As part of Cybersecurity Awareness Month, we explore actionable strategies to prevent data breaches and ensure long-term enterprise continuity. Learn from an expert how proactive incident response, disaster recovery, and understanding your security architecture are essential for protecting your organization from cyber threats. This episode is packed with practical insights for businesses of all sizes!
Guest: Sarah Armstrong-Smith, Chief Security Advisor, Microsoft
On LinkedIn | https://www.linkedin.com/in/sarah-armstrong-smith
On Twitter | https://twitter.com/sarahasmith75
Host: Dr. Rebecca Wynn
On ITSPmagazine 👉 https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn
________________________________
Episode Description
In this episode of Soulful CXO, host Dr. Rebecca Wynn speaks with Sarah Armstrong-Smith, Chief Security Advisor at Microsoft, about the critical steps organizations must take to prevent data breaches and maintain business continuity. Sarah dives into the interconnected nature of incident response, disaster recovery, and enterprise risk management, providing a holistic view of cybersecurity. She also debunks the myth of "black swan events" by showing how most major incidents have early warning signs. Sarah emphasizes the importance of understanding your security architecture, managing your data effectively, and having flexible, people-first response plans. Whether you're a small business or a large enterprise, this episode offers valuable strategies to enhance your cybersecurity defenses and ensure business continuity.
________________________________
Resources
National Cybersecurity Alliance Free Events and Programs
https://staysafeonline.org/events-programs/
CyberSecure My Business Program
https://staysafeonline.org/programs/cybersecure-my-business/
Effective Crisis Management: A Robust A-Z Guide for Demonstrating Resilience by Utilizing Best Practices, Case Studies, and Experiences
https://www.amazon.com/Effective-Crisis-Management-Demonstrating-Experiences/dp/9355512716
Understand the Cyber Attacker Mindset: Build a Strategic Security Programme to Counteract Threats
https://www.amazon.com/Understand-Cyber-Attacker-Mindset-Counteract/dp/1398614289
________________________________
Actionable Strategies to Prevent Data Breaches | A Conversation with Sarah Armstrong-Smith | The Soulful CXO Podcast with Dr. Rebecca Wynn
Dr. Rebecca Wynn: [00:00:00] Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn. We are pleased to have with us today Sarah Armstrong-Smith. Sarah is the Chief Security Advisor for Microsoft, working with strategic and major customers across Europe to help them enhance their security strategies and capabilities.
She has been on the frontline of many major incidents, including IT failures, data breaches, and fraud. She's a fellow of the British Computer Society, recognized as one of the most influential, inspiring women in technology, a highly sought-after speaker. She writes numerous articles and has written two books, "Effective Crisis Management: A Robust A through Z Guide for Demonstrating Resilience by Utilizing Best Practices, Case Studies and Experiences."
And her latest book, "Understanding the Cyber Attack Mindset: Build a Strategic Security Program to Counteract Threats." Sarah, it's great seeing you again. Welcome to the show.
Sarah Armstrong-Smith: Oh, [00:01:00] thank you, Rebecca, for inviting me.
Dr. Rebecca Wynn: It's interesting when we talk about incident response, disaster recovery and business continuity, and in companies, they always want to treat them separately. But I think they all tie in together. How do you recommend companies take a look at that?
'Cause without business continuity, there is no true enterprise risk management, and there's no true, I would say, long-term recovery from incidents and disaster recovery. How should they be viewing that more holistically to get out of them quicker and actually be able to save your company in a lot of instances?
Sarah Armstrong-Smith: Oh, I think the, uh, real key thing is that people seem surprised when we have major incidents. So I look at, so I remember to 9/11, um, people talk about black swan events. So these events are so big, of such magnitude, they could never have been predicted. No, I don't believe that. I don't believe in black swan events whatsoever.
And actually, one of the things, even when I was a kid, um, I started reading public inquiry reports, and the first one I got [00:02:00] interested in was when I was 12 years old, and it was the public inquiry as a result of Piper Alpha. It's very similar to Deepwater Horizon: a big oil rig in the North Sea that exploded, killed people.
Um, the public inquiry report really was very interesting to me, that, you know, these major incidents don't just happen from nowhere. There's always a story. There's always a trajectory, missed warning signs, reports that have gone wrong. It all kind of hinges on the culture of the organization. Um, and it kind of just really dawned on me.
Um, with regards to the fact that how bad does it have to get before we take proactive action? Um, my first book, Effective Crisis Management, it's really looking at that. So I picked some of the worst events in the last 20 years. So the 9/11, Colonial Pipeline, um, Deepwater Horizon, even the pandemic itself, um, and even the recent pandemic.
This is not the last, this is not the first pandemic we had. We had one 10 years [00:03:00] ago and that was the H1N1 pandemic. But we're always surprised. We're always surprised. Lessons get asked. How did we get here? And so that's really important to really think about, um, some of these major incidents, really learn lessons and what do we have to do to make a proactive change?
And that's a real bit that I'm truly trying to emphasize to people. Cause it keeps repeating the same problems. You're just going to have the same mistakes, the same incidents, but arguably they're going to escalate. They're just going to get bigger and bigger until we repeat the cycle. We're going to be here a few years down the road.
It's going to be another industrial accident, another cyber incident, another um, huge scale incident where we're going to be back to square one again, asking the same question.
Dr. Rebecca Wynn: So how do you suggest that people actually go about when you're creating an incident response team that you would create the team responsibly so that you can set them up for success?
Sarah Armstrong-Smith: I think the main thing to think about, I think some people have a plan. And they're so rigid to that plan. It starts at A and goes [00:04:00] through to Z. And when it goes off piste, they don't know what to do. They're so stuck because they're in this rigid plan and it must work to this plan. And I think that's one of the dangers is having a really regimented thing that doesn't really help anybody.
So it has to be a guideline first and foremost, it has to kind of be the real important thing. So the first thing I would say is you have to have people impact above everything first. And I've looked at so many business continuity, crisis management, incident response plans, but the impact to people is like halfway down.
You look at the technical impact, the operational impact, financial impact. Now inadvertently, um, that says we value profit over people. And people, whenever I say that to someone, it's like, Oh, absolutely no way. There's no way that we put profit above people, but when you put financial impact above people, it really does change the mindset.
So first and foremost, doesn't matter what incident, it's a cyber attack, fire, flood, [00:05:00] your power's gone out, whatever the case may be. I need to know what the people impact, whether that's our employees, whether that's our customers, our partners, whoever the case may be. So that's really important to have that mindset first and foremost.
The second thing is to really understand the critical actions that must happen. What I say to people: every action has a chain reaction, and it's a big difference between no action and inaction. Inaction is doing nothing, and no action is a deliberate choice to do nothing. So whatever that is, whatever that action is that needs to happen.
Do you have the right information available to make that decision? If you don't, how are you going to get it? Because ultimately you can only make a decision based on what you know at the time. Now, it may be that in hindsight, when you look back, you do a post-incident review, that was absolutely the worst decision you could have made. [00:06:00]
But again, there's, there's a lot of lessons to be learned there about who, who has the information? Are they aware of the information? So I'll give you a good example of a ransomware attack. Um, you know, one of the kind of the key considerations: we're not going to pay. We've got backup tapes. We're going to go to backup tapes.
So just saying we're going to go to backup tapes is only part of the equation. So I need to know what backups have I got? What does it cover? When was the last time it was tested? Is it successful? Does it enable me to do a full rebuild? Because a lot of backup tapes will just be the odd file or the odd system.
Can I recover end to end? Are those backups protected? Are they part of the ransom? And so all of these, these what-ifs, these, a lot of these questions, I don't want to be figuring those questions out when I have a ransomware attack, the, um, threat actor is all over me, the media's on me, the regulator's on me, I've got angry customers.
So I need to have done my due [00:07:00] diligence in advance. I need to kind of preempt what you're going to need to know, who needs to know and who is making the decision ultimately. So is this a hierarchical decision? Does it have to go all the way up to the top? Someone makes a decision and it goes all the way back down again.
Are we making it by committee? And therefore, who needs to kind of be involved in that? Now, as you said as well, if I take someone out of the equation, are they on holiday? Are they on leave? Are they sick? Who's empowered to make that subsequent decision? And do they understand that? So when we think about those decisions, we're not just thinking about the first decision.
We need to know what the knock-on effect is. So if we're about to cause a chain reaction, not only do I need to know the second action, I also need to know the third and fourth, and that's really important, and there may be some things that cannot start until this other thing has finished. And inadvertently, what we're doing through there, if I understand this, I've done my due diligence.
I need to understand the critical path and that's really [00:08:00] key in decision making. So when I'm thinking about, you know, we're on the clock. Um, if I'm going to justify shutting the entirety of internet banking down, for example, the minute I pull the plug, everyone's going to know about it. I'm going to have social media.
I'm going to have people who are angry. The regulator is going to know. It's going to be picked up by the media. So I then have to have all of my ducks in a row with, am I prepared? Have I got all of that into play? Because once you've made the decision, it's very hard to take it back. You started on this trajectory, you started on this plan.
And so the, the actual pre-planning, as you were sort of saying, Rebecca, as well, having those exercises and taking people out of their comfort zone and kind of, kind of throwing some of these, um, weird and wonderful things at them. Because what I can definitely tell you from that experience is whatever you've planned for is never the incident that actually happens.
It's going to go so off piste that you're probably going to be relying on your plan [00:09:00] B, C, whatever the case. Um, and so we're going to have to kind of think about all of those different things combined and make sure that people are confident. Confident in their ability and they're empowered to make the decisions, ask the questions and don't just kind of go to this rigid plan, as I said.
Dr. Rebecca Wynn: Yeah, we see that quite a bit. And the one thing that, that always gets me with really, I say, we see a lot of startups, middle-sized companies, is not even knowing your security architecture. It's hard to protect what you don't know. And I tell people, if you don't know your architecture, what ports, protocols, services are open, what should be allowed in your network, outside your network, it's really hard to really even start on that plan.
And I see people put that off regularly. Is that what you see too? What would be like the top three things that you think companies really need to have in place so you can be better prepared for this incident to even know who to even call, right?
Sarah Armstrong-Smith: Exactly. And I think there is, [00:10:00] there are so many lessons learned from other organizations who have been through this.
And I think it's easy to kind of say, Oh, why would they attack me? The answer is why wouldn't they attack you? So the first thing is to have that assumed compromise, that assumed failure mindset that we were talking about. So the best one in the world, the technology, you might have to outsource all the training.
You still have to assume a threat actor is going to be able to get in. And if they can get in, what can they do? So I always talk about the really, if I break it down to its lowest denominator, the strategy is really simple. No matter what company, what size, what sector, um, the strategy is stop the access in and the exit out.
So when I talk about the access in, it's that really every entry point into the organization and then really understanding the vulnerabilities of any of those access points, um, and then kind of being quite open and transparent about where's the priority, what, where do I need to kind of [00:11:00] have my investment?
Now that priority investment will be determined by the other thing, which is the data, the exit out: how do I think about stopping the data exfiltration? And that comes back to what we were talking about, the critical, um, data, the sensitive data, the crown jewels. And it's really about understanding your business inside out, as well as outside in. And I kind of get frustrated when a lot of people say, now, the attacker understands your business better than you do. How can that even be?
This is your organization, they're your process, it's your technology. It's, it's all of those things. And so you really then kind of have to have that kind of inside, internal reflection about, um, where you are today, where you need to be, where those gaps are, what are you going to do about it? Um, because we don't have an infinite pot of money and infinite resources, as much as we'd like to have this magic wand and [00:12:00] buy lots more cool technology.
That's not realistic. That's not how we work in the real world, but it is really important that if we assume we can get in. What is that, if you think about that center, the crown jewels, if you like, how do I work backwards, where is it? Who's got access to it? What are the controls that I need to have? And that's where we build that kind of layers of defense in essence.
Um, and you kind of always think about the Tower of London, if you like. Um, so the crown jewels are right in the middle. Um, but before you can get anywhere near that, you have to go through umpteen walls of defenses, there's parapets, there's high walls, low walls, you know, all of these things. And, and further you get to the core, um, arguably the more monitoring, the more defenses you need, because they get that to that point, they are going to steal whatever they come in for.
So there's so many opportunities to stop that access, to stop them laterally moving, gaining a [00:13:00] foothold, kind of doing all of those things. But I really went to the lowest level. Understand identity and data is the kind of the two core principles.
Dr. Rebecca Wynn: One of the things I think that I come across, I do know that I come across way too often is that, you know, we do a lot of things in the cloud.
We partner with a lot of big companies, maybe it is Microsoft or someone like that, and they're just going to handle it for us. And I tell everybody there is a shared model, you know, you cannot rely just because you are working with a lot of other companies that you're going to be okay, because those other companies also might have a cyber breach that takes them down.
And we've seen that over time when people have Facebook and stuff like that, they've gone down and that's how you, you handled all your customers. And now what, because now you can't get business in because they got attacked and they had to go offline.
How should people handle that more mindfully as people are less so running their own data centers and having other people manage them, but have the [00:14:00] attitude that, you know what, someone else is going to handle it. I think that's way dangerous today as well.
Sarah Armstrong-Smith: Well, I think the beauty, as you said, Rebecca, of the cloud is it is that shared responsibility model.
So you're moving away from being responsible for all infrastructure, all architecture, keeping it up to date. So when you move it into the cloud environment, the cloud service provider or the SaaS service provider takes on a level of responsibility. So the infrastructure level, the kind of patching goes away.
I mean, patching's still required, um, but that is done by the service provider. So yeah, as you kind of go further up the chain, so if you get into SaaS services, and obviously the application becomes the, uh, responsibility of the service provider in terms of coding and everything else like that. That being said, and it does come back to one of the things I said about what's really important.
Um, however, looking at those cloud services and the service agreements that you may have, two things to bear in mind. You're always responsible for [00:15:00] your data, and you're always responsible for what your users are doing with that data. So it really comes back to exactly what I just said. Identity and data is really core.
Now the cloud service provider, um, the application service provider will no doubt have a number of inbuilt controls, um, but you can take advantage of, but it's really incumbent on you to understand how, how, um, they should be set, how high, how low, and when something goes wrong, uh, as you sort of said, so if you're getting an alert or something's not working right, something looks a bit strange, again, you still have to be accountable for what your business is going to do about that.
So, yes, you know, you've got, you've got huge opportunities to take advantage of tech and emerging things that are coming out, AI, these cool new models and everything else, but you still cannot transfer that risk over. You're, as I say, you're still accountable ultimately for your people and your data, um, and having the right process around that.
So there's things you can take advantage of, but I think that's really core to [00:16:00] the conversation we're having today.
Dr. Rebecca Wynn: Well, unfortunately our time has totally run short. I want to thank everybody for joining us today. Please go ahead and make sure you like, subscribe and share this and give us your comments and tell me who else you might like to have on the show.
Also please subscribe to the Soulful CXO Insights newsletter that is out on LinkedIn. Read through the description of the show where you can have Sarah's contact information. You also have links to her books as well. Sarah, thank you so much for coming on the show. You're an inspiration. I love having strong, great women here in technology.
And thank you for being a role model for all of us women.
Sarah Armstrong-Smith: It's been an absolute pleasure. Thank you, Rebecca.