People are at the core of cybersecurity. When you hear about millions of records being exposed in a data breach, or thousands of daily phishing attacks, it’s easy to forget that these numbers represent real people who have been affected, potentially in a very serious and traumatic way.
Putting people first helps with another key factor in defining a successful cybersecurity strategy: seeing the bigger picture. If your organization is targeted by a cyber-attack, you can’t only look at the technical response; you have to consider the wider crisis management response too. That means thinking about what you’re telling stakeholders, protecting your reputation, and ensuring business continuity.
My career started with Millennium Bug preparedness over twenty years ago and since then I’ve worked in a range of different organizations and roles, but the one constant has been my interest in resilience. Fostering business resilience in a cybersecurity context is about asking “What if…?” and “So what…?” You have to figure out what parts of a business are really critical and why, before you can implement plans to protect them. Then you work backwards to understand the technologies, the services, and the users at stake, how they’re all connected, and what the impact may be if they are compromised.
The importance of taking a ‘big picture’ approach to cybersecurity has been reinforced during the ongoing COVID-19 pandemic. Many organizations have been forced to transform their ways of working almost overnight, be it moving to the cloud much faster than anticipated or suddenly having to allow employees to use their own devices from home. We can’t overlook cybersecurity in this context.
Cybercriminals are inherently opportunistic and the current crisis has been ripe for the picking. We know that they’ve pivoted their phishing attempts, for instance, to play on people’s fears and emotions, while also deliberately targeting healthcare organizations on the frontline. People are being fooled and duped under incredibly stressful circumstances – and it’s not their fault. The days of being able to easily identify a phishing email are over; they are increasingly sophisticated and hard to distinguish from the real thing.
So instead of blaming users when they fall foul to a scam, we need to be doing everything possible to protect them. That’s what human-centric security is all about: designing, building, and operating IT systems in a way that keeps the users in mind through the entire life cycle.
Looking at cybersecurity from a cross-cutting perspective can be daunting for some organizations, especially if they’ve traditionally thought of security as sitting solely with the IT department. But the rapid pace of technological change and the fact that digital tools are increasingly interwoven into every aspect of a business make this approach essential.
I only joined Microsoft a few months ago, but something I noticed immediately was how passionate, tight-knit and collaborative the cyber community here is. And this I think is essential. Since security is an enabler for every aspect of a business, we have to widen our definition of what it means to work in cybersecurity and collaborate across diverse skillsets and areas of expertise. There’s so much we can learn from looking across different sectors and areas to understand what works well and what we can do better. The possibilities are endless, because in the end, everything is connected.