What Lumentum Learned About Security in the WFH Age
CIO Ralph Loura reflects on how the telco equipment maker has become a more secure — and agile — company.
It was early December 2019, months before the COVID-19 crisis would flat-line economies and challenge U.S. business operations. But pandemics were already on Ralph Loura’s mind.
As CIO of Lumentum, a maker of optical networking and laser products, Loura was a few weeks from flying to China for a go-live systems “cutover” for a newly acquired subsidiary there.
Having navigated business disruption a decade earlier during the 2009 SARS crisis, Loura told his team to put contingency plans in place in case of a public health problem. Then, early data on a mystery illness began to leak from Wuhan. Loura scrapped the trip. They would do the work remotely.
Soon, the rest of the world would do the same. Within three months, the COVID pandemic forced tens of millions of workers, including 7,000 Lumentum employees, to adapt to a new normal: work from home, or WFH. For CIOs like Loura, WFH is not just a logistical challenge; it poses huge security risks. But it also offers Loura a rare opportunity: the chance to help make Lumentum a more agile, and ultimately more secure, organization.
“It’s difficult to get people used to new tools and new ways of working,” says Loura. “But necessity is the mother of invention.”
Hackers get savvy to WFH
Many businesses were caught flat-footed by the sudden shift to WFH. The vast majority of businesses (96%) admit that they were unprepared for the security challenges posed by WFH during the first two months of the pandemic, according to a Tanium survey of 1,000 C-level leaders in the U.S. and Europe. The biggest challenge, according to the CXOs surveyed? Identifying and securing personal endpoint devices logging onto the corporate network.
Lumentum, however, had at least one early advantage. Prior to the pandemic, the company had set up employee access to RingCentral, a cloud-based communication and collaboration platform, for every one of its workers worldwide. That decision mitigated the need to suddenly deploy and train thousands of workers on a new software tool. It also spared Lumentum’s security teams from having to weather Zoom’s privacy and security vulnerabilities.
The company shipped computers to workers who didn’t have corporate laptops. That was easy compared to what came next. The bigger challenge was securing those endpoint devices in a home environment.
Loura explains it in personal terms: “The other day I pulled up my Wi-Fi control panel and found I have 58 devices connected in my home,” he says. “Smart doorbell, smart thermostat, smart TV and on and on. If you’re not securing your corporate asset from the rest of the environment, then it’s no different than logging into a public Wi-Fi in a Starbucks.”
Corporate IT departments are used to having a lot of control over how people use technology. And when WFH started, they more or less lost that control. And that has corresponded with an uptick in attacks.
“Since March, we’ve seen an uptick in malware attempting to enter our network, including brute force attacks,” Loura notes. “We’ve seen a big increase in COVID-specific phishing attacks, such as emails saying, ‘Click here to get your COVID relief funds.’”
To manage, insulate and protect endpoint devices at home, Lumentum took aggressive steps. In addition to deploying multifactor authentication, it adopted Tanium’s cloud-based security service to help ensure that devices had the latest antivirus updates and security patches, which would have otherwise been made automatically through the corporate network. To thwart direct access to its network, Lumentum instituted a zero trust model, which requires an organization to verify every single device, even a known device, that is trying to connect to its systems before granting it access.
Tapping the power of agility
While the company’s security protocols have, by necessity, become more rigid, the shift to WFH has enabled the company to become more fluid, more responsive to the needs of workers and ultimately to become more agile in its processes and decision making.
For instance, says Loura, it’s human nature to be a creature of habit. People like structure. We also like the familiarity of the tools we use to work. That makes the adoption of new technologies and new ways of working “a challenge in any environment,” says Loura. “People have jobs to do and they get comfortable with the tools they’re using.”
Today’s new WFH culture forced many employees to break habitual behaviors. No longer able to sit in a conference room together, they have had to adopt tools like virtual collaborative whiteboards. Which in turn, says Loura, has brought “a new openness.”
That openness extends to the C-suite. Before WFH, Loura says, decision making could be a laborious and time-consuming process. Say Loura wanted to adopt a new million-dollar customer support platform; he would need to schedule a series of meetings with the executive team. It might take weeks to get the right executives in one room together.
Today, with WFH, “if I need a meeting with my executive team, I can get it this afternoon,” says Loura. “When questions come up, I can have the expert join the meeting in real time, answer the questions in the flow and not have to schedule a second meeting.”
That agility has allowed the executive team to tackle a comprehensive WFH security policy in relatively short order. “That, in fact, is one of the big ‘ahas’ from this experience,” Loura says. “We had to create that from scratch.”
New policies for the new WFH normal
With agile decision making in place, they quickly established a set of policies around a raft of WFH needs. Workers could make home office equipment requests, such as ergonomic chairs, through Jira Software team management tools. Lumentum is also allowing employees to get reimbursement for a portion of their broadband expenses. All work and personal travel must be cleared, and a quarantine period is required upon return.
Loura explains that these policies extend to return-to-work protocols as well. For example, Lumentum is rolling out sensor-equipped badges to track who is on the corporate premises and which specific areas they have visited. (The company is also exploring wearables for social distancing and contact tracing.) If an employee tests positive, he or she is required to report it to HR; Lumentum will protect employee privacy according to HIPAA guidelines: the person’s name won’t be revealed to other employees, including that person’s manager.
With policies like these in place, WFH has become a sustainable and workable solution moving forward. “We’ve learned some of our people prefer working from home,” Loura says. “They shorten their commute from one hour to two minutes. They’re more comfortable and productive.”
Going forward, Loura says, some Lumentum employees will likely return to the office because they’ll either have to be on site to do their jobs (such as an R&D engineer needing to be in the lab) or because they’ll be more effective on premises. But others, the ones who have now shown they can effectively do their jobs in either place (such as a sales associate), will have the option to choose. And for those eager for in-person collaboration and the creativity that can foster, the doors will open and stay open as soon as it is deemed safe.
“We have a plan for getting people into the office, but we don’t have a timeline,” explains Loura. That plan incorporates CDC guidelines for temperature taking, contact tracing, social distancing and other protocols. Meanwhile, Lumentum has built online training to prepare employees to use proper protocols in a full return-to-work environment.
In other words, thanks to Loura’s leadership, Lumentum will ensure that its next chapter minimizes both health and security risks while maximizing its freshly minted openness to change.