This post is authored by Robert Hayes, Senior Director and Chief Security Advisor in Microsoft’s Enterprise Cybersecurity Group.
With the scale, scope, and complexity of cyber-attacks increasing by the week, cybersecurity is increasingly being seen as a primary issue for CEOs & Boards.
Advice is not hard to find, and there are a multitude of information sources and standards; the in-house CIO will have a view, and of course there are a myriad of vendors, each with a solution that promises to be the answer to all security problems.
Trust is at the heart of a successful security strategy, yet knowing who and what can be trusted, and whether that trust should be absolute or conditional, is extremely difficult.
In my conversations with CEOs I often ask them their degree of trust in five key security related areas:
- The people who work in their organization
- The organizations in their supply chain
- The integrity, resilience & security of their existing infrastructure
- The integrity, resilience & security of cloud based infrastructures
- The advice they receive, both internal & external
Unsurprisingly, the answer to each question is always varying degree of conditional, but not absolute trust.
Where the conversation becomes interesting, is where the CEO and I then jointly explore whether the infrastructure, processes, and policies of their organization reflect their intent to avoid absolute trust in these five key areas. Invariably, the answer is no.
Recurring examples of this inconsistency, each carrying significant organizational risk, are:
- IT administrators having unfettered and unaudited access to all corporate systems without effective security mitigations such as multi-factor authentication, and privileged access workstations in place.
- HR departments not instructing the IT department to cancel user access privileges for days, often weeks, after an employee is terminated or leaves the company.
- Supply chain contracts drawn up with no security provisions, standards, or audit clauses.
- No due diligence or impartial advice at Board level on the assurances and assertions made by both in-house IT teams and vendors on integrity, resilience and security.
A common closing theme of these conversations is the need for CEOs and Boards to have impartial advice and support to help them robustly challenge and undertake effective due diligence in this critical area, and the difficulty achieving this.
In the US proposed SEC regulation will mean that companies, in particular publicly listed firms, must have a cyber expert on their Board, yet there are currently very few executive or non-executive directors with this skill set, and who are comfortable operating at a Board level.
An alternative, but expensive position is to buy in the skill set from a third party, and there are many consultancies who will be delighted to have this conversation. However, some consultancies also have a vested interest in system integration, and their advice may not be as impartial as it seems.
Finally, there exists the challenging option of changing the relationship with key suppliers away from the classic customer – vendor to one closer to trusted strategic partner, supported by a robust due-diligence process. Many organizations are seeking to move closer to this type of relationship, whilst still maintaining sufficient distance to satisfy probity and procurement rules.
Whilst each of these options have challenges, the reality remains that without a trusted cybersecurity advisor, CEOs and Boards will continue to make decisions without effective challenge or scrutiny, that leave their organization vulnerable to cyberattack.
To learn more about how Microsoft can help you ensure security while enabling your digital transformation, visit us a Microsoft Secure.
Robert Hayes is a Senior Director and Chief Security Advisor in Microsoft’s Enterprise Cybersecurity Group.