Uncovering Hidden Risks 10.25.23
Ep 13 | 10.25.23

Unveil Data Security Paradoxes


Erica Toelle: Hello and welcome to Uncovering Hidden Risks, a new podcast from Microsoft, where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. [ Music ] I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview Team. And now, let's get into this week's episode. [ Music ] Welcome to another episode of the Uncovering Hidden Risks podcast. In today's episode, we will discuss trends, insights, and strategies in data security, with some paradoxes observed from a newly published Microsoft report called the Data Security Index. We will then share a few recommendations to help you solve the paradoxes, and strengthen your organization's data security posture. Let's start by introducing today's guest, who will join us for the discussion. Herain Oberoi is the general manager of Data Security, Privacy, and Compliance at Microsoft. Herain, would you like to share a bit more about your background and experience?

Herain Oberoi: Sure thing, Erica. So I'm the GM for Data Security, Compliance, and Privacy at Microsoft, what you would call a boomerang. So I was at Microsoft for 12 years. I left for six, and now I'm back. And one of the reasons I came back was because of what I saw Microsoft doing in the cybersecurity space in large, and then in particular, around data security, compliance, and privacy. And so I joke, I say I spent the first half of my career helping customers build their data states and clearly saw the need for growing data security and compliance. And now I get to spend the second half of my career helping customers protect and govern their data states.

Erica Toelle: Also joining us today is Tina Ying, senior product marketing manager on the Microsoft Data Security, Privacy, and Compliance Team. Tina, would you also like to share a bit more about your background and experience?

Tina Ying: Yes, sure. Thank you, Erica, for having me here. Hi everyone. I'm lead product marketing for data security and insider risk management. And I have been with the team for more than six years now. I really enjoy and love what I do, plus the team is always working on new and exciting projects. We are constantly learning new insights and sharing those stories that can help organizations secure data better. And I'm very glad to be here to discuss some of the new findings we have in the report.

Erica Toelle: Perfect. Can't wait. And with that, let's dive into today's topic. Herain, we mentioned that Microsoft has recently released a new report called the Data Security Index. Could you please explain what prompted the team to do this research and release this report, just as context for our listeners?

Herain Oberoi: Yes, absolutely. So with tens of thousands of customers that we help every day, we found that all of them look at data security as a key pillar of their cybersecurity program. And these customers are always looking for best practices and practical approaches to improve their security posture. And when you look out there at all the research that's there, a lot of that research is focused on the cost of data security incidents, but not as much in terms of best practices and architectures and ways to make things better. And so the team, you know, led by Tina, they set out to curate a practical set of best practices and learnings from our existing customers. And so what they did was they surveyed 800-plus data security decision-makers, and ended up with this report, which we're really excited to share today.

Erica Toelle: I've been attending quite a few conferences lately, and these are exactly the types of questions that I hear our customers asking. So I think this report's really timely and can't wait to dive in to maybe some of the key findings. So Tina, could you please share some of the key findings from the report, and maybe what finding was most interesting to you?

Tina Ying: Yes, of course. Following our survey conducted this year in August, we uncovered several interesting contradictions between best practices and actual practices. Or you can also say the contradiction between the perception and reality. So one particularly interesting finding was that having more data security tools doesn't bring more security, but the opposite. So the data in the report shows that organizations that use more than 16 tools actually experience 2.8 times more data security incidents compared to those that use fewer. And decision-makers actually have the right intuition on that. Eighty percent of decision-makers agree that a comprehensive data security platform with integrated solutions is superior to using multiple [inaudible 00:05:02] point solutions. However, in practice, the usage of solutions remains very fragmented. So on average, organizations are still using more than 10 different tools to manage data security. I found that insight very interesting, because more tools bring less security, but organizations continue to adopt them.

Erica Toelle: It seems counterintuitive that having more tools doesn't equal better security. I'm curious why the data shows this trend. Herain, in your customer conversations, have you also observed this happening?

Herain Oberoi: Yes, you're right, Erica, you know, it is somewhat counterintuitive, but you're going to have to start with even thinking about okay, what does it mean to have more tools? So let's start with that definition. It can mean that an organization has, you know, one set of tools or solutions for data loss prevention. They might have another set of tools for email security, yet another one for endpoint detection and response, and yet another one for identity and access management. Add to it then you have other tools for e-discovery from the legal teams, and you might have other tools for regulatory compliance and privacy. So with all this different tooling, you get a lot of additional complexity. And let me give you some examples. So let's start with something as simple as data classification. You need to classify and look at your data, and you need to classify whether that data is sensitive or it's not, and what kind of data it is. And so when you have multiple tools, it means that you might classify that data once for data loss, and then you have to go classify it again to do e-discovery. And so now you've got separate silos of data, and then you have to create separate silos of policies that work in the classifications. That's just a basic layer. Now let's talk about alerts. When you have multiple tools, you're going to get alerts from all of those tools. More tools means more alerts. More alerts isn't necessarily a bad thing, but if you're getting duplicate alerts, now you got to sift through those duplicates, and it's going to take you more time to get through all of the alerts. And so more alerts doesn't necessarily mean the quality of the signal is necessarily better. And now so you've sifted through the alerts. You know which ones you care about. And then you think about incident response. Every time an incident occurs, each admin of a particular tool has to conduct their own investigation.
Then they have to reconvene and then manually determine the nature of the incident. And so in doing all of this, a lot can get lost in translation, and ultimately what that does is, your mean time to respond and resolve an incident starts to go up. And so you get these false alerts. You get longer time to resolve incidents, the mean time goes up. And therefore, you know, your security incidents are going to go up as well. And so now you have gaps in between all of these different silos. What one of our customers referred to as the Swiss cheese version of security, where you've got a lot of holes.

Tina Ying: Yes, it's almost like an inertia in solution adoption, where an organization can just acquire more solutions and adopt them as a response to, like, anxiety and uncertainty around data security. And I want to add one thing that Herain said about alerts. In the research report that we had, we actually see that organizations who use more tools, they will receive more than twice the volume of alerts than an organization that uses fewer tools. And they can only review a smaller percentage of them as well.

Herain Oberoi: That's exactly right. So to net this out, more tools means more alerts, means more siloed investigations. And ultimately longer response times.

Erica Toelle: Yes, that sounds really frustrating. I'm sure organizations know that this duplication isn't efficient, but they're stuck in an ecosystem of siloed solutions. Tina or Herain, how do you think organizations can break this pattern?

Tina Ying: Yes, I can chime in here. I mean, this is certainly not easy. Here's my take on it. First, security leaders must recognize the false sense of confidence that often arises from relying on many, many isolated solutions. It's crucial to understand that vendor consolidation not only reduces costs, but also could help you to enhance security, even though this may seem counterintuitive. The Data Security Index report we just mentioned provides a lot of data points that illustrate how fewer but integrated solutions can actually lead to improved security. It is a very valuable research and resource for organizations to share with their peers and leaders so they can reconsider their strategy in this regard. Herain, what advice do you usually give organizations that have the challenge of using isolated point solutions?

Herain Oberoi: Yes, I mean, I think it's a couple of things. Awareness is definitely the first step. Security leaders need to be aware of the issue, understand why it happened in the first place, and a lot of times it's because different teams in the security org have different goals that lead them to buy solutions for their specific use case. And each team wants to perform their best, and that leads at best to reprocurement. But security doesn't work in silos. Even if you purchase the best solutions, if they don't work well together, you're going to have gaps and inefficiency and security like we just talked about. And so the security leaders need to be committed to not just buying best in breed, but to making this change and set it up as integration as a priority and as a goal. They need to ask questions like, do the solutions we're going to purchase work well with other solutions to improve our overall security posture? Will it weaken it? And they can even add it as one of the solution selection criteria. So security leaders need to lead their teams with the goal of enhancing all of security posture and efficiency. And from there, they can then facilitate the collaboration across the teams to work together and support that teamwork. So this kind of approach fosters forward thinking. It prevents teams from getting overly fixated on existing practices or isolated use cases. And it allows for the implementation of the necessary changes towards a more integrated and effective approach.

Tina Ying: Yes, it definitely takes a village to enhance security and the effort should be unified. And I think the solution, the integrated solution, can help support that effort.

Erica Toelle: Thank you both for sharing these fantastic recommendations with our listeners. I wish we had enough time to cover all the great insights in the report, but unfortunately we don't today. So for those listening, you can actually read the entire report at aka.ms/datasercurityindex. And we'll also include that link down below in the show notes. To wrap up, let's shift gears a bit. Herain, I'm aware that your team at Microsoft has made some substantial improvements in data security and compliance over the past few years. Could you please tell us a little bit more about how the solution set has evolved, and how it can assist organizations in enhancing their data security and compliance efforts?

Herain Oberoi: Yes, that's a great question, Erica, and appreciate you asking. So data security's become a central focus for our team in the light of continuously evolving data and risk landscape. And I believe a mature and integrated data security platform empowers organizations to achieve several objectives, discovering sensitive and valuable data, detecting critical risk associated with that data, and ultimately preventing incidents by implementing controls based on that assessed risk. So all of these capabilities have to work together to build a robust defense around the data, which is the most important asset for an organization. One of the examples that we bring these solutions together is the data classification capability that I mentioned earlier as well. That's built into the platform. This capability is best in class. It uses machine learning and AI to help identify sensitive data, very precisely. And all of our data security and compliance solutions leverage that same platform and classification in order to apply those controls. So I can give you an analogy to understand the power of this platform. Imagine you've got a home entertainment setup, you know, with a TV, your sound system, a gaming console, and a streaming device. And each of these devices comes with its own separate remote control. And using these individual remotes, you can turn the volume up and down, turn the devices on and off, but it can be really cumbersome and confusing, because you have to keep swapping these things out, and they don't work with one another. And so you have to remember which remote is used for which function, and each remote works a little differently. And so now, consider the unified data classification capability as the universal remote. You don't have to classify your data multiple times for each solution that's using it.
You just do it once, and whether you are doing e-discovery or data loss prevention, your data's been classified once, and just like the universal remote, you don't have to deal with that added complexity. So as you mentioned, what else are we doing to continue evolving this platform? Alright, so now that we've got this universal remote in place, we've got these common platform capabilities, we can start to add more solutions on top of that. So it's not just data loss. It's not just e-discovery. Things like insider risk. Things like lifecycle management. You can keep adding new solutions to the overall platform, while sharing those underlying components and keeping that complexity simple and not creating new silos of data.

Erica Toelle: I love that universal remote analogy. It's really easy to understand. Tina, I know your focus is specifically on innovation in data security. What are some of the recent developments that you can share here?

Tina Ying: Yes, I really love that analogy of how a unified platform brings solutions together, and to [inaudible 00:15:37] on that, I think the reason innovation we have in data security is really to see what's the net in value, or new synergy that we can create, using this integrated platform. And then so one of the prime examples here is that that's a protection, bringing together information protection, insider risk management, and data loss prevention together. So what that protection does is that you see where the sensitive data is and actually also see what's at risk along that data. And then based on that, we can actually understand the user context, assign user risk level, and then apply and enforce DLP controls based on the user's risk level. So the outcome of it is that a high-risk user can be prevented from actual training data, while a low-risk user can work as usual. And then this can only be achieved if all the solutions are viewed on top of the same platform, using the same classification, using the same policy engine. And so it can really be seamlessly brought together to enable an organization to implement those more adaptive data security strategy. And then so it really resonates with our report very well, because you see that the more integration you can bring together, the better your security will be. So that's a prime example I like to mention here.

Erica Toelle: So we do have a little time left before I wrap it up. Now that we've been through it once, are there any other interesting findings from the report that you want to mention?

Herain Oberoi: Sure, Erica. There were lots of interesting fact-findings. One that comes to mind is data security decision-makers tend to overestimate how secure their systems are. So specifically, 75% were satisfied with their data security solutions, and 80% said they knew where their data is, and they could assess their risk accurately. However, when we looked at the actual numbers, those organizations had about an average of 59 data security incidents a year. And that's a pretty high number. And so there's a high confidence level in terms of data security decision-makers feeling like they know what's going on with their data, and yet when you look at the number of incidents, that's pretty high. So we found that to be pretty astounding and also another one of those paradoxes that came out of this research.

Erica Toelle: Thank you so much, Herain and Tina, for joining us today. To wrap up, we'd love to know what is your personal motto or what words do you live by?

Herain Oberoi: Love that question, Erica. I really believe in believing with positivity and possibility, so when we focus on all the things that are going right, we see more potential, which leads to more positive action. And there's this wonderful quote that I heard some time ago that I'll leave you with, which is, when fear comes knocking, let faith answer the door. So don't be driven by what can go wrong, but rather by what is possible.

Erica Toelle: And how about you, Tina? What's your motto?

Tina Ying: Yes. I think my recent one is to just be useful. This actually was shared by one of our marketing leaders at Microsoft, and I just love it. And I've been living with this. Just focusing on the value I can bring to the table, and be useful. Then opportunities will naturally come.

Erica Toelle: Well, I love both of those mottoes. Thank you so much for sharing. And thank you again Herain and Tina for joining us today.

Herain Oberoi: Thank you, Erica.

Tina Ying: Thank you. [ Music ]

Erica Toelle: We had a great time uncovering hidden risks with you today. Keep an eye out for our next episode. And don't forget to tweet us at msftsecurity, or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to Uncovering Hidden Risks on your favorite podcast platform. And you can catch up on past episodes on our website, UncoveringHiddenRisks.com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus. [ Music ]