Brian Tuskan, Chief Security Officer, Microsoft
COVID-19 has profoundly changed the way we live, work, and provide security. So, what's the new normal for corporate security? I see increasing reliance on technology, remote working environments, clear communication, and good corporate citizenship. Pre-COVID-19, a majority of our US security teams worked within corporate office space, while our international security team experienced a hybrid-work environment using both home and in-office work. As we know in our profession, security is not a 9 to 5 job. We deal with life-safety emergencies 24x7 and have adapted to remote working environments outside of brick and mortar offices. COVID-19 has forced many businesses and organizations to work remotely as well, and they are learning to leverage technology to maintain business operations.
For the past five years at Microsoft, we have embarked on a bold initiative to virtualize our security operations. By leveraging cloud technology and a seamless, integrated technology platform, we successfully virtualized the security operation experience to nearly 100%. During the COVID-19 mandatory restrictions on accessing work offices, we managed the physical security of over 700 worldwide locations with a limited amount of security personnel on-site. The vast majority of our security operations were virtualized using COTS (commercial off-the-shelf) cloud technology solutions such as secure integrated work communication portals. 100% of our FTE security managers and 95% of our security operations center personnel worked from home with minimal staff onsite as essential workers. We had all regulatory and privacy mandates covered through strategic virtualization planning to ensure we were compliant with GDPR and UL Certification for our security operations centers.
Even though COVID-19 cases continue to increase, more and more countries are lifting their restrictions to allow people back to their offices and workplaces. Microsoft operates in over 120 countries, so our approach to getting back to the workplace has been very thoughtful and measured. We're not looking at being the first to the office. We're following government guidelines and will allow employees back to the workplace with a hybrid approach, ensuring our environments are safe and secure (stocking enough PPE, using self-health attestation apps, frequent cleaning and sanitizing, and maintaining proper social distancing).
One of the challenges I foresee with people returning to the workplace during this pandemic is the over-reliance on physical security to be the "enforcer" of new policy violations. It is especially tricky in "campus" environments where there are multiple entries and exits. It's relatively easy to control high-rise building access. There are usually limited ways to enter a building; however, in open-campus settings, entry into the office is generally managed through card key access.
If an employee refuses to comply with local regulations, their management or HR should be notified to address it first. Security should be the last resort. We're also leveraging technology to help with compliance. We have tied building card access to our required daily self-attestation health app. So, if an employee or vendor doesn't self-attest that they don't have a fever and other required health check questions for entry, their card access to the building will be disabled.
Employees know they have the responsibility to be good corporate citizens and help their colleagues through the uncertainty of working in a pandemic. I feel the best option is to maintain frequent and clear employee awareness and communications on the current health and safety posture for their specific countries and offices.