I run a company whose team is split across two countries. Some people are in our Ho Chi Minh City office, some are at home in Vietnam, some are in Japan, and on any given day a few are logging in from a café with the kind of Wi-Fi you’d never put a password into if you stopped to think about it. That’s not a special situation anymore. That’s just how most teams work now.
When we became this distributed, I did what I think most people do. I bought tools. A VPN here, a password manager there, two-factor authentication because someone told me I had to. Each one solved the problem in front of me that week.
And then one day I looked at what I’d built and realized something uncomfortable. I had a pile of security tools. I did not have a security framework. Those are not the same thing, and the gap between them is exactly where most companies get hurt.
What a hybrid work security framework is — and what it isn’t
Here’s the thing I had wrong. I thought a framework was a collection of the right products. Identity tool, device tool, network tool — check, check, check. If I owned them, I was covered.
But a framework isn’t the tools. It’s the order. It’s deciding what you protect first, what depends on what, and where a single weak layer makes every layer above it pointless. The tools are just how you carry out those decisions.
I’ll give you the concrete version. If you roll out device security before you’ve fixed identity, you’ve built a strong lock on a door whose key anyone can copy. The order was wrong, so the spend was wasted. That’s the failure mode of “buy tools reactively” — every piece works, and the system still leaks.
So when I rebuilt it, I stopped asking “what should I buy?” and started asking “what order do these layers go in?” Here’s the order I landed on. Five layers, each one assuming the one below it is already solid.
The five layers of a hybrid work security framework
Layer 1 — Identity: prove who is actually there
When everyone worked in one office, the building did a lot of your security work for free. You could see who was at the desk. That signal is gone now. The only thing standing between your data and the rest of the world is whether you can prove that the person logging in is the person you think it is.
I learned how fragile this layer is the expensive way. Early on, the two-factor authentication for our official Facebook account and our Apple Developer account — the one we ship our iOS app from — was tied to one early team member’s personal phone. Then he left, and not on great terms.
Two weeks later we went to ship a bug-fix update. The login screen asked for the six-digit code sent to his iPhone. It took us longer than I’d like to admit to reach him, and the update just sat there, frozen. The two-factor authentication we’d set up to keep us safe was the exact thing that locked us out.
That’s why identity comes first — not because it’s trendy, but because every layer above it inherits its weakness. Multi-factor authentication, single sign-on, and a clear answer to “who has an account and why” are the floor. And for shared accounts specifically, we now run MFA through 1Password’s team plan, so more than one person can generate the codes. One person’s phone should never be a single point of failure for the whole company.
The model that makes this work in a hybrid setup is Zero Trust — the assumption that no login is trusted just because it’s “inside” the network, because there is no inside anymore. If that idea is new to you, I wrote about why Zero Trust is the foundation of hybrid work security separately. Read that first if Layer 1 feels shaky. The rest of this framework assumes it.
Layer 2 — Device trust: prove what they’re connecting from
Once you trust the person, the next question is the machine. A verified employee logging in from a personal laptop that hasn’t been updated in a year is still a risk — you’ve confirmed the driver and ignored the car.
Device trust means you check the state of the device before you let it in: is the disk encrypted, is the OS current, is endpoint protection running. In a hybrid team you can’t walk over and check someone’s laptop, so this has to be automatic. The honest payoff here is less dramatic than you’d expect — fewer mystery incidents, and fewer “my computer is acting weird” tickets that turn out to be something worse.
Layer 3 — Access and data: give people only what they need
This is the layer I underinvested in the longest, and I think most companies do too. We’re good at locking the front door and careless about who can walk into every room once they’re inside.
The principle is least privilege: each person gets access to exactly what their job needs, and nothing else. The shift in thinking is to stop protecting the perimeter and start protecting the data itself. When your team is everywhere, the perimeter is a fiction. The data is what’s valuable, so that’s what you scope access around.
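As an added illustration of the ordering argument in Layers 1 to 3 (example code, not from the original post), this gate evaluates the layers bottom-up and stops at the first one that fails, so device posture is never consulted for an unverified identity and scope is never consulted for an untrusted device. The request fields, role scopes, users and the 30-day patch window are constructed assumptions.

```python
"""Layered access decision modelled on the framework above.

Added illustration, not code from the original post. Layers 1-3 run in
order; a failing lower layer short-circuits everything above it. Field
names, role scopes, users and thresholds are constructed assumptions.
"""
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool          # Layer 1: did the login pass MFA?
    disk_encrypted: bool        # Layer 2: device posture signals
    os_patch_age_days: int
    endpoint_protection: bool
    resource: str               # Layer 3: what is being requested

MAX_PATCH_AGE_DAYS = 30         # constructed posture threshold

# Layer 3, least privilege: constructed example scopes per role.
ROLE_SCOPES = {
    "developer": {"source-repo", "ci-logs"},
    "finance": {"invoices", "payroll"},
}
USER_ROLES = {"mai": "developer", "kenji": "finance"}

def decide(req):
    """Return (allowed, reason). Checks run from the bottom layer up."""
    # Layer 1: identity. Nothing above it matters if this fails.
    if not req.mfa_verified:
        return False, "layer1: MFA not verified"
    # Layer 2: device trust, evaluated only for a verified identity.
    posture_failures = []
    if not req.disk_encrypted:
        posture_failures.append("disk not encrypted")
    if req.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        posture_failures.append(f"OS patches {req.os_patch_age_days}d old")
    if not req.endpoint_protection:
        posture_failures.append("endpoint protection not running")
    if posture_failures:
        return False, "layer2: " + "; ".join(posture_failures)
    # Layer 3: access scoped to the data the role actually needs.
    role = USER_ROLES.get(req.user)
    if req.resource not in ROLE_SCOPES.get(role, set()):
        return False, f"layer3: {req.user} ({role}) not scoped to {req.resource}"
    return True, "allowed"
```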
Layer 4 — Visibility and response: you can’t protect what you can’t see
The first three layers are about prevention. This one is about the assumption that prevention will eventually fail, and that the question that decides whether a small problem becomes a large one is: how fast did you notice?
You need logs of who accessed what, alerts when something looks abnormal, and a written answer to “what do we do in the first hour” before you need it. I’ll be direct: this is the layer everyone skips because nothing bad has happened yet. That’s also exactly why it’s the one that determines how bad the eventual incident is.
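To make "alerts when something looks abnormal" concrete, here is an added example (not from the original post) that runs two simple rules over constructed login log lines: a login from a country the user has not been seen in before, and a successful MFA check right after a run of failures. The log format, users, countries and the threshold of three failures are all constructed assumptions.

```python
"""Layer 4 illustration: turn access logs into alerts.

Added example, not code from the original post. The log format, users,
countries and MFA_FAIL_THRESHOLD are constructed for this example.
"""
from collections import defaultdict

# Constructed sample log: one login event per line, key=value fields.
SAMPLE_LOG = """\
2024-05-02T09:12:00Z user=mai event=login result=ok country=VN mfa=ok
2024-05-02T09:15:10Z user=kenji event=login result=ok country=JP mfa=ok
2024-05-02T22:40:01Z user=mai event=login result=fail country=VN mfa=fail
2024-05-02T22:40:30Z user=mai event=login result=fail country=VN mfa=fail
2024-05-02T22:41:05Z user=mai event=login result=fail country=VN mfa=fail
2024-05-02T22:41:40Z user=mai event=login result=ok country=VN mfa=ok
2024-05-03T03:02:00Z user=kenji event=login result=ok country=US mfa=ok
"""

MFA_FAIL_THRESHOLD = 3  # failures before a following success is flagged

def parse(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a 'ts' key."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec

def detect(log_text, known_countries=None):
    """Return a list of (timestamp, user, alert) tuples.

    known_countries is an optional baseline {user: {countries}}; without
    it, the first login seen for a user establishes that user's baseline.
    """
    seen = defaultdict(set, {u: set(c) for u, c in (known_countries or {}).items()})
    fail_streak = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        r = parse(line)
        if r["event"] != "login":
            continue
        u = r["user"]
        if r["mfa"] == "fail":
            fail_streak[u] += 1
            continue
        # Successful MFA: flag it if it closes a run of failures.
        if fail_streak[u] >= MFA_FAIL_THRESHOLD:
            alerts.append((r["ts"], u, f"mfa success after {fail_streak[u]} failures"))
        fail_streak[u] = 0
        # Flag a country this user has never logged in from before.
        if seen[u] and r["country"] not in seen[u]:
            alerts.append((r["ts"], u, f"login from new country {r['country']}"))
        seen[u].add(r["country"])
    return alerts
```

The alert timestamp is the event that triggered it, so the gap between that timestamp and when someone reads the alert is the "how fast did you notice" number the layer is about.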
Layer 5 — Governance and people: the layer tools can’t cover
Every layer above this can be bought. This one can’t. Governance is the policy that says what’s allowed, who owns it, and how new people learn it on day one instead of month six. And people are where most real incidents start — a reused password, a convincing phishing email, a file shared with the wrong link.
In a hybrid team this is harder, because you can’t rely on the hallway conversation that used to spread “hey, don’t click that.” You have to design the awareness in. For us that meant short, specific guidance built into onboarding rather than a once-a-year training nobody remembers.
How to roll it out without trying to do everything at once
If you read the five layers and felt your shoulders tense, that’s normal. The mistake at this point is to try to build all five at once, stall, and end up with nothing finished. You don’t need to boil the ocean. You need an order, which is the whole point.
The way I’d sequence it: in the first month, fix Layer 1 completely — MFA on everything, and an accurate list of who has access. In the next two months, get Layer 2 and Layer 3 to a baseline. Then build Layer 4 and Layer 5 as ongoing practice rather than a one-time project, because they never really “finish.” Each step assumes the one before it is done. That’s the framework doing its job.
The mistakes that quietly leave you exposed
A few patterns I’ve seen — and made — more than once.
The VPN trap is the most common. A VPN puts a remote device “inside” your network, which in a hybrid world just means you’ve extended your trusted zone to a café table. It’s a tool, not a framework.
Then there’s the reactive tool pile I started with — buying in the wrong order and assuming coverage equals protection. And the one that costs the most: leaving Layer 5 to chance. You can spend heavily on the technology and still get undone by one person, one click, on an ordinary afternoon.
Where this leaves you
A hybrid work security framework is a sequence, not a shopping list. Most companies aren’t insecure because they lack tools — they’re exposed because they bought them in the wrong order and never decided what depends on what.
I run a distributed team for a living, so I think about this more than I’d like to. If you’re working out where your own gaps are, I’m happy to talk it through.
Frequently asked questions
What is a hybrid work security framework?
It's the order in which you secure a distributed team — not a set of tools. A framework decides what you protect first (identity), what depends on what, and where one weak layer makes every layer above it pointless. The tools just carry out those decisions.
What are the five layers of a hybrid work security framework?
Identity (prove who is logging in), device trust (prove what they connect from), access and data (least privilege), visibility and response (notice fast when prevention fails), and governance and people (the layer tools can't cover). Each layer assumes the one below it is already solid.
Is a VPN enough to secure hybrid work?
No. A VPN extends your trusted zone to wherever someone connects from — in practice, a café table. It's a useful tool, not a framework, and on its own it leaves identity, device trust, and the human layer unaddressed. If you're working out where your own gaps are, it's worth mapping the layers in order.
Shogo Harada (原田 祥吾)
CEO · Linnoedge Inc. · LinkedIn
Operating IT offshore development and overseas expansion support businesses across two bases: Tokyo and Vietnam. A leader who believes in “Systems over Spirit,” structuring cross-border businesses that often tend to be opaque. Committed to providing “reproducible quality” to organizations and clients rather than relying solely on individual skills.