3rd Party Risk Management , Application Security , Business Continuity Management / Disaster Recovery
Zoom CISO's 2023 Cybersecurity PredictionsMichael Adams Says Build New Resilience Over Larger Attack Surface
Phishing and other socially-engineered schemes are going to get bolder, the attack surface is only going to get bigger, and enterprises everywhere are going to have to focus more on building cyber resilience. These are among the New Year's predictions from Zoom's new CISO, Michael Adams.
See Also: Webinar | How the SASE Architecture Enables Remote Work
In a video interview with Information Security Media Group, Adams discusses:
- The State of Security as we wrap 2022;
- His cybersecurity predictions for 2023;
- Ways in which Zoom is more secure today than even a year ago.
Adams brings nearly 30 years of security and leadership experience as Zoom’s Chief Information Security Officer. He joined Zoom in August 2020 and served as Chief Counsel to the COO and CISO while building the company’s insider risk, global intelligence, operations assurance, and security legal programs. A graduate of the U.S. Naval Academy who began his career as an engineer, he was previously an advisor to two Chairmen of the Joint Chiefs of Staff, numerous prominent publicly traded and privately held companies, and the highest levels of the U.S. Government. He enjoyed success as an executive at Palantir and as a partner in a major international law firm. He and his wife, two children, and Chesapeake Bay retriever live in Charlotte, North Carolina where they are active members of the community and longtime, die hard Baltimore Orioles fans.
Tom Field: Hi there. I'm Tom Field. I'm a senior vice president of editorial with Information Security Media Group. Delighted today to be speaking with Michael Adams. He's the chief information security officer with Zoom. And we're talking about his predictions for 2023. First of all, Michael, would you have predicted that you'd be CISO in 2022?
Michael Adams: No, never would have, but thrilled to have the opportunity.
Field: Michael, tell me a little bit about yourself, your background and your mission now as Zoom CISO.
Adams: Sure, absolutely. You know, just upfront for me, everything begins and ends with my family. My wife, children and I live in Charlotte, North Carolina, which we moved to after a couple of decades plus in the federal government, started off my career as an engineer, 22 years old, with close to 100 people working for me, didn't know anything, except that it didn't know anything. But in securing operations now for about 30 years, been an adviser to Chairman of the Joint Chiefs of Staff, a national security lawyer, ships navigator, an adviser to major corporations, and executive at a software company. Most importantly, today, I joined Zoom in mid-2020, and moved over to the CISO role this year. Our security team mission, if I give you the short version, is to reduce security risks to our company and customers. And that supports our vision for a secure, trusted and resilient Zoom products and services.
Field: Well, at Zoom, you're at the center of everything we do in life today. From your perspective, how would you describe the state of security as we wrap up 2022?
Adams: Yeah, I mean, security is going to continue to evolve and become more complicated and challenging in many ways. At Zoom, I have the good fortune to lead an exceptionally skilled and experienced and diverse, really impactful team of security professionals. But over the past year, we've continued to see a large number of attacks targeted at companies and data breaches, some through third-party vendors. What's interesting about the threat landscape, though, is how it is constantly evolving with these new vulnerabilities and threats that do continue to increase in complexity. I also think we're starting to see, at this point, more emphasis because of this on zero trust security models, effective identity access management across dispersed networks. And, of course, cyber resilience is really critical. And then I think the key point for us as the state of security evolves for us is at Zoom, we've also taken the approach of investing heavily in our people - we believe that continues to be our first and best defense.
Field: What would you say are the threats and the threat actors that concern you the most today?
Adams: So I want to focus a little bit on hybrid and remote work models, because obviously, that's important to us at Zoom. And so it's an area we keep an eye on, we realized that the approaches of hybrid and remote work models present new and complicated challenges for security leaders. And so, that's an area we really double click on. So I think for us, exposure points are increasing as employees work from offices, homes, coffee shops, and that requires us to secure and control a more diverse set of environments and surface areas, if you will. We're also paying close attention to criminal actors who are, in our assessment, beginning to obtain resources that were historically only really available to APTs or advanced persistent threat groups. And so what we see now is that more attack tools and techniques are widely available. And we see them being shared among groups, which makes them increasingly difficult to detect and attribute.
Field: I know you've had some significant initiatives over this past year. How would you say a Zoom is more secure today than it was even a year ago?
Adams: It's a great and important question, because I think for us, we've really seen a strong evolution in the culture at Zoom, right? Security has become instilled in our culture. To me, the biggest advancement we've made on this front has been our investment in our security program and team really since 2020. We've done a lot of building out that program in a more comprehensive fashion. And then I think what we've pivoted to now is really an optimization paradigm where we're taking the foundation elements that we built, the growth we've had in teams and tools and really more sophisticated advancements. And we're dialing that in. And we're focused on the biggest risks, biggest impact areas. I'll say as a company, we've also kind of stepped up by continuing to grow the security features that we offer to our customers. At Zoomtopia, this past November, for example, we announced a series of new offerings and they include things like end-to-end encrypted feature for Zoom mail service, enterprise auto update. This is significant. In the last year, we rolled out automatic updates to our broader consumer base but last month, we've now introduced automatic updates for enterprise customers and we think that's a significant accomplishment. And then there are others that are not insignificant either such as advanced encryption for Zoom phone voicemail, so I'd say our program or people, and then also some of what we're offering through the technology to our customers themselves.
Field:Very good. Alright, I want to talk about your predictions, you've got four of them. First one, security leaders are going to increase their focus on cyber resilience.
Adams: So I think on this one, what's important for us is to recognize that a lot of the threat actors are trying to disrupt services or control data in a way that will force companies to not have kind of that single point of failure, right? I think, for us, we need to emphasize improving understanding of the customer and the operating environment. You can't have sort of a retroactive look back once you're at a point that the event has occurred, right? And so we need to get beyond protection and get to the point of including recovery and continuity in the event of a major cyber incident. And for us, that's not only investing resources in protecting against, it's investing in the people, processes and technology to mitigate that impact and ensure that we're continuing operations in the event of a cyber incident.
Field: Michael, your second prediction: security teams need to protect against increasingly sophisticated spear phishing and social engineering attacks.
Adams: Yeah, I think we've all seen just how sophisticated the evolution of these techniques has become. And it's become more and more difficult for employees, or any of our customers, to recognize the spear phishing and social engineering as being just that. As we're encountering more data, as we're doing more things all at the same time, it becomes easier for individuals to fall victim to these types of attacks. And that makes it more challenging for organizations to properly defend against them. So next year, I think what we expect to see are more sophisticated attacks that utilize emerging deep fake and AI technology. So even next-level stuff. They are moving toward deep fakes, in particular, moving toward real-time deployment, which is going to make it harder. And what makes them especially concerning is really, I'd say the rate and efficacy in which they were passed identity verification measures. And, of course, the negative impact that that can have. We think training can cure some of this, we think there's some telltale signs for deep fakes currently, but as that technology or those attacks increase in sophistication and precision, we're going to have to get out in front of them.
Field: Just as concerning is your third prediction: continuing instability across the software supply chain will provide a rich environment for large-scale attacks.
Adams: So I think here like the world has focused an awful lot on some of the supply chain challenges generally in the past few years through the pandemic, but we've really seen major supply chain attacks in the cybersecurity domain over the past years. Software supply chain has become more and more important and prominent in the security discussion. You've probably seen the recent executive order on the security of software supply chain for government vendors, we think that's a step in the right direction. But we do want to encourage more companies to focus on strengthening their security practices, everything from considering a zero trust approach to further securing infrastructure services. Things like code signing PKI, hardening the release process are ways we can move the needle here.
Field: Now the huge topic, your fourth prediction: increasing reliance on cloud vendors could expand company's attack surfaces.
Adams: I think here it's important to recognize that more organizations are layering cloud technology into new places, right? There's just a certain amount of flexibility, it's offered by the cloud that that is enticing. And that creates certain other risks that we have to be mindful of. Because what's happening is there's an expansion of attack surfaces, you have to have new strategies to deploy cloud security technologies and protection strategies. I met with a number of chief information officers and information security officers recently and we talked about some of our focus areas for cloud vendor security, and tried to prescribe some things that you just really need to check every single time and there's a certain level of rigor and focus that has to be brought to bear and I think it's especially important for the community of interest to come together and share lessons learned throughout this process.
Field: So it's one thing to predict things, it's another thing to deal with as a CISO. So how are you addressing these issues?
Adams: Look, by our nature at Zoom, we are designing for a flexible future, right? We want to equip our customers with the tools they need. Really to embrace their preferred working story, their preferred approach. And we want to help customer choose the kind of technology they need to effectively protect their infrastructure. We also are striving to complement new security innovation with relevant education. So customers know how to use our platform to secure their communications effectively. And then, of course, we look internally within our own information security program, our comprehensive information security program, and some of those really strong skill sets that our team is bringing to bear, as I mentioned previously.
Field: Michael, as we go into the new year, what are some of your key initiatives?
Adams: So, of course, I can't tell you everything at the granular level. But there are a couple points that I offer here. I can tell you we're focused on continuing to build out our platform, while maintaining our customers' trust. This is absolutely critical for us. Security has never been more important at Zoom than it is today, it has never been more embedded both into our culture, our people, our training and the platform itself than it is today. So, toward that end, we're working to earn several new third-party certifications to continue to demonstrate that trust to our customers. We'll have more details to share on that in the upcoming months. But that's a critical component of what we do, it's to go out and not just talk about how we're going to do but go out and prove it and have others come in and certify that we've actually lived up to the standards that we're striving to meet. We're also tapping into the power of the security community. I have the good fortune to lead a CISO council, composed of CISOs from some of our customers. And in that forum, we talk about key issues for Zoom, but also key issues for the broader community. We're seeking feedback from those CISOs. And we really do take that input in a way that we believe is constructive and moves the needle for us, both within that customer base, but at Zoom and for our broader customer community. I'll give you another example. We continue to circle or double down on some of the things that we're finding the most impact through. And an example of that is our bug bounty program. It's been very successful. We held a live hacking event in Las Vegas earlier this year with the help of HackerOne. HackerOne has been instrumental to our success here. And we continue to build meaningful, constructive, impactful relationships with ethical hackers.
Field: Michael, as we go into 2023, organizations everywhere got similar challenges. They can't find the human resources they need and financial resources may be limited as well because of economic conditions. Understanding that, what's your advice to other CISOs trying to tackle these very challenges we've discussed here today?
Adams: I think it's tempting in tougher environments at times to lose sight of the things that make us most successful. And in the security community, there's an old saying of "intelligence to drive operations." I really think that we have to stay up to date on the latest threats, we have to understand the threat landscape and how it's applied to our specific circumstances. If you don't do that, you're wasting your time in a lot of instances. So I think staying up to date on latest threats, understanding that environment and building your security operations and broader business operations around that threat landscape is absolutely critical. I think the second piece is to invest in your people, skills building, training opportunities, making time to walk the halls in person or remote. I'm very proud of the security team we've built at Zoom. As you may have already figured out, we have incredible talent across many security disciplines. And I'm excited to see our people continue to grow in their careers. That's more important now than ever. Just to be very clear on this. We talk an awful lot within our team about the concept of people first and mission focus. And I deeply believe that if we get the people part right, that gives us the ability to focus on the mission to feel the purpose behind our work and the value and the impact we're having. And so it's absolutely critical. And then I think closely related to that is communication. It's just fundamental in the security space, whether it's sharing updates across different teams, communicating with a board of directors or executive leadership, working across functional or cross functionally across groups, strong communication skills and the willingness to over communicate. It's just fundamental to what we do. You can't overstate the value there.
Field: Well said. 2023. It's going to be an adventure I look forward to and I look forward to having further conversations with you, Michael. Thank you so much.
Adams: Thank you, Tom.
Field: Again, we just heard from Michael Adams. He's the chief information security officer for Zoom. For Information Security Media Group, I'm Tom Field. Thank you for giving us your time and attention.