Microsoft Ignite 2019: How CISOs Should Simplify Security While Protecting Organizations

Microsoft CISO Bret Arsenault breaks down how he leads with vision to make the company more secure.

Is it better to have a few people understand the entirety of security, or have everyone understand a small portion of it?

That’s the question Microsoft CISO Bret Arsenault’s wife posed to him one day when he was struggling to simplify complex security issues and solutions for the company.

“She said, ‘Do you want 10 percent of the people to understand 100 percent of your job, or do you want 100 percent of the people to understand 10 percent of your job?’ and she was right,” Arsenault said at a session at Microsoft Ignite about the role of the CISO. “It’s better to have 100 percent of the people understand the most critical 10 percent of the things we have to go get done.” 

Arsenault said that at the end of the day, it’s his job to make sure that everyone — not just security employees — cares about security. The success of a company’s protection plan depends on it.

Three Main Factors in Protecting Information

Arsenault said that protecting information depends on three major factors: identity management, data and telemetry, and device health. Employees are involved in all three.

Whether the CISO reports to the CEO, or the two operate as peers, doesn’t really matter. “At the end of the day,” Arsenault said, “the user is in charge.”

So when he became CISO 10 years ago, Arsenault invested heavily in data and telemetry to collect information on user habits to help build security solutions that would also work with user experience. It’s led to several changes, including a movement toward eliminating passwords, which the company is in the process of doing right now.

To ensure that devices are healthy, Microsoft also changed the way employees can use outside devices to access the network and made them managed devices — crucial for protecting against threats while operating in a world that’s growing more connected by the minute, Arsenault said. He cited a growing number of recent attacks that were “supereffective in using [the Internet of Things] and then pivoting from IoT to something else.”

CISOs Should Simplify and Clarify Their Security Plans

Because security plans and procedures need to be used properly by all employees, it’s important to break down security using language that everyone in the organization can understand, Arsenault said. 

“Security is a complex topic, whether you’re talking about operations or development or configuration management,” he said. “It’s supereasy to get caught up in the complexity of it.”

To counter such complexity, he mapped out on a single page all of his department’s initiatives. Some he referred to as “factory services.” These are programs that are always running and things the company is always doing. Others are “epics” — essentially, programs in pilot phase. At the end of their trials, they’d either become new factory services; be merged into existing factory services; or be killed off, if they didn’t work as expected.

To demonstrate how useful the tool was, Arsenault asked for anyone in the crowd who had a similar one-sheeter to raise their hand; no one did. He then asked them who would like one, and every hand shot up.


CISOs Should Lead With Vision

To achieve solutions that everyone in the organization can adhere to, Arsenault said that a CISO must often rethink the security norms.

Rethinking the current landscape is what led him to push for the elimination of passwords. Instead of having employees create and remember complex logins, which they were mandated to change after a certain amount of time, Microsoft is now shifting to using biometrics to log in at work. This not only enhances the user experience, but also takes a load of work off of the IT department, which no longer needs to service those passwords.

The company also uses artificial intelligence and machine learning to analyze what’s working and how it can improve. For example, when the company changes a security policy, they also do sentiment monitoring. This tells them what employees are saying about the change, allowing Arsenault and his team to fix any issues.

“I like to think of security as being the airbags of the industry,” Arsenault said. “They should always be protecting you, but never in the way.” 

It’s all part of what he calls “digital empathy.” It’s about making sure the privacy principles are clear, being honest about where the company is when it comes to security, and being hopeful for the future, he said: “Make sure the user understands the value of what you’re doing.” 


Keara Dowd/BizTech Magazine
Nov 05 2019
