Wednesday, January 25, 2023

How A-Core Concrete Sets a Solid Foundation for Preemptive Security

Transcript of a discussion on how to best balance resilient security requirements with efficient use of human capital and resources in a highly dispersed organization.

Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Bitdefender.

 

Dana Gardner: Welcome to the next edition of the BriefingsDirect podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator.

 

Gardner

A special breed of company -- even though it has a relatively small number of employees -- does very big jobs with those lean and often distributed workforces. A perfect example of such a concentrated and efficient business is A-Core Concrete Specialists, which builds large and complex structures across the Western United States.


When it comes to managing IT, the lean-and-mean mantra also holds true. The jack-of-all-trades requirements means that the IT leadership of it is often the head of security. As a prime example, that’s another way that A-Core Concrete shines.

 

Today’s BriefingsDirect security innovations discussion examines how A-Core Concrete has created a security culture that relies on centralized administration, proactive insights, and rapid remediation to successfully assure that the whole company operates at peak performance.


Here to share the story of how to best balance resilient security with the efficient use of human capital and resources is Andy Black, Chief Information Officer (CIO) at A-Core Concrete Specialists Inc., in Salt Lake City. Welcome, Andy.

 

Andy Black: Hello. Thank you.

 

Gardner: How does your management and IT approach allow A-Core Concrete to best meet its security objectives?

 

Black: A-Core Concrete operates in seven different states within the Western United States. We have 13 offices throughout the Western U.S., and our main corporate headquarters is in Salt Lake City, Utah.

Black
From there, we run the majority of the businesses. Each division operates independently. There are some that operate branch sites in various states and others where we don’t actually have offices. So, we need to provide a lot of remote capabilities and access to IT at all of these various locations. 

When I came aboard several years ago, I determined the best answer was not to have a central data center where all of our servers and applications were housed. That just made it more complex for every one of those locations to gain access to the main facility. Because we also were growing rapidly, I needed the ability to expand the business quickly and plug in a new location really fast.

 

If I had to establish a direct virtual private network (VPN) connection back to our main data center at the main corporate headquarters, it probably wasn’t going to work well. So, instead we decided to migrate all of our servers and the environment to the Microsoft Azure cloud and set up each office location with VPN connections up to that Azure cloud environment.

 

That’s enabled us to operate lean and more securely. Each office has a secure connection to our primary applications via remote access. And all of our people operating remotely on mobile devices and laptops are also able to gain access to our cloud-based environment.

 

That’s basically how we’ve configured our IT environment so every physical location -- as well as all of our remote workers – can have secure access into all of our cloud-based resources.

 

Gardner: Andy, we hear so much these days about remote work and whether that’s the right fit for the long-term. Seems to me what’s most important is gaining the flexibility and the agility to be location-independent. You can always get the work done regardless of where the people are.

 

What were some of the challenges you faced to maintain your security requirements, even with 13 offices – and more remote locations -- spread around the country?

 

Keep clients safe across the Western U.S.

 

Black: Well, a great example that comes to mind is we are currently working on one of the largest renovation projects in the country, the Church of Jesus Christ of Latter-day Saints temple renovation project in downtown Salt Lake City. That project involves a lot of very intense and technical work. We’re lifting the entire temple off of the ground to install earthquake prevention materials. Within the facility, we’re drilling holes down the sides of the temple. Of course, this is an historic landmark, so we have to retain and protect the facility.

 

But we’re working on that job site in conjunction with other companies. We are a subcontractor in partnership with the main host organization that is doing a lot of the construction. And so, we have our managers and our administrators working in the other companies’ offices and trailers. And so, we rely on those other companies’ internet connections for the majority of their work and yet our people still need to have access to our main company IT resources.

 

For them, for example, we have set up a VPN client that they load onto their individual computers, so they can simply rely on that internet connection and still tap into our Microsoft Azure cloud.

We're aware that there are a number of hacks and other issues out there where they take advantage of VPN and RDS-types of connections into remote access servers and cloud environs. We need to protect and secure those, too.

Now, for all of our other main office locations, we have firewalls in place, and each firewall is configured with that VPN client. But the way we’ve configured and built this out -- so that everything is cloud-based, while we can secure it with a VPN connection -- puts this in a tight spot because people are located all over the place. They might be using a cellphone as a mobile hotspot or an airport Wi-Fi network. And so, while they have that VPN connection to me, that still does not protect them 100 percent.

 

We’re aware that there are a number of hacks and other issues out there where they take advantage of VPN and even Remote Desktop Services (RDS)-types of connections into those remote access servers and cloud environments. And so, we have to be able to protect and secure those as well.

 

As a result, I rely on a lot of the services and support I get from Bitdefender for securing our computers and connections. They can be remote, in these other offices and shared with other companies, and we can still have secure access to all of our resources.

 

Gardner: The days of creating a fortress and moat perimeter that you can protect and beef up from time to time -- those days are gone. There is no perimeter. The perimeter is everywhere.

 

Given that, what are the top requirements for the endpoints to take advantage of your cloud use and remain secure and under control?

 

Protect all platforms, everywhere

 

Black: One of the main reasons I moved to Bitdefender in the first place was its high quality and reputation when it comes to ransomware protection. That was one of my primary goals as a result of an instance where we had an attack several years ago. The security solution we had at the time helped prevent the vast majority of attacks, yet we still had a couple of machines that were hit. I needed to find a good, solid solution.

 

At the time I did my research, Bitdefender came out on top of the list. By installing Bitdefender, we not only gained an endpoint protection solution that provided ransomware protection, it also gave us antivirus, anti-malware, and other resources to securely protect those local devices. Then, at the same time, because we still see so many attacks through email, we tapped into the Bitdefender email filtering solution as well.

 


We rely very heavily on that solution to handle the local desktops, the laptops, and all those devices -- as well as all of our communication through email -- to make sure that we protect ourselves as much as we possibly can.
 

We still have to train the users. The weakest point in any security system is still the users. They still click on things, and they can still open things. But by having the endpoint protection solution and the email filtering solution in place, we feel that gives us a really good perimeter, if you will, to try to protect us and keep us much more secure when it comes to managing all of these devices that are all over the place.

 

Gardner: As your security and other IT partners have also adopted cloud architectures, how has that impacted your ability to manage and secure all of those far-flung endpoints?

 

See, secure, and share the cloud

 

Black: That’s a really great question. Not only do we have our own primary servers in the cloud that we use for specific systems in our environment, but we also outsource many other vendor-related hosted services, including software as a service (SaaS), for many other applications. Most of those are also hosted on Amazon Web Services (AWS) or Azure, so they’re all cloud-hosted. We may have one type of connection on one location, but on that same computer we’re doing 10 other things and 10 other resources are going to other cloud-hosted services.

 

I have, through Bitdefender, a great console that we use for two purposes. The first purpose is so that on my main view I can see all of the connected devices, and I can see which devices have had things blocked -- whether it’s been blocked, quarantined, or deleted. In a snapshot, I can open it up and determine if I have any devices out there that are jumping out and saying, “Hey, something just happened. We need to look at this right now.”

I also receive notifications if somebody's machine has clicked on a wrong link. That primary console has been great. I can pull up each computer, and it makes recommendations for how to better secure that specific device. It will automatically make the adjustments for me and make that fix. 

I also receive notifications if somebody’s machine has clicked on a wrong link. It gives me a notification, saying, “Hey, you need to go look at this particular computer.” That primary console has been great. Through that console, there are also links whereby I can pull up each individual computer, and it makes the recommendations for how to better secure that specific device. I can then click on some of those and it will automatically make the adjustment for me and make that fix. Then in others, it actually relates more to group policy kinds of changes that we can make on our network so each device within the entire company can be adjusted based on those particular recommendations. That’s all in the primary endpoint protection console that I use.

 

Then secondary to that is the email filtering console. And I dive into that on a regular basis, and I’m learning, “Okay, what’s getting blocked? What’s getting filtered? Should this really be going through? Should this not be going through? Is it virus-related? Is it malware? Is it simply a phishing scam? Is it marketing?”

 

I look at that on a regular basis to make sure that if something does get blocked, it really should. I can still, if needed, release it and get it right to our end users very quickly. These particular tools have been very, very helpful for me in trying to manage the endpoint protection and manage our communications through our email service.

 

Gardner: Andy, you’re the CIO, not the chief information security officer (CISO), so you’re juggling a lot of different priorities. One of the things that is hard for people to balance is getting too much – or too little – email information. Can you, through the management console and interface, tune it so that you don’t get overwhelmed, but can find the right balance?

 

Fine-tune filtering your email

 

Black: When we first implemented the Bitdefender email filtering solution a while ago, we weren’t really entirely certain how best to make it work. And so, we put specific settings in place, and it seemed like we were still blocking more than we really wanted to block. But we had the capability to very easily open the console and shift something here, do changes there, make an adjustment -- and then see how that all worked.

 

Ultimately, I got to a point where I reached out for help. I needed to get more assistance from Bitdefender specifically and I was assigned to an individual who then put me in contact with the more technical backend resources so that they could help me more specifically adjust and configure and change our parameters for the email filtering solution so that we could better get the things that needed to come through and block the things that didn’t need to come through.

 

One specific piece to that was the marketing component. People get all of the spam emails, all the time. There is in the email filter solution, three specific selections. You have a marketing low reputation, a medium reputation, and a high reputation.

 

Because we were getting so much spam, I decided that I wanted to block that medium reputation email as well and have that filtered out. And so, while it greatly reduced the amount of spam email that everybody got, we discovered about a month later that it was also blocking bid requests.

 

We have a number of our managers throughout the company in every state where we are who are subscribed to various resources that would automatically send these managers’ current job bid requests. They have a job that’s going on in such-and-such location. We need to know about this so we can provide a bid on that particular job.

 

Well, we discovered that many of those were also getting blocked because they were being treated as a marketing medium -- and that wasn’t the right answer. I made more adjustments and I talked to the managers and said, “Okay, well, if I adjust this so that we don’t miss these bids, you will continue to get all of these other marketing emails.” And they replied, “No, that’s fine. We’d rather get the marketing emails together with these bid requests than miss the bid requests and then miss out on a potential job that that we could get into.”

 

So, this is very customizable. There are a lot of adjustments we can make. Sometimes it’s just a tweak here and a tweak there. But what I found was very, very helpful was that I had the capability to tap into Bitdefender’s backend, and to talk to the right people, have them sit down, see my screen, and we could work through it together -- and they could teach me.

 

As you said, I’m not necessarily the security expert. I need to manage all of these environments and all the data and information that’s coming through. Having Bitdefender as a resource was also very helpful to configure and tune our system to make it work best for our needs.

 

Gardner: Sure, you want proactivity, you want the machine to do the work for you, anticipate some of the things, and offer analytics. When it comes to that proactive approach, is there something about the way that the interface and the data and the analytics come together that gives you a heightened sense of the security behind your security?

 

Get the whole picture to manage threats

 

Black: The display in the interface for the endpoint protection is very, very useful. In fact, in working with the same Bitdefender consultants, they helped me put the right quadrants in the right spots, to select which reporting features would be the most useful and would show me all the correct data.

 

We’re all visual people. A picture’s worth a thousand words. And so, rather than just looking at tables or lists of things that appear, it’s much easier to see it visually. One interesting thing about the dashboard is that I can click on a specific link or a specific dashboard icon and then it will take me to more information in greater depth and greater detail.

We're all visual people. A picture's worth a thousand words. Rather than looking at tables or lists, it's much easier to see it all visually. I can then click on a dashboard icon and it will take me to more information in greater depth and detail. 

At a glance, that executive dashboard is very helpful first to see exactly where we are and what number of threats are coming through. I can quickly determine, “Are we seeing an uptick in an attack perimeter at the moment or not? What’s being hit?” If I want greater detail, I click on it, I pull it up and I can get more information that way.

 

That particular resource has been very helpful. Again, once it’s set up and I know it’s there, and I trust it, it is no longer something I have to go into every single day. I’m not tapping into this every day. That’s not really my role overall, but when I need to, or if there’s something that’s happening, I can tap into it very quickly, pull it right up, see what’s happening, talk to my team and say, “Let’s go attack these particular systems. This one’s questionable. We’re not sure what’s going on here, so jump on that one.” It’s just a great management tool from that perspective.

 

Gardner: It sure sounds as though it’s a fit-for-purpose management approach, which is so important when you’re in a lean-and-mean environment.

 

You mentioned earlier, Andy, that your end users and their behavior are such an important part of security. Is there something about the way that you’re getting information about what’s going on at your endpoints and in your network that you can take back to the users and reinforce the right kinds of behaviors? Is there a way that you can instill a security culture based on the information you have for your consoles and analytics and take that back to train, in a sense, your workers to be more diligent about their best practices?

 

Train your teams to spot spam

 

Black: A couple of years ago, we determined as the leadership team it will be very beneficial and helpful for us to meet on a weekly basis across the company and do training. I’ve trained on all sorts of different things within the organization, but one of the key things that I continue to bring up regularly is security. I will say, “Here are the most recent things that we’re dealing with. Here are the most recent attacks.”

 

Then every once in a while, something may come through our e-mail, because no solution is 100 percent perfect, and so I still have to rely on my users to know and be aware and look at what’s coming through to make sure that it’s still good or bad. And so, we have a phishing report link option. If something comes through and it looks fishy, they click the link, and it automatically sends it to my team. We see this e-mail and we can double check and verify whether or not it’s good or bad.

 

If it’s bad, we can obviously let the user know and thank them and congratulate them for being proactive and determining, “Yep, sure enough, that’s not the right thing.” And then depending on what’s coming through, sometimes I will take screenshots of that, and I will send out a communication across the company, saying, “Hey, everybody. These are certain things that are happening right now. This is bad, this is bad, this is bad,” so you don’t want to open these. Then, during these trainings that I have with the company, I can discuss with people, “What are you seeing? How do we look at and break down one of these messages in these e-mails to determine, is this really a valid e-mail, and if not, how do we recognize that? How do we determine it?”

 

By helping and working with all of the people throughout the company on a regular basis, having these conversations, showing them the examples, taking these screenshots and so on, it’s helped to create a greater security culture within the organization. A lot of the smarter user base can be more proactive on their own end and say, “Yeah, yeah. This is bad or I’m not really sure about this particular one, Andy. Let me send this to you and have you double check it for me just to be sure.”

The vast majority of the time, it’s worked very well. Now, people can still make a mistake. I had a user literally a week ago click on a link that said they needed to redo their e-mail password. I can’t remember what it was and sure enough, it took them to a spoofed site. They didn’t think fast enough. They entered their credentials and immediately thought, “Okay, that was probably bad. So, Andy help me.” The next thing you know, we helped them reset the password right away so that whatever just got compromised is no longer there.

 

But at least people are more aware. They’re thinking. Even if they clicked the button and afterward, they’re like, “Yeah, that probably was not the right answer. Let’s jump on. Let’s talk to Andy’s team and let’s see if we can get it fixed.”

 

Helping to create that security-aware culture makes a big difference. Because the people in IT can put all of the infrastructure in place. We can have the firewalls and the VPNs and the endpoint protection, the antivirus, and the anti-malware, all of that -- but at the end of the day, it still is up to the end user. They are the last point of protection, so they need to be aware. They need to be cognizant of what they’re dealing with. The more we can work with them, the better.

 

Gardner: That root-cause analysis and learning what’s been behind problems is one part of the solution, as you point out, and relating that to behavioral adjustments is another. But what about the ability to react as a security professional when something does go wrong?

 

Is there something about the way your security apparatus is designed that helps you so that when things do go wrong, to nip it in the bud?

 

Plan ahead for best problem-solving

 

Black: Using the console within Bitdefender, I can see the machines that have recently blocked something, or had a virus come through and then quarantined it, or whatever. I can then have my team go out and look at that specific computer and see if something got through.

 

But I will tell you that if Bitdefender says they blocked it, they blocked it, and it hasn’t really been an issue. But it also tells me who those users are, so I know if there’s a specific individual that we need to work with. We can say, “Okay, now it looks like six times in the last week you clicked on things. Let’s talk about this. What is going on? Let’s make sure you have figured that out.”

 

Now, again, looking at it from the leadership perspective, I can put all of the infrastructure in place, but I need to have the capability to recover should somebody do something that they shouldn’t have. I can focus on having all of my backups in place, my replications in place, whether it’s cloud-based or otherwise; having my resources, my applications, my files stored in different locations so it’s not all in one bucket, so that if something does happen to get through, it’s that one piece that might be affected, not the entire organization.

I can put all the infrastructure in place, but I need to have the capability to recover should somebody do something they shouldn't have. I can focus on having my backups in place in different places so it's not all in one bucket. Then if something happens, it's affecting that one piece, and not the entire organization. 

It becomes more of a mindset of how I built out the infrastructure to support my company, specifically to meet our needs so that if one particular site has an issue or one particular application has an issue, it can be isolated to that specific component. We have the backups, the replications, all of the disaster recovery in place so that if the worst happens, we’re not going to be completely out of business.

 

Now, one last piece to that, it’s very important to have the communication ahead of time with the business leadership, the ownership, so that should something such as ransomware come through, it’s not just locking the computer. We can restore a computer, we can restore from backup, that’s fine. You might lose a day. It’s not going to kill us.

 

But, one of the biggest things with ransomware that’s happening today is not just an encryption of a computer but where the bad people will get in, pull data out first and hang onto your information and then they want to charge you a ransom because they’re going to threaten to release your information. They want you to pay the ransom to not release the data and then pay the ransom to also decrypt your devices and your systems.

 

And so, the issue is more with the information that they gather. If you can have a conversation and have that decision made ahead of time with the organization, you can let your leadership know, how you created your backups. Here’s how you got your encryption. Here’s how your data is being protected. And if somebody comes in and says, “We have your data, we will release it unless you pay a ransom.” Well, then you at least have a game plan and a decision process made ahead of time so that it’s not a response or knee-jerk reaction to just immediately pay the ransom.

 

Have those conversations in advance, have that plan in place already, so you’re ready to go if and when that occurs.

 

Gardner: Now you’re talking about operational resiliency -- to have those plans in place with the right steps to take when you need it. When you have the data at your disposal, you can act. That’s a huge part of a good, solid security culture. I commend you for that.

 

Before we sign off, let’s talk a little bit about the future. Where do things go next? Are you concerned about the number of different endpoints that you might be involved with? Do you feel as though you’re going to have to expand your horizon across more endpoints?

 

Meet and manage mobile-device risks

 

Black: The two fronts that don’t really keep me up at night per se, but they are in the back of my mind, are the mobile devices because we do have a lot of our applications accessible on cell phones, on tablets; iPads, for example. It’s more than just the desktop computer anymore, it’s not just a Windows or an Apple-based machine. It’s definitely those mobile devices.

 

More than two-thirds of our company, of our workforce, are field operators. They are the guys out in the field actually cutting the concrete, doing the freeway work, and so on. They rely entirely on a mobile device -- their cell phone, their tablet. I have to build and secure those devices as well. And the number of those devices is only going to grow. As our business continues to grow and as we expand, and we go to other locations, I’m going to have more people who are going to have those mobile devices. And so, that’s a huge front for me that I really need to make sure that I have protection services in place.

 

Now secondary to that is the impact of artificial intelligence (AI) and machine learning (ML). People can create millions of bots, and with those bots they can find new ways to hack in. The more intelligent AI and ML becomes, the stronger your own defenses need to be. And so the more we can incorporate our own AI and ML into our defense environments -- on the computers, on the mobile devices and in our endpoint protection -- the better we can prevent the bad guys who are also using those same tools to come at us. Right now, to me, those are my two biggest fronts going forward that I’m the most concerned about.

 

Gardner: Andy, any advice to organizations that like you are distributed, are lean, and have big jobs but a relatively small workforce -- and perhaps also a fairly lean-and-mean IT department? Any thoughts that you would impart to them as they try to improve their security posture?

 


Black:
 A lot of the smaller and mid-sized businesses, they all realize that computers and technology are required to keep them in business and to press forward. But they’re still not really willing to spend the money that it might take to bring in that level of protection. They try to play the risk game, saying, “How long can we go until we get hit? We’re not going to get hit. We are too small of a company. We’re not a target.”

 

Well, what we’re finding is that the biggest target is the small- to medium-sized businesses (SMBs) because they tend to not have invested into their security to protect themselves. And so, that’s where those weaknesses come in.

 

Again, those same organizations -- while they do the bare minimum, they might have an end-point protection solution on their computers -- they’re not necessarily securing their mobile devices. They’re not necessarily creating and working with their people to create that culture of security.

 

And so, it doesn’t take a lot. It’s not a huge investment in most cases. But if you will make that more of a priority it does make a world of difference to protect your business because it’s going to cost a lot more to recover than it would be to prevent in many of those issues.

 

Gardner: That’s great advice. I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on how concentrated and efficient businesses like A-Core Concrete build security cultures that rely on centralized administration, proactive insights, and rapid remediation to move safely at the preferred and optimized speed of business. A big thank you to our guest, Andy Black, CIO at A-Core Concrete Specialists. Thank you so much.

 

Black: Thank you.

 

Gardner: I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing series of BriefingsDirect discussions. And a big thank you to our sponsor Bitdefender, as well, for supporting these presentations.

 

Our last big thank you goes out to our audience, that’s you, for joining us. Please pass this along to your community and do come back next time.

 

Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Bitdefender.

 

Transcript of a discussion on how to best balance resilient security requirements with efficient use of human capital and resources in a highly dispersed organization. Copyright Interarbor Solutions, LLC, 2005-2023. All rights reserved.

 

You may also be interested in:

Wednesday, September 28, 2022

Hybrid Work is the Future, and Innovative Technology Will Define It


Transcript of a discussion on the drivers and opportunities to get the future of hybrid work right as soon as possible.

Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Citrix.

 

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

 

Gardner

We’re all now part of a massive worldwide experiment about the very definition of work. Remote, in-office — or tightrope walking along some sliding scale between the two? How each business and each worker finds the next new work-life balance remains an ongoing "work in progress."

 

In the post-rapid adoption of remote work world -- a full two and half years after the onset of COVID -- there’s no definitive answer on which approach to hybrid work works best. And the technology tools and solutions — many designed for an earlier in-office era — are not necessarily up to the task.

 

The perceptions and preferences of bosses and workers alike are in a seemingly unending transition. Nothing quite seems fit for the new, still-to-be-defined purpose. 

 

So, what is the eventual end-state of hybrid work? Will the process of finding it provoke new forms of innovation, opportunity, and technological success? Or will productivity and work-life balance suffer amid a period of tension, power plays, and years of seesawing trial and error approaches to hybrid work? 

Stay with us now as we explore the drivers and opportunities to get the future of hybrid work right -- perhaps sooner rather than later.

To learn more about what makes hybrid work move to an arc of opportunity, and not wallow in a trough of complexity and confusion, please join me now in welcoming Amy Haworth, Founder and CEO of Nobody Makes it Alone. Welcome back, Amy.

 

Amy Haworth: Thanks, Dana.

 

Gardner: We’re also here with Tim Minahan, Executive Vice President of Strategy at Citrix. Good to have you with us.

 

Tim Minahan: Thanks, Dana. I’m excited to be part of the dialogue.

 

Gardner: Amy, there seems to be an interminable debate nowadays about the future of work. The previous models don’t give us a lot to easily fall back on as precedent for hybrid models. Companies are struggling to find the best fit for them and their employees.

 

So, are most workers going to be fully remote? Mostly in the office in the nine-to-five, five-days-a-week model of yesteryear? Or will there be some yet-to-be-defined golden mean, or equilibrium, between the two sides of the equation?

 

Employees opt for hybrid-work

 

Haworth: I’m so glad we’re having this conversation because you’re right. Companies are struggling. We’re seeing that in headlines every day about which employees are being called back into the office full time as a reaction that’s becoming a top-down mandate.

 

Haworth
That’s been the trend. Companies are trying to figure this out. Do they work fully remote? If they do go hybrid, are they mandating a certain number of days in the office versus allowing employees the flexibility to choose?

 

And I love what you said about the “arc of opportunity” in comparison to a “trough of complexity.” It feels like that’s becoming the choice. Are companies going to hang on the arc of opportunity versus those that are returning to what they perceive as more certain, which really is the model of yesteryear.

 

Citrix recently did a global survey and the results to me are fascinating. They started by asking employees what they preferred. The data shows that 57 percent of employees prefer hybrid models that allow them to work remote or in the office. And 69 percent, that’s a big number, 69 percent said they’re going to leave their job if they aren’t given that option.

 

This tells us, from an employee point of view, that demand for flexibility is clearly there. And I hope companies realize, if they haven’t already, that to truly attract and retain talent for the long term, they’re going to have to figure out how to make this choice an option and make it a permanent part of their workforce strategy.

 

Gardner: Looking at some of the other findings, it seems that the hybrid work model – even as it was foisted on us -- does work well for many people. I see that 69 percent of the hybrid workers surveyed said they feel “productive,” compared to 64 percent of remote workers, and 59 percent of office employees.

 

So that flexibility is paying off from their perception. Also, nearly 70 percent of hybrid workers say they feel “engaged” compared to a much lesser degree, 55 percent of remote workers, and 51 percent of in-office employees.

 

So why is there ongoing tension? Why do we have this demand to return to the past when the current new hybrid state seems to be working for so many people?

 

Haworth: There’s an interesting dynamic I’m starting to sense. Typical human behavior is that in times of great uncertainty, the human brain tends to latch on to that which feels certain. And so even if we think about the macro environment outside of work, there’s still a lot of uncertainty.

The results from the Citrix survey show 70 percent of hybrid workers have a strong emotional connection to their organization and leadership, as compared to 60 percent of remote workers and 58 percent of in-office workers.

For example, we thought we had hit our uncertainty high during 2020 when COVID peaked. But what’s come at us is more and more uncertainty. One hypothesis is that this is an organizational reaction to try to control what feels uncontrollable.

 

But there’s a real risk because the impact on outcomes, results, and costs is driving outcomes and accountability within the ethos of an organizational culture. Going backwards -- to dictate how we work, almost like a parental order – is perceived as a top-down ruling. But the cost to workers is going to come in the form of a detriment to well-being, both physical and mental.

 

When we look at the results from the Citrix survey, 70 percent of hybrid workers say they have a strong emotional connection to their organization and leadership team. That’s compared to 60 percent of fully remote workers, and 58 percent of in-office employees. Similar numbers show up when it comes to well-being, with 70 percent of hybrid workers report good well-being, compared to 61 percent of fully remote workers, and 60 percent who are only in the office.

 

What struck me about all these numbers is in-office employees scored lower across all of these categories: productivity, engagement, emotional connection, and well-being. We really need to pay attention to both what’s not working and to also dive into what is working. Clearly something is working across all these domains for the hybrid worker. And that’s really important, because being inspired by our work, as we know, drives performance. It drives commitment, it drives loyalty. It drives innovation.

 

Organizations need to be asking the big question -- not necessarily which model is right, but which drives the best outcome for organizations and people. And from there, we can figure out how to make this work.

 

Gardner: Tim, given these findings, why are so many companies still resisting flexible and hybrid-work models? It seems as if what we saw over the past year and a half is backtracking. Why do you think that’s the case?

 

Trust is a must

 

Minahan: People like to label of a lot of things. It’s not a remote-work issue. It’s not a return-to-office issue. It’s not a quiet quitting issue. What we have here is a trust issue.

 

Minahan
Despite clear findings from countless studies -- from Citrix, from PwCJournal of Economic Perspectives, and countless others -- showing that remote work yields measurable improvements in productivity and retention, leaders -- including those that tend to pride themselves on being “data driven” -- are just ignoring the facts by pushing employees to return to the office.

 

In fact, our latest research at Citrix finds that nearly half of managers, despite all the evidence and experience they had in their own companies during the pandemic, just don’t trust employees to get work done when they’re outside the office.

 

In a recent study we did, 48 percent of managers reported using tracking software on their employees’ machines to measure their keyboard time when working remotely. I know, Dana, we’ve had conversations before on best practices for hybrid work, and during those, I warned that the biggest risk to getting all the benefits that Amy talked about by embracing more of a hybrid-work model was creating policies and culture and a technology stack that gave employees all equitable access to the applications, the information, as well as career advancement opportunities -- regardless of where they work, in the office or remotely.

 

Unfortunately, some leaders are now valuing face time over business outcomes. And you know, researchers have labeled this dynamic as proximity bias, and at its core is really a lack of trust and outdated ways to measure employee contributions and engagement.

 

Gardner: Of course, Tim, trust is hard to measure in a data-driven world. Do you have any sense of how trust can be measured as a business success indicator?

 

Minahan: The orientation is all about productivity. For example, The Journal of Economic Perspectives researchers ran an experiment in which they selected an unnamed NASDAQ-listed company and they randomly assigned call center employees to work from home and had a control group working in the office.

 

They found that working from home not only resulted in a 13 percent increase in productivity -- those workers working remotely actually were more productive than those in the office -- but they had a 50 percent lower attrition rate. When you think about dynamics like that, especially in the tight labor market that we have right now, there are real business benefits and real ways to measure the benefit of embracing a much more flexible work environment.

 

Gardner: Amy, you’ve been coaching a lot of companies that are working to find the right work balance. What is top of mind for you when it comes to the keys to hybrid work success?

 

Connected work creates better outcomes

 

Haworth: Piggybacking on this idea of trust that Tim brought up, what I’m hearing is a needed emphasis on trust and connection. Sometimes what we’re going for and what we’re trying to explain -- and what my clients are trying to explain – revolves around connection or trust.

 

What is that secret sauce to attain that? If we step back, and think about our lives outside of work, what creates trust and connection between people? It far exceeds anything we’re doing organizationally, but it can absolutely be put into our organizational structures.

 

Think about that. Why do you decide to trust someone? Most likely, it’s because you found a place where you shared something, perhaps a vulnerability, and it’s been reciprocated and held in a safe and shared space. Or you connected because you found some sort of similarity.

 

I’m seeing organizations having a knee-jerk reaction because they’re sensing that this idea of connection, which is fuel for trust, is missing. And so, they’re putting the workplace as the proxy for building that. The challenge is that in the last couple of years, we’ve distributed our workforce. If we’re using workplace as the proxy for connection making, we are leaving out, in so many cases, people who are not in the office anymore. That is one of the challenges with hybrid.

If companies are mandating that employees who have the option to be in an office, come into the office a certain number of days, they’re actually going to start to find that unless they teach organizations how to create connections, that they’re fueling disparity. And they need to be focused across-the-board on new ways of creating connection. How do we make it okay to not have our meetings be all about getting things done? We know that this style of working drives productivity, but we also need to be thinking about how it can drive connection -- and not just for one group who has access to an office, but for everyone.

 

The key is to help organizations be successful by naming what is missing in their culture, and then to set up focused efforts to build that capability so that there is fairness, safety, belonging, and connection for everybody.

 

Minahan: Amy and I have had this discussion before. It really boils down to those companies that are most successfully leveraging this moment to create entirely new work models that benefit both their organizations and their employees. It means delivering meaningful work, giving employees the tools, information, and assignments needed to drive innovation and creativity and the business outcomes for the company.

 

Certainly, there is a value in bringing employees together, that connectivity that Amy mentions. The ability to do strategic planning, the ability to collaborate in certain ways, and the ability to meet with customers. It’s about creating social networks with your fellow employees, so you see them as humans rather than, you know, a bodyless face on a video call. All of that has value.

But for those companies that are figuring out the secret sauce, it boils down to providing meaningful work and purposeful office time.

 

Gardner: As we talk about meaning and trust, that strikes me as closer to a relationship than a transaction. Much of the technology has been developed around transactions. Technology is inherently transactional. It seems to me that we need to look differently at technology as a way to increase the richness and value of the relationship between the employee and the employer.

 

Amy, is that the case? Are we not using technology appropriately? Do we need to think differently about the use of technology to foster better relationships that lead to more trust that then can deliver higher productivity?

 

Technology enhances work interactions

 

Haworth: Technology has a huge opportunity to be a catalyst to help create better connections in the way we see and experience each other. At its core, it’s about human experience. People need to be seen and heard.

 

There are some exciting innovations when it comes to the tools, even in my world of the human resources (HR) stack. We’re starting to see an amplification of recognition tools, of coaching platforms, of new and exciting ways to learn that are leveraging mobility and looking at how people want to work and to meet them where they are, rather than saying, “Here’s the technology, learn how to use it.” It’s more about, “Hey, we’re learning how you want to work and we’re learning how you want to grow, and we’ll meet you there.” We’re really seeing an uptake in the HR tech space of tools that acknowledge the humaneness underneath the technology itself.

 

Minahan: During the pandemic, we introduced new tools to allow employees to execute work in the most efficient way possible and collaborate in a more virtual sense. I believe we’re now getting to the point where the metaverse is blending with the workplace.

 

When you think about tools that companies embraced during the pandemic out of necessity -- communication and collaboration platforms such as SlackTeams, and Zoom – they were emulating the physical world and physical collaboration environments. That includes things like digital whiteboard tools, and content collaboration tools, for redlining and sharing, and all of that.

A top priority for IT executives everywhere is creating the optimal hybrid work stack. ... We're emulating the physical world and physical collaboration. 

But right now, one of the top priorities for IT executives everywhere is creating the optimal hybrid work stack. And that stack has multiple layers. One certainly is the collaboration layer, as we talked about. How do I bring together all the collaboration tools necessary to allow employees to work effectively, execute work effectively, and collaborate effectively when working remotely or in a distributed way?

 

The second layer consists of the business applications we’ve come to know and love. Those include HR apps, business applications, supply chain applications, and financial applications, et cetera. Certainly, there is a major role in this distributed work environment for virtual application delivery and better security. We need to access those mission-critical apps remotely and have them perform the same way whether they’re virtual, local, or software as a service (SaaS) apps -- all through a trusted access security layer. And then finally we need a suitable device layer, ensuring that employees can work across any device and location.

 

In our experience at Citrix, in working to bring some of those virtual environments into the physical workspace, for example, we’re retrofitting all of our conference rooms to be team-centric. No matter where anyone is working, they are part of a teams-based collaboration activity because we recognize that in most cases our meetings are going to involve a hybrid model.

 

Some employees and stakeholders are remote, and some are physically in the office. We’ve therefore also retrofitted our environment with circular cameras so that everyone has an equal box on Teams, we put cameras on the whiteboard so that everyone can be included in every part of the conversation, and they all have equal access to the shared information. We’re not alone in that. A whole host of our customers are examining those environments too, including bringing that metaverse approach into the workplace.

 

Gardner: Amy, even with all things equal in getting the right technology in place, it seems to me that there’s another part to the equation. Some organizations just foist the technology on their people, and it remains the workers’ job to be the integrator, to find the right process mix among all the different applications.

 

I wonder if that’s the best way because this isn’t just about accommodating all remote or all in-office work tech; it’s also about the process innovation. Are there some lessons in your experience about how to better deliver technology as part of a business solution?

 

Are your clients recognizing that workers are not systems integrators and that just logging into umpteen disjointed SaaS apps isn’t going to work if you don’t provide some other ways to help people work with the technology -- rather than be overwhelmed by it?

 

Keep it simple, secure, accessible

 

Haworth: Yes, Dana, I see a new hybrid work stack emerging. It’s about unifying, simplifying, and securing the work without an employee needing to figure out how to make that happen. The last thing we want is for the employee to feel like they are part of the IT department.

 

Instead, we want to rely on our IT counterparts to do what they do best. And then the employees across the organization can focus on what they do best, which is to fulfill their roles using the skills they were hired for.

 

I believe employees are going to continue looking for what unifies the technology, so there aren’t 60 SaaS logins. How can they work securely without carrying that burden? We need to make sure the work is simplified, and -- where possible – employ machine learning (ML) or virtual assistance to augment what they’re capable of. It amounts to guiding and automating the work so that the employee is free from that tech friction or noise and can perform at their best.

 

Gardner: Tim, we’ve been talking about how this impacts employers and employees, but how does this impact the IT people? It seems to me, based on what Amy said, that there might need to be a rethinking of IT. It might be along the lines of instead of them being systems support, they’re actually work support, in that they’re in the business of helping people work.

 

Minahan: You summed it up, Dana. IT’s number-one priority should be creating an equitable, consistent, and secure work environment for their employees so that employers and employees have the luxury of testing out different and flexible work models. That includes allowing employees to have the flexibility to work remotely using new collaboration tools, new work execution tools, and new tools in the workplace, ones that provide a seamless experience and involve everyone across these distributed teams so they can collaborate and execute work efficiently.

 


And then the last part is a mission-critical need today, and that’s who does the work. Prior to the pandemic, we had a global shortage of medium- to highly skilled talent. In fact, McKinsey estimated that we had a shortage of 95 million such workers. And that was most acute in those most-in-demand-skills necessary to digitize, advance, and modernize your business.

 

Well, that hasn’t gone away. It’s only gotten worse. But smart companies, having proven the model of hybrid and remote work, are now using that as a platform to reconsider their workforce acquisition strategies. This includes being able to tap into distributed pools of talent, blending contractors who might have a unique expertise around things like multi-cloud, security or artificial intelligence (AI) and bringing them together with full-time employees in work groups that are connected by a hybrid work stack that IT is creating to optimize employee productivity, experience, and engagement.

 

Gardner: Amy, when we redefine the objective or the mission of IT and the business around getting work done in the best way -- fostering the best relationships and trust between the players -- it seems that where they’re doing this all becomes far less relevant. And yet we’re hung up on location or proximity bias, as Tim pointed out. Do we need to further shake the bush and ask people why they’re hung up on location instead of why they’re not focusing on the quality and a new definition of the most effective work?

 

Change is hard but necessary

 

Haworth: Absolutely. Dana, I think you’re getting at the big challenge we’re facing right now. And that is, are we asking the right questions? Are we solving for the right problems? Going back to your “arc of opportunity” statement, we need to be very realistic that massive disruption is going to continue across the world.

 

Companies are going to need to figure out how to strategize, plan, and implement ways to build agility and create new organizational and workforce structures -- as well as IT structures -- that not only allow them to respond quickly to change, but actually allow them to thrive when they do. At the heart of this is massive risk mitigation. Unless organizations are thinking about disruption as a potential risk, they’re going to miss the mark. Putting more structure around where people work is the opposite of agility.

 

We need to be thinking about how we leverage everything that we have learned in the last two to three years and make it a foundation to build upon -- versus taking everything that we have learned and then going back to 1992. We need to be planning, to be strategic, and to expect disruption.

 

Then we can build both the technology capability as well as the human capability to thrive during disruption -- and that means overall agility. As Tim said about who’s doing the work, that will continue to ebb and flow. How can we react in a way that makes how we work ongoing more dynamic? And we need to get away from trying to answer the wrong questions, quite honestly.

 

Gardner: Before we go to our crystal ball and predict how things are going to unfold, even in a very disruptive period over the next year or two, I’d like to look at this through a different lens. We’ve been talking about the softer metrics of productivity and trust, but there are also hard metrics around the underlying economics of hybrid work.

 

As organizations look at their total cost of employee ownership, if you will, that has to include big office buildings in very expensive cities. It involves hour-long commutes in each direction on public transportation that’s probably aging and inefficient, or sitting in a car in traffic.

 

Tim, are there some purely economic reasons why companies should be more open-minded when it comes to location of workers? It seems to me that there’s more than just productivity, that there’s actually a bottom-line indicator here that flexibility and hybrid work pays.

 

Minahan: Yes, absolutely, Dana. In fact, there were countless studies done during the pandemic indicating that there are real business benefits to remote work. You mentioned key ones around real estate reduction, despite companies looking to get employees back into the office in some cases.

 

Almost every employer is looking at right sizing their real estate needs in new ways, particularly in major metropolitan areas.

If you are working remotely, commuting costs savings certainly put benefits back into both the employers' and employees' pockets.And there are major sustainability benefits as companies look to reduce their carbon emissions.

Secondly, you mentioned commuting. Commuting costs certainly put benefits back into both employers and employee’s pockets, if they’re working remotely, even part of the time, especially in light of the current prices of energy. There are major sustainability benefits as companies look to reduce their CO2 emissions by adopting cloud, reducing their real estate footprint, and reducing the necessity for employees to do two-hour commutes every day.

 

But I don’t see the benefits around improved productivity and business outcomes that our employers are trying to achieve as soft at all. They should be accelerated and enhanced by embracing a much more flexible work model, including hiring those hard-to-find skills because you can reach them in a remote fashion.

 

A good example is a hospital network right here in the Boston area, Dana, that during the pandemic saw their telemedicine visits go up to over 200,000 per month from 9,000 per month or a 27-times increase.

 

Well, guess what? Coming out of the pandemic, they’re not rotating all the way back. They’re increasing their telemedicine experience. They recognize that they can use that same platform to find in-demand talent around things such as oncology and can staff them not in the Boston area where it’s highly competitive and highly costly to hire them, but remotely in the Midwest or elsewhere. These are the types of real business benefits that have come from people embracing much more flexible work models.

 

Gardner: Tim, how do you see things playing out in the year ahead? Are we going to continue to have this back-and-forth debate over remote work’s value, or is there a new end state or settlement of this discussion?

 

Expect demands for meaningful work

 

Minahan: I think natural market factors will balance it out. Employees, including those very top employees who want to do meaningful, creative, and innovative work -- but in a more self-serving flexible work model -- will vote with their feet. We’re already seeing it from the great resignation and the like. And despite the blustering at the top level around getting folks back into office, the reality is that companies are recognizing the critical importance of employee experience.

 

In fact, the study we just did of 10,000 IT leaders, 60 percent said they’re investing more in internal innovation projects to improve the employee experience. They said they are investing in digital workspace technology to support consistent and reliable access to the applications and information employee’s need across any device and location to ensure security.

 


And so, in short, after years of investing to digitize and enhance customer experience, companies are now giving some much needed and long overdue attention to enhancing the employee experience. Those are the people, after all, who are responsible for innovating, creating, and improving the customer satisfaction levels.

 

I think the market is going to balance itself out, with companies making these investments in order to appear more attractive to needed workers. And as part of that, it’s not just about the hybrid stack for technology for hybrid work, it’s also about the policies and cultural changes you’re going to need to make to support that hybrid work model to make you an attractive employer of choice.

 

Gardner: How does this new stack shape up, Tim? What are some of the major components that people should be looking for?

 

Minahan: We covered a good portion of that before, Dana. We see a number of layers to the stack. Certainly, the newest one that’s getting the most attention is the collaboration layer. The need to invest in new tools to foster greater work execution and collaboration in a distributed model. Those would be things like the communication collaboration tools that we use, like Teams and Slack and others.

 

There’ll be some of the new kind of turning physical work methods into digital work methods like a digital whiteboard such as Miro, etc. And bringing those into your stack where a few years ago they probably didn’t really exist or weren’t used at scale as they are now.

 

The second layer refines and modernizes your traditional business applications stack. All those tools you can use to run your business, your enterprise resource planning (ERP), your business applications, et cetera. So, employees in functional layers can execute the work they need to get done, can execute those transactions.

 

There is also the rising importance of ensuring that you have a virtual desktop and security layer in there, one that leverages those mission-critical applications and virtualizes them at scale to your employee base, whether they’re full-time employees or contractors in a very quick and efficient way, and then wrapping that in a zero trust security layer.

 

Finally, the last layer is around the devices, ensuring that employees can have equitable access to applications and information regardless of what device they’re using and regardless of what location they’re accessing from.

 

Gardner: Amy, what does your crystal ball tell you about how things are going to shape up in the coming year or two?

 

Haworth: There’s going to be a realization that we need to continue to learn and experiment. I would love to see organizations and employees both set that as the expectation. So rather than swing all one way at an enterprise level, that there are parcels, pieces, incubators for innovation when it comes to both technology and ways of working. These incubators are generating insights, and those insights are fueling future decision making.

 

So, a really important aspect of this is that we don’t give up too soon. We have come so far, and what is taking place is a continuation of transformation. Transformation inherently means ambiguity. Humans don’t love ambiguity, but rather than abandon and go back to where we felt “certain” back in 2019, we need to push forward and lean into these spaces of uncertainty. That way we can continue to experiment, learn, try new things, innovate, solve real problems, and mostly not give up.

 

Gardner: And you know, Amy, I always like to ask about examples and real-life results. When you look at the new hybrid work stack, as Tim described it, and from the number of organizations you’ve been working with, any early adopters? Has anyone understood the need for this new approach and put in place some of these improvements to foster trust and relationships? What’s working? And when you do this right, what do you get?

 

Learn, innovate, motivate

 

Haworth: I am seeing some new best practices, and I love that idea of leaning into the bright spots. So rather than target what’s not working, let’s talk about what is working. One organization in particular is investing in their manager layer.

 

Throughout the last two or three years, we’ve heard how much middle managers have taken the brunt off of supporting teams and people. And one organization in particular is investing in their managers at unprecedented levels because they understand that employee experience is dependent upon manager experience. And they’re seeing some really good results so far. They’re early in the game.

Organizations like startups are making choices both in technology and in workplace best practices. They're looking at how people are motivated today -- not only within the team but to their work and solutions overall. 

Another place is in the startup community. Organizations that are building fresh right now are making choices both in the technology and in workplace best practices. There’s a lot of good learning to be had there because they’re looking at how are people motivated today. You know, it’s not, “We have to bring everyone into the office for a learning event.” What this organization is doing is thinking more about how much being in a work community and serving the community leads to feeling a sense of motivation and commitment -- not only to the team, but to their work and the solution overall.

 

So, they’re coming together in person with organizations in their community to do service together, versus coming together just for strategic planning. That is not to undermine strategic planning. It’s more about getting out and about seeing an impact in big ways is feeling a sense of loyalty and commitment as a result.

 

These are some non-traditional ways of stepping back and saying, “What do people need today? Where are we today?” It includes being willing to let go of the things that worked in the past in favor of something new and fresh.

 

Gardner: Tim, any examples of what the new hybrid work stack is capable of, particularly when companies recognize that it’s work that’s their mission and not about location?

 

Minahan: Yes, but I think it’s important to say that this stack isn’t just about enabling traditional work models. It’s about embracing new ones. And a very good example is Teleperformance SE. As one of the largest business-process outsourcers in the world, they are optimizing and focused on providing contact-center services for some of the world’s largest enterprises.

 

They recognized that this is a moment for them to be able to scale their business and to embrace new work models that simultaneously allow them to attract more talent and lower their costs. They’re using the hybrid work stack -- not just the collaboration tools we mentioned, but specialized tools related to call centers. They have been able to virtualize that as well as using their voice over Internet protocol (VOIP) services to enable a hybrid call-center model through which they can equally as well recruit remote workers, stay-at-home workers, to support contact center efforts as well as in their physical call centers. And that allows them flexibility.

 

Some of our customers are fully embracing the home-based force. They are able to, in this case, staff the call centers with the best talent possible anywhere and at the lowest cost. We have other customers who are saying, “Hey, no, I still want to have a physical call center in one of our major locations.” And they have the flexibility now to use hybrid models to deliver a higher level of service at a lower cost with a much more engaged and retained workforce than they could pre-pandemic.

 

Gardner: Tim, there’s so much new research and information. And people are thirsty for new insights dealing with these unprecedented issues. Where can they go to find out more to best continue their journey?

 

Minahan: I recommend they go to Citrix Fieldwork, our thought leadership platform where they can find much of the research that both Amy and I referenced today.

 

Gardner: Amy, how can Nobody Makes It Alone help? Where are your resources located? How can people learn more about finding the right path to a successful hybrid work?

 

Haworth: I’d love to connect with anyone on LinkedIn. I also author a newsletter on LinkedIn as well as the website, nobodymakesitalone.com and look forward to being a thought partner and helping to understand what’s going to make organizations successful no matter what happens in the world outside.

 

Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on finding the most productive approach to hybrid work. And we’ve learned how new forms of innovation, opportunity, and technology stack solutions can both empower workers and reward their employers with higher productivity, satisfaction, and innovation.

 

And so, a big thank you to our guests, Amy Haworth, Founder and CEO of Nobody Makes It Alone. Thank you so much, Amy.

 

Haworth: Thanks, Dana.

Gardner: And a big thank you as well to Tim Minahan, Executive Vice President of Strategy at Citrix. Thank you so much, Tim.

 

Minahan: Thanks, Dana. Looking forward to speaking again soon.

 

Gardner: And a big thank you to our audience as well for joining this BriefingsDirect future of hybrid work discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Citrix-sponsored discussions.

 

Thanks again for listening. Please pass this along to your community and do come back next time.

 

Listen to the podcast. Find it on iTunesDownload the transcript. Sponsor: Citrix.

 

Transcript of a discussion on the drivers and opportunities to get the future of hybrid work right as soon as possible. Copyright Interarbor Solutions, LLC, 2005-2022. All rights reserved.

 

You may also be interested in: