Strengthening Collective Defense
Season One · Episode 12


In this episode, host Raghu Nandakumara sits down with Ann Johnson, Corporate Vice President, Microsoft Security Business Development, to explore AI, everyday Zero Trust conversations, cyber resilience best practices, and so much more.  


Transcript

0:00:03.8 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation company. Today I'm joined by Ann Johnson, Corporate Vice President, Security Business Development at Microsoft. A 22-year cybersecurity industry veteran with tenure at RSA Security, Qualys and Microsoft, Ann is a recognized global speaker, an author and an outspoken advocate for diversity and belonging in tech and throughout the world. Additionally, Ann advises and serves on the Board of Directors for many organizations, including the Seattle Humane Society, Human Security, and the Executive Women's Forum. Today, Ann joins us to discuss AI, everyday Zero Trust conversations, cyber resilience best practices, and so much more. We're so honored to have you on our podcast, on The Segment. As a way of introduction, can you tell us a little bit about your background in cyber and what your current role at Microsoft entails?  

0:01:12.3 Ann Johnson: Yeah. Thank you Raghu. It's wonderful to be a guest. I lead, today at Microsoft, our strategic partnerships and M&A for cybersecurity. So it's a wonderful job. I think I have one of the best jobs in cybersecurity because I get to see everything in the industry, the newest stuff, the things that are nascent, and then think about how we partner with everyone to really build a security ecosystem because we fundamentally believe security is a team sport. I've been in cyber for 23 years since I started with this little company called RSA Security. I am... all cyber people have domains of expertise. I'm actually an identity and fraud person, so that's the place that I came from for cybersecurity for a very long time. And I've been at Microsoft for about seven years and I've done a few different jobs here but it's just been this extraordinarily fun run and really exceeded our expectations with our ability to bring customer solutions that will simplify their security and help them be more secure ultimately.

0:02:11.1 Raghu Nandakumara: That's incredible. So you've had such a storied career in cyber. What continues to keep you interested and motivated to stay in this domain?  

0:02:21.5 Ann Johnson: It changes every day. I'm one of those people that your brain never shuts off and you're looking for constructive things for it to focus on, and what I find is the dimensions with cyber are dynamic and the actors who are the bad actors change and the threats change and the landscape changes. And as companies now are modernizing, that made a huge change of cyber and now we have this thing called artificial intelligence, the natural language models and ChatGPT that are becoming real. So it's so dynamic and fun and ever-evolving. It just continually keeps me interested.

0:02:53.5 Raghu Nandakumara: You kind of brought up AI and those natural language models and ChatGPT. So in your opinion, the potential threat they pose and how they could be leveraged by malicious actors, is that very much real or at the moment is it just more hype than reality? What's your opinion on that?  

0:03:13.3 Ann Johnson: Yeah. So I don't know that it's real today. I think that as we continue to think about artificial intelligence and natural language models, they obviously are going to be abused by bad actors and I think in two ways. The first way is they're going to leverage the technology to launch some of their attacks. They're going to figure out how to leverage the technology to make it easier or faster for them to launch attacks. The second thing, though, is that we need to secure the models themselves. We need to secure the data. We need to secure against data poisoning. We need to secure against model poisoning. Because if you think about AI, such as for cyber, the world's data is going to sit there in some way or another in the future and that is a great target rich environment for any bad actor.

0:03:56.0 Raghu Nandakumara: Absolutely, and I think that's always been the challenge with machine learning initially and now as AI, that form of intelligence is really being expressed, is ultimately it is based on whatever data you feed into it and compromising that in some way or tainting that impacts what is output. But if we look at it from a positive perspective, you've touched on how bad actors could leverage AI models. But do you see that also as a potential there for essentially the blue teams, the defensive folks like ourselves, to get ahead of the bad actors, leveraging these models? Do you see the potential for that as well?  

0:04:36.1 Ann Johnson: Yeah, I think that there's absolutely huge potential for our blue teams, for our red teams, but also for us internally to learn from what we think the actors are going to do. Our job in this industry, I've always believed, is to stay a step ahead of them and that's why I'm optimistic constantly and I do think our blue teams and our red teams can take a lot of learnings from these natural language models. The thing it does is it makes it more egalitarian. So if you're not a coder, let's say you're not somebody who's written a lot of code, you actually have the ability now to really send a prompt into a system and have it execute something for you, which means it opens up this world that whether you're doing investigations or red or blue teaming, you suddenly open the world to a much broader audience.

0:05:19.6 Raghu Nandakumara: I think the way you describe that is so wonderful, egalitarian, because cybersecurity can often seem to be something that is the domain of a very select few and that classic example of, let's say, like a Mr. Robot with a hoodie on hunched over a keyboard. But I think as we think about security today and we hear about terms like democratization of security, it's so important that the entire organization is brought along for the ride. Is that something that you are very much onboard with?  

0:05:52.3 Ann Johnson: I am completely onboard with it. And it has two dimensions for me. One, I've been quoted as saying in the past that, “We know cybersecurity has matured as an industry when there no longer is a cybersecurity group.” Now, that's an extreme statement and obviously I make it as a way of just poking at it a little bit. Cybersecurity is everyone's job and the more we can make the tools easier for people to use and we can truly make it everyone's job, the more secure we are ultimately going to be. The second thing is that we have this cyber poverty line globally. There are going to be countries that don't have the ability to protect themselves from nation-state attacks. And as cyber war continues to be one of the elements of a kinetic war, it's truly an element of war as we've seen recently, we're going to have to find a way to give these countries the skills that they need so that they can defend themselves. These folks that just don't have cyber skills or they don't have the money to have cyber skills. And we do call that the cyber poverty line. So I think it's both those dimensions. I really think that AI, as much as it's going to help our SOC and our defenders and [make] those folks’ job easier, that democratization of it is going to actually be a real change for the industry.

0:07:00.1 Raghu Nandakumara: Ann I think that's fascinating. And I think also some part of that is also just, what I see, is the leveling up of individual countries and obviously groups of countries. For example, here in the EU where countries act more as a collective to bring that leveling up of general cybersecurity stance driven by legislation at the national level, which can only be a positive thing. Tied into all what you describe with that more democratization. Is that how you see it?  

0:07:30.0 Ann Johnson: It is how I see it and I think that democratization has to exist as well and there has to be global standards and there has to be global regulation. But there also has to be global cooperation, right? Cooperation, private sector, private-public sector, public to public sector. We're seeing an increase in collaboration and cooperation, but we're not where we need to be and the only way we actually defeat the bad enemy is with collective defense. And we need to get a lot better about collective defense, and AI should just be one tool in the arsenal.

0:08:00.0 Raghu Nandakumara: I like that. I like that term, collective defense. Okay. I think we've spent the early part almost looking forward to what the future holds, so I'd like to go back a bit and just ask you: how in your time in cyber have you seen the priorities and the approaches to cyber evolve over time? Because I was listening to your podcast, I think it was the episode with Sounil Yu, where he described the various eras of cybersecurity. How do you think about those eras?  

0:08:31.3 Ann Johnson: I think the first era of cybersecurity is you had some people stand up a few firewalls, maybe they used tokens for authentication, they had some routers, and they had some antivirus software. And it was like, "Okay. We're all good here." It was a, "Keep everything out of the environment." It was very much a, "Our employees are all coming to the office. They're working on devices we issue them." Maybe not even laptops, maybe some of them are green screen. And the biggest concern that the CIO had was somebody plugging in a rogue server on the data center, right? And then we've evolved to this world where, okay, we've suddenly become more mobile and people are working on various devices and there's this Bring Your Own Device concept. And by the way, we started assuming breach somewhere around... And it's probably been about 10 years now, we've started assuming breach. We assume somebody is in your environment. So how do we contain them? How do we minimize the damage? How do we find them? And how do we evict them? So the tools started changing. No longer could you keep everyone out. You actually had to give people access because people wanted to work from anywhere on any device. How do you securely do that?  

0:09:33.1 Ann Johnson: So that was like the second era. This third wave we're going into now, it really was largely accelerated by the pandemic when we saw 87 or 90 percent of global employees went and worked from home. And suddenly we had these hybrid environments that were not necessarily secure, and we had people working on kiosks or working on the same device that their child was essentially doing their school work on and we introduced this whole other vector. We've swung back a little to where now you have more people in the office, some people still at home, or they're in the office or at home part of the time, and you're truly hybrid but then you also have this new tooling of AI. So again, it's how did the... The biggest problem CISOs still tell me today is visibility. So how do you see that something truly bad is happening in your environment, detect it super quickly and stop it from doing damage? And that is like the third wave of tooling and it's all about the data. People don't come into your environment just to hang around. It truly is all about the data.

0:10:33.8 Raghu Nandakumara: That's really interesting. And just picking up on that last thing you said, it's all about visibility. When I think about this, I almost feel that visibility should be the first thing that you put in place when you deploy a new technology to get complete understanding of what is happening around it. Why is that still a significant gap for so many organizations? Why do they not have enough visibility in the right places?  

0:11:01.1 Ann Johnson: Because it's super hard. If you think about technical debt and legacy systems and disparate systems and rogue cloud environments and people signing up for SaaS apps and people working on their own devices and the need to balance productivity with security, it becomes really hard to get complete visibility across your environment. We have people that are still running on Windows NT or Windows 95 systems. How are you going to get visibility for those if they're not talking to the cloud type environments? You have manufacturing lines that don't have cloud connectivity. You have oil companies that have offshore production systems, mining companies around the world that their automated mining trucks are 3,000 miles away from their corporate office yet they have 800 sensors on them. It is really hard to get visibility and it's what people struggle with, and it's the greatest thing that the security industry can do is to continue to improve visibility so that our CISOs know at least what their attack surface looks like and they can put the right controls in place.

0:12:00.0 Raghu Nandakumara: So when you talk to, in your role, when you talk to cyber leaders across the multitude of industries and nations, etc, what do they say is their biggest concern? Do they also align with, "I'm concerned that I just don't know what's going on," or do they sort of up-level that a bit?  

0:12:19.1 Ann Johnson: They generally, and this is a really blanket statement, they generally feel pretty good about the things they know about. The threats they are aware of, the devices they can see, they generally feel like they have good security controls. It is the old we don't know what we don't know. And the concern is that someone could have been in their environment for 18 months in some type of rogue system or somebody brought a new SaaS app online and didn't tell corporate and how they're sharing data with it. ChatGPT goes into that category. A lot of questions we get are, "We don't have the visibility of what potentially confidential data our employees are putting in a system like that." So they have hyper-concern over this. We need to have maximum productivity for our organization but we don't have visibility to what folks are doing. And if we don't have visibility to what they're doing, we can't secure it.

0:13:05.0 Raghu Nandakumara: Right. It's kind of like, that sort of, the catch-22 then. I need productivity but then, in order to secure that, I need better visibility. I don't have visibility so I don't know how to secure that, so I don't know how to support your need for better productivity. And you get into that cycle. So I kinda want to go back to something that you said and you talked about, about a decade ago that the assume breach mentality coming up and it not being just sufficient to recover or restore but really be able to survive. So I'd like to use that as a segue into talking about Zero Trust. I guess the first question to you is, when did you first come across the term Zero Trust? What does it mean to you and how do you feel about it?  

0:13:51.4 Ann Johnson: So, a few things. One, I think the concept of Zero Trust is a wonderful concept. When did I first come... I don't remember when I first came across Zero Trust but let's say it's five to seven years ago, let's just put it in that time frame. I think the problem is it has become this amorphous term that nobody really understands. And it was a marketing term for a while that people just say, "Hey, we're Zero Trust," with no grounding in principles. So we have really explicit principles around it. The first thing is you verify explicitly. Anything that happens in a session needs to be verified. Anything, whether it's a single piece of data passing through the environment, authentication, anomalies, etc. The second thing is you use least privilege access. You have to use least privilege access for all of your users. Most end users do not need admin rights on the laptop. You need to have some type of secure admin work stations. And these policies need to be adaptive so people just have the just-in-time privilege they need, when they need it, and then it goes away and it needs to be logged and audited.

0:14:50.6 Ann Johnson: The third thing is that assume breach. Always assume that someone is in your environment, assume you don't have complete visibility, and that's where you get into encryption and data protection and DLP and having a really mature program around that. And that is super hard because people don't know where all their data is and it's really hard to secure stuff that you don't know where it is. So Zero Trust to me is fundamental to cybersecurity. And most customers, by the way, whether they know it or not, they're on a Zero Trust journey. They're doing some pieces of this already and it's just really having the program maturity. And there are some programs that are more mature than others, it's the typical early adopters that are more mature than others. But people often ask me, "Where do I start? What do I do?" And one of the things I tell them is least privilege access is a really good place to start and multi-factor authentication, for 100% of the people who access your environment 100% of the time, is the other really good place to start.

0:15:43.3 Raghu Nandakumara: I agree. And I think just listening to the way you laid that out and if I think back to my undergraduate computer science course and I took a couple of modules on security, a lot of what Zero Trust really talks about and preaches are the axioms of computer security, of information security, like least privilege. And to me, it's almost like, why is it that those best practices haven't been followed from the get-go and now we're almost reverse engineering what we have in order to accommodate something that we should have been doing in the first place? Why has that gap developed?  

0:16:18.6 Ann Johnson: Yeah I think that people over-privilege access because they don't want any of their employees to run into productivity issues. I know that, by the way. So access is over-privileged just, literally, for productivity reasons and you really have to be scientific about how you think about access. We are at the place in the industry that everyone talks assume breach, I think that one is very well known, but the verify explicitly everything that happens in the session is the harder thing. Because it used to be, and you know this, if someone was concerned about the security, they would strongly authenticate however they strongly authenticated, and then there was some type of role-based access control and then that was good enough, right? Now we're saying, no, that's not good enough. Actually, every single transaction that happens in someone's session has to be interrogated because you could have malicious malware that's impacting the software. You could have malicious malware that's impacting the data. Somebody could have hijacked the session. Somebody could have followed them into the session. And so we're saying this "explicitly verify everything that happens in a session" is hard and it's new but in order to have ultimate security it's the place you really want to be.

0:17:25.9 Raghu Nandakumara: And so what does that then translate into what customers are asking for and then what they're executing on? What is that typical conversation that you would have? And I guess in your role, it's very much at that exec level. Does the conversation start from organization XYZ, "We want to build out a Zero Trust program. How do I do it?" or is it more around, "Here is a sort of a transformation that we're about to undertake. How should I ensure that security is best of breed to support that transformation?" What is the nature of that conversation that leads ultimately to "you need to adopt Zero Trust"?  

0:18:06.5 Ann Johnson: That would be ideal, the latter of what you said would be ideal. “The company is going to have some type of major transformation, let's bring security in early” would just be ideal. It doesn't happen as often as you'd like. We're getting better. By the way, security is now a board-level conversation. Lines of business are getting more comfortable that their security peers aren't trying to block them, they're just trying to enable secure business. And security should be an enabler, right? So ideally it happens when the business is trying to do something new and then you think practically how they're going to do that. The good news about having a Zero Trust architecture is that you can snap a lot of it into that. If the architecture already exists, then even bringing in other lines of business doesn't mean you have to do anything different.

0:18:48.4 Ann Johnson: And running things, I'll give an example, running things like Microsoft Conditional Access, which looks at every transaction that happens in the session from a user standpoint, is one of the underpinnings of having a really good Zero Trust strategy. Things that look at your devices, the health of your device, what is your device doing in this session, technology that looks at that. Then if you can enable the business that they don't have to come back to security every time. They just have to follow the principles of Zero Trust whenever they're rolling out something good. And it really truly does become both a business enabler and it makes security more effective and security more simple. Those are the ultimate measures of having a good Zero Trust program.

0:19:27.6 Raghu Nandakumara: And I think, I mean, that really is the ideal state where there is that consistency is built under the business or the application developers, etc, know that as long as they adhere to the security requirements and they build according to those, then they're going to be getting the best of breed security, it's going to be least privilege access and that transformation is not going to be in any way impeded. So from a Microsoft perspective, what do you see are the key technology enablers that you have that you're delivering to customers to support this?  

0:20:05.8 Ann Johnson: Yeah. Our Zero Trust strategy, and everybody comes at it in a different way, starts with our identity. Because we are very strong in identity and we have our Microsoft Entra Suite, our Zero Trust starts there. And it starts with strong authentication, Windows Hello for Business or the Azure Authenticator, we have third parties we're integrated with. So it starts with strongly authenticating the user and then it goes to using conditional access, so making sure that all of your app access, all of your apps are attached to Conditional Access and we're looking at the health of everything that's happening within the session from that standpoint. Then, as you know, we do a lot of partnering. We do a tremendous amount of partnering. And in the spaces where we don't have a discrete or explicit technology, whether it's the network controls or those type of controls, secure web gateways, those type of controls, and we are moving further into saying we need to have a very robust Zero Trust offering that's powered with our partner ecosystem and with some Microsoft first-party solutions. So you'll see, over the next 12, 18, 24 months us moving even further in that direction.

0:21:07.1 Raghu Nandakumara: And do you see it... If I think back to the NIST Zero Trust architecture and there's this concept of this unified control plane that is then enabled, enforced via those individual policy enforcement points, whatever they need to be. Do you see it as being realistic that at some point in the future we will see true single policy sort of control planes that are able to go and deliver that Zero Trust enforcement across all of the pillars? Let's say if we refer back to Forrester’s original Zero Trust definition and the pillars that they talk about, do you see that as being something realistic?  

0:21:50.9 Ann Johnson: We have been trying to get the things that are single panes of glass for a ton of controls for decades. Ideally, we have very few controls, where someone has to interact or we obfuscate the complexity from the end user even if there are... For Microsoft, even if there's partner solutions under the hood, we obfuscate the complexity for the end user and for the admin so that they can do all of their control management in one place. We're not there. As an industry, we're not there. I know you all are doing your piece of a lot of work with Zero Trust but the simpler we can make the solutions and the more aligned we can make the controls and the ability for the admins to work on a single console, the better the industry is going to be. So it's an ambition.

0:22:34.2 Raghu Nandakumara: And do you see the... In order to get closer and closer to that and if it is a couple of different control planes that are able to in some way interact with each other, that may be good enough. But the key thing there saying essentially... Zero Trust, the modern definition of Zero Trust, talks, among other things, about a risk-based, context-based ability to define policy. So is it important? I guess it's essential that those control planes share the same context and the same view of risk in order to be able to do that consistently. Is that, I guess, the first step?  

0:23:19.7 Ann Johnson: So if you think about a segmentation platform as the place of user control, where the user can actually see all of their workloads and devices, then you can set fine-grained segmentation policies to the extent that they can run underneath or in parallel with what you're doing in the Zero Trust control plane. Then you can send the user over to Illumio with one click. But my ideal scenario is that there's this ecosystem, where Microsoft is at the front of the ecosystem with our platform and the Entra platform, all the data comes to us, and it gets leveraged after going through Conditional Access. It's not going to be a 100% solution, you'll leverage somewhere like Illumio to do specific work, but we obfuscate the complexity of the end user having to build something completely different. You need a console to do that work. That's the ideal.

0:24:10.3 Raghu Nandakumara: Yes, absolutely. But what's interesting about this, and the way you phrased it is very precise, is that I think ultimately there's an ideal scenario, but it's about what's possible today by integrating best-of-breed solutions and how you can build that consistency. Because today, a customer can't basically go to the market and say, "Hey, I'm going to buy a Zero Trust solution that covers everything. Click, done. I have Zero Trust." Nobody is doing that today.

0:24:42.5 Ann Johnson: No. But that's exactly why our goal is to be the platform, to be the platform that others build on top of. When you build a solution on our platform, the traffic comes to us, goes through Conditional Access, and we can feed it to all the different partners we're trying to bring into the Zero Trust ecosystem. Our ambition is exactly what I've talked about here, but we're not there yet, and it'll probably take 18, 24 months to get there.

0:25:08.4 Raghu Nandakumara: Understood. That's an exciting 18, 24 months. That's not so far off. So, to shift a bit, I'd like to talk about what's happening from a legislation and regulation standpoint, not just in the US but around the world, that you feel is driving or accelerating the adoption of Zero Trust. Everyone talks about the Biden executive order and the follow-ups behind it, but we're also seeing things like the EU, NIS2, DORA. And similar regulations are coming out in the Asia Pacific region and elsewhere. How much do you think this legislation and regulation actually helps accelerate the adoption of better security practices? Do you think it will have a big positive outcome?

0:25:55.2 Ann Johnson: To some extent I think... Look, the European Union did something very interesting with the concept of almost having a cyber dome and doing collective defense within the EU. And this kind of regulation, those kinds of requirements, and these kinds of frameworks going forward are truly impactful and meaningful. One of the challenges customers working in a global environment have is that the regulations lack consistency. And let me give an example. One of the great things about GDPR is that it drove consistency. Whether you liked it or not isn't the topic. The conversation is that, from a privacy standpoint, you understand what the requirements are if you're in the EU. So if we can get more aligned and consistent regulation, and if the industry can help educate the regulators and the regulators can talk to the experts, I think there's tremendous value there. I really do.

0:26:47.6 Ann Johnson: And I welcome the opportunity to have constructive discussions about regulation across every area of technology, including AI, because it's needed. But the hard part is when there are regulations... I think the number is around 250. Microsoft looks at roughly 250 unique regulations around the world every day to see whether we need to be compliant. We need more consistency within regions. We need more global standards. Because at the end of the day, it's very hard for an organization to work on compliance at that pace, run a security program, and run its business.

0:27:24.0 Raghu Nandakumara: If I think of something like DORA, and if you're very passionate about talking about cyber resilience and the movement toward it, do you think something like that brings consistency to a particular industry? Or is it still the case that the challenge is it has to be enacted at the national level, and that brings complexity such as how quickly it gets adopted and so on?

0:27:51.8 Ann Johnson: Yeah, I think so. I think national uniqueness drives complexity you never thought of. The ability to recover from an attack is the most important thing you have. The ability to bring your core business systems back online after an attack is one of the most important things, and I think any regulation that helps an organization do that without adding a lot of overhead is wonderful, but actual adoption country by country, at the business level, gets really complex.

0:28:27.0 Raghu Nandakumara: So if we shift this a bit to the organization's perspective, when they think about cyber resilience, what should they be thinking about? How should an organization think about building the right controls to achieve a level of cyber resilience that the board is comfortable with and to guarantee a certain minimum level of productivity?

0:28:48.9 Ann Johnson: Yeah. And Raghu, since you listen to my podcast sometimes, this is something I talk and write about a lot, and something I'm passionate about. The first thing a company needs to know is where its core business systems are. Name the 3 to 5, 10, whatever it is, systems you absolutely need to keep online to run your business. What are they? Everything from payroll to customers. What keeps the business running? That's number one. Where is the data for that, that's number two. Once you can identify that, what you know is... a lot of security programs may not have the resources or the people to protect everything, but they need to protect those, so they see them as the crown jewels. Then, what's your failover plan? Let's say all of these systems go down. Where's the redundancy for those systems?

0:29:33.7 Ann Johnson: Do you have a cloud environment? Do you have offshore redundancy? Do you have those systems redundant in another country? How are you going to communicate? If your email system has been compromised, and because of that your messaging system may have been compromised too, how do you communicate within the organization if an event happens? What's going to happen? You need to have that. Who talks to the regulators, and how do they talk to the regulators? Who speaks publicly, and how do they speak publicly? Who gets in touch with your lawyers? Who talks to the employees, and how do they talk to the employees? Do you already have a third party under some kind of contract, on retainer, to do incident response? Do you have a third party on retainer to rebuild your systems? It may sound really tactical, but where are your backups? And have you actually tested that you can recover from your backups?

0:30:26.3 Ann Johnson: And are your backups in order, because they could be compromised? One of the things ransomware attackers do is go looking for your backups first, because they actually want to destroy the backups. So all of this is... it's not just the technical side, it's the business side too. And you actually need to do tabletop exercises, assume you've had an event like this, and actually make the plan. You need to run that plan a few times. We all do red team, blue team, purple team, but do you do a tabletop exercise that says, "Your environment is completely down. Now what?" And you need to do that two or three times a year. And not just with the operational folks, but with the executives, and maybe even the board, at least once a year. We recommend all of this as best practice.

0:31:05.0 Raghu Nandakumara: What I like, and it's what you touched on at the end, is the move in the direction of what cyber compliance means... moving away from, and this is what you're alluding to but I don't want to say it out loud, a checkbox exercise, toward really threat-driven, offensive-security-driven exercises. Purple team exercises, real purple team exercises, or even tabletop exercises that test the actual controls against a set of, "Okay. Are you set up to do X? Are you set up to do Y?" and so on.

0:31:45.6 Ann Johnson: Exactly. And I'll tell you, as you said, there's a lot to unpack. The first question is, "Whose job is it? Who owns cyber resilience for the organization?" And the cyber resilience plan... every organization you can think of, every large organization, has a plan for natural disasters. If a natural disaster happens in your region, you have a plan for how to get the business back online, how to keep your employees safe, and so on, but you need exactly the same kind of plan for cyber. And whose job is that? Is it the people who run resilience? Is it your cyber team? All of these decisions need to be made now, not after the event.

0:32:24.2 Raghu Nandakumara: Moving on, what are the key things a CISO absolutely should report to the board, to clearly show the board and the CEO how the security program relates to the business goals? For example, what are those 3 key things?

0:32:45.9 Ann Johnson: Yeah. The first thing I'd say is understand that the board are not security people. They may not be technology people either. Understand that first. Because whatever you say to the board, you need to say it in language they understand. The language the board understands is risk. So everything you talk about has to relate to business risk. This is just a really basic example: "If we don't roll out multi-factor authentication across the organization, our risk goes up significantly, because we know the biggest attack vectors are still phishing and people using weak passwords." So that's a risk the business can understand, especially when you're trying to get budget for it. But at the board level, you want to keep it very simple, probably go through the top 10 risks, talk about them in risk language, and don't say, "Hey, I want to talk about our end-to-end encryption strategy." Talk about why you're adopting an encryption strategy, what it achieves, and how it reduces business risk. That's what I want to encourage CISOs to do. And the CISO used to be a really technical role. Now we're getting to the point where a CISO has to be a really good business person who understands technology and the application of technology to the business.

0:33:58.9 Raghu Nandakumara: That's really interesting. Absolutely. The CISO has gone from being very technically inward-looking, almost facing the technology, to now being much more aligned with the business, facing the business, and able to combine the two. But you spoke from the standpoint of communicating to the board, and what you said was almost like talking about technology, talking about encryption for example, and how it delivers business benefit. To me it feels like that's still bringing it to a very low level for the board, and it could become terms and concepts they don't understand. So can you talk a little more about that?

0:34:42.3 Ann Johnson: Yeah. Let me clarify what I said. No, I don't think you talk to the board about encryption. Whatever technology you're talking about, I think you should only talk about business risk. What does your data security program look like and how is it reducing business risk? Everything you talk about should be business risk. But no, I don't think you should talk to the board about encryption. That's what I meant to say. Stop talking about technology. Talk about business risk and how the program reduces business risk.

0:35:08.4 Raghu Nandakumara: Yeah. No, understood. Okay. That's clear and there's no ambiguity. So, talking about cyber leaders, you've already spoken about the evolution of the CISO that you've seen over your career in cyber. Where do you think that evolution goes in the next few years? How do you think the CISO role will continue to evolve?

0:35:31.9 Ann Johnson: I think the CISO role will keep evolving and obviously get much harder. Microsoft has a wonderful CISO, Bret Arsenault. He's a great CISO. Most of the CISOs I know are wonderful people who want to do the right thing and are in a thankless job, because you get blamed for everything and thanked for nothing. But the role will keep evolving up to this business level of complexity. You need to understand the regulations. You need to understand how your controls apply to the regulations. You need to be able to talk to the people on the front line of the SOC. You need to be able to talk to the board. It's a really hard job. But like Bret, if a CISO can align their priorities to the priorities of the business, they'll be more effective in the role.

0:36:13.9 Raghu Nandakumara: Ann, personally, whether it's the evolution of technology, of people, or of legislation, what are you looking forward to in the cyber industry? What are you really excited about over the next few years?

0:36:33.2 Ann Johnson: I'll tell you, I'm not a buzzword... I've been doing this so long, I don't get very excited. Actually, I am really excited about AI and natural language models. If we can expand cyber capability to a much broader pool of people who can actually contribute to the industry, that not only helps reduce the current talent shortage, it also enables the application of the technology itself to reason over the millions, the trillions of signals people see in their environments and tell them what's actually wrong. That gives you visibility faster. If just those two things get solved, visibility improves dramatically and the talent pool gets bigger so it helps solve the talent shortage, then in my mind it will have lived up to the hype.

0:37:13.5 Raghu Nandakumara: Oh, absolutely. And I think that just echoes what you said and ties back to the big problem you highlighted, the lack of visibility. If we can improve visibility, I think better decisions and better security follow from there. That's ultimately the outcome we want.

0:37:32.7 Ann Johnson: Right. Exactly.

0:37:34.9 Raghu Nandakumara: Wonderful. Ann, it's been a privilege to talk to you today. And of course, for our listeners, if you want to learn more about the trends and you want to pick one security leadership podcast you absolutely must listen to, check out Ann's podcast, "Afternoon Cyber Tea with Ann Johnson." It's published on CyberWire and available on any of your usual podcasting platforms. And there's so much great content there, so listen to all the previous editions. Ann, thank you for your time. I really appreciate it. And it was a wonderful conversation with you.

0:38:10.9 Ann Johnson: Thank you so much, Raghu. I appreciate it. It was a great conversation. Have a wonderful day.

0:38:15.0 Raghu Nandakumara: Thank you. Thanks for listening to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter @illumio. And if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.