The hybrid workforce model is a novel workplace trend that provides employees the freedom to work from their homes while occasionally reporting to their offices. At the onset of the COVID-19 pandemic, organizations all over the world were forced to adopt remote working, or work-from-home, as the new norm. However, as organizations are gradually beginning to accommodate employees in their office spaces, a blended workplace model has become indispensable. There are several variations to how a hybrid model can be structured: remote-first; office-occasional; or office-first, remote-allowed. Organizations can choose from any of these three models or can map out a structure that works best for them.

While the hybrid workforce model offers many advantages, like flexibility, autonomy, increased productivity, and lower operating costs, it also increases an organization’s vulnerability to cyber threats and attacks. Since employees are constantly migrating between their homes and office spaces, conventional approaches to cybersecurity are no longer adequate.

Cybersecurity standards that were revised to accommodate remote working conditions cannot be extended to hybrid working environments. It’s crucial to understand that, besides technology, humans also constitute an important aspect of cybersecurity, so it’s insufficient to practice a compliance-driven approach to cybersecurity without keeping in mind the human element. A risk-based approach is an effective solution to fortify an organization’s cybersecurity framework.

What is a risk-based approach to cybersecurity?

In this model, the primary focus is on identifying, prioritizing, and reducing risks as opposed to a maturity-based approach, where the focus is on monitoring all resources within an organization’s network. Since all assets are monitored with the same priority and degree of control, a maturity-based approach reduces the efficiency with which risks are identified and reduced, in turn leading to inefficient spending. The risk-based approach, on the other hand, is a strategic method that aims to make IT spending more efficient.

A risk-based approach also offers a considerable edge over traditional compliance-driven approaches, where the primary goal is to meet regulatory compliance standards and pass audits. Rather than crossing items off the compliance regulation list, a risk-based program is concerned with assessing and reducing an organization’s exposure to risk. A risk-based stance is deemed to be proactive rather than reactive in that the fundamental aim is to prevent and reduce cyber threats and risks.

Implementing a risk-based cybersecurity program using Gartner’s CARTA

The Continuous Adaptive Risk and Trust Assessment (CARTA) introduced by Gartner is a strategic approach to risk management and can be adopted by organizations willing to take a risk-based stance on cybersecurity. Continuous monitoring and analysis is central to the CARTA framework, enabling quick detection of and response to potential risks. Embracing this approach allows organizations to make dynamic decisions based on risk and trust. In traditional security solutions, security decisions are considered to be static or binary since they either allow or block decisions. This approach actually increases the possibility of risks that tend to grow progressively more dangerous.

In a risk-based approach, however, decisions should be dynamic and based on context to keep up with the constantly changing security landscape. This is particularly important for a hybrid workforce model where the movement of employees between remote and in-office locations is highly unpredictable. This requires organizations to monitor their network continuously and make dynamic, contextual decisions that are based on risk and trust.

According to Gartner, CARTA can be implemented across three phases of IT security and risk management: Run, Build, and Plan.

Run: In this phase, the organization utilizes data analytics to detect anomalies in real-time. These data analytics tools exploit machine learning algorithms, and the detection is automated to accelerate the response to threats. In addition, the network should be monitored continuously to detect threats.

Build: This phase is related to DevOps, where security is integrated into the early stages of development. In this stage, potential security risks are identified before the applications are released into the production stage. Since modern applications are assembled from libraries rather than built from scratch, the libraries must be scanned thoroughly for any risks or vulnerabilities. Likewise, the organization must not only perform continuous monitoring and risk assessment for its ecosystem but also for the digital partners who interact with its ecosystem on a regular basis.

Plan: In this phase, the organization uses analytics to model and predict areas of risk and their implications on the overall security. Based on this, the organization defines the acceptable level of risk and sets priorities, keeping in mind compliance and governance. This in turn helps make contextual and dynamic decisions, as opposed to binary decisions such as allow or block.

 7 CARTA imperatives for a risk-based approach

Gartner has provided the following seven CARTA imperatives that organizations should follow in order to adopt a risk-based approach to cybersecurity:

  1. Replace one-time security gates with context-aware, adaptable, and programmable security platforms.

  2. Continuously discover, monitor, assess, and prioritize risk—proactively and reactively.

  3. Perform risk and trust assessments early in digital business initiatives.

  4. Instrument infrastructure for comprehensive, full-stack risk visibility, including sensitive data handling.

  5. Use analytics, AI, automation, and orchestration to speed the time it takes to detect,  respond, and scale.

  6. Design security as an integrated, adaptive, programmable system, not siloed.

  7. Put continuous data-driven risk decision-making and risk ownership into business units and product owners.


Sai Manasa
Product Marketing Associate