Cybersecurity 101: What Are the Three Pillars of a Robust Strategy
Erica Toelle: Hello and welcome to Uncovering Hidden Risks, a new podcast from Microsoft, where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview team. And now, let's get into this week's episode. Welcome to another episode of the Uncovering Hidden Risks podcast. In today's episode, we will discuss how to tactically create a cybersecurity strategy. We'll cover topics such as how to balance strategy and execution, ideas for working with the C-suite, and our predictions for future challenges. Let's start by introducing today's guest who will join us for the discussion. Nash Shaker is an AVP of Information and Cyber Security at Canadian Western Bank Financial Group. Thanks so much for joining us today, Nash.
Nashid Shaker: Thanks, Erica. I'm really excited to be here with you all today. Antonio, it's always a pleasure seeing you. I like to think of myself as an enthusiast in whatever I'm passionate about. I really hope to bring a blend of technical expertise and business acumen to our conversation today.
Erica Toelle: Also joining us today is Antonio Maio. Antonio is a managing director with Protiviti, where he leads the Technology Consulting Practice across Canada. Thanks for joining us, Antonio.
Antonio Maio: Thanks so much, Erica. It's great to be here. I've been working with Nash and her team for over a year. And, Erica, you and I have known each other for several years. So I really appreciate you having me as part of the podcast.
Erica Toelle: Perfect. And with that, let's dive into today's topic. Nash, you've worked on several cybersecurity strategy initiatives. When you start one of these programs, how do you structure the program and the different areas of focus at a high level?
Nashid Shaker: So embarking on a cybersecurity strategy initiative, it's really crucial to take a comprehensive and holistic approach. What I normally do when structuring a program is really looking at that broader perspective, so that high macro level view, and then bringing it down a little further. From a broad perspective, it's never good to look from just a narrow lens of your own environment. It's important to consider kind of that larger threat landscape that extends beyond just the organization's immediate boundaries. I'll use the financial industry as an example, just because that's where I work. And looking at the macro environment really directly feeds into the strategy itself. I was reading an article and it was speaking about how before 2012, reported risks were predominantly economic in nature. Over the past 10 years, this has shifted considerably. And technology risk has now emerged due to the growth of online activity, dependency on service availability from virtually anywhere at any time. And then obviously COVID-19 and geopolitical risks such as the Russian invasion of Ukraine really highlight these risks even further. So taking these far-reaching consequences, one can really see the immediate boundaries that become essential. When taking that micro look and bringing it down to the core of one's organization, the vision is really at the center of every program. And having a vision and that north star that everyone can kind of work towards or be directed to and having that align to the organization's vision is a key component within any program. And then building down into those foundational pillars and those key pieces that form a part of the program as a whole. So looking at one being threat management and intelligence. They need to understand evolving threats and the threat environment. Organizations need to leverage their intelligence to anticipate attacks.
For instance, understanding tactics and things like the dark web chatter and planned attacks on online banking services and how to inform mitigation strategies. And then understanding that broader perspective will help to actually build into this pillar itself. Then looking at risk management, identifying and quantifying risks is vital. If you don't understand your risks, then you don't know how to mitigate them. For example, considering the risks associated with remote customer transactions during the pandemic and adapting security measures accordingly, those are all kind of foundational, core components within this pillar. The third one is your security-centered culture. People are the keys to success. They also expose us to a substantial amount of weakness. Building that knowledge with shared attitudes and ownership fosters that culture of security awareness. CWB has identified this as such a key component and so important, that they have a dedicated team focused on providing awareness, building that culture, and promoting education not only for its internal but looking at its clients as well. So with the implementation of multifactor authentication for our clients, they wouldn't understand why that would help them. It's providing protection without them necessarily knowing it, but then that education piece is so important to help cement the why. And last but not least is really governance and looking at that from a technology standpoint and a security standpoint. Implementing governance frameworks helps to ensure compliance. It also helps with the delivery of services in a controlled, secure, and repeatable manner, that would be the ultimate goal of governance, essentially. So I'm not sure if you saw kind of how the pillars, they feed into the vision, which then really should be addressing our macro, and that forms a lot of that piece within the security program itself.
So in taking a risk-based approach and developing a risk management process, strategies should then focus on mitigation of these risks to help improve efficiencies.
Antonio Maio: So Nash, I like what you said about starting with a broad perspective and using that to draw the vision and not getting too deep into your own environment just yet. But I wonder, how does an organization know when it's time to, say, re-evaluate their cybersecurity strategy at this kind of higher level versus getting down into and focusing on the tactical execution? How do you know when to focus on which area?
Nashid Shaker: The first piece is actually identifying if a strategy exists at all. A lot of organizations don't have a strategy and haven't built that within their daily practice. Our CISO at CWB really focuses on and always promotes being proactive as opposed to being reactive. And being proactive requires strategic thought. So once you've said, okay, yeah, a strategy exists, and then we're looking at when you need that refresh, you generally look at what are the emerging threats that are within our emerging threat landscape. That can lead to a strategy shift. When COVID hit, everything went remote. Suddenly, we had to pivot because security went beyond the walls of our organization. And it was boundless. So having to shift based on now the risks that have emerged and now what we're exposed to would mean a relook at those priorities. Technology advancements are another. To keep ahead of our competition, we all know we have to embrace technology and technological innovation. However, introducing new technology introduces vulnerabilities and increases our risks. So we would need to be reassessing our strategies to adopt these new technologies such as blockchain or AI while ensuring that we are secure, resilient, and dynamic. Regulatory changes from a larger level. On the tactical side, it would be kind of smaller changes. But more on the larger scale, those would influence the strategic kind of shifts, and then obviously, major incidents -- so a breach. If you look at the SolarWinds supply chain attack that occurred, this was considered one of the most serious cyber espionage attacks on the United States, and it obviously hit into Canada as well. But because it was successfully breached, the US military, many US-based federal agencies, and agencies that are responsible for nuclear weapons and critical infrastructure services, and a majority of Fortune 500 organizations, were all hit.
Looking at that, an organization itself would then need to look at, okay, are we set up correctly if something were to happen to us, based on these attacks that you're witnessing in the news and in your macro? The last one would be any growth -- business growth, changes, organizational restructuring, mergers and acquisitions. That would cause a shift in the business model, which would mean that there would need to be a shift in your cyber strategy to better align. We purchased or acquired a company in a different province. And so that means that CWB has expanded to a much bigger audience across a vast Canada. Taking that into account, you've got to embed those pillars that are speaking to this acquisition, and make sure that those same people are educated, you've got the right strategies in place. And then obviously, you'd look at it more tactically when you're building out your vulnerabilities -- any vulnerabilities that are identified that require prompt resolution or routine security assessments, or kind of minor regulatory changes.
Erica Toelle: Nash, I love how you set this up with the broader strategy and then when to get tactical. I'm just curious, what is a top risk that organizations tend to overlook either in one of those areas or some other area?
Nashid Shaker: One of the significant risks that organizations tend to overlook is really I think the human factor. While technology advancements are vital, employee behavior and decisions can considerably impact cybersecurity. The financial industry handles sensitive data, making it a prime target for social engineering attacks. If we look at a phishing attack targeting bank employees, they are exploited easily, and they trust what is coming forward to them. So we're constantly being exposed to risks within the organization, which then exposes the organization to various vulnerabilities. So it's essential to foster that culture of vigilance and empower employees to identify and report suspicious activities, so that they can ultimately be safeguarded.
Erica Toelle: Antonio, you also help many customers with their cybersecurity strategies. In your observations, how have cybersecurity programs changed and evolved over just the past few years? And then, how have you seen parties adjust based on this shift?
Antonio Maio: That's a great question. I think Nash touched on that with some of the reasons why you would re-evaluate a cybersecurity vision or direction. But, you know, I think when organizations were first moving to the cloud, we first saw a lot of hesitancy, at first due to cybersecurity concerns, compliance concerns, often questions about data residency and how that related to various regulatory frameworks around the world. Eventually, these organizations started to transform to cloud computing. You know, more cybersecurity capabilities were built into the platforms, abilities for complying with regulations, taking those regulations into account in a very meaningful way. So many organizations became comfortable with cloud computing, especially when the cost implications of that were taken into account. Cybersecurity strategies started to evolve to incorporate concepts like zero trust architectures at that point. And I think most organizations are now very comfortable with having a majority of their infrastructure if not all of their infrastructure in the cloud. And those strategies were driven for a long time by having the zero trust architecture. And we still see that, but in the last few years, we've seen those strategies continue to evolve. And now there's a big focus on cybersecurity tool consolidation. For example, especially in the areas of XDR -- extended detection and response -- this is happening in part to reduce and simplify the security toolsets that we have. So we see a lot of focus on tool consolidation, tool rationalization, organizations going from, you know, 75 or 100 different cybersecurity tools for various point purposes to moving more to a suite of tools that deal with the threats holistically across their cloud computing infrastructure. Some of that's driven by cybersecurity teams wanting to simplify the tools that they use. Some of it's being driven by cybersecurity budgets coming under pressure. 
So organizations trying to do more with less, for example. Also, as we see the number of threats increase, the number of attacks increase, having a SOC team be able to deal with it efficiently, quickly, that also is moving more towards automation within the SOC. So automating how we deal with some cybersecurity threats so that SOC analysts can focus on more high-value threats. So we do see cybersecurity strategies shifting towards that. Then, in recent months, we've seen a big focus put on AI, AI, artificial intelligence coming into our SOC teams in a very meaningful way. And helping those teams again to become more efficient, to learn more quickly, to analyze tool chains automatically and more quickly, and deal with some of the really common threats automatically, again so that they can focus on more advanced threats and really stay ahead of attackers. It's a lot of the shift that we see in cybersecurity strategies. So, Nash, I would like to ask you, you know, touching back on some of the stuff that you were saying, what suggestions would you have for how teams can manage increasing security demands to better prioritize those competing demands? Because we don't see our SOC teams, our cybersecurity teams increasing dramatically, and we do still see pressure on budgets there. So how would you kind of suggest that you deal with that increasing demand or prioritize?
Nashid Shaker: It's a really good question, and something that I think prioritization is a struggle in life for a lot. I know it's tough for me. But if we're looking at, say, CWB and bringing in their "people first" culture, that's at the core of its operations. And effectively managing and then escalating security demands while juggling competing priorities requires a delicate balance. I only bring in culture because it's important to take an organization's culture and values into account when trying to navigate through these strategies trying to prioritize based on these competing impacts. Some suggestions to kind of address this would be looking at risk assessments and prioritization. So bringing in the organization's values and its commitment to its customers will help assess risk more effectively. If you look at the launch of a new online banking feature and the security risks involved within that, it's important to look at those demographic groups that are more vulnerable to a cyber scam such as the elderly and then prioritize accordingly. Other ideas are alignment to business goals. So aligning our security efforts to the business goals strengthens that case for resource allocation, which comes into, you know, budget constraints that a lot of us are facing. So if an organization, for example, can emphasize personalized customer experience, investing in secure digital channels that provide tailored financial advice, enhances the customer-first approach, that's in alignment to our goals, and ultimately, that's focusing on where you prioritize. Another suggestion is adopting a risk-based approach and tailoring security measures to maintain customer, investor, and employee trust. That will help safeguard the organization's reputation and reinforce the culture that is being built. This really means assessing potential risks and aligning our security measures with core values, especially where customers' trust is at stake.
For example, if any mobile app is being launched, in this scenario customers' trust is paramount, because any security lapse could totally undermine the organization and jeopardize those customer relationships. And to your point, as you were mentioning, Antonio, automation and technology. It's super cool what's coming out and the things that now we can do. These are examples of how we can bring forward more efficiencies to better manage some of these competing priorities. If we can embrace automation, we can enhance the experience while maintaining security. But the investment in AI and in all of these technologies is about being able to show that benefit output that we would need to demonstrate.
Erica Toelle: Nash, I love how you connect cybersecurity to your "people-first" culture. To dig into something related, how do you think cybersecurity can contribute to the bottom line or the mission of an organization?
Nashid Shaker: Cybersecurity, it's not just a defensive strategy, it really can be a powerful driver for an organization's success. And cybersecurity can essentially contribute to the bottom line and mission of the organization by helping organizations protect their intellectual property, or maintaining their customer trust, enabling innovation, enhancing investor confidence, and ultimately trying to reduce financial impacts through mitigation of what a breach would cause. So these are ways of why aligning your security strategy to the organization's mission is vital and taking into account, as mentioned, the culture of the organization. Because it allows you the ability to demonstrate commitment to safeguarding the organization and building that fostering of trust, essentially. One thing that is always really good to consider and where you really can show that bottom line piece is the importance of regulatory requirements. In industries like financial industry or the health industry, regulations are nonnegotiable; you have to do it. So if you can ensure compliance and demonstrate the benefit within that compliance through your cybersecurity measures, then organizations can avoid penalties and they can maintain their reputation. Ultimately, cybersecurity aligns with an organization's bottom line and mission by facilitating business continuity, protecting valuable assets, and fostering an environment of trust and growth, then we'll probably be more successful when trying to mitigate the risks, through driving innovation and growth. I don't know, I often think, imagine exploring new technologies without the fear of jeopardizing data or compromising your operations.
Antonio Maio: I think you shared some great points there, Nash, especially, I really like when you talked about how you approach cybersecurity from a people-first culture as kind of part of your core operations, and that cybersecurity isn't just a defensive strategy. I often like to think that in implementing a cybersecurity program, you're trying to make every employee part of your security solution. And I think that aligns with those kinds of points that you said. You know, I think back, too, to a study that I looked at that came in 2023 by PwC. It found that CEOs, international CEOs, they listed cybersecurity as kind of their fourth highest risk concern overall across the risks to their organization. I wonder if you have any tips for how security and IT professionals can engage with leadership around this topic? Because it is one of their top concerns. It's their fourth highest concern in this particular strategy. And you often need to get that executive buy-in to move ahead with a cybersecurity program or some aspect of a program. So any suggestions or tips there for how to engage with leadership?
Nashid Shaker: I should bring you in, because every time I speak to you, you're able to articulate and explain things in such a fantastic way.
Antonio Maio: Thank you.
Nashid Shaker: Every single time we've had a meeting. So, one, if that could be a tip, just bring Antonio into the leadership circle, and you'll be golden. But if we want to like dive into other tips and tricks of the trade, I was trying to think through, and if you look at -- just as an example and then kind of highlighted through how you could potentially do it -- is if you look at the 2019 Capital One hack, a hacker illegally accessed and obtained 100 million Capital One credit card users' personal and banking information due to a misconfiguration of a firewall. This allowed the intruder to access users' data stored by Capital One on Amazon Web Services. So I took that snip exactly as I'd read. And the reason why I'm doing it is because I want to kind of -- I'll get to my point, I promise. But if we break this down, if we can learn to, one, speak the language of the business, then you can translate that technical jargon into business terms. To try to explain cybersecurity risks and strategies in ways that resonate with the organization's overall objectives gets a substantial amount more buy-in. For instance, with the Capital One hack, if instead of discussing firewall configurations as a root cause, you could instead focus on the potential financial and reputational impact of that data breach, due to inadequate security measures. So it's all about framing the messaging, I guess. Another piece is always looking at that alignment with your business priorities. So demonstrating how a secure environment can support the revenue growth, customer trust, and regulatory compliance. For instance, explaining how robust cybersecurity supports initiatives for expanding into new markets or launching new innovative products, it builds up to the priorities, as I was discussing a little bit earlier. One thing that a lot of organizations struggle with, and I know I've struggled with it, is how do you quantify risks and impacts?
It's really hard to do, because you're essentially trying to quantify what hasn't actually occurred yet because you're being preventive. So being able to do this in a way that leadership understands the tangible consequences, it goes a far way. If you look at Capital One and you look at the number of clients that might have been impacted and they left the bank and the financial implications of that and using those kinds of examples to bring forward, it's how do you do that within your own environment? It is a tough one, but it can go a far way because everyone loves numbers, and everyone likes seeing those numbers. And another one is scenario planning, looking at using these exercises can help walk leaders through potential security incidents and potentially the consequences to underscore the importance of preparedness. Going through, say, a tabletop exercise with an executive or even your board of directors, it's a great way to also build confidence in the leadership team, who are actually going to be managing through an incident should something occur, and defining those roles and responsibilities. I don't know if every organization knows who is accountable for making that ultimate decision of, do you pay, or do you not pay. If you don't, these types of exercises can help show that or highlight that. Another thing that I've often thought about is, what if the person who is making the decision to pay or not to pay is off hiking the West Coast Trail, completely remote without any connection? What happens in those types of situations? So it helps to kind of demonstrate a lot of things just by the nature of the exercise. Ultimately, it's trying to have a proactive instead of a reactive mindset through regular updates, education, building up that culture, and trying really, really hard to remove that fear factor associated with cybersecurity and this idea of security equals no, or security equals ruining the fun.
Because by reducing the fear and promoting more of, we're in this as a culture, we're in this as a community, then you're able to have open collaboration and more inputs, and this leads to effective risk management.
Antonio Maio: So, Nash, you brought up some really great points there, there's a few of them I wanted to kind of perhaps touch on with you. The quantifying risks and impact, that is really hard to do, like you've said. I've worked with some organizations that have said, you know what, until a breach happens, we're good, we're not going to do anything. And that's a really surprising and scary approach to take. So, you know, touching on your other point of being proactive versus reactive, I do think that when you're talking to leadership, emphasizing that as a strategy around cybersecurity is a really, really important thing to do. Because it is hard to be behind the eight ball, to get hit by an attack, and then figure out what to do. And then finally, the scenario planning. We sometimes think of that as tabletop exercises. I think that, too, is a really great point, because it does help you figure out some of those scenarios, right. Like you said, a ransomware attack hits, do we pay the ransomware, do we not? That's a hard call to make. And, you know, if someone is out hiking, if the person has to make that call, that helps you to figure out roles and responsibilities as well so that those people have a backup. So I just want to say, great points to bring up there. I think all of those are really helpful in thinking about how do you bring leadership into -- providing the buy-in that you need to move ahead with these programs.
Nashid Shaker: Thanks. It's good to hear from yourself and from what you've experienced in the industry, too. You get caught in your world and you don't often know if the struggle is real outside of just the confines of your organization.
Antonio Maio: Yeah, getting out of the echo chamber, and yeah, understanding what others are doing, too.
Nashid Shaker: Exactly.
Erica Toelle: Nash, I'd love to dive in a little bit to something you also brought up earlier around preparing for future technology innovation. So I think the hot topic of 2023 is AI, of course. So, you know, AI initiatives all will probably require some access to data, right, to get the benefit of AI. So as a cybersecurity leader, how are you thinking about preparing for the future that's going to inevitably have some AI usage? Like what are you doing today to prepare for that potential eventuality?
Nashid Shaker: It's a critical consideration. As you mentioned, like we anticipate AI being integrated into various aspects of our lives. We've all watched movies when we were children, and a lot of that stuff is coming forward, and it's all because of AI and the direction that we're going as a society. So including cybersecurity, there are several key factors to think about to ensure a secure future. Jumping before we understand the full potential or the security risks to an organization can lead to additional risks. Everyone wants to jump on the AI bandwagon, and we should be going that direction, as mentioned, but if we don't do it with more thoughtfulness, then we are going to be exposed to more risk. So some of the things that we should consider and put in place is establishing a stringent data governance practice. Making sure that, you know, with AI relying heavily on data and robust data governance, it ensures that data integrity, privacy, accuracy is all taken into account. And then implementing measures like data encryption and access controls to safeguard that sensitive information. Another thing is, and Antonio, you had mentioned it, around zero trust architecture. It should form the foundation I think of any AI initiative. Zero trust is ultimately, you don't trust anything until you do. And so assuming that no entity is trusted by default, it will automatically mean implementing strict access controls for continuous monitoring. And then the human oversight. A lot of conversations and discussions around, well, where do humans fit in, as we move more into that direction. But AI should really be working in tandem with the human expertise. Human oversight ensures that AI decisions align with security objectives and ethical standards. So it's working together, as opposed to one or the other.
So by proactively addressing some of these considerations, cybersecurity leaders can help shape the future of AI in a way that enhances security, fosters innovation, and then safeguards the interests of individuals, organizations, and really society.
Erica Toelle: Antonio, you have such great experience running a consulting business that works with a bunch of different customers, addressing cybersecurity concerns. What are your predictions for cybersecurity in the next maybe two to four years?
Antonio Maio: So that's a hard question, of course, kind of predicting the future, but my personal predictions for the next few years are, first of all, we've kind of already talked about this, AI is going to drive efficiencies in detection, prioritization, and analysis of both risks and security threats. I think that's inevitable that AI is going to become part of that story. Second, I think organizations are still going to be defining and refining their approaches to cybersecurity. I do think that is a continually evolving thing, and it's going to continue to happen, especially as our toolsets consolidate, as tools continue to evolve. We're going to continue to see tool consolidation in this space, as cybersecurity teams, organizations look to simplify, make their SOC teams more efficient, uncover risks more efficiently and deal with them quicker. I do think we are still going to have a cybersecurity skill shortage. We're just starting to see education programs ramp up to meet the demand for cybersecurity skills, right. We see in the media now that you have university programs or degrees that focus in cybersecurity. Those are just starting. So I think in the next, say, two to four years, we're still going to see that shortage, but I think measures are being put in place to deal with it. Even my kids -- I have two daughters -- they're both focused on cybersecurity in their high school and university programs. So that's great to see. I think we're going to see data protection compliance and cybersecurity teams working more closely together. Those have often been teams that have worked in silos, where the privacy team and the compliance team will occasionally talk to the cybersecurity team. They might meet once a week. But I think those teams are going to get much closer together. 
I think we're going to see a lot of those silos break down, especially as you move into the cloud and you start to see many of the capabilities and tools we need to utilize are all part of the same consoles, right. So it's less about having individual teams and more having functional areas that work together. So those are some of my predictions.
Erica Toelle: Thanks, Antonio. And thank you so much, Nash. Sadly, I think that's about all the time that we have today. So to wrap it up, I'd love to ask you a question that we ask all of our guests on Uncovering Hidden Risks, and that is: What is your personal motto, or what words do you live by? So, Nash, maybe starting with you?
Nashid Shaker: Work from a place of possibility. When you're in a place of possibility, you can always go beyond expectations and improve performance and to just improve in general. So that would probably be it.
Erica Toelle: And how about you, Antonio, what's your motto?
Antonio Maio: So I love this question, because I do have a motto that I try to live by. It's, always be learning, be grateful, and be kind. Those are the things that are important to me.
Erica Toelle: Well, I think those are both just beautiful mottos and words to live by, so thank you so much for sharing. And thank you again Nash and Antonio for joining us today on Uncovering Hidden Risks.
Nashid Shaker: Thank you so much for having us.
Antonio Maio: Thank you, Erica. Thanks, Nash.
Erica Toelle: We had a great time Uncovering Hidden Risks with you today. Keep an eye out for our next episode. And don't forget to Tweet us at msftsecurity, or email us at UHR@Microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to Uncovering Hidden Risks on your favorite podcast platform. And you can catch up on past episodes on our website: uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus.