The term return to office (RTO) has dominated headlines for the past year. But despite the noise, data tell a different story: Full-time office life isn’t coming back—at least not in the same way.

According to 2025 research, 85% of organizations now stipulate an attendance policy, but only 37% actually enforce it.

The numbers reveal what most workers already know: Hybrid work has become the real norm.

RTO really means hybrid

Even when companies ask employees to come back, few expect five full days a week. On average, employers expect 3.2 days in office per week, according to a study by CBRE.

Think about the everyday realities:
• A parent leaves midday for their kid’s school event and logs back in from home afterward.
• A contractor in another city joins a brainstorming session from a personal laptop.
• A team member works from home when the train line is down or the office HVAC breaks.

Even in companies with formal RTO mandates, work still happens everywhere. Whether it’s from home, the office, or on the go, flexibility is now woven into how businesses operate.

Employees aren’t willing to compromise

Employees now see flexibility as part of a job description. When six in 10 remote-capable workers prefer a hybrid arrangement, it’s not a perk anymore; it’s a baseline. And with fewer than 10% wanting to be entirely onsite, organizations that ignore flexibility risk losing top talent to those that embrace it.

The message is clear: The future of work isn’t about choosing between remote or in-office. It’s about enabling both, fluidly and securely.

Checklist for IT and security leaders

Many organizations are still building their infrastructure as though the office is the center of gravity. In reality, the network perimeter has dissolved, and the endpoints accessing sensitive company data are increasingly outside IT’s direct control.

This new model demands a shift in thinking. Here is a checklist that can help IT and security leaders prepare.

Plan for permanent hybrid

• Treat hybrid as the default, not a temporary workaround.
• Map all employee, contractor, and offshore access points.
• Build policies, access controls, and support structures that account for fluctuating locations and device types.

Protect the data, not the device

• Encrypt sensitive data at rest and in transit.
• Implement strong authentication (MFA) and least-privilege access.
• Focus on securing the data itself, as opposed to the entire device. This can be accomplished with secure containers or technologies that strongly isolate personal and work environments on a device, like Venn’s secure enclave.

Rethink user experience

• Deploy security tools that work seamlessly across office, home, and mobile devices.
• Use single sign-on and adaptive authentication to minimize friction.
• Monitor and adjust workflows to prevent users from finding workarounds that compromise security.

Establish clear boundaries

• Define acceptable use policies for personal and contractor devices.
• Clearly communicate expectations for remote access, collaboration tools, and data handling.
• Train employees and contractors regularly on security policies and compliance requirements.

Continuously reassess risk

• Conduct periodic audits of data access, endpoint posture, and third-party vendors.
• Track changes in the workforce: new contractors, offboarding, or device upgrades.
• Adjust controls and policies as technology, regulations, and business needs evolve.

RTO doesn’t mean going back

Return to office isn’t a reversal of remote work; it’s an evolution of it. The workplace of 2025 is a flexible, unbounded environment that requires IT and security strategies to be just as adaptive. Companies that recognize this early and start building for hybrid work as the default, rather than the exception, will not only be more secure but also more attractive to today’s workforce.