{"id":17385,"date":"2020-01-09T09:00:31","date_gmt":"2020-01-09T17:00:31","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/01\/09\/news-11121\/"},"modified":"2020-01-09T09:00:31","modified_gmt":"2020-01-09T17:00:31","slug":"news-11121","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/09\/news-11121\/","title":{"rendered":"Changing the monolith\u2014Part 1: Building alliances for a secure culture"},"content":{"rendered":"<p><strong>Credit to Author: Todd VanderArk | Date: Thu, 09 Jan 2020 17:00:23 +0000<\/strong><\/p>\n<p>Any modern security expert can tell you that we\u2019re light years away from the old days when firewalls and antivirus were the only mechanisms of protection against cyberattacks. Cybersecurity has been one of the hot topics of boardroom conversation for the last eight years, and has been rapidly rising in priority due to the size and frequency of data breaches that have been reported across all industries and organizations.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/01\/31\/ciso-series-talking-cybersecurity-with-the-board-of-directors\/\" target=\"_blank\" rel=\"noopener\">The security conversation has finally been elevated out of the shadows of the IT Department and has moved into the executive and board level spotlights<\/a>. 
This has motivated the C-teams of organizations everywhere to start asking hard questions of their Chief Information Officers, Chief Compliance Officers, Privacy Officers, Risk Organizations, and Legal Counsels.<\/p>\n<p>Cybersecurity professionals can either wait until these questions land at their feet, or they can take charge and build relationships with executives and the business side of the organization.<\/p>\n<h3>Taking charge of the issue<\/h3>\n<p>Professionals fortunate enough to have direct access to the Board of Directors of their organization can also build <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/04\/10\/4-prevention-strategies-enterprise-level-security\/\" target=\"_blank\" rel=\"noopener\">extremely valuable relationships at the board level as well<\/a>. As cybersecurity professionals establish lines of communication throughout organizational leadership, they must keep in mind that<strong> these leaders, although experts in their respective areas, are not technologists<\/strong>.<\/p>\n<p><a href=\"https:\/\/medium.com\/microsoft-cybersecurity\/humans-of-cybersecurity-the-future-is-a-boardroom-with-more-security-aware-business-eafbe504c54\" target=\"_blank\" rel=\"noopener\">The challenge that cybersecurity professionals face is being able to get the non-technical people on board with the culture of change in regards to security<\/a>. These kinds of changes in culture and thinking can help facilitate the innovation that is needed to decrease the risk of compromise, reputation damage, sanctions against the organization, and potential stock devaluation. 
So how can one deliver this message of <em>Fear<\/em>,<em> Uncertainty<\/em>,<em> and Doubt (FUD)<\/em> without losing the executive leaders in the technical details or dramatization of the current situation?<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-90428\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-monolith-1.jpg\" alt=\"\" width=\"2000\" height=\"1335\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-monolith-1.jpg 2000w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-monolith-1-300x200.jpg 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-monolith-1-768x513.jpg 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-monolith-1-1024x684.jpg 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/01\/Changing-the-monolith-1-293x195.jpg 293w\" sizes=\"auto, (max-width: 2000px) 100vw, 2000px\" \/><\/p>\n<p><em>Start by addressing the business problem, not the technology.<\/em><\/p>\n<h3>The answer isn\u2019t as daunting as you might think<\/h3>\n<p>The best way to start the conversation with business leaders is to begin by <a href=\"https:\/\/medium.com\/microsoft-cybersecurity\/what-we-lose-without-a-vision-1a08238dadb8\" target=\"_blank\" rel=\"noopener\">stating the principles of your approach to addressing the problem and the risks of not properly addressing it<\/a>. 
It\u2019s important to remember to present the principles and methods in a way that is understandable to non-technical persons.<\/p>\n<p>This may sound challenging at first, but the following examples will give you a good starting point for how to accomplish this:<\/p>\n<ul>\n<li><strong>At some point in time, there <\/strong><em><strong>will<\/strong><\/em><strong> be a data breach<\/strong>\u2014Every day we\u2019re up against tens of thousands of &#8220;militarized&#8221; state-sponsored threat actors who usually know more about organizations and technical infrastructure than we do. This is not a fight we\u2019ll always win, even if we\u2019re able to bring near unlimited resources to the table, which is itself rare. In any scenario, we must accept some modicum of risk, and cybersecurity is no different. The approach for resolution should involve mitigating the likelihood and severity of a compromise when it ultimately does occur.<\/li>\n<li><strong>Physical security and cybersecurity are linked<\/strong>\u2014If you have access to physical hardware, there are myriad ways to pull data directly from your enterprise network and send it to a dark web repository or other malicious data repository for later decryption and analysis. If you have possession of a laptop or mobile device, and storage encryption hasn\u2019t been implemented, an attacker can forensically image the device fairly easily and make an exact replica to analyze later. By using these or similar examples, you can clearly state that physical security even <em>equals<\/em> cybersecurity in many cases.<\/li>\n<li><strong>You can\u2019t always put a dollar amount on digital trust<\/strong>\u2014Collateral damage in the aftermath of a cyberattack goes well beyond dollars, and paying attention to cybersecurity and privacy threats demonstrates digital trust to clients, customers, employees, suppliers, vendors, and the general public. 
<a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2019\/04\/29\/microsoft-releases-biannual-digital-trust-reports-4\/\" target=\"_blank\" rel=\"noopener\">Digital trust underpins every digital interaction by measuring and quantifying the expectation that an entity is who or what it claims to be and that it will behave in an expected manner<\/a>. This can set an organization apart from its competitors.<\/li>\n<li><strong>Everything can\u2019t be protected equally; likewise, everything doesn\u2019t have the same business value<\/strong>\u2014Where are the crown jewels, and which systems\u2019 failure would have a critical impact on the organization\u2019s business? Once these are identified, the organization has a lot less to worry about and protect. Additionally, one of the core principles should be, \u201cWhen in doubt, throw it out.\u201d Keeping data longer than it needs to be kept increases the attack surface area and creates liability for the firm to produce large amounts of data during requests for legal discovery. The Data Retention Policy needs to reflect this. Data Retention Policies need to be created with input from the business and General Counsel.<\/li>\n<li><strong>Identity is the new perimeter<\/strong>\u2014Additional perimeter-based security appliances will not decrease the chance of compromise. Once identity is compromised, perimeter controls become useless. Operate as if the organization\u2019s network has already been compromised, as mentioned in principle #1. <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2018\/12\/17\/zero-trust-part-1-identity-and-access-management\/\" target=\"_blank\" rel=\"noopener\">Focus the investment on modern authentication, Zero Trust, conditional access, and abnormal user and information behavior detection<\/a>. Questions to ask now include: what is happening to users, company data, and devices, both inside and outside the firewall? 
Think about data handling\u2014who has access to what, why, and is it within normal business activity parameters?<\/li>\n<\/ul>\n<h3>The culture of change in the organization<\/h3>\n<p>If leadership is not on board with the people, process, and technology changes required to fulfill a modern approach to cybersecurity and data protection, any effort put into such a program is a waste of time and money.<\/p>\n<p>You can tell immediately if you\u2019ve done the appropriate amount of marketing to bring cybersecurity and data protection to the forefront of business leaders\u2019 agendas. If the funding and the support for the mission are unavailable, one must ask oneself if the patient, in this case the organization, truly wants to get better.<\/p>\n<p>If, during a company meeting, a CEO declares that \u201cdata protection is everyone\u2019s responsibility, including mine,\u201d everyone will recognize the importance of the initiative to the company\u2019s success. Hearing this from the CISO or below does not have the same gravitas.<\/p>\n<p>The most successful programs I\u2019ve seen are those that have been sponsored at the <strong>highest levels of the organization and tied to performance<\/strong>. For more information on presenting to the board of directors, watch our <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/ciso-cybersecurity-strategy?rtc=1\" target=\"_blank\" rel=\"noopener\">CISO Spotlight Episode with Bret Arsenault, Microsoft CISO<\/a>.<\/p>\n<h3>Stay tuned and stay updated<\/h3>\n<p>Stay tuned for &#8220;Changing the monolith\u2014Part 2,&#8221; where I address who you should recruit as you build alliances across the organization, how to build support through business conversations, and what\u2019s next in driving organizational change. In the meantime, bookmark the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noopener\">Security blog<\/a> to keep up with our expert coverage on security matters. 
Also, follow us at <a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener\">@MSFTSecurity<\/a> for the latest news and updates on cybersecurity.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/01\/09\/changing-the-monolith-part-1-building-alliances-for-a-secure-culture\/\">Changing the monolith\u2014Part 1: Building alliances for a secure culture<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft Security<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Todd VanderArk | Date: Thu, 09 Jan 2020 17:00:23 +0000<\/strong><\/p>\n<p>Digital transformation is a daunting task. In this series, I explore how change is possible when addressing the components of people, process, and technology that make up the organization.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/01\/09\/changing-the-monolith-part-1-building-alliances-for-a-secure-culture\/\">Changing the monolith\u2014Part 1: Building alliances for a secure culture<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/\">Microsoft 
Security<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[4500],"class_list":["post-17385","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-cybersecurity"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17385","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17385"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17385\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17385"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}