CISO Success Story: How Zoom Achieved Cybersecurity 2.0 With Cyber Risk Scoring
In the first of an ongoing series of one-on-one interviews with leading CISOs, Focal Point sits down with Zoom’s Michael Adams to discuss the moment when cyber risk scoring really paid off.
Think back to when the pandemic struck and seemingly overnight the whole world was adopting video conferencing. It was a godsend for connecting all kinds of people for all kinds of meetings, but the more businesses, schools, government agencies and, well, just about everyone relied on video conferencing and other collaborative software, the more vulnerable the platforms became. Users weren’t applying basic security practices like multifactor authentication, and spotty encryption deployment put privacy at risk. As video conferencing increased, so did cybersecurity risks.
For Michael Adams, chief information security officer (CISO) at Zoom, which pioneered the video-conference boom, the pandemic presented his company with an unexpected problem that didn’t seem like a problem: the sudden and exponential growth of its customer base. While CEOs may dream of such things, Adams understood that Zoom’s growth would require a new and different way of thinking about cybersecurity.
And a vital step in that new approach was to enhance their cyber risk scoring.
Pre-pandemic, Zoom maintained a small security team. “They did great work and set the foundations for the company,” says Adams, who joined Zoom in August 2020 as counsel to the Chief Operating Officer and CISO; he took over as CISO last year.
With the rise of remote work, the company moved forward into what he refers to as their 2.0 version of cybersecurity. It was a chance to build and improve on the security systems already in place, expanding Zoom’s existing security program to handle potential emerging risks. To do so meant knowing what the new risks were and then tailoring their program and approach to those risks, especially as they evolved (and continue to evolve) over time.
Specifically, risk scoring has made a difference in the company’s security posture in areas like vulnerability management, where Zoom must meet specific compliance and customer obligations, and third-party risk management, an area that, for various reasons, had not been prioritized as highly as others while video conferencing was on the rise. By using risk scores, Zoom was able to identify potential problems that would otherwise have fallen through the cracks and left the brand exposed to cyber gangs, prank-driven teenage hackers, and insider threats. Instead, Zoom shifted investments to build an even more comprehensive security program.
“I knew we needed to invest and put in the resources,” says Adams. They also had to dig deeper, he adds, to pinpoint the actual risk and decide how to focus key components to address that risk.
The results of this cyber-risk analysis became the basis for a new security posture and set of program priorities for the fiscal year 2020.
It’s a lesson that applies to enterprises across the board. Many organizations have a decent understanding of the risks they face, but too many have not established a formal system to spot and monitor those risks.
How to start a cyber risk scoring program
Risk scoring begins by identifying risk indicators that are relevant to your enterprise. There are many cyber risk indicators to consider (things like the number of successful or attempted cyberattacks, the speed and scheduling of patch management, cyber incident response times, and so on). Adams followed the NIST Cybersecurity Framework (CSF) and ISO 27001 to develop a set of risk indicators that helped the security team track the company’s risk posture against specific risks each quarter.
For example, Adams explains, the CSF has five functions. Of those, the “identify” function helps organizations tally their physical and software assets to establish the basis of a comprehensive asset management solution.
“Asset management is a key component for any cybersecurity program,” says Adams. “You need to know what you have to defend it.” Breaking it down deeper, Adams set out to answer the following concerns:
- Do I have a meaningful asset inventory?
- Are there any gaps?
- What programs manage the software running on those assets?
- How do I think about vulnerability management to keep those things updated?
- What are my compliance obligations for that?
“That’s a single example, but we have to take a comprehensive view of the threat landscape and a comprehensive view of the risk landscape and then drill that down to tailor an understanding of our specific obligations to our customers,” he says. Both views are necessary because they cover two different things: threats, meaning malicious events that occur through the exploitation of vulnerabilities; and risk, meaning the loss or damage that could result from a cyber incident.
Going forward, risk scoring benchmarks—measurements that compare an organization’s environment to that of its competitors—help Adams and his security team ensure they are covering all key areas, and assist in prioritizing resources. Key risk indicators provide the metrics needed to determine what assets are targeted and to detect any anomalies. The risk indicators are aligned by functional area and tracked.
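To make the indicator-tracking idea concrete, here is a small added example (not from the article and not Zoom’s own tooling) that maps raw key risk indicators onto the NIST CSF functions, produces a weighted 0–100 risk score per function for each quarter, and flags functions whose risk jumped quarter over quarter. The indicator names, weights and good/bad thresholds are assumed for illustration.

```python
# Added example (not from the article or Zoom): a minimal key-risk-indicator (KRI)
# scoring model aligned to NIST CSF functions, with quarterly tracking and anomaly
# flagging. Indicator names, weights and thresholds are assumed, not Zoom's own.
from dataclasses import dataclass

@dataclass(frozen=True)
class Kri:
    name: str
    function: str   # CSF function: identify / protect / detect / respond / recover
    weight: float   # relative importance within its function (assumed)
    good: float     # raw value that maps to risk 0
    bad: float      # raw value that maps to risk 100 (good > bad: higher is better)

KRIS = [
    Kri("unmanaged_asset_pct",   "identify", 2.0, 0.0, 20.0),    # inventory gaps
    Kri("vendor_unreviewed_pct", "identify", 1.0, 0.0, 30.0),    # third-party risk
    Kri("median_patch_days",     "protect",  1.5, 7.0, 60.0),    # patch speed
    Kri("mfa_coverage_pct",      "protect",  1.5, 100.0, 50.0),  # higher is better
    Kri("attacks_attempted",     "detect",   1.0, 0.0, 500.0),   # attack volume
    Kri("mttr_hours",            "respond",  1.5, 4.0, 72.0),    # incident response time
]

def kri_risk(kri, value):
    """Map a raw KRI value linearly onto 0..100 and clamp it."""
    score = (value - kri.good) / (kri.bad - kri.good) * 100.0
    return max(0.0, min(100.0, score))

def score_by_function(values):
    """Weighted mean risk (0..100) per CSF function for one quarter's raw values."""
    totals, weights = {}, {}
    for k in KRIS:
        if k.name in values:  # a missing indicator is a gap, not zero risk
            totals[k.function] = totals.get(k.function, 0.0) + kri_risk(k, values[k.name]) * k.weight
            weights[k.function] = weights.get(k.function, 0.0) + k.weight
    return {f: round(totals[f] / weights[f], 1) for f in totals}

def quarter_anomalies(history, jump=15.0):
    """Flag functions whose risk rose by more than `jump` points quarter over quarter."""
    flags = []
    for prev, cur in zip(history, history[1:]):
        flags += [(f, prev[f], v) for f, v in cur.items() if f in prev and v - prev[f] > jump]
    return flags

# Constructed sample: two quarters of raw KRI values (not real data).
SAMPLE_QUARTERS = [
    {"unmanaged_asset_pct": 5, "vendor_unreviewed_pct": 15, "median_patch_days": 20,
     "mfa_coverage_pct": 90, "attacks_attempted": 100, "mttr_hours": 12},
    {"unmanaged_asset_pct": 18, "vendor_unreviewed_pct": 25, "median_patch_days": 22,
     "mfa_coverage_pct": 92, "attacks_attempted": 400, "mttr_hours": 14},
]
```

Running `score_by_function` over both sample quarters and passing the results to `quarter_anomalies` flags the identify and detect functions, which is the kind of "risk you didn’t realize was a risk" signal the article describes.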
“We believe that a successful security strategy should leverage leading security frameworks and also leverage risk scoring tailored to the realities of the business,” said Adams. “It’s through this combination that we are able to best focus our resources, time, and energy and provide the security that our customers and company expect of Zoom.”
Adams also works closely with a three-person cybersecurity risk committee, made up of members of the company’s board of directors. The creation of such a committee goes a long way toward fulfilling the kinds of good governance strategies that the U.S. Securities and Exchange Commission (SEC) outlined in a new set of rules proposed last year and now being finalized. Zoom’s risk committee meets quarterly to discuss strategy for the upcoming fiscal year, and Adams uses this time to present the top priorities and objectives for the overall cybersecurity program, following NIST and ISO guidelines.
The most important (and unexpected) benefit of cyber risk scoring
Cyber risk scoring’s most significant benefit is arguably its most subtle: the ability to reveal the risks you didn’t realize were risks, says Adams, alerting you to problems you otherwise wouldn’t have known were there. Having that information at hand becomes the baseline of a more robust and effective cybersecurity strategy. In the case of Zoom, it allowed Adams and his security team to better prioritize their goals.
“I’m very fortunate to have a strong security team and people that are incredibly talented, committed, love what they do, and are exceptionally skilled at it,” says Adams. It helps, too, that senior leadership, including the board, listens; Zoom’s decision-makers are invested in cybersecurity, including making improvements and committing resources.
“Risk issues need to be addressed appropriately,” Adams adds. Doing so requires a strategic security program and the recognition of a simple truth: You can’t solve everything at once. Risk scoring provided direction for Adams and his team: It identified an unexpected problem posed by the pandemic, solved it by helping the organization look differently at its security issues, and has offered a customized strategy and roadmap for the future.