Much of the work I do focuses on advising security leaders on how to better secure their Microsoft 365 implementations so their organizations achieve the intended productivity benefits without sacrificing security. My intent is to help strike a reasonable balance between productivity and security. I recently came across an insightful framework called the 10 laws of cybersecurity risk. These laws provide a comprehensive approach to understanding and managing cybersecurity threats, particularly as the threat landscape shifts in the era of AI. What I also try to bring to these conversations is an adoption focus grounded in Organizational Change Management (OCM) fundamentals, which I have seen make a tremendous difference to the success of security strategies in large and complex organizations. In this post I’m going to explore the 10 laws of cybersecurity risk through an OCM lens and briefly discuss how they can help you better calibrate your security strategy.
1. Security success is ruining the attacker’s ROI.
There’s no such thing as a perfectly secure state, but you already know that. What you can do is deter attackers by disrupting their return on investment (ROI). By increasing the cost and decreasing the payoff of targeting your most valuable assets, you make your organization a less attractive target than the next one. From an OCM perspective, this means regular communication that keeps users informed about what your security measures are prioritizing and why, and that solicits their participation throughout the journey.
2. Not keeping up is falling behind.
Cybersecurity is a continuous journey, and threat actors on that same road are mobilizing sophisticated tools at lower cost than ever before. Staying ahead of them requires constant vigilance: regularly patching systems, updating threat intelligence, and refining security strategies. A massive difference can be made by ensuring users at your organization know how to work within the permissions model in place for your key information repositories, and by regularly reinforcing the importance of proper permissions hygiene.
3. Productivity always wins.
If security measures are too cumbersome, your users will find ways to bypass them to stay productive; it’s a tale as old as time. It’s crucial to design security solutions that are both effective and user-friendly. A key to ensuring security protocols are followed without hindering business operations is robust stakeholder engagement and input while security is being planned alongside platform or tool implementations, not after.
4. Attackers don’t care.
Attackers will exploit any available method to breach your defenses, whether through networked devices, social engineering, or configuration errors. Your job is to identify and mitigate the easiest and most effective attack vectors first. Securing all endpoints is the comparatively easy part; the harder part is educating users on why strict access controls and your permissions model matter. Keep this an ongoing conversation that feeds their desire to keep your organization off the front page of the news.
5. Ruthless prioritization is a survival skill.
Understanding risk involves assessing both the likelihood of a threat and its potential impact. This dual approach helps you prioritize security efforts and allocate resources effectively. By focusing on high-likelihood, high-impact threats, you can better protect your organization from significant harm. From an OCM perspective, do users at your organization know what these high-likelihood, high-impact threats are? Telling them is often the easiest place to start in building their willingness to support your security priorities.
6. Cybersecurity is a team sport.
Cybersecurity is not just a SecOps responsibility; it requires collaboration across the entire organization. From the longest-serving employee to the one who started last week, everyone must be aware of their role in maintaining security. Regular training and clear communication are key to fostering a security-conscious culture within your organization.
7. Your network isn’t as trustworthy as you think it is.
Too many security strategies are outdated for the current era, in which a plethora of tools exist to compromise the systems you feel are adequately secure. The principles of Zero Trust need to be communicated to your organization’s users so they understand the importance of verifying explicitly, using least-privilege access, and assuming breach. Security organizations are sometimes great at implementing these principles and terrible at communicating to users why they sometimes have to take an extra step. I’m sure you’re aware of the unfair perception that it’s because you gleefully want to make them miserable when they’re just “trying to do their jobs.”
8. Isolated networks aren’t automatically secure.
Yes, perhaps the air-gapped network you run in tandem with your production environment is secure from a network security standpoint, but even in this type of organization there are likely to be scenarios of concern. One example: information from your isolated network gets moved into your production environment by users who want to use a specific app or tool that isn’t available to them on the isolated network. If the whole point of that isolated network is to keep that information there at all times, you have a gaping hole in your security strategy. Educating your users on acceptable use is important, but so is taking into account what modern information workers need to faithfully complete the jobs expected of them.
9. Encryption alone isn’t a data protection solution.
I had a conversation with a “hardcore” security admin who wanted to apply encryption to almost all of their Microsoft Purview Information Protection sensitivity labels to mitigate the risk of data leakage. Leaving aside the impracticality of this in real-world business contexts, a far better approach is educating your users on how to work with information in your digital landscape in accordance with your information handling protocols. A well-informed user base is often a better security measure than what will inevitably happen otherwise: your users finding innovative ways to circumvent hardcore security protocols that frustrate them.
10. Technology doesn’t solve people and process problems.
Amen to that! While technology is a critical component of cybersecurity, all too often I find organizations attempting to dull the pain of dated business processes by slapping on technology they hope will “automagically” resolve them. This is just as true when implementing security tools. Effective security requires strong policies, user education, and a culture of vigilance. By combining technological solutions with attention to human factors, you create a more resilient security posture.
If I could add a bonus based on my observations advising security leaders in complex organizations, it would be:
11. Complexity is the enemy of security.
It’s OK for your business to be complex, but your technologies need not be. Complex systems are harder to secure, so there should be a strategic imperative to streamline your IT environment. This reduces your attack surface and makes overall security easier to manage. It also means producing risk analysis-backed recommendations on which tools and platforms to retain and which ones to sunset. These recommendations should favor tools that are well integrated with one another (and natively integrated where possible).
Implementing the 10 (make that 11) Laws in Your Organization
To effectively implement these laws, you should think about:
- Conducting risk assessments: Identify your most valuable assets and the threats they face. Use this information to prioritize your security efforts.
- Developing a security roadmap: Create a plan that outlines your security goals, strategies, and timelines. Ensure it aligns with your organization’s overall objectives and that it receives broad stakeholder input and endorsement. This will be critical if (or when) there is pressure to prioritize a productivity gain at the expense of a security control.
- Leveraging technology that’s well integrated: Use advanced security tools and technologies to protect your information assets, and favor tools that integrate with each other and are easy to manage, such as those in the Microsoft security stack.
- Monitoring and adapting: Continuously monitor your security environment and be ready to adapt to new threats. Regularly review and update your security policies and procedures.
- Investing in OCM because it’s the biggest predictor of success: Regularly communicate with your users and ensure they are appropriately trained on security best practices, the latest threats to your organization, and the tools you have implemented to protect against them. Ensure the right reinforcement is in place to keep encouraging participation. This helps build a security-conscious culture in which people want to participate.
I found the 10 Laws of cybersecurity risk provide a valuable framework for understanding and managing the complex security landscape that CISOs at large, complex organizations are responsible for. By applying these principles through a user-focused OCM lens, I believe you can better protect your organization from evolving threats. If you would like to refer to the original article on Microsoft’s website, you can access it here.
Thanks for reading, and please reach out if you have a question or just want to chat more!