Sethi: I couldn’t agree more with what Alissa said. It’s where I found my passion early in my security journey. I’m a developer by trade, and I’m able to relate to developers. You can’t just sit there and train them on security, do one-day training, and expect things to change.


It has to be about making their lives easier to some degree, so they don’t need to worry about things, and the tooling is training them in the process. And then a shared sense of responsibility has to be there. And that's not going to come because security just says it’s important. You have got to show them the impact of a security breach or of bugs being written in their code -- and what that can then end with. 

And that happens by showing them how you hack an application or hack an API and what happens when you’re not developing these things in a secure manner. And so, bringing that kind of data when it’s relevant to them, those are some bits you can use to change the culture and drive a cohesive culture with security in the development team. They can start to become champions of security as well.

Knight: I agree, and I’ll add one more thought to that. I don’t think developers want to write insecure code. And I’m not a developer, so I couldn’t speak directly to that. But I’m sure nobody wants to do a bad job or wants to be the reason you end up on the nightly news for a security breach.

I think developers generally want to be better and do better, and not do things like hard-code usernames and passwords in a mobile app. But at the end of the day, the onus is on the organization to speak to developers and say, “Hey, look. We have the annual security awareness training that all companies need to take about phishing and stuff like that,” but then no one sends them to secure code training.

How is that not happening? If an organization is writing code, the organization should be sending its developers to a separate secure code training. And that needs to happen in addition to the annual security awareness training.

Gardner: And Rinki, do you feel that the risk and the compliance folks should be more concerned about APIs or is this going to fall on the shoulders of the CISO?

Banking on secure APIs

Sethi: A lot of times, risk and compliance falls under the CISO and I think Alissa said they don’t get into it. The regulators are not necessarily going to get into the minutia and the details of each and every API, but they may mandate that you need some kind of security program around that.

As we all know, that’s only one aspect of security. But I think it’s starting to come up in discussions -- especially in the banking world. They’re leading the way as to what others should expect around this. What I’m hearing from vendors that are supporting API security is that it’s easier to go to a bank and drive these programs because they already have a culture of security. With other companies, it’s starting to come now. It’s a little bit more chaotic around how to bring these teams involved with APIs together so that they can build good security.

Knight: If you think about it, 20 years ago, back when both Rinki and I got into security, it was a different story. The motives for hackers were website defacement and getting your name on all those defacements. That was the point of hacking.

Now, it’s all about monetizing the data you can steal. You don’t go digging for gold in just any random hole. You try and find a gold mine, right? Data is the same. Data is worth more than … Bitcoin. Maybe more than oil. You go to a gold mine to find gold, right? That means you go to APIs to find data. Hackers know that if they are going to steal and ransom a company, and double dip, and then lock and leak -- so leak the data and encrypt it -- you go where the gold is, and that’s the APIs.

I think there’s going to be an exodus where hackers start shifting their focus to APIs. Knowing that more hackers are moving in this direction, I need to learn JSON, I need to know what the hell that is and not be scared off by it anymore, because that’s where the data is. I need to understand how to hack APIs. 

Just because someone’s a hacker doesn’t mean they know how to hack APIs. I know a lot of hackers that freak out when they see JSON. So, it’s a certain type of hacker. Hackers need to take their craft -- either a white hat or black hat -- and develop that craft to focus on how to hack APIs.

The winds are changing and it’s going toward APIs because Twitter isn’t a monolithic application just like isn’t. It’s not one big app running on one big web server. It’s a bunch of distributed containers, microservices, and APIs. And hackers are going to learn how to hack those APIs because that’s where the data is.

Gardner: What do organizations then need to do to find out whether they’re behind that 8-ball? Is this still a case where people don’t know how vulnerable they are?

Identification, please

Sethi: Yes, I think identification is essential. If you’re kicking this off, at least make the case for a top priority to identify what your API environment looks like. What do you have that’s currently being used? Which older versions are no longer used but are still around and may be creating risks? Are there shadow APIs?

Finding out what the environment looks like is the first step. Then go through those APIs to see how they work. What do they do for you? What are the high-risk ones that you want to take a look at and say, “We need a program around this.” Identification is the first step, and then building a program around that.


You may also want to identify what teams you need on board because, as you’re identifying what’s already existing, if there are things you need to change around how developers are working with APIs, that’s another step you want to look at. So, it’s about building a cohesive program around building a culture. How do you identify what’s out there? How do you change how work is being done so that it’s more secure?

Knight: As a CISO, I’m quick to buy the coolest new things, the shiny new toys. My recommendation is that we as security leaders and decision-makers need to take a step back and go back to the old, fine art of defining our requirements first. 

Creating a functional requirements document on what it is we need from that API threat management solution before we go out there shopping, right? Know what we need versus buying something and looking at a vendor and saying, “Oh you’ve got that. Yeah, that could be good. I could use that. Oh, you’ve got that feature? Oh, I could use that.”


Understand what your requirements are. Then, most importantly, you can’t protect what you don’t know you have. So, does your tool have the capability to catalog APIs and find out what your attack surface really is versus what you think it is? What kind of data are those APIs serving? Maybe we don’t need to start by focusing on protecting every single API, but I sure as hell want to know which APIs use or serve personally identifiable information (PII), or payment card industry (PCI) data, and all of those that are serving regulated data.

So where do I need to focus my attention out of the 6,000 APIs I may have? What are the ones I need to care about the most because I know I can’t protect my entire operating area -- but maybe I can focus on the ones I need to care about the most. And then the other stuff will come in there.

The number one vulnerability, if you look at the Hubris whitepaper, that’s systemic across all APIs is authorization vulnerabilities. Developers are authenticating a request but not authorizing it. Yes, the API threat management solution should be able to detect that and prevent it, but what about going back to the developers and saying, “Fix this.”

Let’s not just put all the onus and responsibility on the security control. Let’s go to the developers and say, “Here, our API threat management solution is blocking this stuff because it’s exploitable. You need to write better code, and this is how.” And so, yeah, I think it’s an all-hands-on-deck, it’s an-everyone issue.

Gardner: Because the use of APIs has exploded, because we have the API economy, it seems to me that this ability to know your API posture is the gift that keeps giving. Not only can you start to mitigate your security and risk, but you’re going to get a better sense of how you’re operating digitally and how your digital services can improve.

Rinki, even though better security is the low-lying fruit from gaining a better understanding of your APIs, can you also then do many other very important and beneficial things?

CISOs need strong relationships

Sethi: Absolutely. If you think about security upfront in any aspect, not just APIs, but any aspect of a product, you’re going to think about innovative ways to solve for the consumer around security and privacy features. That gives you a competitive advantage.

You see this time and time again when products are released. If they have issues from security or privacy, they may have been able to threat model that in advance and say, “Hey, you might want to think about these things as an outcome of the consumer experience. They may feel like this is violating their security or privacy. These are things that they may have in mind and expect from the product.”

And, so, the earlier you have security and privacy involved, the better you’re going to deliver the best outcomes for the consumer.

Knight: Yes, and Dana, I consider it fundamental to our role as a CISO to be a human LinkedIn. You should form a partnership and relationship with your chief technology officer (CTO), and have that partnership with infrastructure and operations, too.

APIs are like this weird middle ground between the CISO’s office and the CTO’s office because it’s infrastructure, operations, and security. And that’s probably not too different from other assets in the environment. APIs need a shared responsibility model. One of the first things I learned from being a CISO was, “Wow, I’m in the business of relationships. I’m in the business of forming a relationship with my chief fraud officer, my CTO, and the human resources officer.”

All of these things are relationship-building in order to weave security into the culture of the enterprise, and, I think, in 2021 we all know that by now.

Gardner: APIs have become the glue, the currency, and a common thread across digital services. What I just heard was that the CISO is the common denominator and thread among the different silos and cultures that will ultimately be able to impact how well you do and how well you protect your APIs. Are CISOs ready, Rinki?

Sethi: I wouldn’t say that they aren’t. Any CISO today is exposed to this. The proof is around; look at how many vendors are out there solving for API security now, right? There are hundreds and they’re all doing well.


It’s because CISOs have defined that there’s a problem and that we need to go and solve it. It’s a multilayered issue, and that’s why there’s so much innovation happening right now. And we’re not just solving for typical issues in your infrastructure, but also how you look at content validation. How are you looking at those business logic flaws? How are you looking at monitoring? Even how are you looking at identifying APIs?

You don’t know what you don’t know, but how do you start finding out what’s in your environment? There’s so much innovation happening. All CISOs are talking about this, thinking about this, and it’s a challenge. I do think CISOs are the common denominator in how we bring these different teams together to prioritize this.

Knight: I think you hit the nail on the head, Dana. CISOs are the connective tissue in an organization. We even have a seat on the boards of directors. We have a seat at the big kids’ table now, along with the CEO, and the heads of the different departments in the company.

And I don’t think the API security solutions were all created equal. I just recently had the pleasure of being invited by Gartner to present to all their analysts on the state of the API security market. And all these API security vendors have a different approach to API security, and none of them are wrong. They’re all great approaches. Some are passive, some are in-line, some import the Swagger file and compare the back-end API to your OpenAPI specification. Some are proxies.


There are all these different approaches because the attack surface for APIs is so big and there are so many things you need to think about. So, there are many ways to do it. But I don’t think they are created equal. There are a lot of vendors out there. There are lots of options, which is why you need to first figure out what you require.

What is the back-end language? What are you programming in? Does your solution shim into the application? If so, you need to make sure the API security solution supports that language, that sort of thing. All these things you need to think about as a security decision-maker. We as CISOs sometimes go out there and look at product options and take the features of the product as our requirements. We need to first look at our requirements -- and then go shopping.

Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on making the most of APIs by better knowing and managing them across their full lifecycles.

And we’ve learned how business-critical API users like Twitter are bringing greater maturity to their APIs’ methods and protections, as well as looking to the CISO as the connective tissue across many different parts of the organization, all of whom need to start getting much more aware of these risks.

So, a big thank you to our guests, Alissa Knight, recovering hacker and partner at Knight Ink. Thank you so much, Alissa.

Knight: Thank you.

Gardner: And we’ve also been joined by Rinki Sethi, Vice President and CISO at Twitter. Thank you, Rinki.

Sethi: It was great being here. Thank you.

Gardner: And lastly, a big thank you to our audience for joining this BriefingsDirect API resiliency discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout the series of Traceable AI-sponsored BriefingsDirect interviews.

Thanks again for listening. Please pass this along to your business community, and do come back for our next chapter. 


Transcript of a discussion on how Twitter’s CISO makes the most of APIs by better knowing and managing them across their full lifecycles. Copyright Interarbor Solutions, LLC, 2005-2022. All rights reserved.
