Shifting our cyber defences beyond the castle walls
Working on cybersecurity is a lesson in human ingenuity. When you look at attackers, you see how creative people can be – even if their skills are being misapplied. When you think of it defensively, it’s all about understanding a problem’s complexity. What seems simple to resolve on a small scale takes on another dimension when you need to do it globally, across multiple platforms, or in different locations. That’s when things really start to get interesting.
I studied engineering, dabbling in computer science on the side. It was a hobby I loved, but I was prepared to get a job in another field: I didn’t think anyone would pay me to work on something so interesting and fun! Fortunately, Microsoft thought otherwise. I joined the company as a graduate and two decades later, I’m still here. I stumbled into cybersecurity around 2000, but I wasn’t very excited about it; I thought it was going to be quite boring. I couldn’t have been more wrong.
The first major incident I remember came in 2001, when Microsoft users were compromised by the Nimda worm attack. This incident, which affected up to hundreds of thousands of machines worldwide, changed everything for us. Suddenly, security became a priority for everything Microsoft was doing and it has remained so ever since.
This was a significant shift for our customers too. Today, the need to regularly evaluate and adapt your security approach is widely understood, because once you’re connected to the Internet, you’re no longer in control of the threats nor the pace at which they evolve. But this wasn’t fully understood twenty years ago. Now we’re seeing another shift: the adoption of a zero-trust approach to security, where no person or device is automatically trusted. Both must be verified first.
This is necessary because the cyber-landscape has changed dramatically in recent years. Once upon a time, organizations were like castles: inside, you had your own networks, your own servers and your own workstations, and the outside world was kept at bay by strong virtual walls. The approach to security was to treat anything inside the walls as trustworthy, and treat anything outside as suspicious.
But the reality is that we aren’t living in metaphorical castles anymore. Instead we live in open cities. Users are mobile and they take company data on laptops, tablets and smartphones with them wherever they go. They don’t have to be in their organization’s premises to access and share company data. The strong castle walls no longer exist.
This new reality means that isn’t enough to just set a physical perimeter and assume that anyone inside has the right to be there.
This means not only verifying a user’s identity via password, for instance, but also controlling where and when they are logging in from. Are they attempting to access the network from an unusual location or at an unusual time? Are they using the same device as usual? And have they confirmed their identity using multi-factor authentication?
Asking these questions allows us to defend a new perimeter – the identity perimeter – and help individuals remain productive without compromising data security.
As Chief Security Advisor to some of Microsoft’s largest customers in France, Belgium, Italy, the Middle East and Africa, I encourage organizations to think about security from this perspective of enhancing productivity.
This means engaging with two types of Chief Information Security Officers (CISOs): the business-oriented kind, who have the ability to drive change across their organization, and the technical kind, who tend to be more knowledgeable about specific threats and mitigation efforts. Although I have different conversations with each, the goal remains the same: to make sure that the security team is an enabler for the business.
One of the most satisfying parts of my job is seeing the outcome of these conversations, when a customer implements security best practices we’ve discussed in order to transform how their business operates. Another aspect I enjoy is the constant learning.
Absolute security doesn’t exist. No matter how brilliantly you think you’ve done, there’s always a possibility that things will decline.
The trick is to focus on the learnings. As cybersecurity defenders, we all need to share our experiences, even the negative ones, because they happen to everyone. There’s no one out there doing cybersecurity perfectly every time, all of the time. I believe in being open and honest when things don’t go well, and not pretending things are better than they are. That’s how we encourage trust, innovation and problem-solving in cybersecurity.