“CSOs must be rewarded on ensuring that no incident will have a significant impact on the organisation. It's an ongoing battle and in terms of preventing attacks, one the CSO will never win.
“It’s important to change the perception and ask, what is the core responsibility of the CSO? It is not to be the company’s perimeter defence and ensure there is no incident, this is impossible.
“I prefer the term CRO, Chief Resilient Officer because this is where the key responsibility lies, ensuring that no security breach results in long-term damage to the organisation.”
Why New Zealand?
In 4Q14, 9.4 percent of computers in New Zealand encountered malware, compared to the 4Q14 worldwide encounter rate of 15.9 percent.
In addition, the annual Microsoft Security Intelligence Report detected and removed malware from 2.8 of every 1,000 unique computers scanned in New Zealand in 4Q14, a CCM score of 2.8, compared to the 4Q14 worldwide CCM of 5.9.
“Why New Zealand? What would hackers want with my data?” Noel asks. “The truth is that Kiwi SMBs are a key third party to larger enterprises but also, we are in an era of greater innovation and if you’re a small start-up hoping to create the next Twitter in your garage on five computers, you’re an attractive prospect to hackers.
“In New Zealand, and across the world, our findings show that most businesses have been breached for an average of 245 days before they actually realise and act. Hackers are simply sat waiting for value.
“If you think about persistent threats, it’s really about hackers burrowing their way into a network, staying for a long period of time, waiting, watching and looking for value.”
Speaking at Microsoft HQ in Auckland, Noel - alongside colleagues Paul Nicholas, Senior Director of Microsoft’s Trustworthy Computing, and Kevin Sullivan, Principal Security Strategist of Microsoft’s Global Security Strategy and Diplomacy Team - believes that New Zealand government agencies, local government and businesses are increasingly find themselves considering the implications of cybersecurity issues have on operations.
Given the nature of this issue, Noel believes the need for shared understanding and connected global approaches “grows ever more important.”
“We came to New Zealand to talk to our Government customers, as well as policy makers, who are thinking about the future of New Zealand in terms of cyber security, and to document their experiences and challenges,” adds Noel, who is currently helping several nations in Asia to build cyber security infrastructure and framework from the ground up.
While in New Zealand, Noel and his team focussed on informing discussions about the future design of New Zealand’s regulatory, policy and institutional arrangements for cybersecurity, sharing knowledge and lessons learned from cybersecurity engagements with other governments.
By engaging in dialogue regarding the cybersecurity issues facing Kiwi sectors such as finance, healthcare and both central and local government, Noel shared how organisations in New Zealand can increase resilience in the face of the growing array of rapidly evolving cyber threats.
“What attracted Microsoft to New Zealand in particular was the positive cyber security future of the country,” Noel explains. “If you look at the numbers and growth that is going to take place here, such as 100 percent growth in broadband, 82 percent in science, technology etc - this is exciting.
“The conversations we’ve been having centre around resilience. That’s the conversation as opposed to ‘here’s your checklist with 317 items’, as it is about creating a culture that allows businesses to withstand the hit and innovate.”
Trust
But in 2015, as vendors with vested interests in spouting the perils of lax security strategies up the ante, and with cloud adoption in New Zealand on the rise, who should Kiwi businesses trust?
“Cloud,” says Noel, pausing to answer, “is not about security, it is about trust.
“Trust is the reason why businesses may intellectually consider cloud but may be resistant to actually using it. They require confidence that security will be managed in a proper way.
“So much so that I am willing to bet that the way we implement both security and privacy in the Microsoft cloud is better than any other company in New Zealand.
“But does this mean businesses should follow blindly because Microsoft’s Chief Security Officer said so? Absolutely not, it’s a journey.”
In the eyes of Noel, in taking a simplistic approach to the situation, businesses won’t use technology they don’t trust.
And it’s trust that for Noel, in heading the regional division of a tech giant responsible for managing over 200 online services, serving over 20 million businesses and more than a billion customers, is a topic not taken lightly at Microsoft.
In a bid to develop and safeguard the trust it has with its customers and users, Microsoft has reinforced its commitment to data privacy of its customers as well as the best practices put in place to ensure that the data is secure.
Likewise, the importance of adopting transparency in the processes around data storage and access is another crucial topic for Noel and his regional team, as well as Microsoft’s efforts to ensure compliance to regulatory standards across countries.
“We are one of the most adept organisations in the world,” he adds. “I’m not saying we are perfect, but we know what we’re doing in the cloud.”