Addressing the Top Security Priorities of CISOs in IndiaMicrosoft's Terence Gomes on Dealing With Attacks, Zero Trust and the Skills Gap
The top priorities for CISOs in India are the same as those reported by CISOs in other parts of the world: Attackers are continually evolving their techniques, and ransomware attacks, phishing, botnets and nation-state attacks - including attacks on supply chains and critical infrastructure - are all on the rise.
"As Microsoft, we believe security should be holistic," says Terence Gomes, the country head of Microsoft Security in India. That's because attackers attack an organization from end to end, not just at one point, he says.
In this video interview with Information Security Media Group at ISMG's Cybersecurity Summit in Mumbai, Gomes discusses:
- Microsoft's three-pronged approach to holistic security, which starts with consolidating tools; continues with integrating to a platform that allows for use of artificial intelligence, machine learning and automation; and ends with improving response efficiency and the user experience.
- The importance of zero trust and how Microsoft Windows 11 helps establish trust;
- Microsoft's "big investment" in cybersecurity education.
Gomes, a 23-year veteran of the Indian IT industry, has spent most of his career advising organizations and partners on how to defend against cybersecurity threats and fraud. He has spoken about cybersecurity and fraud prevention best practices at a variety of events sponsored by the Indian Payment Risk Council, Institute for Development and Research in Banking Technology, Information Systems Audit and Control Association Mumbai Chapter and other organizations.
Suparna Goswami: Hello there. I'm Suparna Goswami. I'm associate editor with Information Security Media Group. And I have with me today Terence Gomes, who is country head, security with Microsoft, India, and he will talk about some of the pain points of cybersecurity practitioners in the region. Terence, always a pleasure to speak with you.
Terence Gomes: Likewise, Suparna. I'm so excited to spend some time with you and interact with your audience, really looking forward to this talk.
Goswami: So tell us, given the current macro environment that is going on, what are you hearing from the CISOs? What are their top priorities when it comes to security?
Gomes: A couple of things, and CISOs in India CISOs, globally, and, you know, just looking back at the recent Microsoft digital defense report we published last week - this is our annual edition, where we, you know, conduct research across the globe and more than 12 months of data. There are three things that really stand out. One is while organizations are investing and moving forward in security, attackers are adopting, attackers are also keeping up with the change in innovation, and we are hearing CISOs share that with us, where they've seen ransomware attacks growing significantly in their space, and many times, it's been too late for them to do anything, and then they've been held to ransom. Phishing continues to be a top of mind. Whether it is - would you say email phishing, business email fraud, different form factors and vectors. Phishing continues to be - at Microsoft, we probably saw 730 million phishing emails each week as a service provider. So that's the content of the threats and changes in the landscape. And then also, we're seeing the entire botnet ecosystem environment growing rapidly like the Microsoft digital crimes unit works in partnership with various agencies globally, locally, we track that. So we see all these kinds of trends and off late also, there's a lot of rise in the nation-state activity. You see they're going behind supply chain attacks, IT service providers, looking at critical infrastructure. So we think a lot of this happening, right? So, across ransomware, phishing, botnet, nation-state attack, a lot of these things happening in the environment. And a digital report also talks a lot about those things.
Goswami: So you mentioned about ransomware, you mentioned about phishing. So, what is Microsoft's roadmap when it comes to offering cybersecurity professionals to achieve more with less?
Gomes: Again, great question. We're looking at this problem holistically. Because when attackers attack organization, they don't attack endpoints, they don't attack, you know, email, they attack organizations end to end and not at a specific point in time. So we genuinely believe that organizations, security practitioners need to look at securing their organization holistically end to end, and not just focus on one or two specific areas of the security domain. And we build a three-pronged approach to help them do more with less. One, of course, is consolidation. Because with consolidation, you can do a lot of simplification. A lot of times, we've seen organizations have multiple point products, and there's a lot of overlap. So, they end up with a lot of redundant tools, which only makes it much more complex for the end user and the operator to use to maintain to manage. So, a core focus on when we work with organizations is one on simplification and consolidation. The second focus is also how do we get these integrated, so when you consolidate, when you move everything to a platform approach, each tool or sensor can talk to each other, because now they're part of the same platform, they are connected. With that interconnection, they can see, you know, threats, they can share signals, they can provide a much richer context about what's happening in the organization. And when you have that fabric, you can then leverage machine learning, because now each of these signals can be put together to look at the noise versus the true positives. And at the same time, you can also focus on automation. So our second focus is when you do consolidation, and when you do the integrated approach, you are able to leverage new age machine learning AI and automation to really detect threats faster, respond to them, remediate them, and sometimes just contain because you can't prevent everything, right? There's nothing such as 100% security. So you can do a lot of containment efforts as well. And then thirdly, the focus is on if you do these two things right, you can significantly improve your operations efficiency in terms of, you know, time to detect, time to respond, number of resources you're using to manage your entire security operations or new projects that you want to go deploy. So your entire operational efficiency around user experience, time to manage a number of resources, you save a lot of that as well. So in addressing these threats of today, where there is a constant demand on CISOs to do more, we come in and say you can actually do more with the Microsoft approach, and leverage these three things of simplification in advanced AI and automation, and operational efficiency using the platform approach.
Goswami: So, you mentioned about prediction, detection and automation. And this brings me to zero trust. So that is one principle and strategies that most of the organizations are now following, or at least trying to follow. So how is Microsoft helping organizations achieve this through endpoints in addition to software, especially with Chip, and Windows 11?
Gomes: Great question. This was asked during the keynote. I know off the top of the summit today, where one of the audience members said, "Everything is good, but what about hardware secure?"
Gomes: And at Microsoft, we believe that security should be holistic. In fact, in one of the surveys, one of the reports that was conducted, 80% of the decision makers are looking at, you know, security to be also enabled as part of hardware and not just rely on software. And as we are looking at Windows 11, we are working, you know, making sure that Windows 11 focuses not just on the software security aspects of it also, but leverages the hardware aspect of it. And again, on three things, the whole zero trust principle is based on trust, but verify or verify explicitly, and once you verify, then only give that individual or that device limited access and assume breach. So with Windows 11, we're focusing on those principles. So when we're working with the device manufacturers, the hardware requirements that one needs to meet to have Windows 11 run comes with a lot of security guidance. So we are going back and working with the silicon chip manufacturers, the device manufacturers, to make sure that those security requirements are built in as part of the hardware. This then enables Windows 11, as a platform, to leverage the hardware to really, you know, make the entire experience secure. So putting in all those things. And a simple example would be like, "trust, but verify," which is a core principle of zero trust. With Windows 11 device security features, the administrator can actually pinpoint and say, "Oh, is this device - can I trust this device? Is this devices attested?" And Windows 11 helps establish that trust so that only a healthy device is given access. Otherwise, it is not. So, tying back to the core principle of trust, but verify. So that's how we are trying to get that done and leverage the Windows 11 in partnership with the hardware manufacturers really roll out a secure operating system and advice experience.
Goswami: Fantastic. And I'm sure you would agree that an essential piece of this entire cybersecurity process is the people and we need to skill people. So what is Microsoft India doing to upskill cybersecurity professionals and prepare them for the future?
Gomes: Great question. This industry, in general, not just in India, but globally, there's severe shortage of cybersecurity skills and people. Microsoft India has initiated various initiatives, are taking steps, you know, different ways. For example, Cyber Shikshaa abhiyan is really reaching out to women engineers, graduates who are looking to embrace cybersecurity as a career aspiration. And we're reaching out proactively to this program, and not just Cyber Shikshaa abhiyan but Cyber Surakshit Bharat, which is focused on skilling and enabling people in the public sector in India. And there are many other initiatives, the enterprise skilling initiative. So to sum it up, this is the big focus area of investment for Microsoft. We've taken significant strides, but it is a journey and we will continue to invest and continue to get more and more people enabled in India on cybersecurity.
Goswami: Of course. Education is not a one-time process. It's a long, continuous journey that everyone has to do. Thank you so much, Terence. Thank you so much for sharing your thoughts.
Gomes: Thank you. It's been a pleasure talking to you.
Goswami: You were listening to Terence Gomes for ISMG. This is Suparna Goswami. Thank you so much for watching.