Developing a risk-based approach to cybersecurity in the hybrid workforce model

Blog | 21-03-2022 | 3 Minute read


The hybrid workforce model is a novel workplace trend that gives employees the freedom to work from their homes while occasionally reporting to their offices. At the onset of the COVID-19 pandemic, organisations all over the world were forced to adopt remote working, or work-from-home, as the new norm. However, as organisations gradually begin to accommodate employees in their office spaces again, a blended workplace model has become indispensable. There are several variations in how a hybrid model can be structured: remote-first; office-occasional; or office-first, remote-allowed. Organisations can choose from any of these three models or can map out a structure that works best for them.

While the hybrid workforce model offers many advantages, like flexibility, autonomy, increased productivity, and lower operating costs, it also increases an organisation’s vulnerability to cyber threats and attacks. Since employees are constantly migrating between their homes and office spaces, conventional approaches to cybersecurity are no longer adequate.

Cybersecurity standards that were revised to accommodate remote working conditions cannot be extended to hybrid working environments. It’s crucial to understand that, besides technology, humans also constitute an important aspect of cybersecurity, so it’s insufficient to practise a compliance-driven approach to cybersecurity without keeping in mind the human element. A risk-based approach is an effective solution to fortify an organisation’s cybersecurity framework.

What is a risk-based approach to cybersecurity?

In this model, the primary focus is on identifying, prioritising, and reducing risks, as opposed to a maturity-based approach, where the focus is on monitoring all resources within an organisation’s network. Since all assets are monitored with the same priority and degree of control, a maturity-based approach reduces the efficiency with which risks are identified and reduced, in turn leading to inefficient spending. The risk-based approach, on the other hand, is a strategic method that aims to make IT spending more efficient.

A risk-based approach also offers a considerable edge over traditional compliance-driven approaches, where the primary goal is to meet regulatory compliance standards and pass audits. Rather than crossing items off the compliance regulation list, a risk-based program is concerned with assessing and reducing an organisation’s exposure to risk. A risk-based stance is deemed to be proactive rather than reactive in that the fundamental aim is to prevent and reduce cyber threats and risks.

Implementing a risk-based cybersecurity program using Gartner’s CARTA

The Continuous Adaptive Risk and Trust Assessment (CARTA) introduced by Gartner is a strategic approach to risk management and can be adopted by organisations willing to take a risk-based stance on cybersecurity. Continuous monitoring and analysis are central to the CARTA framework, enabling quick detection of and response to potential risks. Embracing this approach allows organisations to make dynamic decisions based on risk and trust. In traditional security solutions, security decisions are considered to be static or binary, since they either allow or block. This approach actually increases the possibility of risks that tend to grow progressively more dangerous.

In a risk-based approach, however, decisions should be dynamic and based on context to keep up with the constantly changing security landscape. This is particularly important for a hybrid workforce model where the movement of employees between remote and in-office locations is highly unpredictable. This requires organisations to monitor their network continuously and make dynamic, contextual decisions that are based on risk and trust.
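The contrast between a static allow/block gate and a decision based on context, sketched as an added example (it is not from the original post or from Gartner). The signal names, weights, thresholds and graduated actions are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed signal weights and thresholds, for illustration only; in practice
# they follow from the acceptable risk level set in the Plan phase.
SIGNAL_WEIGHTS = {
    "unmanaged_device": 30,
    "unpatched_os": 20,
    "untrusted_network": 15,  # home or public Wi-Fi
    "new_location": 15,
    "off_hours": 10,
}
SENSITIVITY_PERCENT = {"low": 50, "medium": 100, "high": 150}
THRESHOLDS = [(20, "allow"), (45, "allow_with_mfa"), (70, "allow_read_only")]


@dataclass(frozen=True)
class AccessRequest:
    user: str
    sensitivity: str      # sensitivity of the requested resource
    signals: frozenset    # context observed for this request


def risk_score(req: AccessRequest) -> int:
    unknown = req.signals.difference(SIGNAL_WEIGHTS)
    if unknown or req.sensitivity not in SENSITIVITY_PERCENT:
        # Fail closed on context the policy does not understand.
        raise ValueError(f"unrecognised context: {sorted(unknown)} / {req.sensitivity}")
    base = sum(SIGNAL_WEIGHTS[s] for s in req.signals)
    return min(100, base * SENSITIVITY_PERCENT[req.sensitivity] // 100)


def static_decision(req: AccessRequest) -> str:
    """One-time gate: a valid login is allowed whatever the context."""
    return "allow"


def adaptive_decision(req: AccessRequest) -> str:
    """Graduated response chosen from the current risk score."""
    score = risk_score(req)
    for limit, action in THRESHOLDS:
        if score < limit:
            return action
    return "block"


# Constructed requests: one employee moving between office, home and a cafe.
OFFICE = AccessRequest("alice", "high", frozenset())
HOME = AccessRequest("alice", "high", frozenset({"untrusted_network"}))
CAFE = AccessRequest("alice", "high", frozenset(
    {"unmanaged_device", "untrusted_network", "new_location"}))
```

The static gate returns the same answer for all three requests, while the adaptive decision changes as the same employee's context changes.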

According to Gartner, CARTA can be implemented across three phases of IT security and risk management: Run, Build, and Plan.

Run: In this phase, the organisation utilises data analytics to detect anomalies in real time. These data analytics tools use machine learning algorithms, and the detection is automated to accelerate the response to threats. In addition, the network should be monitored continuously to detect threats.

Build: This phase is related to DevOps, where security is integrated into the early stages of development. In this stage, potential security risks are identified before the applications are released into the production stage. Since modern applications are assembled from libraries rather than built from scratch, the libraries must be scanned thoroughly for any risks or vulnerabilities. Likewise, the organisation must perform continuous monitoring and risk assessment not only for its own ecosystem but also for the digital partners who interact with its ecosystem on a regular basis.

Plan: In this phase, the organisation uses analytics to model and predict areas of risk and their implications for overall security. Based on this, the organisation defines the acceptable level of risk and sets priorities, keeping in mind compliance and governance. This in turn helps make contextual and dynamic decisions, as opposed to binary decisions such as allow or block.

7 CARTA imperatives for a risk-based approach

Gartner has provided the following seven CARTA imperatives that organisations should follow in order to adopt a risk-based approach to cybersecurity:

  1. Replace one-time security gates with context-aware, adaptable, and programmable security platforms.
  2. Continuously discover, monitor, assess, and prioritise risk—proactively and reactively.
  3. Perform risk and trust assessments early in digital business initiatives.
  4. Instrument infrastructure for comprehensive, full-stack risk visibility, including sensitive data handling.
  5. Use analytics, AI, automation, and orchestration to speed the time it takes to detect, respond, and scale.
  6. Design security as an integrated, adaptive, programmable system, not siloed.
  7. Put continuous data-driven risk decision-making and risk ownership into business units and product owners.

