Duty of Care for the Remote Workforce: Q&A With GitHub’s Security Team
In this Q&A, GitHub’s security experts share how they keep their remote workforce safe and how duty of care has changed since the pandemic.
Every organization has a legal and moral obligation to ensure employees’ physical safety and mental well-being while at work. For dispersed workforces, however, doing so comes with additional challenges. While convenient, video conferencing fails to replace the personal connection employers traditionally rely on to engage with their people. As a result, many businesses are rethinking their approach to duty of care to consider remote workers’ needs.
In a recent episode of The Employee Safety Podcast, Peter Steinfeld was joined by GitHub’s Head of Global Workplace Security & Safety, Avril Eklund, and Crisis Management & Business Continuity pro, Sean O’Mara. GitHub employs nearly 2000 employees distributed across 15 countries, about 70 percent of which worked remotely even before COVID-19. Prior to joining GitHub, Avril was Head of Security Operations and Incident Management for WeWork. Previously, she also held various roles in state and local law enforcement. Similarly, before joining GitHub, Sean ran business continuity and crisis management for the Federal Reserve. He also held emergency management positions for New York City and the city of San Francisco.
During the discussion, Avril and Sean discuss how duty of care and business continuity have changed since the pandemic and share ways that organizations can maintain consistent communication with remote employees. You can listen to the full episode below.
Q&A with GitHub’s Security Team
GitHub was largely a remote team before COVID-19. What was the shift for your company like post-pandemic?
Avril Eklund: We were about 70 percent remote before the pandemic, which set us up for a bit of an advantage, but it was nice to see how quickly the entire company embraced the remote culture. We evolved our home office policy to accommodate additional needs and ensured our employees felt safe and comfortable working at home so that they could remain productive despite the chaos going on around them.
Sean O’Mara: I am in constant awe of how resilient our employees are to everything. If I’ve learned one thing, it’s that individuals add up to cumulative resilience for an enterprise.
Adapting to change is a crucial aspect of maintaining business continuity. Companies that are new to remote work often cite that it’s harder to communicate—especially in urgent situations. What tips can you give to ensure that company communication gets to remote workers?
AE: At GitHub, we’ve always relied heavily on asynchronous communication, so we use GitHub, the platform itself, to make sure there’s plenty of documentation so that everyone knows what everyone else is working on and where to find that information.
We used the tools we had until we could get a mass communication system onboard, and once we got it, we rolled it out as quickly as we could, got everybody trained on it, and just kept moving.
You have to work with what you have in the beginning and keep improving from there. People come back to what feels normal to them, which is the workplace. When things started getting chaotic, many people looked internally to our security team to be a source of truth and lead the way for them. Knowing what information people were looking for—and knowing how to get it to them—became critical.
“Organizations have to think about where their leadership and team members exist so they aren’t clustered around one hazard.”Sean O'Mara Crisis Management & Business Continuity, GitHub
Has the pandemic changed business continuity?
SO: A lot of traditional business continuity focuses on physical locations—where your offices are, whether your servers are up or down, etc. Those are certainly not going away. That infrastructure is still very important. But looking at the human infrastructure has been a pivot.
Organizations have to understand the skill sets that their people have, where they are geographically clustered, and the risks that go along with these factors. You have to think about where your leadership and team members exist so they aren’t clustered around one hazard.
What are some ways you ensure your remote employees’ safety? How do you extend ‘duty of care’ into peoples’ homes?
AE: Our information security team provided guides to people on how to keep their wifi and devices safe, how to make sure that they use VPN, and take measures to protect their access.
We also provided training videos on preparing a “Go Bag,” so when wildfires pop up, people know what they need to run out the door and be ready to go.
Given ongoing civil unrest and protests this year, we put together a guide on how to stay safe during demonstrations. We’ve also provided resources on how to keep safe during COVID-19. Once we got AlertMedia in place, we were able to go beyond the legally required duty of care and developed this customer service piece of security and safety.
Despite being a small team (there are only five of us), we’ve expanded beyond the larger incidents like hurricanes and earthquakes. For example, we leverage technology to monitor and alert our employees to regional and local incidents relevant to them. Our goal is to give our employees more peace of mind so they can do their best work—wherever they are—and not be worried about their safety.
Is there any concern that employees begin to expect that business continuity and security leaders offer concierge emergency management services?
SO: There is a risk that you can get caught in concierge emergency management. Setting expectations early is wise. Be honest with yourself and your team about what your capabilities are.
AE: We made it clear early on what we considered our actual responsibility and found that education goes a long way. A lot of the employees at GitHub didn’t realize that we were a three-person security team supporting the whole company for the majority of 2020. So when we first started using AlertMedia, we had the California wildfires and started getting feedback from people asking why we didn’t notify them about a very specific local fire or fires that occurred before we even had the system. Once we explained that we were a three-person team trying to monitor the globe, people were completely understanding. Some of it is just education—people don’t know what to expect, so let them know you’re going to do what you can. But there will be limitations, and they will understand.
As it relates to duty of care, what do you think security and business continuity leaders should be thinking about as we embark on a new year with an ongoing pandemic?
AE: We need to think about how to support remote workforces. Even for a remote-first company like GitHub, I’d be surprised if our in-office numbers were the same after COVID, which I think will be true for other companies.
Security leadership will have to focus on what services they can provide remote employees and figure out where their duty of care starts and ends. At this point, people are figuring out where they work the best. If you’re productive going to the office only twice a week, your company will probably support that versus making you come in five days a week. There’s also considerable commute time and money saved, especially for people working in large cities where you spend a lot of time just driving to work. I won’t be surprised with traditional offices if we see hybrid models where people come in two or three days a week and aren’t in the office five days a week anymore. This will present business continuity challenges that security leaders need to be ready for, like knowing where people are and knowing who’s in the office when.
SO: Chaos will happen every year that we’re alive, so embrace that the only certainty in life is uncertainty. Build yourself and your program to accept that you’re going to get knocked off course [at some point]. A random event will land on your plate, and you’re going to have to adjust to it. Setting that expectation with your team leadership and your organization will pay dividends.
“Our goal is to give our employees peace of mind so they can do their best work—wherever they are—and not be worried about their safety. ”Avril Eklund Head of Global Workplace Security & Safety, GitHub
What’s something the audience can take action on today to help them improve their employee safety program?
AE: Relationship building and finding security champions within your organization are keys to
building a successful security program. You have to find the people that will help you spread your message and build trust within your organization so that people look to you as a source of truth.
Looking forward, there will be more privacy-related issues that security teams are going to run into with remote workers and know where people are. Our employees have to trust us if they’re going to share information about their lives, and we have to earn that trust.
SO: Understand the communication style in place. Figure out where and how employees communicate and emulate as best as you can to get your messages across and get engagement.
If everyone is using a communication medium that you’re uncomfortable with, just dive right into it. That’s how you’re going to get an audience. You can tell people the sky is going to fall, but it always goes a lot further to empower them to do something about it. Whatever you can do messaging-wise around that is a lot more valuable than giving people a list of bad things that could happen.
Portions of this transcript were edited for clarity or brevity.