The idea of “first principles” – the breakdown of complicated problems into basic elements – has been around since Aristotle. It has been echoed by notable philosophers like René Descartes and more recently is the mantra of business magnate Elon Musk, who tossed out all previous assumptions about electric cars, solar power, and spaceflight to start from the ground floor.
Kevin Magee, Chief Security and Compliance Officer at Microsoft Canada, sees a return to first principles in cybersecurity as being the only way forward in the new world.
“We live in a world without any real boundaries between personal and work life,” he said. “Throughout human history, from the earliest civilizations, security has been about establishing and then holding a perimeter position. But in the modern digital world this is no longer relevant or viable, and business leaders really have no choice but to adapt.”
The pandemic has given thought leaders and decision-makers an extraordinarily compelling event, and with it an opportunity to step back and think about what the next-generation paradigm of security should or will look like.
From the ground up
“Getting back to those basic first principles – what you want your organization to accomplish from a security strategy standpoint – is the very first discussion,” said Magee. “The first step is a Zero Trust implementation. It’s initially a passive security model, but it sets up those guidelines and rules on which you can build out your entire security posture for the future.”
The Zero Trust concept is grounded in the realization that, unlike in traditional security, anything inside an organization’s network should not be trusted by default. It can be traced back to John Kindervag, during his tenure as VP and Principal Analyst on Forrester Research’s Security and Risk team. Magee not only recommends the full adoption of Zero Trust, but says that without it, a company’s successful march into the future is simply not possible.
“You look at our world, at this fork in human history where we currently stand, and you realize how much has changed, and what is now necessary for businesses to move into what’s coming,” he said. “Unless you fully embrace first principles and Zero Trust when it comes to security, digital transformation won’t be possible. You won’t be able to compete. Nor will you be able to effectively serve your customers and employees going forward.”
Time to rethink
Even among cynics, there has been talk of a return to the post-COVID normal. But Magee is clear that “normal” never existed. The pandemic hasn’t moved the business world away from its “usual place”; rather, it has served to expose many of the weaknesses in how security was being done. Old assumptions have died quickly, and business leaders have been pushed into a wholesale rethink of almost everything they once thought they knew about keeping their data safe and secure.
“A basic rethink, asking basic questions of how to improve security, goes without saying. But they’re also going to have to rethink things from a policy perspective. What are the laws? What cybersecurity norms are in force between entities: between nations, between businesses. How do we interact with each other, as companies, between companies, and to employees and partners? All these relationships are changing swiftly and simultaneously.”
The smaller things
Is there a “good enough” when it comes to security? Magee thinks there is, but achieving it demands not noise and flash but the completion of quiet but effective tasks.
There’s always going to be a lot of conversation around acquiring fancy security tools – one product or another that’s going to solve everything, he said. But companies should be focusing on doing the basics. The same thing applies to home security: a homeowner might buy a fancy alarm system, but it will be money wasted if all the doors are left open.
“It’s the less interesting things that have the biggest impact,” he said. “That’s our approach at Microsoft. We have our Zero Trust Assessment Tool, our Azure Security Center tool, and other key pieces. Altogether it gives companies a checklist of where they are against a proven standard; from there they can change or modify to meet their needs.”
Tone from the top
Magee sees two important pieces for companies looking to shore up their security for the future. “You get the basics down, like enabling MFA or implementing basic cloud controls, that’s great. Change is not easy, and it calls for two things: first, tone from the top, with priorities and guidance, and second, the skills and the willingness to assess, to determine both a starting and a desired end point, and then, finally just actually doing the work. It’s not that glamorous, especially in the early stages, but more often than not it brings back a great return.”