As an ‘adventurer and explorer, in both the physical and digital worlds’, Glen Robinson is perhaps uniquely prepared to navigate the acceleration in hybrid working, learning and living that we have all experienced over the last year.
And as National Technology Officer (NTO) at Microsoft UK, he is also uniquely placed at the intersection of technology, policy, impact, education and regulation to make a difference: helping navigate the challenges, and enabling the opportunities, that hybridity brings, so that customers, partners and community alike can all achieve more. With so many takeaways from our recent discussion, here are some of my highlights, providing insights into the many different aspects impacting security, the tangible steps you can take today, and the technology and education support available and accessible from SME right through to Enterprise.
Helping to ensure future market opportunities alongside appropriate policy, regulation and legislation is just one aspect of the NTO role. For example, Glen is currently working with the Department for Digital, Culture, Media & Sport (DCMS) on a trusted identity framework. This centres on how government departments and the public sector more broadly will think about identity in future, and how this operates across regulated industries and the private sector as well. It treats identity as just one component of security, one that can help to build trust (possibly the most important currency of our time) while better enabling interoperability and maintaining high levels of privacy. This work also directly feeds into how Microsoft shapes and aligns its product development:
‘So when we bring new tech to the marketplace, the market is ready to receive them’
But stepping beyond defined policy, regulation and legislation, or the defining of it, it is clear that a core focus for Glen is also what he describes as ‘soft policy’. This involves working at a senior organisational level with a CDO, CSO or CIO who is ‘looking to do things differently’ and informing them about the technical and legal controls, frameworks and compliance standards that Microsoft affords to customers. This enables these leaders to make informed decisions that would not, for example, exclude them from using Microsoft’s latest technology. This also extends to trust. So much control can be given to customers, from where data sits, to who can access it, to the management of encryption keys, that the conversations are moving towards customers having the controls to build trust with their own customers, as part of an overall shared trust model.
With the broad rise in security attacks alongside the pandemic, especially impacting specific sectors such as healthcare and financial services, examples of high profile enterprise breaches with equally high profile coverage, and a 400% rise in attacks impacting SMEs, security has taken centre stage. It might be expected that the challenges, and the support needed to mitigate the risk, differ widely between organisations. But Glen has seen the commonality around the issues first hand.
‘I would say it's really that the requests are quite similar, and that they're all: where do we start? So it's almost this shift from: we've had a very traditional mindset in how we approach security. So we've taken a very traditional perimeter-based security approach. And then Microsoft comes along and starts using phrases like Zero Trust and defence in depth, and they're like, okay, we're not really too clear on exactly what that means. So can you help me understand how we set ourselves up as an organisation for that, what sort of skill sets, what sort of people, all the foundational components organisations are going to need to have?’
And although large commercial enterprises may have more resources at hand, many are still invested in quite traditional approaches, from people and skills to technology services and capital investments. Conversely, smaller organisations do not carry the same legacy and can be far more open and agile to change, able to implement rapidly, but may face challenges with people and skills.
The shared issue is clearly the how of making the shift: what do we need to do, and where do we start?
Underpinned by insights in Microsoft’s latest report ‘Driving Trust and Agility’, alongside the C-Suite conversations that are a key component of Glen’s NTO role, two leading security pain points emerge as recurring issues. The first extends beyond the remit of cybersecurity specialists alone: a foundation of basic cyber hygiene across the whole organisation:
‘it takes a village, this is the whole organisation. So I think, in the modern world, cyber defence is an organisational responsibility. It's not a team's responsibility to protect an organisation necessarily anymore’.
So what do these basic requirements look like? Examples include a strong password policy with a minimum length of 12 characters, the use of Multi Factor Authentication (MFA), and consistent, integrated device management. This matters especially with the work-from-home shift catalysed by the pandemic, which saw many people working on devices that were neither work-supplied nor work-managed. If personal devices over consumer internet connections are used for work activity, what is the resulting risk profile?
‘If you have an unmanaged device, you don't know if it's patched, you don't know what's run on there. You don't know where data has been stored and how it's been secured. So it really is that shift that has driven this focus around basic hygiene in this context of mobile working.’
And as we transition into an increasingly hybrid working and learning world, getting basic hygiene right becomes a key building block for keeping the benefits, such as flexibility and productivity, that hybrid working brings.
The other key pain point Glen observes is very specific and centred on incident response, very much the mantra of ‘who are you going to call?’ With attack sophistication constantly increasing, and not just during COVID, fully embracing Zero Trust and ‘defence in depth’ is critical to reduce the risk from bad actors. When you (hopefully) have the protection in place to detect a breach, or the risk of one, do you have the requisite tools, skills and capabilities to deal with the exposure promptly, and to learn from it too?
‘So what is that process? What's your support network? You know, who can you just pick up the phone to go 'Help'? And then suddenly, you've got the expert forensic resources coming in and helping you diagnose and identify problems, helping you remediate rapidly, and then have that feed back into your business for continuous improvement, so you don't have that same issue again in the future?’
Despite an acceleration in investment in digital transformation, especially cloud, some organisations have delayed ‘everyday’ maintenance activities such as on-premises infrastructure refreshes and patching. So what is evergreen technology and how can it help? An evergreen service is one the provider updates continuously, so customers are always running a current, patched version rather than planning a refresh project every few years. Glen shares the example of cloud services such as Microsoft Teams, which we were using for our discussion: security teams consistently evolve the service and increase the protection available to customers across data, identity and authentication. With that operational burden removed, customers are freed to stay on top of the everyday activities that still matter.
Microsoft currently analyses around 8.2 trillion threat signals every single day, and from these insights patterns can be discerned in the attack vectors in use. Reflecting on this and other areas of our discussion, weak password security is by far the biggest threat. Bad actors can run a password spray attack, trying a short list of common passwords against a large number of accounts so that no single account trips a lockout threshold, or simply brute force a single account by cycling through every candidate password up to a given length. The first succeeds against common and reused passwords, the second against short ones, which is why both a length policy and a second factor are needed.
‘if it's anything less than 12 characters… it's a pretty weak approach to security and so it's really about building a combination - having a strong password policy in itself with 12 characters, linking that to multi factor authentication … and this suddenly gives you such a significantly stronger set of protections in itself’
This is readily enabled with technology available today: if you have Microsoft 365 and Windows 10, multi factor authentication is straightforward to turn on. There are also password managers that generate random passwords, and developments such as Windows Hello that remove passwords from sign-in altogether. Speaking with Glen on this at length, support is clearly there for organisations large and small, so a key element is encouraging behavioural change; the convenience gained from better security habits could be an excellent place to start and help build that crucial buy-in.
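The distinction between the two attacks described above, spraying across many accounts versus brute forcing one, decides what a detection has to look at: per-account lockout counters never see a spray, because each account only receives a handful of attempts, so the failures must be grouped by source rather than by account. The following is an added example, not code from the original post or from Microsoft: a small detector run over a constructed sign-in log. The four-column log format, the IP addresses, the account names and the thresholds (five distinct accounts, or five failures on one account, within 30 minutes) are all assumptions for illustration; real sign-in logs carry different fields and the thresholds would be tuned to the tenant.

```python
"""Telling password spraying apart from single-account brute force.

Added example, not from the original post or from Microsoft. The log format,
addresses, account names and thresholds are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real telemetry).
# Columns: ISO timestamp, account, source IP, result.
SAMPLE_LOG = """\
2021-05-10T07:00:00 zed@example.org   203.0.113.7   FAIL
2021-05-10T08:30:00 alice@example.org 192.0.2.5     FAIL
2021-05-10T08:30:20 alice@example.org 192.0.2.5     FAIL
2021-05-10T08:30:40 alice@example.org 192.0.2.5     SUCCESS
2021-05-10T09:00:01 alice@example.org 203.0.113.7   FAIL
2021-05-10T09:00:03 bob@example.org   203.0.113.7   FAIL
2021-05-10T09:00:05 carol@example.org 203.0.113.7   FAIL
2021-05-10T09:00:07 dave@example.org  203.0.113.7   FAIL
2021-05-10T09:00:09 erin@example.org  203.0.113.7   FAIL
2021-05-10T09:00:11 frank@example.org 203.0.113.7   FAIL
2021-05-10T09:05:00 alice@example.org 203.0.113.7   FAIL
2021-05-10T09:05:02 bob@example.org   203.0.113.7   FAIL
2021-05-10T09:10:00 carol@example.org 198.51.100.9  FAIL
2021-05-10T09:10:30 carol@example.org 198.51.100.9  FAIL
2021-05-10T09:11:00 carol@example.org 198.51.100.9  FAIL
2021-05-10T09:11:30 carol@example.org 198.51.100.9  FAIL
2021-05-10T09:12:00 carol@example.org 198.51.100.9  FAIL
2021-05-10T09:12:30 carol@example.org 198.51.100.9  FAIL
2021-05-10T09:13:00 carol@example.org 198.51.100.9  FAIL
2021-05-10T09:13:30 carol@example.org 198.51.100.9  FAIL
2021-05-10T09:14:30 carol@example.org 198.51.100.9  SUCCESS
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse_log(text: str) -> list[SignIn]:
    """Parse the constructed format into chronologically ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, src, result = line.split()
        events.append(SignIn(datetime.fromisoformat(ts), user, src, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def _max_in_windows(fails: list[SignIn], window: timedelta, measure) -> int:
    """Slide a time window over ordered failures; return the largest measure() seen."""
    win: deque[SignIn] = deque()
    best = 0
    for e in fails:
        win.append(e)
        while e.ts - win[0].ts > window:   # drop failures older than the window
            win.popleft()
        best = max(best, measure(win))
    return best


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5) -> dict[str, int]:
    """Source IPs whose failures touch >= min_accounts distinct accounts in one window."""
    by_src = defaultdict(list)
    for e in events:
        if not e.ok:
            by_src[e.src].append(e)
    hits = {}
    for src, fails in by_src.items():
        n = _max_in_windows(fails, window, lambda w: len({x.user for x in w}))
        if n >= min_accounts:
            hits[src] = n
    return hits


def detect_brute_force(events, window=timedelta(minutes=30), min_failures=5) -> dict[tuple[str, str], int]:
    """(source, account) pairs with >= min_failures failed attempts in one window."""
    by_pair = defaultdict(list)
    for e in events:
        if not e.ok:
            by_pair[(e.src, e.user)].append(e)
    hits = {}
    for pair, fails in by_pair.items():
        n = _max_in_windows(fails, window, len)
        if n >= min_failures:
            hits[pair] = n
    return hits


def guessed_credentials(events, brute_hits) -> list[tuple[str, str]]:
    """Flagged pairs that later signed in successfully from the same source: likely guessed."""
    return sorted(p for p in brute_hits if any(e.ok and (e.src, e.user) == p for e in events))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray sources    :", detect_spray(evs))
    print("brute-force pairs:", detect_brute_force(evs))
    print("likely guessed   :", guessed_credentials(evs, detect_brute_force(evs)))
```

On the sample, 203.0.113.7 is reported as a spray source with six distinct accounts (its earlier attempt against a seventh account at 07:00 falls outside the 30-minute window), 198.51.100.9 is reported as brute forcing carol's account with eight failures followed by a success, and the legitimate user who mistyped twice from 192.0.2.5 is not flagged by either rule. The spray rule is the one a per-account lockout policy cannot replace, since each account in a spray sees only one or two attempts.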
Aligned with simplifying your security platform and protecting remote and hybrid working, Zero Trust comes to the fore as a superb methodology and set of principles for continual improvement in security. It is not simply one thing you ‘turn on’; it is a collection of many things across technology, culture, people and mindset: securing and managing devices and data, and verifying and protecting identities for every access request, whether you are working on ‘everyday’ SharePoint collaboration or analysing highly sensitive data.
‘if you're thinking about that Zero Trust approach and you're consistently mature in terms of your approach to it and you're making those incremental improvements then that in itself for me is probably one of the most important things’
Supporting this, Microsoft has published a Zero Trust Maturity Assessment to enable organisations to understand where they are now, the ‘as-is’ state, and consider their desired ‘to-be’ maturity posture. Critically, they can target very specific areas for quick wins and move up the maturity index quickly, seeing tangible progress and again helping to build that security buy-in which can make such a difference.
Investment in organisational culture, meaning the skills, the embedding of continual learning and an ethos of shared responsibility for security across all levels of the organisation, is an imperative. Any individual can be a vector for an attack; we are only ever as strong as the weakest link, reinforcing the need for MFA by design. As part of this it is also important to address why people may not be ‘buying in’ to technology solutions.
One aspect is privacy concerns, so communication here is critical: being transparent with people about how their data is going to be used as part of security protection, and why. In the same way we think about Zero Trust maturity, this level of transparency maturity is vital too. Another area is the technology experience itself; many people have been ‘scarred’ by memories of poor user experiences in the past. It is a very different proposition now, and both communicating this and making the solutions available is key, bringing seamless, simple experiences to life and creating benefits on all levels, as Glen demonstrates by example!
‘I just look at my screen. And it does it [security] for me, I'm not even having to type. It is a huge improvement and not just from a security perspective, but from a productivity point of view as well’
As part of Glen’s technology leadership role within Microsoft, including recruiting for multiple roles across the business, he is continually focused on helping to address the diversity gap in this sector, which came through strongly in the ‘Driving Trust and Agility’ report findings, especially within the cybersecurity discipline. Having diversity of experience in technology is not just the right thing to do; it also brings richness in thinking, creativity and decision making, and it is excellent to see the strong focus on this area.
‘It's something that we're actively investing in to try and build that pipeline of diverse candidates across all different facets of diversity. The report talked around gender diversity, and I think that's just one area that we're looking at, we're looking at racial diversity, all aspects of diversity… we're constantly trying to do better’.
And concrete actions are being taken right now, for example a significant opt-in internal initiative in which HR asks questions to make sure the right data is available to understand the level of diversity that does and does not exist in the business. This provides the knowledge to act, and it is fantastic to see this focus extending to partner relationships too.
‘So we're now starting to get the data through in our systems, which tell us how diverse our workforce is. We're sort of challenging our partners to think similarly about these problems as well: do they have the data to understand their own diversity? And then that will enable us to be a lot more purposeful in where we invest, where we focus and where we, you know, where we build programmes to try and drive better diversity in the future.’
And it is clear that the work needs to extend beyond organisational boundaries to education outreach. Visibility of role models, and changing the narrative on ‘what a tech career looks like’, is vital to reduce the drop-off in STEM subject uptake, by girls in particular, at GCSE and A-Level, and in the application of STEM skills in ultimate career choices. As ambassadors for STEM and STEAM, there was so much synergy in outlook and activity across my discussions with Glen that this lends itself to a future dedicated post (and actions!), but for now this point really resonated: Glen described his upcoming visit to a school that specifically supports autistic girls. Mentoring, visibility and active listening are so key to change.
‘I am looking forward to going down to spend the morning with them to talk about experiences, but really to understand more about some of the challenges that they face and the reasons why they would or wouldn't consider a career in technology, and then sort of try and either bring some of that back to our own business or indeed hopefully convince them that this is a great opportunity’
From this expansive discussion, it is clear that security is not underpinned by technology solutions such as Multi Factor Authentication alone; it equally needs another MFA, a Multi Factor Approach that brings together technology, culture, methodology, education, mindset and skills, creating trust and empowering resiliency and agility. The importance of awareness of, and access to, learning opportunities also comes to the fore, from SME to Enterprise and from student to adult looking to skill, reskill or upskill.
And there is fantastic support available! From the new ‘Driving Trust and Agility’ ebook, to the Microsoft Learn platform with its many free resources, to LinkedIn Connect supporting apprentices, and the new Global Skills Initiative to train 25 million people worldwide. Such a positive trajectory to build diversity in security, and diversity of experience in technology more broadly too.
Dr. Sally Eaves is a highly experienced Chief Technology Officer, Professor in Advanced Technologies and a Global Strategic Advisor on Digital Transformation specialising in the application of emergent technologies, notably AI, FinTech, Blockchain & 5G disciplines, for business transformation and social impact at scale. An international Keynote Speaker and Author, Sally was an inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations in 2018 and has been described as the ‘torchbearer for ethical tech’ founding Aspirational Futures to enhance inclusion, diversity and belonging in the technology space and beyond.