Best spending value is on security awareness, says Microsoft official

Four basic actions will go a long way to improving any organization’s security posture, a Microsoft Canada official has told security and privacy officers.

Making sure systems are running the latest software, have been patched, have anti-virus software turned on and that employees are security-aware doesn’t cost much, John Weigelt, the vendor’s national technology officer, told a Canadian Institute privacy law and compliance conference in Toronto last week.

But, he added, the four steps will go far to meet many threats, allowing CISOs and CPOs to focus most spending on hard-to-stop attacks.

“Often the security expert comes in and says we need this new widget or new service or this new control,” he said. “Are you really getting that reduction in probability of exploit?”

“Your best bang for your buck is education awareness,” he added. The simplest way is putting posters on walls with the headline ‘Resist the temptation to click.’

And you may have to get tough. Every Microsoft software engineer has to pass mandatory security training every year, he said. “If you don’t pass you don’t get to do any coding.” Similarly, sales staff have mandatory training on Microsoft’s privacy policy.

At the same time, Weigelt also complained that the organizations he sees still aren’t earmarking enough money for privacy and security. But, he said, both have to be built into a firm’s business plan — for example, not keeping sensitive data longer than necessary is a good security policy, but there has to be money to pay for data minimization.

In an interview Weigelt said it’s not that Canadian organizations don’t see security and privacy as a “top topic.”

But “they need to make sure it’s there in the budget process … It’s a matter of understanding where are those things that need to be done, where can they get the biggest impact. One of the things that always strikes me is there are things that are very straightforward that organizations can do to have a meaningful difference” — like patching and awareness training.

“Canada is a country of small and medium enterprises. In many cases we find that sole proprietors are following their passion for their business and IT support supports their business, but that’s not where their first focus is. And I’ve always had a premise that we need to make it very, very simple for small businesses to understand what needs to be done, or how they can improve their environment. So how to be more plain language about things.”

There are three things to consider when implementing data governance and security, he told the conference: First, it’s a continual process. “We can’t stay still — not as privacy professionals, not as security professionals, not as business professionals.” Second, there must be buy-in from the board and C-suite. And third, security and privacy professionals have to find ways to tell the business side not ‘no,’ but ‘yes if you do it this way.’

Security controls are like brakes on a car, he said — they help the business go faster in a structured way. “As we look at security and privacy let’s look at how we can catalyze the business. These controls help them do more, go faster.”

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
