CISOs Should Simplify and Clarify Their Security Plans
Because security plans and procedures need to be used properly by all employees, it’s important to break down security using language that everyone in the organization can understand, Arsenault said.
“Security is a complex topic, whether you’re talking about operations or development or configuration management,” he said. “It’s super easy to get caught up in the complexity of it.”
To counter such complexity, he mapped out on a single page all of his department’s initiatives. Some he referred to as “factory services”: programs that are always running and things the company is always doing. Others are “epics” — essentially, programs in a pilot phase. At the end of their trials, they’d either become new factory services, be merged into existing factory services, or be killed off if they didn’t work as expected.
To demonstrate how useful the tool was, Arsenault asked for anyone in the crowd who had a similar one-sheeter to raise their hand; no one did. He then asked them who would like one, and every hand shot up.
CISOs Should Lead With Vision
To achieve solutions that everyone in the organization can adhere to, Arsenault said that a CISO must often rethink established security norms.
Rethinking the current landscape is what led him to push for the elimination of passwords. Instead of having employees create and remember complex passwords, which they were required to change after a set period, Microsoft is now shifting to biometric sign-in at work. This not only improves the user experience but also takes a load of work off the IT department, which no longer needs to support those passwords.
The company also uses artificial intelligence and machine learning to analyze what’s working and how it can improve. For example, when the company changes a security policy, it also monitors employee sentiment. This tells the team what employees are saying about the change, allowing Arsenault and his team to fix any issues.
“I like to think of security as being the airbags of the industry,” Arsenault said. “They should always be protecting you, but never in the way.”
It’s all part of what he calls “digital empathy.” It’s about making sure the privacy principles are clear, being honest about where the company is when it comes to security, and being hopeful for the future, he said: “Make sure the user understands the value of what you’re doing.”
Find more of BizTech's coverage of Microsoft Ignite 2019 here.