Security Unlocked 7.28.21
Ep 38 | 7.28.21

Talking Security With Non-Security Professionals


Nick Fillingham: Hello, and welcome to Security Unlocked, a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft's Security, Engineering, and Operations teams. I'm Nick Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research, and data science.

Nick Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft Security.

Natalia Godyla: And now, let's unlock the pod. Hello, everyone. Welcome to another episode of Security Unlocked. Today we have Sarah Armstrong-Smith on the episode, who is a Chief Security Advisor at Microsoft, and technically she's coming to join us to talk about her four-part blog series, Becoming Resilient by Understanding Cybersecurity Risks, but the conversation is just so much bigger than that title indicates. Typically, we have conversations on this podcast to discuss technical concepts in security and the technologies that support the security industry, but today we- we're going to deviate a bit and discuss how to talk about security to non-security persons.

Nick Fillingham: Right, so if you're a listener of this podcast, chances are you are a security professional, that's your job. You're in information security, you're in cybersecurity, and from time to time you're gonna have to talk to folks that don't understand your world, don't understand your role, don't understand the- the threat landscape. But, you know, one of the great things that Sarah's gonna cover in this, uh, in this episode today is some really helpful tips and guidance on how to connect with folks that don't understand this space, and how to have a conversation that is- that is impactful. It's not a technical conversation, but it's a very, very valuable one and I think, uh, listeners will really enjoy it.

Nick Fillingham: But before we jump into today's conversation with Sarah, a quick plug for, uh, episode six of Security Unlocked: CISO Series with Bret Arsenault. This is the, uh, final episode of this first season. It's a cracker. It's Bret interviewing Roland Cloutier, who is the CISO for TikTok. These two gentlemen go way back, so they have a fantastic chemistry and a fantastic conversation about security. We'd love you to listen to that after this, but we'd also love to get your feedback. This is the end of the first season for CISO Series with Bret Arsenault, and we would love to know what you liked, maybe guests you'd like to hear from. Natalia, how can folks get in contact with us?

Natalia Godyla: You can find the series at But as Nick said, if you do have feedback, feel free to email us, Tweet us. You can send a note to us at, or you can DM us or mention us on the Twitters @microsoftsecurity.

Nick Fillingham: On with the pod.

Natalia Godyla: On with the pod.

Nick Fillingham: Welcome to the Security Unlocked podcast. Sarah Armstrong-Smith, thanks for your time.

Sarah Armstrong-Smith: Thank you. Great to be here, Nick.

Nick Fillingham: Sarah, we are chatting you in the AM for- for Natalia and I, which is very unusual. We normally don't get out of bed this early.

Sarah Armstrong-Smith: (laughs).

Nick Fillingham: But you're dialing in from London, is that right?

Sarah Armstrong-Smith: Just, well, the UK. I think everyone just thinks the UK equals London, but... (laughs).

Nick Fillingham: Where- where are you in the UK?

Sarah Armstrong-Smith: I live in a little village called Wilt- in Wiltshire, which is 100 miles or so away from London. I live in the country, it's great.

Nick Fillingham: So I'm, my last name is Fillingham, and there's a very small hamlet called Fillingham about 100 miles out of the UK. Ever been there, do you know about it? Is it famous? It's famous, right? Everyone knows about it.

Sarah Armstrong-Smith: No. Don't ask me-

Nick Fillingham: No.

Sarah Armstrong-Smith: ... if I've met the Queen either, because that's another q- very favorite question (laughing).

Nick Fillingham: Have you met anyone royal?

Sarah Armstrong-Smith: I don't think I have actually. No, I'm not important enough.

Nick Fillingham: Oh. All right, well, maybe we'll get to the list of famous important people that you have met later on.

Sarah Armstrong-Smith: (laughs).

Nick Fillingham: But welcome to the podcast. I'm really excited for this conversation because we're gonna cover a topic that we probably should have covered long ago, and so it's great to have you on. We're gonna talk about how to have impactful security conversations with people that aren't security professionals. So, you know, business people, leaders inside your organization that either don't have much exposure to security, maybe find security a bit daunting. And Sarah, you're here because you, uh, co-authored a series of blog posts on the Microsoft Security blog, which, you know, go- goes back actually to sort of late 2020, so it's a really interesting evolving conversation.

Nick Fillingham: Before we jump into that, can we learn a little bit about you? Uh, what's your role here at Microsoft, what's your path to Microsoft? Tell us what you do day-to-day.

Sarah Armstrong-Smith: Yeah. Yeah, sure. Yeah, so I'm Chief Security Advisor. I actually joined Microsoft last April. I joined just as the UK went into lockdown, so I've actually spent my entire Microsoft career from my home office, which has been very interesting.

Sarah Armstrong-Smith: But my background actually, um, stems from business continuity over 20 years ago when I found myself working on the Millennium Bug or Year 2000 program, and from there it kind of pivoted from business continuity to disaster recovery. I spent 12 years in cybersecurity, um, into data protection and privacy, so I very much kind of say I'm from the business side of cybersecurity, as opposed to the deeply technical side. So it's really looking at it, as you sort of said, from the business lens really, and that's hence the blog series and why we wrote it.

Natalia Godyla: Great, and for- for our listeners out there, it is called Becoming Resilient by Understanding Cybersecurity Risks, and it- it's a four-part series on the Microsoft Security blog. So with that, let's start with a- a- a big, broad question. So what is risk, how is it framed in the cybersecurity conversation?

Sarah Armstrong-Smith: Yeah. As you sort of say risk, it's such a- such a broad term and can mean different things to different people, so let's try and narrow it down a little bit. As you say, we're talking about technology and cybersecurity, so let's focus in on operational risk in particular. And if we were to give it a definition, it's really any risk that could alter or disrupt regular working of an organization as a result of uncertain conditions or threat. So it's very, very topical.

Sarah Armstrong-Smith: When we're thinking about maybe IT failures or cyberattacks, that's a really good example of operational risk in particular, and hence that's the, kind of the starting point of the conversation. And really what we're talking about then, when you're thinking about risk and that kind of magnitude of risk, you can't really put that into perspective in terms of the impact and likelihood of the risk without looking at it through that business lens and through the business context. And that's really why it's so important that we look at it from a business perspective when we're kind of thinking about risk in this context.

Nick Fillingham: And when we say risk here, I mean, obviously this is the Security Unlocked podcast, we're talking about cybersecurity, information security, but risk is obviously much broader than that. Like if I'm, if my business is m- manufacturing and I have a complex supply chain, and I have, you know, an entire part of my supply chain that goes down for whatever reason and I can't get a critical part or a critical component, that's not r- that's not really information security or cybersecurity, or is it?

Sarah Armstrong-Smith: Well, it depends on the cause. So when we talk about cause and effect, so the effect of an- an incident or a cyberattack could be that you've had a disruption in your supply chain, your systems have gone down. It could be a myriad of different things. But what we're looking at is what caused that to happen, and it's really, it just kind of brings it to home just how interconnected we all are with regards to, you know, when we're talking about incidents and these type of threats, it's very rare that it only just happens and is isolated to your own organization. As you sort of said, there's normally a ripple effect into the supply chain, to customers and partners.

Sarah Armstrong-Smith: So when we're thinking about the threat and the magnitude of some of these things that we're talking about, we have to kind of think in a much broader, much more holistically. And that's kind of really the subject of what we're talking about, is really, when we're trying to understand risk and where to prioritize the effort in what we do about it, we have to think about it in those broad, a much, much broader scale that potentially what we're used to thinking about. So we can't just look at in isolation from a purely IT or purely cybersecurity perspective without kind of, like you say, understanding that big picture.

Sarah Armstrong-Smith: And that big picture point of view and perspective is really where I come from, and it's really probably, if I think backwards to my background in business continuity, I'm really used to thinking at that scale really. Uh, what's the worst case scenario? And I think from a cybersecurity perspective, you know, we- we can conjure up all sorts of scenarios (laughing), but some of those are really being lived right now, aren't they? With regards to some of the attacks and some of the things that we- we're seeing.

Natalia Godyla: So with how many departments that are being affected by risk, who owns it? Who should be driving the conversation of risk within an organization?

Sarah Armstrong-Smith: In a nutshell, everyone is responsible for risk in, if you think about what they do and how they do it. But there's a difference between who's responsible and who's accountable. So we kind of think about if- if you whittle it down just to its lowest level, and you kind of said, "Okay, so who owns, who accepts the risk?" In a major incident, it doesn't have to be a cybersecurity incident, it could be any incident, you know, it could be an accident, it could be all type of things. But it's really the accountable person, or department, if you like, is the one who really has to kind of stand in front of the camera and explain (laughing)- explain to the world what happened and why.

Sarah Armstrong-Smith: So sometimes you can say, you know, ultimate accountability may reside with the CEO, or the, the C-suite of the organization. But they can't l- manage all risk. It then has to kind of filter its way down. So when we're talking about cybersecurity risk, or IT risk, and the responsibility for that kind of sits there. But the overall accountability for that risk, and the ownership, and potentially who, who determines the priority, what comes next, where are we gonna invest, you know, our money, an- and where we're gonna get the best return on that investment, and how we manage that risk is very much at that business C-suite level.

Nick Fillingham: Is this word and this concept, risk, is that the sort of unifying taxonomy? Is that the unifying idea that allows you to have a, a, a conversation that crosses boundaries inside an organization? So, you know, we're gonna talk... That's, this, uh, the whole part of this conversation we're gonna have on this episode is, is how to have s- you know, impactful security discussions with folks that m- you know, either aren't in the security organization or, or maybe had no real exposure to it.

Nick Fillingham: Should we s- ha- lock onto this idea of risk as the sort of unifying concept? Is that, is that the glue? Or is that the bridge that's gonna allow different organizations and roles to talk to each other?

Sarah Armstrong-Smith: I think it's a really good point, Nick, because it's w- it's, as you say, it's that unification of the conversation, and puttin' it into a perspective and language that people can understand. I think when we think about cybersecurity in particular it's almost, like a, kind of a niche specialist area. We love our acronyms. (laughs).

Sarah Armstrong-Smith: It can also be quite daunting, it can be a, a very difficult area to understand, particularly when you're talking about the scope and scale of some of the cybersecurity threats. But I think if we talk about risk, and, uh, obviously risk means different things to different people. But if we were to talk to risk in the confines of the board or to the business, then we might kind of say the CIO will understand IT infrastructure risk. The CSO will understand cybersecurity risk.

Sarah Armstrong-Smith: But also not just cybersecurity, but the more general physical security and f- in- and information security as well, when we're talking about data protection. But then if we move further across that C suite, so we're talking to the CFO, then obviously they understand financial risk. So when we start puttin' it into context about what does this mean to them in different ways, because from a CFO's perspective, they might kind of be looking at it from a reputation and maybe, you know, w- what's the impact to the day-to-day business? It's gonna, is this gonna impact on profitability?

Sarah Armstrong-Smith: And I've only got a finite pot of money to spend. So when I'm thinking about where to prioritize my investment, my expenditure, it could be the tipping point from a CFO's perspective. Then if they can understand the magnitude of the risk and, and maybe why we need to m- put more investment to cybersecurity or some of the modernization of the IT infrastructure, for example, we can kind of try to say is, this is why we need to have different conversations and talk about risk in cybersecurity in different ways.

Sarah Armstrong-Smith: But even, again, from the COO, (laughs), perspective, again, lots of acronyms here, but the COO, the chief operating officer, they're really responsible for the ongoing operation of the business. So IT is just one part of that. Right, you talked about, uh, Nick, you know, you also have supply chain, you have procurement that are mixed into all of these different conversations as well. So you kind of have to look at it from a big picture perspective. Look at w- look at the business. What's going on? You know, what are the factors that are impacting them?

Sarah Armstrong-Smith: So you've got internal and external factors that are at play. And you kind of have to think about the economy, the sector that they're in, whether that's, you know, some of these risks are unique m- maybe to a particular country. But, I think, uh, in a really good example, it kind of brings a lot of this home, is the pandemic itself. And just kind of how companies are rethinking and reevaluating, to a certain extent, their business models, you know, they had to invest on keeping services up and running, and have those communications with their customers, partners, and employees.

Sarah Armstrong-Smith: But many companies are now kind of thinking, "What next?" Particularly from that transformation perspective. And that interplay with technology is so important. So it's not just a case of understanding the risk, but equally, you also have to understand the opportunity that comes with a lot of these things as well. I do think risk is, is a really great way of unifying the conversation, but puttin' into perspective, more importantly, that your audience is going to understand. And I think that's really what we're talkin' about here.

Natalia Godyla: With all of these different risk conversations becoming more interconnected around a, a single risk and resilience strategy, how can cybersecurity practically be involved in that strategy? How can the leaders start to think about embedding cybersecurity in the overall risk strategy of the business?

Sarah Armstrong-Smith: Well, I think when we're talking digital we're talking about, you know, how IT and digital transformation is so embedded into everything that we're doing. And so is cybersecurity. So when you think about this kind of digital disruption and customers are moving to the cloud, they're multicloud environments, and they're embracing, you know, huge amounts of cloud applications and services. But coupled with that, with, with people working remotely from lots of different devices.

Sarah Armstrong-Smith: And we're not just talking about the IT infrastructure anymore either. We're also talking about operational technology. If you think about manufacturing, and all of these different interplays. We got IoT, and industrial control systems, and there's that cybersecurity really interplays into everything. And I think maybe sometimes, uh, um, cybersecurity might be thought about as a cost center, as a necessary evil, (laughs), let's say.

Sarah Armstrong-Smith: But actually, if we do it right, and we do it in the right way, then cybersecurity can really be a massive differentiator. And we can also turn a lot of these things where we're talking about the negative side of risk. We can talk about how we utilize cybersecurity as a business enabler for that longevity and that, and w- and having those transformation discussions. Because if security's built in by design and by default, from the outset of any of these discussions... And sometimes these discussions are further a- afield, um, and they're already, already in flight.

Sarah Armstrong-Smith: But we sometimes find that some of the cybersecurity discussion is a bit of an afterthought, maybe it's a bolt on, and that's a retrofit. And that's the di- that's the, where there, some of the difficulties come from. Because if it's not thought about from the outset, we, we introduce more risk, (laughs), actually. Because we end up introducing more vulnerabilities, more points of attack, attack vectors, all of those type of things.

Sarah Armstrong-Smith: So it really just extrapolates the problem, and hence why, you know, the p- the conversation is today is actually, "How do we change the conversation? And how do we enable cybersecurity to be talked about on every one of these conversations that we're talking about, and not just an, from an IT perspective? But how can we have this conversation with marketing, let's say, or procurement?"

Nick Fillingham: Let's sort of maybe go back to basics. So I'm in the cybersecurity team, I'm in the information security team, the digital security team, I need to go have a conversation... Maybe it's even just lunch. I'm sittin' down with this person, and they're like, "Wh- What do you do? I don't get it. I don't understand your job. Tell me about cybersecurity." How do you recommend that security people start to introduce the concept of cybersecurity and sort of information security to folks in their organization, so same org- same company, same shared mission, but really don't have any idea sort of how that world works.

Sarah Armstrong-Smith: Well I, I think it's just puttin' it into perspective, like we sort of said. In terms of, what is it they do, what they're trying to do, what's their mission, and those type of things. So I think it's, it's, as much as we're trying to have a conversation about what w- we do, when we're trying to put it into a business perspective we und- we need to firstly understand what they do. (laughs).

Nick Fillingham: Mm-hmm (affirmative).

Sarah Armstrong-Smith: What are the key things that they need to be thinking about? So as you sort of said, Nick, what are they trying to do? Are they trying to break into new markets? Are they trying to get more exposure? Are they trying to increase their customer base? Are they trying to open up new ways of working? An- And all of these things combined. And I think if we can then understand the why from their perspective, the what and the why, we can then kind of introduce some of the security elements into that conversation.

Sarah Armstrong-Smith: And again, kind of echo it around risk. So if I'm thinking about new products and services, um, and some of these type of things, I wanna know, is this a completely brand new service? Or is it an evolution of a current service that we're trying to do? And what's the, kind of the output of this? And, and who are the users? Is this sort of consumers? I- Employees? What data are we utilizing? How do we connect to it?

Sarah Armstrong-Smith: So there's, there's a lot of kind of just open ended questions that give us a real good feel for what's going on and why, and what those outcomes are. We can kind of really then bring in, even some of the discussions around identity, and, and those kind of controls, and policies. Have you kind of thought about, you know, what would happen if that w- got into the wrong hands? And I know with marketing, in particular, and when they're thinking about new products and services... And, and we can even relate to this from a Microsoft perspective, you know, we wanna make sure we're defending, (laughs), that doesn't get into the public domain before we're ready.

Sarah Armstrong-Smith: If someone were able to get hold of this IPR, this new product, this n- really new cool thing that's being developed, and if that was to get into the hands of a competitor, or if that was to get into the public domain, or whatever the case may be, what's the impact of that? So then we can start backtracking and say, "Okay, so we really don't want this to get out until we're ready. So what kind of things can we do to kind of control who, who, on that need-to-know basis..." So maybe we might start to think about therefore. Do we need to have like special project names or code names? (laughs). So when we're thinking, when we're talking about this in an open environment, and it could be we're talking about in the- in the office or we're talking about it in Starbucks, or- or (laughing), you know, we're talking about on the train, who's listening to that conversation? And- and- and, you know, who- who can derive information from that really?

Sarah Armstrong-Smith: So, and as- as you sort of said, it just maybe just kind of sparks that conversation, and- and as you sort of said, at this point or moment in time, we haven't really gone down a rabbit hole too much specifically on cybersecurity threat.

Nick Fillingham: Right.

Sarah Armstrong-Smith: We're just learning, we're just asking questions, and I think that just enables us to really kind of then think about what comes next. So if we can define potentially what the problem is, what the challenges might be, and what you're trying to do, um, then we can kind of then frame some of those specific cybersecurity conversations and some of the threats that may be, as we just talked about, what are the key risks? What are the things that are really gonna keep them up at night? And therefore, maybe how to prioritize that conversation about what comes next.

Nick Fillingham: So I wanna make sure I- I sort of understood that. In this scenario, it was a sec- you know, a security person meeting with somebody in marketing, and maybe it's the first conversation, it's- it's- it's a kickoff, it's the, you know, they don't know each other or they haven't worked together, um, before.

Nick Fillingham: So instead of jumping into the security person trying to explain the full gamut of what is cybersecurity, how does cybersecurity sort of exist, what is this thing that I do as a cybersecurity person day to day, it sounds like what you're recommending the security person does is just ask lots of questions to really, truly, deeply understand the- the goals and- and- and motivations and, uh, sort of strategy of that marketing person. So before you even start to explain what is malware and what is phishing and why is your password not strong enough?

Sarah Armstrong-Smith: (laughs).

Nick Fillingham: You know, it's- it's really like, "No, first I- I really wanna understand your world. I wanna understand the things that you care about, I wanna understand about your, th- the life cycle of the things that you, uh, create and manage." And from there, you- you're looking for sort of signposts, or you're looking for things that you can anchor back to this idea of risk. Did I get that right? Is that sort of what you would be recommending folks do?

Sarah Armstrong-Smith: In, 100%, in a nutshell. Absolutely. And it might just be that we can just pinpoint a couple of things that they've talked about, and then bring in some of these, you know, potential threats, have you thought about this? You know, and- and how we can kind of work together.

Sarah Armstrong-Smith: Because if you just hit them with everything all at once, they're gonna be like rabbits in headlights really, and they'll probably (laughing)- they'll probably be more turned off than turned on. (laughs). And we want 'em to be turned on to cybersecurity, let's be honest.

Nick Fillingham: That's probably gonna be the, uh, episode title right there, we want you to be turned on-

Natalia Godyla: (laughs).

Nick Fillingham: ... to cybersecurity.

Sarah Armstrong-Smith: I know, we'll just be careful what people think they're tuning in for (laughing).

Natalia Godyla: Switching gears a bit, but in- in part two of this series, you walked through a really great example on human-operated ransomware to express how risk can happen in an organization, and walked through some of the practical ways in which you can protect against that risk. So w- would you mind sharing the human-operated ransomware example with us today?

Sarah Armstrong-Smith: Yeah, so I think it's worth just putting it into perspective. So, you know, we hear a lot in the news about ransomware, and- and really, from our perspective, why is this important and why now? So I think it's probably, let's just take a minute just so, just to explain the difference, I think, between what's human-operated ransomware and maybe commodity-based ransomware.

Sarah Armstrong-Smith: So if we were to roll the clock back maybe eight, 10 years ago, ransomware used to be very much focused on individuals, um, maybe, um, encrypting the hard drive, let's say. And maybe they'd be asked for a couple of hundred dollars to unencrypt their hard drive, but it was very much very random, um, a scatter gun approach. They didn't really care who was targeted, but it was very much targeted at people and individuals.

Sarah Armstrong-Smith: And over the kind of time, they kind of realized that actually if they wanted this to be more profitable, they have to target organizations, and that's really how things have evolved over that kind of timeframe. But when we bring it up to the current where we are now and what do we mean, so the- the ransomware itself has become much more targeted, and no longer are we just talking about the encryption of a network. Really what we're seeing with some of the attackers as well is they're actually extorting. They've already kind of exfiltrated data, they're looking at extortion, um, in terms of getting that data back or stopping that release of the data.

Sarah Armstrong-Smith: But before they've even kind of gotten ahold of the data itself, um, they need to do, they need to learn your organization, they need to know what's valuable to you and kind of making you more likely to pay that ransom. So if we think about really what's their objective, so their objective is really to try and monetize, um, the situation, trying to back you into a corner to force you to have to pay. And the hu- human-operated ran- element of this really is about them taking their time, really thinking about their- their target, so some of the targets, you know, really could be... Well, it could be anyone, actually. They can be small companies right up to huge enterprises, and everything in between.

Sarah Armstrong-Smith: But really, and again, when we think about the, um, the pandemic in particular, we've seen a real increase with regards to attacks on first, uh, firstline responders, hospitals, critical infrastructure, and there's a real psychology at play with regards to, you know, if we attack those frontline services right in the middle of a pandemic, right when the media and there's lots of attention, and people are really, being really fraught in this time, they're kind of more likely... How, are- are you gonna pay, or are you gonna risk being down, um, for a long- longer period of time (laughing) while you recover your services? And those type of things.

Sarah Armstrong-Smith: So I think I just wanted to kind of put that into context, really, with regards to what's the difference and why- why we're so concerned about this. But also, something we've witnessed over the last six months, 12 months, is the fact there's- there's a level of recklessness almost with the attackers and how far they're willing to go, with regards to they're not just talking about disruption but potentially destruction as well. And that kind of, as- as we sort of said, that ripple effect in the supply chain, that you're- you're t- you're taking down services, you're impacting people's availability to get access to- to operations and all of these type of things, and that's- that's really the concern that we're dealing with.

Sarah Armstrong-Smith: And it's trying to put that threat and that risk into a business perspective, and because, when we're talking about an event of this magnitude, which is really aimed at disrupting the enterprise at scale, that in this type of scenario, we're not just talking about taking the IT infrastructure down, uh, we're also talking about taking the operational business down as well. So as much as we've got a cyber response, we've got an IT response, we've also got to be thinking about what the business is doing in this scenario.

Sarah Armstrong-Smith: So if I encrypt, if I lock you out of your network, if I remove data, there's a crisis management response that has to kick in, and if I prevent people from being able to access their services or communicate with their em- consumers and all of these type of things, you're under a lot of pressure. So as much as we talk about the IT response, as we sort of said, what's the business doing? Do they have manual workaround procedures, can they even run their business in a digital environment, can they go back manual? Probably not.

Sarah Armstrong-Smith: So our objective r- really is twofold. It's one, to get the business up and running as quickly, uh, and efficiently as possible, assuming you've had a breach, but also to try and stop a breach from happening in the first place, or at least limiting the attack or limiting the impact of that. And that's why we have to elevate this discussion and the threats into a business-level discussion, because they need to understand the will and motivation of the attackers from one perspective, but also the fact that we, from a... We need to understand what's the business and the IT response combined, and kinda are they looking at this from that perspective?

Natalia Godyla: I can see why you use this example, it really comes back to the beginning of our conversation. I mean, one, with human-operated ransomware just being such a lucrative model and the increasing number of threats, cybersecurity has to have a- a seat at the table in all of the risk conversations. And then that last point you made, it's- it's end to end, the whole organization can be impacted by this, so there's a- a reason why- why the organization has to work together.

Natalia Godyla: So for the security teams, and- and actually, the broader organization, what should they be thinking about if there's an incident like this? How can, as a complex organization, they apply some best practices?

Sarah Armstrong-Smith: Yeah, well, I think it's really important first and foremost, you know, when we're talking about resilience, is really understanding, and it's p- part of the whole conversation, is what is important and what is critical to your business in terms of the data, the assets, and really trying to put some priority. But we talk a lot as well about the assume compromise perspective, and we- we- we utilize that example of marketing. But if we assumed that somebody could get access into your products, into your services, into your network,

Sarah Armstrong-Smith: ... into your data. What could they do with that data? So we're trying to put it in some kind of perspective, really, in terms of if we know and understand our business and we understand what the impact is, we can start to take some proactive measures in terms of what we can do and how we do it. So the second part, really, is about this is constantly evolving, and it's not a one-time event. So I think from an attacker's perspective, they learn our defenses as well. So as much as, you know, we talk a lot about don't pay the ransom and rely on backups and those type of things. But actually it's important therefore that when we're talking about the backups, have we tested those backups? Are we actually backing up everything? Uh, and can we recover? So can we recover even back to the operating system and do a full rebuild?

Sarah Armstrong-Smith: How long would it actually take us if we were in that situation to have to do that? So are we talking about minutes? Are we talking hours? Are we talking days? And if we understand that, again, we can kind of put some perspective back to the business to say, okay, so marketing department or, in a core sense, uh, any one of these, procurement team, can you operate manually for X hours or days or weeks? Now they're probably getting into the weeks. (laughs). They'll probably say, no. This will probably be the end of my business if I'm in that situation. So we can start to talk, put in some priorities about what do we need to do and how do we need to kinda put this investment together?

Sarah Armstrong-Smith: But also we need to kinda think about what is their objective? You know, we talked about the data is one thing. But actually, how do they get access into the environment in the first place? Now the vast majority of attacks still start with some kind of credential theft. We mentioned phishing before. But actually, they will use any which way in. Literally. They don't really care how they get in. It's about them getting access in. So they'll either come through email or come through social engineering, where I'm kind of trying to get your own people to give up information. I'm potentially scanning for vulnerabilities in your network, unpatched servers, unpatched devices.

Sarah Armstrong-Smith: So any of those attack vectors, any of those things really give me an entry in. And then what? So really what they're trying to do, so for them to be able to launch a successful attack, they need to have that elevated privilege. They need to be able to have that administrative control that enables them to exfiltrate data or make changes and those type of things. So really what they're doing is two-fold. They're laterally moving across the environment, potentially from the on-premises into your Cloud, um, but elevating those privileges.

Sarah Armstrong-Smith: Um, so how do we counteract that? So we're counteracting as much as possible that initial entry point, but also trying to, uh, reduce their ability to get access into those administrators. So we talk a lot about the principles of least privilege and not having open-ended access and these type of things. And we're often asked, how does Microsoft protect Microsoft, for example. How do we secure the Cloud environment? So we have things which is just in the... just enough and just-in-time access. So if we had to make a change or do a configuration change, any of those type of things, if it only takes five minutes, we only give five minutes access. And really what we're trying to do is slow down, slow down the attack. And we can't stop every attack, so we're just trying to make it as hard and difficult as e- at every opportunity.

Sarah Armstrong-Smith: But also, if we think about, you know, we talked about the potentially unpatched, uh, out-of-support devices. So kind of what we're trying to do is constantly modernizing and moving away from this legacy environment. Um, and we talk about Cloud and, a lot. But it's really just trying to understand some of the foundational, uh, what we call good hygiene practices, really, which is understanding those vulnerabilities, understanding the impact of those vulnerabilities, um, contin- and having continuous processes to try and reduce those vulnerabilities down as much as possible.

Sarah Armstrong-Smith: But conversely, we talk about as well, is sometimes it's not possible for companies to be able to just universally upgrade. (laughs). You know, particularly we talk about a manufacturing site, let's say. We can't take a production line offline for too long, uh, because it costs money. You know, we talked about, you know, again, in some of these repercussions and those type of things. So we have to be mindful of these type of things, as well. And when we're talking to the business, we're talking to the risk, is how can you still manage your production line but be safe and secure? So a lot of the ca- the examples, we might talk about segmentation. We might talk about, again, slowing down the ability for the attackers to laterally move and get access into these type of environments.

Sarah Armstrong-Smith: So we're really looking at, uh, taking opportunities to reduce the risk down is one thing. They reduce that probability of attack. But again, if we then assume we are going to be attacked, how do we limit the impact? Um, and that's why we talked about the backups and testing those backups. But also it's important, as well, to have an immutable copy of that backup. So what I mean by that is a kind of a third backup if you like. It cannot be tampered with. It cannot be deleted. It's a safe, secure backup. So even if the attackers try to delete it, they try to compromise that backup in some way, you can be safe in the knowledge that you have a third copy of that backup. And that backup may sit, uh, in a Cloud environment or some other environment. But there's really multiple things that, uh, are at play here. But really what we're trying to do, and that's to say, reduce the probability of an attack from happening, and then reduce the impact if that attack were to occur.

Natalia Godyla: Before we jump off here, I, I wanted to pause and, and ask. So what are one or two big takeaways from the conversation today that you'd like our audience to really take to heart?

Sarah Armstrong-Smith: I just wanna say, A, is how do we make security a business enabler? How do we turn it into an opportunity? Make sure that you can engage. You're having these right conversations with the right people, and just kinda break down those silos and those barriers. And don't come at it with any preconceptions, really. Just don't be afraid to have the conversation and start now. (laughs). Really, sooner rather than later. I think if I, there's a resonating theme, I think, one last thing would be about how do we turn people on-

Natalia Godyla: (laughs).

Sarah Armstrong-Smith: ... (laughs) to security?

Nick Fillingham: Hey Sarah, I think we should have you back for a part two of this conversation where maybe we can actually, we can talk about putting together an actual, uh, Cloud security strategy and, and then, and then moving from just simply how do you sort of open the door and start having a conversation with people, and then how do you actually land a sort of a modern Cloud-based security strategy with, with business leaders? Would you, would you, would you come back and complete that conversation with us? 

Sarah Armstrong-Smith: Uh, how could I say no? No, yeah absolutely. Yeah, it'd be cool.

Nick Fillingham: All right, Sarah. (laughs). Thanks so much for your time. We'll talk to you on another episode of Security Unlocked.

Sarah Armstrong-Smith: Thank you. Bye.