Four basic actions will go a long way toward improving any organization’s security posture, a Microsoft Canada official has told security and privacy officers.
Making sure systems are running the latest software, have been patched, have anti-virus software turned on and have security-aware employees doesn’t cost much, John Weigelt, the vendor’s national technology officer, told a Canadian Institute privacy law and compliance conference in Toronto last week.
But, he added, the four steps will go far to meet many threats, allowing CISOs and CPOs to focus most spending on hard-to-stop attacks.
“Often the security expert comes in and says we need this new widget or new service or this new control,” he said. “Are you really getting that reduction in probability of exploit?”
“Your best bang for your buck is education awareness,” he added. The simplest way is putting posters on walls with the headline ‘Resist the temptation to click.’
And you may have to get tough. Every Microsoft software engineer has to pass mandatory security training every year, he said. “If you don’t pass you don’t get to do any coding.” Similarly, sales staff have mandatory training on Microsoft’s privacy policy.
At the same time, Weigelt also complained organizations he sees still aren’t earmarking enough money for privacy and security. But, he said, both have to be built into a firm’s business plan — for example, he said, not keeping sensitive data longer than necessary is a good security policy, but there has to be money to pay for data minimization.
In an interview Weigelt said it’s not that Canadian organizations don’t see security and privacy as a “top topic.”
But “they need to make sure it’s there in the budget process … It’s a matter of understanding where are those things that need to be done, where can they get the biggest impact. One of the things that always strikes me is there are things that are very straightforward that organizations can do to have a meaningful difference” — like patching and awareness training.
“Canada is a country of small and medium enterprises. In many cases we find that sole proprietors are following their passion for their business and IT support supports their business, but that’s not where their first focus is. And I’ve always had a premise that we need to make it very, very simple for small businesses to understand what needs to be done, or how they can improve their environment. So how to be more plain language about things.”
There are three things to consider when implementing data governance and security, he told the conference: First, it’s a continual process. “We can’t stay still — not as privacy professionals, not as security professionals, not as business professionals.” Second, there must be buy-in from the board and C-suite. And third, security and privacy professionals have to find ways not to say ‘no’ to the business side, but ‘yes, if you do it this way.’
Security controls are like brakes on a car, he said — they help the business go faster in a structured way. “As we look at security and privacy let’s look at how we can catalyze the business. These controls help them do more, go faster.”