The Jericho Forum promoted a new concept of security called de-perimeterisation that focused on how to protect enterprise data flowing in and out of your enterprise network boundary instead of striving to convince users and the business to keep it on the corporate network. This shift to “secure assets where they are” proved quite prophetic, especially when you consider that the original iPhone didn’t release until 2007 (which triggered the sea change of user preferences shaping enterprise technology decisions that is now just normal).

One CISO: Our network has become a mini-internet

A lot has changed since the days when we knew exactly what is on our network. A CISO of a multinational organization once remarked that its corporate network has become a miniature internet. With hundreds of thousands of devices connected at all hours including many unmanaged devices, the network has lost its ability to create trust for the devices on it. While network controls still have a place in a security strategy, they are no longer the foundation upon which we can build the assurances we need to protect business assets.

In this blog, we will examine how these concepts (captured succinctly in the Jericho® Forum Commandments) have helped shape what has become Zero Trust today, including Microsoft’s Zero Trust vision and technology.

Accepting de-perimeterisation frees security architects and defenders to re-think their approach to securing data. Securing data where it is (vs. artificially confining it to a network) also naturally more aligned to the business and enables the business to securely operate.

Blocking is a blunt instrument

While security folks love the idea of keeping an organization safe by blocking every risk, the real world needs flexible solutions to gracefully handle the grey areas and nuances.

The classic approach of applying security exclusively at the network level limits what context security sees (e.g. what the user/application trying to do at this moment) and usually limits the response options to only blocking or allowing.

This is comparable to a parent filtering content for their children by blocking specific TV channels or entire sites like YouTube. Just like blocking sites in security, the rough grain blocking causes issues when kids need YouTube to do their online classes or find websites and other TV channels with inappropriate content.

We have found that it’s better to offer users a safe path to be productive rather than just blocking a connection or issuing an “access denied.” Microsoft has invested heavily in zero trust to address both the usability and security needs in this grey area

• Providing easy ways to prove trustworthiness using multi-factor authentication (MFA) and Passwordless authentication that do not repeatedly prompt for validation if risk has not changed as well as hardware security assurances that silently protect their devices.
• Enabling users to be productive in the grey areas – Users must be productive for their jobs even if they are working from unmanaged networks or unusual locations. Microsoft allows users to increase their trust with MFA prompts and enables organizations to limit or monitor sessions to mitigate risk without blocking productivity.

While it’s tempting to think “but it’s just safer if we block it entirely”, beware of this dangerous fallacy. Users today control how they work and they will find a way to work in a modern way, even if they must use devices and cloud services completely outside the control of IT and security departments. Additionally, attackers are adept at infiltrating approved communication channels that are supposed to be safe (legitimate websites, DNS (Domain Name Servers) traffic, email, etc.).

The Jericho Forum recognized emerging trends that are now simply part of normal daily life. As we make security investments in the future, we must embrace new ways of working, stop confining assets unnaturally to a network they do not belong on, and secure those assets and users where they are and wherever they go.

Learn more about Why Zero Trust. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Back to the future: What the Jericho Forum taught us about modern security appeared first on Microsoft Security Blog.

Security is a major concern of not only major governments but of other entities using Microsoft Power App intake forms. Organizations and agencies needed to be certain that Microsoft Power App intake forms could not be used to collect data from large, sensitive databases containing personal information like names, addresses, Social Security or national security identification numbers, telephone numbers, or bank account information for direct deposit. If internet-facing forms collect personal information, and are not securely implemented, bad actors can use those forms to cleverly gain access to millions—if not billions—of personal records.

We authored this white paper specifically for those agencies and organizations who are transforming data intake to partially or 100-percent paperless. Microsoft wants to ensure that customers are implementing our technologies with the most secure approach possible, and adhering to compliance with all data privacy laws. Microsoft is also making recommendations in the white paper regarding the best way to implement the NIST Cybersecurity Framework in order to identify, protect, detect, respond, and recover from cybersecurity attacks.

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Best security, compliance, and privacy practices for the rapid deployment of publicly facing Microsoft Power Apps intake forms appeared first on Microsoft Security Blog.

Here are seven benefits:

1. Azure AD is simple to set up and works with almost everything, meaning once identity is in the cloud. It may be accessed by any entity that requires access and used for all on-premises and cloud applications. Azure AD MFA—using the Microsoft Authenticator app—is one the easiest MFA solutions for users to adopt and one of the fastest ways to take a passwordless approach.

To learn more, read Microsoft Recommending Non-Expiring Passwords to Office 365 Customers.

2. SSO reduces the threat of untimely termination/identity decommissioning by decreasing “identity sprawl,” so you can have one identity in multiple applications per user.

To learn more, read Azure AD Seamless Single Sign-on.

3. A single, unified MFA reduces the success of phishing attacks due to password reuse or social engineering with the enforcement of MFA.

To learn more, read Email Phishing Protection Guide—Part 3: Enable Multi Factor Authentication (MFA).

4. The SSO/IDaaS approach paves the way for eliminating basic authentication and password spray attacks.

To learn more, read Your Pa$$word doesn’t matter.

5. MFA and SSO increases user satisfaction—making the CISO a business enabler rather than a productivity and collaboration roadblock.

To learn more, read Go passwordless to strengthen security and reduce costs.

6. Azure AD is more available than on-premises AD FS and other IDaaS. Microsoft guarantees 99.9 percent uptime—a difficult SLA to achieve on-premises.

For details, see SLA for Azure Active Directory.

7. Azure AD Conditional Access enforces the Zero Trust model for all authentications.

To learn more, visit Achieve Zero Trust with Azure AD conditional access.

Also, bookmark the Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Quick wins—single sign-on (SSO) and Multi-Factor Authentication (MFA) appeared first on Microsoft Security Blog.

How do we secure identity?

Start by evaluating how users are authenticating to all applications inside and outside the organization. I say all applications, because it doesn’t take much effort for a hacker to pivot from a low-value, non-sensitive application to a high-value and highly-sensitive application, quickly gaining access to confidential or restricted data.

Similarly, Multi-Factor Authentication (MFA) must be enforced for all users as well, not just highly privileged users. Remember that it is simple for bad actors to pass-the-hash, run a Golden Ticket Attack, or use other techniques to elevate their privileges and gain access to sensitive data.

Modern authentication encourages us to reduce vulnerable legacy authentication methods, including Kerberos and NTLM. Additionally, modern authentication requires that we rely on more than one factor of authentication for all users. These factors range from something you know (password or one-time password), something you have (hardware token or soft token), or something you are (biometrics like 3D facial recognition or fingerprint matching).

Start with MFA.

Requiring MFA for all applications, whether on-premises or in the cloud, is a great start. When using MFA, consider enforcing an authenticator app or a one-time password mechanism as they are typically not as susceptible to man-in-the-middle attacks, compared to text-back codes or phone calls that may be intercepted with spoofing.

The least vulnerable MFA mechanisms include FIDO2, which utilizes a biometric device or USB hardware token like YubiKey, and machine learning systems that can provide conditional access based on Zero Trust and time-of-authentication context.

Here is the context commonly evaluated by machine learning authentication systems:

• Can an authentication token be obtained?
• Does the user have a valid username, password, and a second form of authentication (MFA), like a biometric validation (fingerprint or 3D facial recognition) through an authenticator app?
• What is the risk score of the user?
• Is the user authenticating from two places at nearly the same time (Impossible Traveler)?
• Has the user’s password been discovered on the Dark Web because of an account and password database breach?
• Is this a reasonable time for the user to be signed in based upon past behavior?
• Is the user signing-in from an anonymous source like a Tor exit node?
• What is the risk score of the device?
• Has the device experienced unresolved risk in the last several days?
• Has the machine been exposed to malware?
• Is the machine running a high-risk application?
• Are the antimalware signatures up to date?
• Are all the critical and high software patches applied?
• Are there sensitive documents on the device?

With the enforcement of MFA, a single, unified MFA reduces the success of phishing attacks due to password reuse or social engineering. With web-based Authentication-as-a-Service (AaaS) applications, MFA is easy to implement across the enterprise. Modern operating systems now enforce multifactor authentication by default, including Windows 10 Hello, macOS, iOS, and Android. Most modern on-premises and cloud applications should be able to consume SSO authentication standards like SAML or OpenID and OAth2 authorization.

Moving toward a secure SSO posture

Implementing a single identity source for all applications leads the organization to a better and less time-consuming and complicated user experience, and an arguably more secure SSO posture by:

• Reducing the number of passwords that users need to remember or save—quite often insecurely—to access their applications.
• Introducing pass-through authentication and authorization, so that once a user authenticates to an operating system, they have unprompted access to both on-premises and cloud apps, using the same security token created when they signed in to the operating system using MFA.
• Reducing the threat of untimely termination/missed identity decommissioning by decreasing “identity sprawl,” which is what you encounter when your organization has multiple identities in multiple applications per user. That is sometimes the result of non-integrated entities or not yet integrated entities and affiliates. B2B approaches to SSO can be explored to solve the problems associated with not integrating a business unit or operating group into the organization’s core directory.

Considering user satisfaction is critical.

MFA and SSO together increases user satisfaction, making the CISO a business enabler rather than a productivity and collaboration roadblock. Cloud-based MFA and SSOP directory systems have been shown to be more available than on-premises directory or federation services with many cloud providers providing 99.9 percent uptime. A three-nines Service Level Agreement (SLA) is challenging to achieve on-premises with limited IT staff and budget!

Stay tuned

Stay tuned for the next installment of my Changing the Monolith series. In the meantime, check out the first three posts in the series:

• Part 1: Building alliances for a secure culture
• Part 2: Whose support do you need?
• Part 3: What’s your process?

Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the Monolith—Part 4: Quick tech wins for a cloud-first world appeared first on Microsoft Security Blog.

Here are a few tips to create teams unified around a common mission:

1. Define the mission and implement it like any other business plan

First, you must know what you are trying to achieve. Are you protecting trade secrets? Limiting reputation damage? Reducing the chance of unauthorized access to sensitive data? Complying with all local, regional, and national data protection laws? Trying to keep employees safe? Keep patients, passengers, customers, and business partners safe? Is the answer “All the above?” Define an order of risk magnitude.

Focus on what success looks like, identify quick wins, and get the opinions of executive leadership. What do they view as success? Don’t settle for unrealistic answers such as “We want 100 percent security.” Explain what is realistic and offer your approach as a business plan.

2. Define success—be able to articulate what it is and how it can be measured

When you start any endeavor, how do you determine when it is finished? While information security has a lifecycle that never ends, certain foundations must be established to foster a culture of security and privacy. Success could look like reducing risk to trade secrets, reducing the impact of third-party risk, or protecting an organization’s reputation.

However, success is defined for your mission, success needs to be measurable. If you can’t summarize success during an elevator pitch, a monthly CEO report, or a board presentation, you haven’t defined it appropriately.

3. Leverage a methodology and make it part of the game plan

Think of the methodology as a game plan. There aren’t enough people, not enough time, and a finite amount of money. Attempting to do everything all at once is a fool’s errand. The moment you know what you’re trying to achieve, it allows you to create a plan of attack. The plan should follow a proven set of steps that move in the right direction.

A popular methodology right now is the Zero Trust model, which has been waiting in the wings for its big debut for over a decade. Zero Trust has made it to the spotlight largely because the conventional perimeter has been deemed a myth. So, what is your approach to achieving security, compliance, and privacy once you have chosen a methodology?

Zero Trust

Reach the optimal state in your Zero Trust journey.

Learn more

4. Market the plan

One of the main hurdles I constantly witness is that the larger the organization, the more isolated the business units—especially in IT. In many cases, cybersecurity leadership does not engage in regular communication within factions of IT. To name a few, there are application development, user support, database teams, infrastructure, and cloud teams. And almost always outside their purview resides HR, Legal, Finance, Procurement, Corporate Communications, and Physical Security departments.

In a previous role, I found success by borrowing employees from some of these other departments. Not only to help build political capital for the cybersecurity team, but to land the security awareness message with the populace and connect with the aforementioned units within IT and business leadership. To do the same, start by building a plan and define your message. Repeat the message often enough so it’s recognized, and people are energized to help drive the mission forward.

5. Teamwork in the form of governance

Once “inter-IT” and business relationships are established, governance can commence—that ultimately means creating process and policy. Involve as many stakeholders as possible and document everything you can. Make everyone aware of their role in the mission and hold them accountable.

Take for example a mobile device policy. Whose input should be solicited? At a minimum, you should involve HR, Legal, Finance, the CIO, and the user community. What do they want and need? When everyone agrees and all requirements are negotiated, it’s amazing how quickly a policy is ratified and becomes official.

Cybersecurity, privacy, compliance, and risk management should be managed like any other business; and any business values process. Without process, product doesn’t get manufactured or shipped, patients don’t heal, and the supply chain grinds to a halt. Without process, there can be no consensus on how to protect the organization.

Stay tuned

Stay tuned for the next installment of my series, Changing the Monolith: People, Process, and Technology. In the meantime, check out the first two posts in the series, on people:

• Part 1: Building alliances for a secure culture
• Part 2: Whose support do you need?

Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the Monolith—Part 3: What’s your process? appeared first on Microsoft Security Blog.

Let’s look at some concrete steps you can take to begin that process in your organization. But first, a little context.

The data privacy landscape

Since Data Privacy Day commenced in 2007, the amount of data we collect has increased exponentially. In fact we generate “2.5 quintillion bytes of data per day!” Unfortunately, we’ve also seen a comparable increase in security incidents. There were 5,183 breaches reported in the first nine months of 2019, exposing a total of 7.9 billion records. According to the RiskBased Data Breach QuickView Report 2019 Q3, “Compared to the 2018 Q3 report, the total number of breaches was up 33.3 percent and the total number of records exposed more than doubled, up 112 percent.”

In response to these numbers, governments across the globe have passed or are debating privacy regulations. A few of the key milestones:

• Between 1998 and 2000, The E.U. and the U.S. negotiated Safe Harbor, which were privacy principles that governed how to protect data that is transferred across the Atlantic.
• In 2015, the European Court of Justice overturned Safe Harbor.
• In 2016, Privacy Shield replaced Safe Harbor and was approved by the courts.
• In 2018, the General Data Protection Regulation (GDPR) took effect in the E.U.
• On January 1, 2020, CCPA took effect for businesses that operate in California.

Last year, GDPR levied 27 fines for a total of € 428,545,407 (over $472 million USD). California will also levy fines for violations of CCPA. Compliance is clearly important if your business resides in a region or employs persons in regions protected by privacy regulation. But protecting privacy is also the right thing to do. Companies who stand on the side of protecting the consumer’s data can differentiate themselves and earn customer loyalty.

Don’t build a data privacy program, build a data privacy culture

Before you get started, recognize that improving how your organization manages personal data, means building a culture that respects privacy. Break down siloes and engage people across the company. Legal, Marketing, SecOps, IT, Senior Managers, Human Resources, and others all play a part in protecting data.

Embrace the concept that privacy is a fundamental human right—Privacy is recognized as a human right in the U.N. Declaration of Human Rights and the International Covenant on Civil and Political Rights, among other treaties. It’s also built into the constitutions and governing documents of many countries. As you prepare your organization to comply with new privacy regulations, let this truth guide your program.

Understand the data you collect, where it is stored, how it is used, and how it is protected—This is vital if you’re affected by CCPA or GDPR, which require that you disclose to users what data you are collecting and how you are using it. You’re also required to provide data or remove it upon customer request. And I’m not just talking about the data that customers submit through a form. If you’re using a tool to track and collect online user behavior that also counts.

This process may uncover unused data. If so, revise your data collection policies to improve the quality of your data.

Determine which regulations apply to your business—Companies within the E.U. that do business with customers within the E.U., or employ E.U. citizens, are subject to GDPR. CPPA applies to companies doing business within California and meet one of the following requirements:

• A gross annual revenue of more than $25 million.
• Derive more than 50 percent of their annual income from the sale of California consumer personal information or
• Buy, sell, or share the personal information of more than 50,000 California consumers annually.

Beyond California and the E.U., India is debating a privacy law, and Brazil’s regulations, Lei Geral de Proteção de Dados (LGPD), will go into effect in August 2020. There are also several privacy laws in Asia that may be relevant.

Hire, train, and connect people across your organization—To comply with privacy regulations, you’ll need processes and people in place to address these two requirements:

1. Californians and E.U. citizens are guaranteed the right to know what personal information is being collected about them; to know whether their personal information is sold or disclosed and to whom; and to access their personal information.
2. Organizations will be held accountable to respond to consumers’ personal information access requests within a finite timeframe, for both regulations.

The GDPR requires that all companies hire a Data Protection Officer to ensure compliance with the law. But to create an organization that respects privacy, go beyond compliance. New projects and initiatives should be designed with privacy in mind from the ground up. Marketing will need to include privacy in campaigns, SecOps and IT will need to ensure proper security is in place to protect data that is collected. Build a cross-discipline team with privacy responsibilities, and institute regular training, so that your employees understand how important it is.

Be transparent about your data collection policies—Data regulations require that you make clear your data collection policies and provide users a way to opt out (CCPA) or opt in (GDPR). Your privacy page should let users know why the data collection benefits them, how you will use their data, and to whom you sell it. If they sell personal information, California businesses will need to include a “Do not sell my personal information” call to action on the homepage.

A transparent privacy policy creates an opportunity for you to build trust with your customers. Prove that you support privacy as a human right and communicate your objectives in a clear and understandable way. Done well, this approach can differentiate you from your competitors.

Extend security risk management practices to your supply chain—Both the CCPA and the GDPR require that organizations put practices in place to protect customer data from malicious actors. You also must report breaches in a timely manner. If you’re found in noncompliance, large fees can be levied.

As you implement tools and processes to protect your data, recognize that your supply chain also poses a risk. Hackers attack software updates, software frameworks, libraries, and firmware as a means of infiltrating otherwise vigilant organizations. As you strengthen your security posture to better protect customer data, be sure to understand your entire hardware and software supply chain. Refer to the National Institute of Standards and Technology for best practices. Microsoft guidelines for reducing your risk from open source may also be helpful.

Microsoft can help

Microsoft offers several tools and services to help you comply with regional and country level data privacy regulations, including CCPA and GDPR. Bookmark the Security blog and the Compliance and security series to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity and connect with me on LinkedIn.

The post Data privacy is about more than compliance—it’s about being a good world citizen appeared first on Microsoft Security Blog.

Build the right cybersecurity team

It could be debated that the concept of a “deep generalist” is an oxymoron. The analogy I frequently find myself making is you would never ask a dermatologist to perform a hip replacement. A hip replacement is best left to an orthopedic surgeon who has many hours of hands-on experience performing hip replacements. This does not lessen the importance of the dermatologist, who can quickly identify and treat potentially lethal diseases such as skin cancer.

Similarly, not every cybersecurity and privacy professional is deep in all subjects such as governance, technology, law, organizational dynamics, and emotional intelligence. No person is born a specialist.

If you are looking for someone who is excellent at threat prevention, detection, and incident response, hire someone who specializes in those specific tasks and has demonstrated experience and competency. Likewise, be cautious of promoting cybersecurity architects to the role of Chief Information Security Officer (CISO) if they have not demonstrated strategic leadership with the social aptitude to connect with other senior leaders in the organization. CISOs, after all, are not technology champions as much as they are business leaders.

Keep business leaders in the conversation

Leaders can enhance their organizations’ security stance by sending a top-down message across all business units that “security begins with me.” One way to send this message is to regularly brief the executive team and the board on cybersecurity and privacy risks.

Keep business leaders accountable about security.

These should not be product status reports, but briefings on key performance indicators (KPI) of risk. Business leaders must inform what the organization considers to be its top risks.

Here are three ways to guide these conversations:

1. Evaluate the existing cyber-incident response plan within the context of the overall organization’s business continuity plan. Elevate cyber-incident response plans to account for major outages, severe weather, civil unrest, and epidemics—which all place similar, if not identical, stresses to the business. Ask leadership what they believe the “crown jewels” to be, so you can prioritize your approach to data protection. The team responsible for identifying the “crown jewels” should include senior management from the lines of businesses and administrative functions.
2. Review the cybersecurity budget with a business case and a strategy in mind. Many times, security budgets take a backseat to other IT or business priorities, resulting in companies being unprepared to deal with risks and attacks. An annual review of cybersecurity budgets tied to what looks like a “good fit” for the organization is recommended.
3. Reevaluate cyber insurance on an annual basis and revisit its use and requirements for the organization. Ensure that it’s effective against attacks that could be considered “acts of war,” which might otherwise not be covered by the organization’s policy. Review your policy and ask: What happens if the threat actor was a nation state aiming for another nation state, placing your organization in the crossfire?

Gain buy-in through a frictionless user experience

“Shadow IT” is a persistent problem when there is no sanctioned way for users to collaborate with the outside world. Similarly, users save and hoard emails when, in response to an overly zealous data retention policy, their emails are deleted after 30 days.

Digital transformation introduces a sea of change in how cybersecurity is implemented. It’s paramount to provide the user with the most frictionless user experience available, adopting mobile-first, cloud-first philosophies.

Ignoring the user experience in your change implementation plan will only lead users to identify clever ways to circumvent frustrating security controls. Look for ways to prioritize the user experience even while meeting security and compliance goals.

Incremental change versus tearing off the band-aid

Imagine slowly replacing the interior and exterior components of your existing vehicle one by one until you have a “new” car. It doesn’t make sense: You still have to drive the car, even while the replacements are being performed!

Similarly, I’ve seen organizations take this approach in implementing change, attempting to create a modern workplace over a long period of time. However, this draws out complex, multi-platform headaches for months and years, leading to user confusion, loss of confidence in IT, and lost productivity. You wouldn’t “purchase” a new car this way; why take this approach for your organization?

Rather than mixing old parts with new parts, you would save money, shop time, and operational (and emotional) complexity by simply trading in your old car for a new one.

Fewer organizations take this alternative approach of “tearing off the band-aid.” If the user experience is frictionless, more efficient, and enhances the ease of data protection, an organization’s highly motivated employee base will adapt much more easily.

Stayed tuned and stay updated

Stay tuned for more! In my next installments, I will cover the topics of process and technology, respectively, and their role in changing the security monolith. Technology on its own solves nothing. What good are building supplies and tools without a blueprint? Similarly, process is the orchestration of the effort, and is necessary to enhance an organization’s cybersecurity, privacy, compliance, and productivity.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the monolith—Part 2: Whose support do you need? appeared first on Microsoft Security Blog.

The security conversation has finally been elevated out of the shadows of the IT Department and has moved into the executive and board level spotlights. This has motivated the C-teams of organizations everywhere to start asking hard questions of their Chief Information Officers, Chief Compliance Officers, Privacy Officers, Risk Organizations, and Legal Counsels.

Cybersecurity professionals can either wait until these questions land at their feet, or they can take charge and build relationships with executives and the business side of the organization.

Taking charge of the issue

Professionals fortunate enough to have direct access to the Board of Directors of their organization can also build extremely valuable relationships at the board level as well. As cybersecurity professionals establish lines of communication throughout organizational leadership, they must keep in mind that these leaders, although experts in their respective areas, are not technologists.

The challenge that cybersecurity professionals face is being able to get the non-technical people on board with the culture of change in regards to security. These kinds of changes in culture and thinking can help facilitate the innovation that is needed to decrease the risk of compromise, reputation damage, sanctions against the organization, and potential stock devaluation. So how can one deliver this message of Fear, Uncertainty, and Doubt (FUD) without losing the executive leaders in the technical details or dramatization of the current situation?

Start by addressing the business problem, not the technology.

The answer isn’t as daunting as you might think

The best way to start the conversation with business leaders is to begin by stating the principles of your approach to addressing the problem and the risks of not properly addressing it. It’s important to remember to present the principles and methods in a way that is understandable to non-technical persons.

This may sound challenging at first, but the following examples will give you a good starting point of how to accomplish this:

• At some point in time, there will be a data breach—Every day we’re up against tens of thousands of “militarized” state-sponsored threat actors who usually know more about organizations and technical infrastructure than we do. This is not a fight we’ll always win, even if we’re able to bring near unlimited resources to the table, which is often rare itself. In any scenario, we must accept some modicum of risk, and cybersecurity is no different. The approach for resolution should involve mitigating the likelihood and severity of a compromise situation when it ultimately does occur.
• Physical security and cybersecurity are linked—If you have access to physical hardware, there are a myriad of ways to pull data directly from your enterprise network and send it to a dark web repository or other malicious data repository for later decryption and analysis. If you have possession of a laptop or mobile device, and storage encryption hasn’t been implemented, an attacker can forensically image the device fairly easily and make an exact replica to analyze later. By using these or similar examples, you can clearly state that physical security even equals cybersecurity in many cases.
• You can’t always put a dollar amount on digital trust—Collateral damage in the aftermath of a cyberattack go well beyond dollars and paying attention to cybersecurity and privacy threats demonstrate digital trust to clients, customers, employees, suppliers, vendors, and the general public. Digital trust underpins every digital interaction by measuring and quantifying the expectation that an entity is who or what it claims to be and that it will behave in an expected manner. This can set an organization apart from its competitors.
• Everything can’t be protected equally; likewise, everything doesn’t have the same business value—Where are the crown jewels and what systems’ failure would create a critical impact on the organizations business? Once identified, the organization has a lot less to worry about and protect. Additionally, one of the core principles should be, “When in doubt, throw it out.” Keeping data longer than it needs to be kept increases the attack surface area and creates liability for the firm to produce large amounts of data during requests for legal discovery. The Data Retention Policy needs to reflect this. Data Retention Policies need to be created with input from the business and General Counsel.
• Identity is the new perimeter—Additional perimeter-based security appliances will not decrease the chance of compromise. Once identity is compromised, perimeter controls become useless. Operate as if the organization’s network has already been compromised as mentioned in principle #1. Focus the investment on modern authentication, Zero Trust, conditional access, and abnormal user and information behavior detection. Questions to ask now include, what’s happening to users, company data, and devices both inside and outside the firewall. Think about data handling—who has access to what and why and is it within normal business activity parameters?

The culture of change in the organization

If leadership is not on board with the people, process, and technology changes required to fulfill a modern approach to cybersecurity and data protection, any effort put into such a program is a waste of time and money.

You can tell immediately if you’ve done the appropriate amount of marketing to bring cybersecurity and data protection to the forefront of business leaders’ agendas. If the funding and the support for the mission is unavailable, one must ask oneself if the patient, in this case the organization, truly wants to get better.

If, during a company meeting, a CEO declares that “data protection is everyone’s responsibility, including mine,” everyone will recognize the importance of the initiative to the company’s success. Hearing this from the CISO or below does not have the same gravitas.

The most successful programs I’ve seen are those who have been sponsored at the highest levels of the organization and tied to performance. For more information on presenting to the board of directors, watch our CISO Spotlight Episode with Bret Arsenault, Microsoft CISO.

Stayed tuned and stay updated

Stay tuned for “Changing the monolith—Part 2” where I address who you should recruit as you build alliances across the organization, how to build support through business conversations, and what’s next in driving organizational change. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the monolith—Part 1: Building alliances for a secure culture appeared first on Microsoft Security Blog.