
Securing your critical business assets


February 17, 2023
Microsoft Australia

How to identify where to direct your security investments for greatest business impact 

An interview between Sarah Carney (SC), CTO-Enterprise and Hilary Walton (HW), Senior Account Technology Strategist. 

Sarah Carney is the Chief Technology Officer for the Enterprise team at Microsoft Australia and New Zealand. In this capacity she spends time with corporate customers and their executive teams, sharing global technology innovations and listening to the challenges they are facing as they build their businesses.  
Hilary Walton is an expert on organisational security approaches, having worked for global intelligence organisations, governments and corporate entities. She is the author of the book “Security Culture”, the host of the popular podcast Digital Culture and, prior to joining Microsoft, she was the CISO for Kordia.  


SC: You and I have been talking a lot about security recently, so I wanted to make sure we captured and shared some of your insights and experiences around security best practice.  

Question 1: Given how long you have been working in the industry, what has changed for you in how you have had to think about security over the years? 

HW: For me the big shift has been from building and protecting the perimeter to understanding and managing hybrid environments. I don’t think there are many organisations left that are 100 percent on premises and that means everyone needs a better understanding of how to manage security in a cloud context. Zero Trust has almost become an industry standard in this respect. It was easy when you could build a wall around everything and defend it, but we know that the favourite form of attack for hackers comes from targeting people and resources behind the wall. I often talk about building a security culture as there is almost no better defence than educating your people. 

SC: One big area of focus for me recently has been enabling Boards to help them make better decisions when it comes to security. It can often be hard for Board members who don’t have to live and breathe this every day to really understand what is happening in a space like security that can change so quickly. I’ve also recently seen a reluctance in executive leadership to sometimes implement new security measures as there is a sense that it will impact employee productivity. I have heard everything from multi-factor authentication being too onerous, through to verification for onboarding taking too long from a business perspective.  

Question 2: What guidance would you give to Boards to help them make better security decisions? 

HW: Don’t be afraid to lean in and ask the tough questions. If something doesn’t feel right, ask about it. Security for an organisation is really a choice around the risk they are willing to carry, versus the steps they might take to mitigate it. It can be hard to know the right questions to ask and security can often feel a bit like a dark art. As a Board member or Executive of an organisation you want to know that you have done everything possible to make sure you aren’t the next newspaper headline. You don’t need to know the detail around configurations for example, but you do want to make sure you have a feel for your organisation’s approach to security. Do you understand where you sit in terms of security maturity? Do you know where your security investment is going, what it covers and where your exposure might be? Those aren’t small questions, and they may be challenging for an organisation to answer, but they are the important ones. 

SC: I like the advice around asking the tough questions and pushing for answers, but from my experience, it can be hard for executives to know where to start when it comes to reviewing an organisation’s current security products and understanding where to make investments.  

Question 3: What advice do you have on how to understand your organisation’s risk profile and where to invest or upgrade? 

HW: One of the approaches I have used is creating a critical asset assessment for the business. We know that business assets, whether they are applications, software or hardware, are almost never centrally owned and managed. Business units have their own assets and for security teams it can be challenging to keep across everything the business has, and understand where there might be shadow IT creeping in. Creating a critical asset register is a way for organisations to go through everything, understand where it sits, how important it is to the business and who the owner of that asset is. This activity requires a lot of stakeholders to buy in and be involved but can become an asset itself. Knowing what you have and where it is can be half the battle. Once you have a picture of the assets, their criticality and how they are currently being managed, you can look at where you put your security investments. What I have found is that when you do this, it quickly becomes apparent where there are gaps in terms of security coverage. The other thing this shows, which is perhaps even more important in the current climate, is whether your existing security investments are in the right place. I have seen a lot of organisations who go through this process realise that their critical business assets, the ones they can’t afford to have any downtime on, end up being the ones with little to no security coverage or investment. In an environment where every dollar counts and trade-offs might be needed, getting to grips with a deep understanding of critical business assets is essential. 
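As an added illustration of the critical asset assessment described in the answer above (example code written for this page, not from the interview, Hilary Walton or Microsoft), the script below puts criticality, ownership and existing controls side by side for each asset and ranks where the coverage gaps are. The per-tier control baseline (`REQUIRED_CONTROLS`), the asset names, business units, owners and control names are all constructed assumptions; the point is the mechanics: a critical asset with few controls should surface at the top, an unowned asset is a shadow-IT signal, and a low-criticality asset carrying a full control set next to an exposed critical one is the "investment in the wrong place" pattern.

```python
"""Critical asset register with coverage-gap scoring (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed baseline policy (not a standard): the controls an asset should have
# at each criticality level, 1 = nice to have, 5 = business stops without it.
REQUIRED_CONTROLS: Dict[int, Set[str]] = {
    1: {"inventory"},
    2: {"inventory", "patching"},
    3: {"inventory", "patching", "mfa"},
    4: {"inventory", "patching", "mfa", "backup", "monitoring"},
    5: {"inventory", "patching", "mfa", "backup", "monitoring", "dr_tested"},
}


@dataclass
class Asset:
    name: str
    business_unit: str
    criticality: int                 # 1..5
    owner: Optional[str]             # None = nobody has claimed it (shadow IT signal)
    controls: Set[str] = field(default_factory=set)

    def missing_controls(self) -> Set[str]:
        """Controls the baseline expects at this criticality but are absent."""
        return REQUIRED_CONTROLS[self.criticality] - self.controls

    def excess_controls(self) -> Set[str]:
        """Controls present beyond what the baseline asks for at this tier."""
        return self.controls - REQUIRED_CONTROLS[self.criticality]

    def coverage(self) -> float:
        """Fraction of required controls in place, 0.0 .. 1.0."""
        required = REQUIRED_CONTROLS[self.criticality]
        return 1.0 - len(self.missing_controls()) / len(required)

    def gap_score(self) -> float:
        """Uncovered fraction weighted by criticality, so a critical asset with
        no monitoring outranks a low-value asset with the same gap."""
        return self.criticality * (1.0 - self.coverage())


def prioritise(register: List[Asset]) -> List[Asset]:
    """Assets ordered by where the next security dollar matters most."""
    return sorted(register, key=lambda a: a.gap_score(), reverse=True)


def unowned(register: List[Asset]) -> List[str]:
    """Assets nobody has claimed: the first place to look for shadow IT."""
    return [a.name for a in register if a.owner is None]


def misplaced_investment(register: List[Asset]) -> Dict[str, List[str]]:
    """Low-criticality assets carrying controls beyond their tier, beside
    high-criticality assets that still have gaps (ordered by gap score)."""
    over = [a.name for a in register if a.criticality <= 2 and a.excess_controls()]
    under = [a.name for a in prioritise(register)
             if a.criticality >= 4 and a.missing_controls()]
    return {"over_invested": over, "under_covered": under}


def report(register: List[Asset]) -> List[str]:
    """Human-readable lines for the board pack; returned so callers can test it."""
    lines = []
    for a in prioritise(register):
        owner = a.owner or "UNOWNED"
        lines.append(f"{a.name:<16} crit={a.criticality} owner={owner:<22} "
                     f"coverage={a.coverage():.0%} gap={a.gap_score():.2f} "
                     f"missing={sorted(a.missing_controls())}")
    return lines


# Constructed sample register: every name, owner and control set is made up.
SAMPLE_REGISTER: List[Asset] = [
    Asset("payments-api", "Finance", 5, "cfo@example.test",
          {"inventory", "patching", "mfa"}),
    Asset("hr-portal", "People", 3, "hr-lead@example.test",
          {"inventory", "patching", "mfa"}),
    Asset("marketing-site", "Marketing", 2, "cmo@example.test",
          {"inventory", "patching", "mfa", "backup", "monitoring", "dr_tested"}),
    Asset("warehouse-scada", "Operations", 5, None,
          {"inventory"}),
    Asset("dev-wiki", "Engineering", 1, "eng-lead@example.test", set()),
]


if __name__ == "__main__":
    for line in report(SAMPLE_REGISTER):
        print(line)
    print("unowned:", unowned(SAMPLE_REGISTER))
    print("misplaced investment:", misplaced_investment(SAMPLE_REGISTER))
```

Run as-is, the unowned SCADA asset with a single control tops the list, the payments API follows at 50% coverage, and the marketing site is flagged as over-invested relative to its tier. The weighting is deliberately simple; in practice the baseline per tier is the output of the stakeholder exercise the answer describes, and the register only pays off if the owner column is kept current.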

SC: My greatest realisation when it came to learning about security is that it is a never-ending story. I think people often feel there is a destination they are aiming for when they embark on a security program, but I have learnt that it is an ever-changing spectrum. Security projects are critical for a business to embark on, but there isn’t an endpoint when it comes to security (excuse the pun). You might move along the maturity scale, but then something changes, new threats appear, or new products are developed and approaches to cyber defence come to light. 

Question 4: As a CISO, how did you keep up with the constant changes and threats to your business? What advice do you have for Executives when working out what is important and what is just noise?  

HW: It helps to view security as a journey, not a destination. There are so many products out there and so many different approaches to how you manage your security, that it can be hard to work out what is true and what is hype. Because cyber criminals are always changing their methods, I’m a fan of coming back to the security triangle – how does what I am hearing address or support confidentiality, integrity or availability for my organisation? I go to a set of resources that I rely on, which include podcasts, newsletters and conferences. I look for people who have a strong reputation and track record in the space. On top of that, I like to hear about what is new or what people might be thinking about when it comes to changing approaches to security. I have some news alerts set up, so I see content aligned to my security interests, but I wouldn’t ever rely on a single article I might read. A bit like the Zero Trust approach, I like to verify explicitly when it comes to my security reading! If something interests me, I will seek out additional resources and opinions to help me determine the validity of what I am reading. From my experience, security professionals don’t automatically believe what they see or read until it has been validated from multiple sources; that’s what makes them so good at what they do. A little bit of that security mindset will set all executives up for greater success when it comes to understanding their real business risk. 



This post was written by Microsoft Australia