Michael Montoya, Chief Cybersecurity Officer, Microsoft Asia
We all have “a-ha” moments when that lightbulb above our heads is just too bright to ignore. One came to me when I was in a previous IT operations role. It happened on a day when I had two meetings: first with an endpoint agent team and another with a security operations team.
The endpoint team gave me detailed guidance on the possible performance degradation and alerts we could expect from another agent we were placing on user devices in the pursuit of greater security. Later, the security operations team asked for more resources to address an increasing number of incoming alerts caused by our large security footprint.
The irony raised by these back-to-back meetings struck me, and so I asked myself: “How many security tools do we have to protect our environment?”
Finding the answer was not as simple as I had hoped. But when I was eventually told the approximate number, it was clear to me that we had a problem – and I was part of that problem. People like me have been in the industry long enough to have dealt with server sprawl and application sprawl. Now, we were witnessing security sprawl.
It seems very logical in this world of rapid digital transformation – where businesses and organizations face constant and evolving digital threats – to deploy as many defenses as possible to ward off cyberattacks. The more barriers in place, the more protected you are, right?
Well, I don’t believe I am alone when I say that it is a logical fallacy to think that having more security tools means better security. In fact, they could have the opposite effect, according to new research by IT analyst firm, Frost & Sullivan.
“Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World” surveyed 1,300 respondents from 13 countries. This Microsoft-commissioned study drilled down into how organizations in our region view, approach, and practice cybersecurity.
One facet of the Study examined the experiences of organizations with different levels of security in place. What it found might, at first glance, seem counter-intuitive: Those that had gone to a lot of expense and trouble to put a wide array of security measures in place often encountered more security incidents than those with fewer defenses.
Moreover, they often took longer to recover from attacks. Of the surveyed organizations set up with more than 50 cybersecurity solutions, only 23% said they had been able to bounce back within an hour of a breach. For the organizations with less than 10 cybersecurity solutions, the figure was 40%.
The truth of the matter is simple: The number of security solutions you have won’t necessarily guarantee the safety of your data or protect your business reputation. The reasons can vary, but often over-complicated layers of complexity can make cybersecurity issues too hard for some companies to handle effectively.
Organizations with a multitude of deployed security solutions can find it difficult and expensive to have full visibility across all environments. And, that leads to ineffective detection and response. It can also result in a “passive defense posture” where complexity replaces agility and effectiveness. In an ocean of alerts, which can easily overwhelm us, we risk not taking fundamental security measures – such as basic cyber resilience among employees, patch updates, poor password management, and movement of files to insecure thumbdrives.
These are just a few of the things that can open the door to threats, including the four this Study identified as being high-impact in Asia Pacific:
- fraudulent wire transfers;
- data corruption;
- online brand impersonation, which is when a cyber fraudster creates a bogus webpage or a social media account, either to harm your brand or simply to gain the confidence of your trusting customers;
- and data exfiltration, whereby cybercriminals use various malicious ways to copy, transfer, or retrieve data from computers or servers
Most of the Study’s respondents knew about the dangers out there and regarded them as real threats – with 59% saying cybercrime threats had hindered them on their digital transformation journeys. But it is problematic to learn what many were doing, or not doing, to manage the risks and why.
Firstly, let’s look at the reasons why the organizations surveyed thought it was a good idea to have a cybersecurity strategy in place. Only 20% regarded cybersecurity as a powerful enabler of digital transformation and the key to future business growth and success. In contrast, 41% simply cited traditional and tactical reasons, like protection from attacks and differentiating themselves from their competitors.
Most also said that when it came to creating new projects, security issues were usually considered after – not before – launch.
In this regard, the Study supports an uncomfortable notion that many of us know to be true: Many business decision-makers in our region still cling to outmoded ways of managing risks, and this is leaving them ill-informed and unprepared for mounting cybersecurity challenges that can ultimately erode their growth prospects.
Digital transformation has made the need for safe and trusted technology a front-and-center factor for business success. But too many organizations still regard security as an add-on, or even an afterthought. Some businesses resist the need to tackle security issues – even as cybercriminals become more sophisticated and as traditional IT boundaries disappear with new devices, apps, and data entering the workplace.
To succeed and thrive as digital enterprises in the years to come, organizations must make security part of the natural flow of their business processes and cycles. And, to ensure security, privacy, and compliance, the protection of company data requires a new approach.
That is why Microsoft has a platform that looks holistically across all the critical end-points of today’s cloud and mobile world. It acts on the intelligence that comes from our security-related global threat monitoring and insights. And, we have a vibrant ecosystem of partners who help us raise the bar across the industry – helping to securely enable our customers’ digital transformations.
Finally, there is the need for cultural change. The boards of too many companies still pick up most of their information about what is happening in cyber from what they read in the media. That’s just not detailed enough to inform them of their specific risks and the mitigation strategies they should be supporting. Increasing the dialogue on this topic amongst board members and IT executives is critical for businesses to thrive in the era of digital transformation and the inevitable consequences of cyberattacks.
The value proposition of cyber defense is changing. Traditionally, it has been regarded as a cost. Now it should be seen as an asset, simply because customers are demanding a level of security and trust. The more companies digitize, and the more an economy becomes digitally led, the more cybersecurity becomes a business enabler.
As security professionals, our jobs continue to get more complicated and vital to our company’s survival. Use this study as a reminder to ask you yourself two questions: How many security tools do I have to protect my company? And, what role should security play in my company’s digital transformation?
As Microsoft CEO Satya Nadella so eloquently states: “right now Microsoft is probably on the right side of history”. Well, I believe we security and IT professionals are also on the right side of history.