Microsoft Security

Security baselines should underpin efforts to manage cybersecurity risk across sectors

  • Microsoft Security Team

This post is authored by Angela McKay, Director of Cybersecurity Policy, and Amanda Craig, Senior Cybersecurity Strategist, CELA.

Organizations are leveraging technology to transform their operations, products, and services, and governments are increasingly focusing on how to enable such dynamic change while also managing risks to their critical infrastructure, economies, and societies. Across sectors and regions, they’re developing, updating, and gathering feedback on cybersecurity policies and legislation, aiming to build resiliency into their nations’ approaches to digital transformation.

Industry and governments must collaborate to build a more resilient ecosystem. In sharing lessons learned from operating across diverse environments, global companies can accelerate efforts to protect global infrastructure and technology. Similarly, by leveraging lessons learned through not only their own experiences but also those of industry, governments can ensure their efforts to enhance resiliency are both practicable and effective. This mutual collaboration through public-private partnerships can help to drive meaningful outcomes, which will continue to be critical to improving collective cybersecurity defense and responding to evolving threats.

On March 27, 2018, Microsoft demonstrated its commitment to this mission by joining with five other companies to launch the Coalition to Reduce Cyber Risk (CR2), a global, cross-sector group that will partner with governments to advance cyber risk management. Collaboration with leaders from other sectors and regions will highlight how cybersecurity impacts the global, interdependent economy. It will also provide unique insights as CR2 contributes to governments’ efforts.

Today, we are further pursuing this mission by publishing a whitepaper on the role of “security baselines,” a set of foundational activities through which organizations can advance cyber risk management. We advocate for baselines that engage executives and embed flexibility, enabling organizations’ security capabilities and investments to evolve with rapidly changing threats. We also advocate for baselines that are applicable across sectors and regions.

Cross-sector, globally relevant security baselines are increasingly essential because they address the reality that interdependencies between sectors and regions are significant and growing, fuelled by regional and global economic integration and by the “horizontal” growth of technology across previously unrelated “vertical” sectors. Today’s cybersecurity threats, risk mitigations, and infrastructure operations are unlikely to be confined to just one sector or region, creating a need for interoperability across sectoral approaches and jurisdictions.

There are some existing examples of cross-sector, globally relevant security baselines that engage executives and embed flexibility in risk management. In particular, the recently published ISO/IEC 27103 is relevant across sectors and geographies, based on risk management principles, and grounded in a flexible approach. Specifically, it integrates an outcomes-focused approach with controls-based ISO/IEC references that are supported globally and used by different sectors.

Governments that are cognizant of sectoral and geographic interdependencies while developing or updating security baselines could make progress in managing risk while supporting growth within their domestic infrastructure and economy. In addition, governments that engage technology providers, business leaders, critical infrastructure operators, and civil society organizations while developing or updating baselines will achieve a more seamless implementation of cybersecurity policies.

Through CR2 and in direct engagements, we look forward to the opportunity to continue to partner with governments, others in industry, and other stakeholders to build or update security baselines. In our experience, around the world, cybersecurity policies built through partnerships are likely to operate more consistently and predictably, not only helping cybersecurity but also giving businesses, innovators, and citizens the confidence they need to make the most of technology and innovation.