CISA says security culture is accountability and other good news
I hope this week has been a good one for you. The world continues to be a challenging place and we have more layoffs. Yet there is spring sunshine, and we always have hope in community and network.
CISA report on Microsoft incident
A very comprehensive report from CISA concerning the 2023 Microsoft Exchange incident, and I am glad to see it describe security culture as accountability.
I don’t think any of us resent investigations or write-ups of incidents: they help us learn from mistakes that any of us can make. However, it is often the only time that accountability and transparency really happen in security teams or in the security strategies of organisations. CISA has clearly defined that accountability, as shown here:
I know many would read this and think “oh right, more security awareness training”, but I read it differently. Microsoft is, as the report repeatedly highlights, a part of national and domestic infrastructure. It is almost impossible NOT to use a Microsoft product. They should prioritise security throughout the company, and everyone is part of making sure that nothing is missed. They are infrastructure: they are providing services that businesses, schools and private individuals rely on for confidentiality.
This is not “security is everyone’s responsibility”, and therefore Margaret in Marketing has to do ten more awareness trainings. This is a culture of accountability and good practice that, as a SaaS provider, should be by design and by default.
This is further underlined by CISA re-using a quote from Bill Gates about prioritising secure design before launching products:
I hope that people reading this will take those points on board, especially the “between adding features and resolving security issues, we need to choose security”. The current rush to implement AI everywhere, and the Teams Maybelline feature for example, could have waited. I know how challenging this is when working under pressure, but this is what Just Culture and “security culture” are: doing the right thing because you are accountable. Just like if you were making candy: you would adhere to food safety standards and flag any issues quickly. The “move slowly and fix things” mantra has never been more relevant.
Overall, the report is a long but worthwhile read and will be of great use to security teams communicating upwards. Incidents can happen at any time, and reports help us to show and justify where we have risk or where we should allocate resources.
Security Communications
The Cyber Ranch Podcast discussed how a CISO can communicate effectively, with Geoff Hancock as guest speaker. He had some excellent, practical advice. I highly recommend a listen.
Security by design
The Human Centred Podcast is still one of my new faves, and this week’s episode offers us more perspectives on human-centred security design.
Surveillance tech
The 404 podcast has a great episode on flawed licence plate readers.
I also found the news of the AT&T data breach to be disappointing but not surprising. I link both of these items because I find that in security education, and in politics, there is a lot of panic about TikTok etc. Yet the government, local HOAs, and home-grown companies that are more trusted are failing to protect data, and sharing it when they shouldn’t, too. Perhaps it is worth looking at our own house before we throw stones. But I have always said: if you panic about TikTok, you should also care deeply about your car privacy, edtech privacy and security, and what the government and tech companies are sharing about you at home.
Have a great week. Mercury is in retrograde, so tech will break and comms will be slow; take the time to rest and don’t burn out!
M