
My Marbles Are Officially Misplaced: Bombshell Report for Cyber Human Risk and Security Awareness Leaders

What Am I Talking About?

I finished reading the entire Cyber Safety Review Board Report on the Microsoft Exchange Online intrusion (yes, I'm a loser), and WOW, I'm losing my marbles! Cyber Security Culture Development is officially on the main stage.



If Netflix experiences a severe brand damaging incident, Hulu picks up market share. If Hertz experiences a severe system crash, Enterprise Rent-A-Car picks up the market share. If the Federal Reserve experiences a severe ransomware breach, a global economic disaster occurs.


These risks are not the same for the public. Your program should not be the same as others in the cyber security culture, human risk, and security awareness specialization. I’m beyond shocked and thrilled to see cyber security culture highlighted as a primary shortcoming leading up to the incident.


Here are my thoughts:


Aligning Accountability with Security Culture

The report pointedly states, "The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations."


Adding more clarity to my Netflix, Hertz, and The Federal Reserve analogy, this statement underscores the paramount importance of aligning accountability with security culture. In a landscape where a single breach can shift market shares or trigger a global economic disaster, a one-size-fits-all approach to human risk and security awareness simply won't suffice. Each organization must tailor its program to its unique risks and responsibilities.


Clearly put, the more risk your mission, the data you collect, and your organization place on the public, the more we expect you to clearly define, communicate, monitor, and hold employees accountable to your security policies and procedures.


Valuing All Cybersecurity Professionals Equally

The report also sheds light on an ongoing issue within the cybersecurity community:


"Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management."


This insight reveals a continued imbalance in the recognition and prioritization of governance, risk, and compliance (GRC) specialists compared to their technical counterparts. The truth is, the less technical roles within cyber are just as valuable and necessary as Security Operations Center engineers. It's time to break down the silos and acknowledge that every role within the cybersecurity domain is crucial for a comprehensive and effective security posture.


The Role of Leadership in Driving Cultural Change

The report suggests a proactive approach for Microsoft's leadership:


"To drive the rapid cultural change that is needed within Microsoft, the Board believes that Microsoft’s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products."


This one is for the BISOs!


This recommendation is particularly relevant for Business Information Security Officers (BISOs), who play a pivotal yet often underappreciated role in shaping an enterprise's cybersecurity stance. Clear direction and support from the top can empower BISOs and their teams to implement effective security measures that resonate with each business unit's unique needs and objectives.


Concluding Thoughts: Nobody Likes an Ambulance Chaser

This is not the time to criticize or blame Microsoft.


While the report is gloomy, Microsoft did a substantial number of things quite well. It is not my intent to degrade the enterprise with the largest threat landscape in the world, but to help clarify lessons learned with my own flavor of perspective and specialty.


If the report's substance is ignored, well, that would be the time to pile on.


You can find the full Cyber Safety Review Board Report here:

