Microsoft has created an education series called “Modern Workplace” which provides a variety of methods on how to leverage technology.
One of their series was on “How to keep your organization safe”. Recently they interviewed Mike Howard, CSO of Microsoft and Brett Arsenault, CISO of Microsoft on how they are addressing security in the modern workplace. Both executives have been featured in The Great Conversation in Security, a forum that takes place each spring in Seattle, Washington. This year it is March 6 & 7 at the Bell Harbor Conference Center on the Seattle waterfront.
Arsenault makes some great points on how every security department can scale and optimize their operations by relying on the efficiencies and security of the cloud. As you can see in the first graphic, he points to several elements of the security program that can prevent breaches. He says 85% of the breaches can be prevented from:
1. Ensuring you are using the latest operating system
2. Patching computer programs and keeping your machines up-to-date
3. Leveraging anti-malware technology
4. Providing identity protection
5. Providing good monitoring
However, according the Arsenault the costs and time spent doing these things constrains most security departments. This can be mitigated by leveraging the cloud.
Another interesting point that came out of the interview was his idea of the converged organization, which we are hearing more about in the discussion around Enterprise Security Risk Management (ESRM). To Arsenault and Howard, convergence is collaboration which includes information sharing, resource sharing, and leveraged response. It also relies on a change of thinking moving from a “fortress” mentality where you are trying to react to breaches, to an acknowledgment and assumption mentailty, that a breach will and does occur. This state of mind and readiness relies on detection and response, ensuring the resilience of business operations.
Howard underlined the need for intelligence in making risk-based decisions and ensuring proper planning and response through organizational collaboration and training. He showed how they were using intelligence gathering through video surveillance and law enforcement to model potential threats around the world. One example was an anarchist attack at one facility in the United States that was captured on video. The perpetrators were identified, the organization they belonged to investigated, and then other incidents were modelled using an information analysis and reporting tool called Power BI. As you can see in the graphic above it provides a rich, visual representation of data that can be quickly and intuitively understood and acted upon.
Howard also emphasized the maturity cycle of leadership in a security organization, emphasizing the needs to move from the tactical to the strategic and trusted advisor. This is more important in today’s risk environment considering the demographic shifts in our society, the evolving security landscape where threats are growing and coming at us faster than ever. The tools by which those threats are executed are becoming more advanced, for example through social media. To meet these challenges, it will take collaborative leadership with the risk owners of the business, persistent education and training, and metrics based implementation of security processes.
On the front end, he emphasized the need to hire business-savvy people who have collaboration skills and ensure they come from a variety of social and professional backgrounds. This diversity is a key foundation to innovation and change.