Recently, the State of New York has taken steps towards passing the nation’s first cybersecurity regulation which explicitly tells financial organizations in New York what they must do in their security program. You can read an overview of this in the article, “Full Employment for CISOs in New York.”
The main question I have is, does it make sense to legislate the details of a security program versus allowing organizations to build programs that meet the business needs and risk tolerance of their organizations?
Before I answer that question, let me first state that overall, I believe the directives in the regulation generally make sense. In fact, they are practices that most security professionals would have as part of their standard operating procedures. It is a little odd though that they explicitly call out two technology areas – multi-factor authentication and encryption – for inclusion, while staying very high-level on the other security control areas. Again, not that multi-factor authentication and encryption are bad areas to focus on, but why are those included and while other important security controls, such as email security, Web security, anti-virus, identity management, and many other security categories?
Now back to the main question of this blog, is legally requiring specific security practices a good thing? My take is no. However, should regulators consider cybersecurity as part of their supervisory responsibilities? Yes, as part of their view of the organization’s risk management program. Ultimately, organizations are responsible for their own risk management programs and how much risk they can tolerate and how best to mitigate that risk.
Just as regulators don’t direct in detail other aspects of the organization’s business practices, nor should they do it for their cyber risk management practices. There are just too many opportunities for unintended consequences to arise. For example in my experience the more detailed the regulation, it not only becomes overwhelming for the CISO looking to implement, but there’s also a greater chance that the security program turns into a checklist program and not a risk management focused one.
I realize it is a bit cheeky for me to make security resolutions for your security program, but I believe you will find these recommendations to be straightforward and highly actionable. In no particular order:
- If you can’t do it, outsource it. Don’t not do it because you don’t have the expertise or the capital budget to buy or manage the particular security control in question. Now more than ever many security controls can be consumed as services as opposed to being purchased in the form of software or hardware appliances. Increasingly security professionals, just like their cousins in the IT department, can leverage the cloud to get the services they need and save money and time to boot. Security professionals should use 2017 to accelerate their transformation from owning every aspect of the implementation and maintenance of the control to being the strategists and architects of their security controls.
- Plan for an incident response now, well before you need to use it. In this era of near certainty of business impacting security incidents, it’s key to plan now for the variety incidents that will likely hit your business. You know what they are likely to be: ransomware, DDOS attacks, email-borne impersonation attacks, botnet infections, insider threats – malicious, accidental, policy violating, and a handful of others. Work with the relevant functions around your organization, write your incident response plan down and run a table-top exercise or two in 2017. It is much better to do it in theory once or twice before you have to do it for real.
- Make employee security awareness training an everyday affair and not a once a year, video watching boredom fest. While no security program should wholly rely on employees to save them from security incidents, having well-informed and engaged employees greatly helps reduce the risk and mitigate the damage of the inevitable breach. Pushing out a 30-minute video once a year does not. Attacks are dynamic and unpredictable, and so should be the user training. Build informative user messages and tests into the daily operation of your security program. When employees do the right thing, let them know. When they don’t, help them understand why what they did was risky. For example, make it easy for them to report likely spam and other suspicious emails. If you must block something they did, like visiting a sketchy Web site, make sure you tell them why they were blocked and what their options are.
- Evaluate your critical business processes and make sure that they are not completely vulnerable to hacked IT systems or the impersonation of executives or critical partners. Given how easy it is to spoof or hack an organization’s email, it is amazing to see how many business processes are 100% dependent on trusting the content in emails. One needs only to consider the number of fraudulent wire transfers that are generated from simple email requests apparently from executives or business partners to understand the absurdity of fully trusting an email. Please make sure every business process of an importance of yours has automated fraud inspection and out-of-band checks-and-balances that are built-in to the process. Don’t expect your users to be the first and last line of defense.
- I realize this resolution is like requesting three more wishes as your third wish from the Genie (Genies don’t go for that by the way), but I strongly recommend leveraging the SANS 20 Critical Security Controls as a key security framework to benchmark your organization for 2017 and beyond. While there is a lot of depth behind these 20 controls, overall I find this SANS list to be both simple and comprehensive. A great framework to use to frame your security resolutions for 2017 and beyond.
For a quick resource, here’s an eBook from Mimecast outlining five tips to combat email-based attacks.
We recently announced some changes to our MSP program that will be effective from 1 April 2017. We understand that these are disruptive to some of our MSP partners, and we’ve received robust feedback since the announcement. So first I apologize for any distress caused by how we handled these changes and secondly I wanted to explain a bit more about our thinking behind the changes to our MSP program. I also wanted to make myself available to talk with any partners that might still be concerned and want us to work with them on this transition.
In aggregate, we do think these changes are better for customers, better for our partners and better enable us to deliver our services to you and to customers on a sustainable long-term basis.
So a quick summary of the key changes:
- Starting from 1 April 2017, we will only be offering new Mimecast accounts through MSP’s for end users that are contributing a minimum of $100 a month (net to Mimecast).
- We are eliminating entry level email security (basic anti-spam and anti-virus) SKU’s for very small customers.
Here’s the thinking that got us to design the change:
- The economics of delivering entry-level email anti-spam and anti-virus to very small businesses are generally unattractive to SaaS providers. McAfee perhaps most recently illustrated this with their MXLogic product. After years of building a user base that contained much marginal business from thousands of tiny customers, they found it difficult to invest meaningfully in their platform. Ultimately as we all know, they decided pulled the plug on the entire offering. We don’t believe it serves anyone within the Mimecast eco-system to venture down this path, so our decisions are been aimed at steering far away from this fate. Our $100 minimum per customer per month is designed to help us do this and will benefit our partners in a more profitable way.
- We do have conviction that customers should purchase more comprehensive protection to deal with growing email security threats. We feel that especially for small customers who often don’t have any additional layers of protection, entry level email security is not a good solution on its own. So we want to encourage our partners to ensure their customers include more protection, deliver the coverage that they require and do so in a way that is cost effective. So our new entry level SKU now includes our integrated Targeted Threat Protection services. This means that while some very small customers will be paying us more, they will also be getting advanced security protection against phishing, malware, ransomware or impersonation attacks.
We do understand that this is disruptive to some of our MSP partners. We are sorry about that. We are here to work with you to minimize that disruption, within the constraints that we have.
You may know that I am brand new in my role here at Mimecast and frankly am extremely excited about what we can do to help our channel partners innovate and grow. Making a change like this to our MSP program was not an easy decision for the managers that have worked on this before my arrival, but you can be assured of our commitment to being a great partner to you going forward.
Please reach out if I can be helpful to your business as we navigate this change.
A recent survey confirms that Microsoft Office 365 continues to outpace Google’s G Suite in the race to the cloud. Overall it’s clear that more organizations are using cloud or hybrid deployment models over on-premises, but let’s dig into the survey results.
Let’s start with the Bitglass Cloud Adoption Report, which is in its third iteration, for some context into how things have changed over the years. In 2014, the report found that 16% of organizations were using Google Apps for Work (now rebranded G Suite). At that time, only about 8% were found to be on Office 365. Google at that point had a 2X lead on Microsoft! Since then, the picture has changed dramatically. In 2015, Office 365 closed the gap and squeaked past to take a 25% to 23% lead. The ’16 report saw that lead extend as Office 365 now controls a commanding 35% to 24% advantage. Bitglass says this report was created using an internally-developed tool that analyzed over 120,000 companies.
We’ve also heard that cloud adoption is progressing faster than industry experts originally expected. In the spring of 2016, Redmond Magazine reported on a recently completed Gartner survey showing Office 365 was either in use or planning to be used in the next six months by 78% of respondents. This is up 13% from two years ago when the survey was run last. What’s interesting is that the use of Exchange on-premises only dropped by 5%, with most feeling that hybrid environments will remain popular and persist well into the future.
It’s no surprise to hear that Office 365 continues to gain ground and extend their advantage in corporate accounts. I’ve referenced before that Office 365 adds 50,000 customers a month and as of June 2016, that was true for 28 straight months! What’s more, the service has been growing by about 40% year-over-year and looks poised to top 120 million corporate users by this time next year. Interested in learning more about how organizations are managing risk while moving to the cloud? Check out this market trend report by Microsoft MVP J. Peter Bruzzese titled, Resetting Your Expectations on Office 365.