Just in time for everyone gathering at the RSA Conference in San Francisco this week, Microsoft has announced plans to rate the effectiveness of customers’ cybersecurity efforts—and at least one insurance company will start using that score to set prices for its cyber-insurance policies.
That move is possible thanks to Office 365, the cloud-based version of Microsoft desktop software that millions of businesses use. Each Office 365 customer can configure its security settings however it likes, but Microsoft can (and now will) compare those individual configurations against 77 factors that Microsoft defines as an ideal configuration. The result will be your “Secure Score.”
The concept isn’t new. Microsoft launched a Secure Score pilot program last summer, where it compared customers’ security settings to a configuration of only 27 factors. The new Secure Score program is more comprehensive, and it will show customers how they can change their individual settings to achieve a better score, through techniques such as two-factor authentication.
And according to a post on one of Microsoft’s many Office blogs, Hartford Financial Services will start including that score in its calculations as it estimates the price of clients’ cybersecurity insurance policies. Exactly how much weight will Secure Score carry, relative to other factors that Hartford considers? Hartford isn’t saying.
Compliance Role in Security Controls
Put aside any Big Brother unease you might have about IT giants controlling your life; this is a good idea. Microsoft and other cloud-based software providers are better at data protection than most companies’ IT departments. They shoulder the burden of maintaining security against the latest threats, while employees still get to use the standard desktop software they already know. It’s a smart arrangement, and your IT security officer will be the first to say so.
The mechanics of how to implement Office 365 and Secure Score are the purview of the IT department. Compliance officers need to know this: your company gets a set number of possible security controls, depending on what version of Office 365 you use. Secure Score assesses the number of security controls your organization actually uses, and calculates a score—say, 93 out of a maximum possible score of 250. Then Secure Score shows what controls and policies you could change to raise your score, and provides tools to let the security team measure progress along the way.
That part about controls and policies that should be changed is where the compliance function can play a crucial supporting role. Compliance officers can lend their expertise to help inventory all the company’s data, compliance obligations, security controls, and business practices. Then, as Secure Score recommends improvements your company could make to its security posture, you can help ensure that fewer details are overlooked, and fewer good ideas slam into the walls of bureaucracy and employee indifference.
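To make the scoring mechanics concrete, here is an added example (my own illustration, not Microsoft’s code or its actual Secure Score catalogue) of a simple scorecard: an inventory of controls with point values, the score they produce, the ranked list of unused controls that would raise it, and a plan to reach a target score. The control names and point values are constructed and chosen so the sample reproduces the “93 out of 250” figure above; real Secure Score point weights differ.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Control:
    """One security control in the tenant's inventory (constructed model)."""
    name: str
    points: int     # points awarded when the control is in place (assumed weights)
    enabled: bool   # whether the organization actually uses the control


# Constructed sample inventory: names and weights are assumptions, not Microsoft's catalogue.
SAMPLE_CONTROLS = [
    Control("Require MFA for global admins", 50, True),
    Control("Enable mailbox audit logging", 15, True),
    Control("Turn on audit log search", 10, True),
    Control("Set outbound spam notifications", 18, True),
    Control("Require MFA for all users", 30, False),
    Control("Block legacy authentication", 20, False),
    Control("Enable data loss prevention policies", 25, False),
    Control("Review sign-in risk reports weekly", 5, False),
    Control("Block mailbox forwarding to external domains", 20, False),
    Control("Designate fewer than 5 global admins", 10, False),
    Control("Enable Safe Links for email", 22, False),
    Control("Use non-global admin roles", 15, False),
    Control("Review role changes weekly", 10, False),
]


def score(controls):
    """Return (achieved, maximum): points for enabled controls vs. all controls."""
    for c in controls:
        if c.points <= 0:
            raise ValueError(f"control {c.name!r} must carry a positive weight")
    achieved = sum(c.points for c in controls if c.enabled)
    maximum = sum(c.points for c in controls)
    return achieved, maximum


def recommend(controls):
    """Unused controls ranked by the points they would add (highest first).

    sorted() is stable, so controls with equal weight keep inventory order.
    """
    return sorted((c for c in controls if not c.enabled),
                  key=lambda c: c.points, reverse=True)


def plan_to_target(controls, target):
    """Greedy plan: highest-value unused controls until the target score is met.

    Returns an empty list when the target is already reached and raises if the
    target exceeds the maximum possible score for this inventory.
    """
    achieved, maximum = score(controls)
    if target > maximum:
        raise ValueError(f"target {target} exceeds maximum possible score {maximum}")
    plan = []
    for c in recommend(controls):
        if achieved >= target:
            break
        plan.append(c)
        achieved += c.points
    return plan


def apply_controls(controls, names):
    """Return a new inventory with the named controls marked as enabled."""
    wanted = set(names)
    return [replace(c, enabled=True) if c.name in wanted else c for c in controls]


if __name__ == "__main__":
    achieved, maximum = score(SAMPLE_CONTROLS)
    print(f"Secure Score: {achieved} / {maximum}")
    print("Top recommendations:")
    for c in recommend(SAMPLE_CONTROLS)[:3]:
        print(f"  +{c.points:>3}  {c.name}")
    plan = plan_to_target(SAMPLE_CONTROLS, 150)
    after = apply_controls(SAMPLE_CONTROLS, [c.name for c in plan])
    print(f"After {len(plan)} changes: {score(after)[0]} / {maximum}")
```

The greedy plan is where the compliance role enters: each recommended control maps to a policy change (who must enroll in MFA, which data the DLP rules cover) that someone has to write, communicate and enforce, and the before/after scores give the security team the progress measurement the article mentions.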
For example, one change that the security industry wants to see is more use of multi-factor authentication—say, employees enter a preliminary password that sends a second password to their phone or key fob, before they can access a data system.
Multi-factor authentication is a great idea. It can also be a hassle for employees. So if Secure Score (or similar services from rival software providers) leads your IT department to recommend multi-factor authentication, that brings along a flock of policy management challenges. You, the compliance officer, get the raw thrill of solving those challenges.
I could also foresee the need for new policies—not so much about how data is handled (you should already have those), but rather about how new data or computing devices can join your company’s IT landscape.
For example, if a few people in sales start collecting data on European Union citizens but don’t tell anyone, your company now needs a set of security policies that you don’t know it needs. Or if someone tries to bring a mobile wireless access point into the office to visit websites you normally prohibit, that’s another standoff that needs to be resolved. It can’t be resolved if compliance and IT security don’t know about it.
Embrace the Future Wisely
Understand what Microsoft is trying to do here: bring the power of artificial intelligence to the challenge of optimizing your cybersecurity. That’s a good thing. But our automated IT overlords won’t be able to dominate us humans effectively unless we provide a complete picture of the data, devices, and transactions that happen on our networks.
And once our overlords show us the way to security enlightenment, the compliance officer will be crucial in guiding employees along the One True Path. Under penalty of disciplinary action or loss of access privileges.
This is going to be the security strategy of the future: one part AI, with a big dose of analytics; one part risk assessment to determine your compliance obligations; and one part astute policy management and training to get employees to follow along with best practices. Compliance officers will be involved in at least two of those three things.
We shouldn’t overlook the Hartford’s use of Secure Score, either. Insurance is always going to be part of a company’s cyber-risk management plans. Breaches happen, the company gets saddled with costs, and insurance bails you out. It’s not surprising that as artificial intelligence and analytics start churning out courses of action, insurance firms start offering incentives to take those actions.
The future is coming. We might as well be prepared for it.