WEBVTT 1 00:00:00.210 --> 00:00:02.370 Tom Field: Hi there. I'm Tom Field. I'm a senior vice 2 00:00:02.370 --> 00:00:04.890 president of editorial with Information Security Media 3 00:00:04.890 --> 00:00:07.590 Group. Delighted today to be speaking with Michael Adams. 4 00:00:07.590 --> 00:00:10.560 He's the chief information security officer with Zoom. And 5 00:00:10.560 --> 00:00:14.010 we're talking about his predictions for 2023. First of 6 00:00:14.010 --> 00:00:16.110 all, Michael, would you have predicted that you'd be CISO in 7 00:00:16.110 --> 00:00:16.890 2022? 8 00:00:17.580 --> 00:00:20.130 Michael Adams: No, never would have, but thrilled to have the 9 00:00:20.130 --> 00:00:20.820 opportunity. 10 00:00:21.660 --> 00:00:23.280 Tom Field: Michael, tell me a little bit about yourself, your 11 00:00:23.280 --> 00:00:26.550 background and your mission now as Zoom CISO. 12 00:00:27.300 --> 00:00:30.121 Michael Adams: Sure, absolutely. You know, just upfront for me, 13 00:00:30.180 --> 00:00:33.942 everything begins and ends with my family. My wife, children and 14 00:00:34.000 --> 00:00:37.174 I live in Charlotte, North Carolina, which we moved to 15 00:00:37.233 --> 00:00:40.584 after a couple of decades plus in the federal government, 16 00:00:40.642 --> 00:00:43.934 started off my career as an engineer, 22 years old, with 17 00:00:41.370 --> 00:01:24.660 Tom Field: Well, at Zoom, you're at the center of everything we 18 00:00:43.993 --> 00:00:47.755 close to 100 people working for me, didn't know anything, except 19 00:00:47.813 --> 00:00:51.340 that it didn't know anything. But in securing operations now 20 00:00:51.399 --> 00:00:54.926 for about 30 years, been an adviser to Chairman of the Joint 21 00:00:54.984 --> 00:00:57.923 Chiefs of Staff, a national security lawyer, ships 22 00:00:57.982 --> 00:01:01.685 navigator, an adviser to major corporations, and executive at a 23 00:01:01.744 --> 00:01:04.742 software company. Most importantly, today, I joined 24 00:01:04.800 --> 00:01:08.562 Zoom in mid 2020, and moved over to the CISO role this year. Our 25 00:01:08.621 --> 00:01:12.207 security team mission, if I give you the short version, is to 26 00:01:12.265 --> 00:01:15.792 reduce security risks to our company and customers. And that 27 00:01:15.851 --> 00:01:19.084 supports our vision for a secure, trusted and resilient 28 00:01:19.142 --> 00:01:20.730 Zoom products and services. 29 00:01:24.660 --> 00:01:27.720 do in life today. From your perspective, how would you 30 00:01:27.720 --> 00:01:31.560 describe the state of security as we wrap up 2022? 31 00:01:32.380 --> 00:01:34.180 Michael Adams: Yeah, I mean, security is going to continue to 32 00:01:34.180 --> 00:01:36.940 evolve and become more complicated and challenging in 33 00:01:36.940 --> 00:01:40.540 many ways. At Zoom, I have the good fortune to lead an 34 00:01:40.540 --> 00:01:44.710 exceptionally skilled and experienced and diverse, really 35 00:01:44.710 --> 00:01:48.370 impactful team of security professionals. But over the past 36 00:01:48.370 --> 00:01:51.190 year, we've continued to see a large number of attacks targeted 37 00:01:51.190 --> 00:01:54.280 at companies and data breaches, some through third-party 38 00:01:54.280 --> 00:01:57.220 vendors. What's interesting about the threat landscape, 39 00:01:57.220 --> 00:02:00.820 though, is how it is constantly evolving with these new 40 00:02:00.820 --> 00:02:03.730 vulnerabilities and threats that do continue to increase in 41 00:02:03.730 --> 00:02:07.960 complexity. I also think we're starting to see, at this point, 42 00:02:07.960 --> 00:02:11.740 more emphasis because of this on zero trust security models, 43 00:02:12.490 --> 00:02:15.490 effective identity access management across dispersed 44 00:02:15.490 --> 00:02:19.150 networks. And, of course, cyber resilience is really critical. 45 00:02:19.840 --> 00:02:23.950 And then I think the key point for us as the state of security 46 00:02:23.950 --> 00:02:26.950 evolves for us is at Zoom, we've also taken the approach of 47 00:02:26.950 --> 00:02:29.860 investing heavily in our people - we believe that continues to 48 00:02:29.860 --> 00:02:31.630 be our first and best defense. 49 00:02:32.350 --> 00:02:33.760 Tom Field: What would you say are the threats and the threat 50 00:02:33.760 --> 00:02:35.380 actors that concern you the most today? 51 00:02:35.000 --> 00:02:37.971 Michael Adams: So I want to focus a little bit on hybrid and 52 00:02:38.037 --> 00:02:41.867 remote work models, because obviously, that's important to 53 00:02:41.933 --> 00:02:46.027 us at Zoom. And so it's an area we keep an eye on, we realized 54 00:02:46.093 --> 00:02:50.055 that the approaches of hybrid and remote work models present 55 00:02:50.121 --> 00:02:54.083 new and complicated challenges for security leaders. And so, 56 00:02:54.149 --> 00:02:58.111 that's an area we really double click on. So I think for us, 57 00:02:58.177 --> 00:03:02.271 exposure points are increasing as employees work from offices, 58 00:03:02.337 --> 00:03:05.968 homes, coffee shops, and that requires us to secure and 59 00:03:06.035 --> 00:03:10.062 control a more diverse set of environments and surface areas, 60 00:03:10.128 --> 00:03:13.958 if you will. We're also paying close attention to criminal 61 00:03:14.024 --> 00:03:17.590 actors who are, in our assessment, beginning to obtain 62 00:03:17.656 --> 00:03:21.948 resources that were historically only really available to APTs or 63 00:03:22.014 --> 00:03:25.778 advanced persistent threat groups. And so what we see now 64 00:03:25.844 --> 00:03:29.938 is that more attack tools and techniques are widely available. 65 00:03:30.004 --> 00:03:33.900 And we see them being shared among groups, which makes them 66 00:03:33.966 --> 00:03:37.070 increasingly difficult to detect and attribute. 67 00:03:37.900 --> 00:03:39.760 Tom Field: I know you've had some significant initiatives 68 00:03:39.760 --> 00:03:42.640 over this past year. How would you say a Zoom is more secure 69 00:03:42.640 --> 00:03:44.770 today than it was even a year ago? 70 00:03:45.650 --> 00:03:48.050 Michael Adams: It's a great and important question, because I 71 00:03:48.050 --> 00:03:53.660 think for us, we've really seen a strong evolution in the 72 00:03:53.660 --> 00:03:57.110 culture at Zoom, right? Security has become instilled in our 73 00:03:57.110 --> 00:04:00.770 culture. To me, the biggest advancement we've made on this 74 00:04:00.770 --> 00:04:04.670 front has been our investment in our security program and team 75 00:04:04.910 --> 00:04:10.400 really since 2020. We've done a lot of building out that program 76 00:04:10.430 --> 00:04:13.940 in a more comprehensive fashion. And then I think what we've 77 00:04:13.940 --> 00:04:17.150 pivoted to now is really an optimization paradigm where 78 00:04:17.150 --> 00:04:19.430 we're taking the foundation elements that we built, the 79 00:04:19.430 --> 00:04:22.550 growth we've had in teams and tools and really more 80 00:04:22.550 --> 00:04:26.120 sophisticated advancements. And we're dialing that in. And we're 81 00:04:26.120 --> 00:04:29.840 focused on the biggest risks, biggest impact areas. I'll say 82 00:04:29.840 --> 00:04:33.260 as a company, we've also kind of stepped up by continuing to grow 83 00:04:33.260 --> 00:04:36.500 the security features that we offer to our customers. At 84 00:04:36.500 --> 00:04:39.350 Zoomtopia, this past November, for example, we announced a 85 00:04:39.350 --> 00:04:42.830 series of new offerings and they include things like end-to-end 86 00:04:42.830 --> 00:04:48.080 encrypted feature for Zoom mail service, enterprise auto update. 87 00:04:48.110 --> 00:04:51.950 This is significant. In the last year, we rolled out automatic 88 00:04:51.950 --> 00:04:56.450 updates to our broader consumer base but last month, we've now 89 00:04:56.450 --> 00:04:58.730 introduced automatic updates for enterprise customers and we 90 00:04:58.730 --> 00:05:02.150 think that's a significant accomplishment. And then there 91 00:05:02.150 --> 00:05:04.880 are others that are not insignificant either such as 92 00:05:04.880 --> 00:05:07.280 advanced encryption for Zoom phone voicemail, so I'd say our 93 00:05:07.280 --> 00:05:10.970 program or people, and then also some of what we're offering 94 00:05:11.210 --> 00:05:13.370 through the technology to our customers themselves. 95 00:05:13.580 --> 00:05:15.500 Tom Field: Very good. Alright, I want to talk about your 96 00:05:15.500 --> 00:05:18.170 predictions, you've got four of them. First one, security 97 00:05:18.170 --> 00:05:21.050 leaders are going to increase their focus on cyber resilience. 98 00:05:22.710 --> 00:05:25.170 Michael Adams: So I think on this one, what's important for 99 00:05:25.170 --> 00:05:30.030 us is to recognize that a lot of the threat actors are trying to 100 00:05:30.030 --> 00:05:36.930 disrupt services or control data in a way that will force 101 00:05:36.930 --> 00:05:39.690 companies to not have kind of that single point of failure, 102 00:05:39.840 --> 00:05:44.250 right? I think, for us, we need to emphasize improving 103 00:05:44.490 --> 00:05:48.300 understanding of the customer and the operating environment. 104 00:05:48.300 --> 00:05:53.130 You can't have sort of a retroactive look back once 105 00:05:53.130 --> 00:05:58.110 you're at a point that the event has occurred, right? And so we 106 00:05:58.110 --> 00:06:01.050 need to get beyond protection and get to the point of 107 00:06:01.050 --> 00:06:03.210 including recovery and continuity in the event of a 108 00:06:03.210 --> 00:06:06.870 major cyber incident. And for us, that's not only investing 109 00:06:06.870 --> 00:06:10.650 resources in protecting against, it's investing in the people, 110 00:06:10.680 --> 00:06:14.730 processes and technology to mitigate that impact and ensure 111 00:06:14.730 --> 00:06:16.920 that we're continuing operations in the event of a cyber 112 00:06:16.920 --> 00:06:17.310 incident. 113 00:06:18.200 --> 00:06:20.600 Tom Field: Michael, your second prediction: security teams need 114 00:06:20.600 --> 00:06:24.260 to protect against increasingly sophisticated spear phishing and 115 00:06:24.260 --> 00:06:25.670 social engineering attacks. 116 00:06:26.470 --> 00:06:30.760 Michael Adams: Yeah, I think we've all seen just how 117 00:06:30.790 --> 00:06:35.290 sophisticated the evolution of these techniques has become. And 118 00:06:35.290 --> 00:06:39.820 it's become more and more difficult for employees, or any 119 00:06:39.820 --> 00:06:43.330 of our customers, to recognize the spear phishing and social 120 00:06:43.330 --> 00:06:47.020 engineering as being just that. As we're encountering more data, 121 00:06:47.230 --> 00:06:51.070 as we're doing more things all at the same time, it becomes 122 00:06:51.100 --> 00:06:55.660 easier for individuals to fall victim to these types of 123 00:06:55.660 --> 00:06:58.780 attacks. And that makes it more challenging for organizations to 124 00:06:58.780 --> 00:07:01.990 properly defend against them. So next year, I think what we 125 00:07:01.990 --> 00:07:05.680 expect to see are more sophisticated attacks that 126 00:07:05.680 --> 00:07:09.010 utilize emerging deep fake and AI technology. So even 127 00:07:09.160 --> 00:07:13.120 next-level stuff. They are moving toward deep fakes, in 128 00:07:13.120 --> 00:07:16.840 particular, moving toward real-time deployment, which is 129 00:07:16.840 --> 00:07:19.480 going to make it harder. And what makes them especially 130 00:07:19.480 --> 00:07:23.410 concerning is really, I'd say the rate and efficacy in which 131 00:07:23.410 --> 00:07:28.840 they were passed identity verification measures. And, of 132 00:07:28.840 --> 00:07:31.480 course, the negative impact that that can have. We think training 133 00:07:31.480 --> 00:07:33.820 can cure some of this, we think there's some telltale signs for 134 00:07:33.820 --> 00:07:38.500 deep fakes currently, but as that technology or those attacks 135 00:07:39.730 --> 00:07:43.090 increase in sophistication and precision, we're going to have 136 00:07:43.090 --> 00:07:44.290 to get out in front of them. 137 00:07:45.130 --> 00:07:46.990 Tom Field: Just as concerning is your third prediction: 138 00:07:47.140 --> 00:07:50.740 continuing instability across the software supply chain will 139 00:07:50.740 --> 00:07:54.100 provide a rich environment for large-scale attacks. 140 00:07:54.930 --> 00:07:57.750 Michael Adams: So I think here like the world has focused an 141 00:07:57.750 --> 00:08:01.500 awful lot on some of the supply chain challenges generally in 142 00:08:01.500 --> 00:08:04.980 the past few years through the pandemic, but we've really seen 143 00:08:04.980 --> 00:08:09.030 major supply chain attacks in the cybersecurity domain over 144 00:08:09.030 --> 00:08:14.070 the past years. Software supply chain has become more and more 145 00:08:14.070 --> 00:08:18.240 important and prominent in the security discussion. You've 146 00:08:18.240 --> 00:08:20.640 probably seen the recent executive order on the security 147 00:08:20.640 --> 00:08:23.160 of software supply chain for government vendors, we think 148 00:08:23.160 --> 00:08:27.000 that's a step in the right direction. But we do want to 149 00:08:27.000 --> 00:08:29.610 encourage more companies to focus on strengthening their 150 00:08:29.610 --> 00:08:33.330 security practices, everything from considering a zero trust 151 00:08:33.330 --> 00:08:37.350 approach to further securing infrastructure services. Things 152 00:08:37.350 --> 00:08:41.310 like code signing PKI, hardening the release process are ways we 153 00:08:41.310 --> 00:08:42.210 can move the needle here. 154 00:08:42.870 --> 00:08:44.790 Tom Field: Now the huge topic, your fourth prediction: 155 00:08:44.820 --> 00:08:48.330 increasing reliance on cloud vendors could expand company's 156 00:08:48.330 --> 00:08:49.440 attack surfaces. 157 00:08:50.970 --> 00:08:54.660 Michael Adams: I think here it's important to recognize that more 158 00:08:54.660 --> 00:08:59.100 organizations are layering cloud technology into new places, 159 00:08:59.100 --> 00:09:01.170 right? There's just a certain amount of flexibility, it's 160 00:09:01.170 --> 00:09:06.030 offered by the cloud that that is enticing. And that creates 161 00:09:06.030 --> 00:09:09.000 certain other risks that we have to be mindful of. Because what's 162 00:09:09.000 --> 00:09:11.610 happening is there's an expansion of attack surfaces, 163 00:09:12.060 --> 00:09:15.270 you have to have new strategies to deploy cloud security 164 00:09:15.270 --> 00:09:19.740 technologies and protection strategies. I met with a number 165 00:09:19.740 --> 00:09:23.670 of chief information officers and information security 166 00:09:23.670 --> 00:09:27.360 officers recently and we talked about some of our focus areas 167 00:09:27.360 --> 00:09:31.620 for cloud vendor security, and tried to prescribe some things 168 00:09:31.620 --> 00:09:34.560 that you just really need to check every single time and 169 00:09:34.560 --> 00:09:38.700 there's a certain level of rigor and focus that has to be brought 170 00:09:38.700 --> 00:09:40.770 to bear and I think it's especially important for the 171 00:09:40.770 --> 00:09:43.440 community of interest to come together and share lessons 172 00:09:43.440 --> 00:09:44.700 learned throughout this process. 173 00:09:45.170 --> 00:09:46.820 Tom Field: So it's one thing to predict things, it's another 174 00:09:46.820 --> 00:09:49.550 thing to deal with as a CISO. So how are you addressing these 175 00:09:49.550 --> 00:09:50.000 issues? 176 00:09:50.710 --> 00:09:54.670 Michael Adams: Look, by our nature at Zoom, we are designing 177 00:09:54.670 --> 00:09:58.060 for a flexible future, right? We want to equip our customers with 178 00:09:58.060 --> 00:10:02.110 the tools they need. Really to embrace their preferred working 179 00:10:02.110 --> 00:10:05.410 story, their preferred approach. And we want to help customer 180 00:10:05.410 --> 00:10:08.950 choose the kind of technology they need to effectively protect 181 00:10:08.950 --> 00:10:13.780 their infrastructure. We also are striving to complement new 182 00:10:13.780 --> 00:10:17.230 security innovation with relevant education. So customers 183 00:10:17.230 --> 00:10:20.920 know how to use our platform to secure their communications 184 00:10:20.920 --> 00:10:22.990 effectively. And then, of course, we look internally 185 00:10:22.990 --> 00:10:24.790 within our own information security program, our 186 00:10:24.790 --> 00:10:27.910 comprehensive information security program, and some of 187 00:10:27.910 --> 00:10:32.020 those really strong skill sets that our team is bringing to 188 00:10:32.020 --> 00:10:33.250 bear, as I mentioned previously. 189 00:10:33.670 --> 00:10:35.290 Tom Field: Michael, as we go into the new year, what are some 190 00:10:35.290 --> 00:10:36.430 of your key initiatives? 191 00:10:37.530 --> 00:10:40.260 Michael Adams: So, of course, I can't tell you everything at the 192 00:10:40.260 --> 00:10:44.190 granular level. But there are a couple points that I offer here. 193 00:10:45.390 --> 00:10:48.660 I can tell you we're focused on continuing to build out our 194 00:10:48.660 --> 00:10:52.140 platform, while maintaining our customers' trust. This is 195 00:10:52.140 --> 00:10:55.110 absolutely critical for us. Security has never been more 196 00:10:55.110 --> 00:10:58.860 important at Zoom than it is today, it has never been more 197 00:10:58.860 --> 00:11:03.000 embedded both into our culture, our people, our training and the 198 00:11:03.000 --> 00:11:07.140 platform itself than it is today. So, toward that end, 199 00:11:07.140 --> 00:11:11.520 we're working to earn several new third-party certifications 200 00:11:11.610 --> 00:11:15.300 to continue to demonstrate that trust to our customers. We'll 201 00:11:15.300 --> 00:11:17.730 have more details to share on that in the upcoming months. But 202 00:11:17.730 --> 00:11:21.210 that's a critical component of what we do, it's to go out and 203 00:11:21.210 --> 00:11:23.550 not just talk about how we're going to do but go out and prove 204 00:11:23.550 --> 00:11:27.390 it and have others come in and certify that we've actually 205 00:11:27.480 --> 00:11:30.720 lived up to the standards that we're striving to meet. We're 206 00:11:30.720 --> 00:11:34.260 also tapping into the power of the security community. I have 207 00:11:34.260 --> 00:11:39.960 the good fortune to lead a CISO council, composed of CISOs from 208 00:11:40.200 --> 00:11:43.950 some of our customers. And in that forum, we talk about key 209 00:11:43.950 --> 00:11:46.440 issues for Zoom, but also key issues for the broader 210 00:11:46.440 --> 00:11:50.760 community. We're seeking feedback from those CISOs. And 211 00:11:50.760 --> 00:11:56.280 we really do take that input in a way that we believe is 212 00:11:56.280 --> 00:12:00.210 constructive and moves the needle for us, both within that 213 00:12:00.210 --> 00:12:02.640 customer base, but at Zoom and for our broader customer 214 00:12:02.640 --> 00:12:07.650 community. I'll give you another example. We continue to circle 215 00:12:07.710 --> 00:12:10.890 or double down on some of the things that we're finding the 216 00:12:10.890 --> 00:12:13.740 most impact through. And an example of that is our bug 217 00:12:13.740 --> 00:12:17.580 bounty program. It's been very successful. We held a live 218 00:12:17.580 --> 00:12:20.670 hacking event in Las Vegas earlier this year with the help 219 00:12:20.670 --> 00:12:23.370 of HackerOne. HackerOne has been instrumental to our success 220 00:12:23.370 --> 00:12:27.540 here. And we continue to build meaningful, constructive, 221 00:12:27.570 --> 00:12:30.570 impactful relationships with ethical hackers. 222 00:12:31.560 --> 00:12:34.500 Tom Field: Michael, as we go into 2023, organizations 223 00:12:34.500 --> 00:12:37.140 everywhere got similar challenges. They can't find the 224 00:12:37.140 --> 00:12:40.260 human resources they need and financial resources may be 225 00:12:40.260 --> 00:12:42.570 limited as well because of economic conditions. 226 00:12:43.020 --> 00:12:46.890 Understanding that, what's your advice to other CISOs trying to 227 00:12:46.890 --> 00:12:49.200 tackle these very challenges we've discussed here today? 228 00:12:49.000 --> 00:12:51.784 Michael Adams: I think it's tempting in tougher environments 229 00:12:51.846 --> 00:12:55.188 at times to lose sight of the things that make us most 230 00:12:55.250 --> 00:12:59.210 successful. And in the security community, there's an old saying 231 00:12:59.272 --> 00:13:02.861 of "intelligence to drive operations." I really think that 232 00:13:02.923 --> 00:13:06.636 we have to stay up to date on the latest threats, we have to 233 00:13:06.698 --> 00:13:10.349 understand the threat landscape and how it's applied to our 234 00:13:10.410 --> 00:13:14.123 specific circumstances. If you don't do that, you're wasting 235 00:13:14.185 --> 00:13:18.207 your time in a lot of instances. So I think staying up to date on 236 00:13:18.269 --> 00:13:21.920 latest threats, understanding that environment and building 237 00:13:21.982 --> 00:13:25.448 your security operations and broader business operations 238 00:13:25.509 --> 00:13:29.470 around that threat landscape is absolutely critical. I think the 239 00:13:29.532 --> 00:13:33.121 second piece is to invest in your people, skills building, 240 00:13:33.183 --> 00:13:37.081 training opportunities, making time to walk the halls in person 241 00:13:37.143 --> 00:13:40.918 or remote. I'm very proud of the security team we've built at 242 00:13:40.980 --> 00:13:44.754 Zoom. As you may have already figured out, we have incredible 243 00:13:44.816 --> 00:13:48.467 talent across many security disciplines. And I'm excited to 244 00:13:48.529 --> 00:13:52.304 see our people continue to grow in their careers. That's more 245 00:13:52.366 --> 00:13:56.264 important now than ever. Just to be very clear on this. We talk 246 00:13:56.326 --> 00:13:59.792 an awful lot within our team about the concept of people 247 00:13:59.853 --> 00:14:03.566 first and mission focus. And I deeply believe that if we get 248 00:14:03.628 --> 00:14:07.341 the people part right, that gives us the ability to focus on 249 00:14:07.403 --> 00:14:11.178 the mission to feel the purpose behind our work and the value 250 00:14:11.240 --> 00:14:15.262 and the impact we're having. And so it's absolutely critical. And 251 00:14:15.324 --> 00:14:19.284 then I think closely related to that is communication. It's just 252 00:14:19.346 --> 00:14:22.750 fundamental in the security space, whether it's sharing 253 00:14:22.811 --> 00:14:26.586 updates across different teams, communicating with a board of 254 00:14:26.648 --> 00:14:29.680 directors or executive leadership, working across 255 00:14:29.742 --> 00:14:33.084 functional or cross functionally across groups, strong 256 00:14:33.146 --> 00:14:36.920 communication skills and the willingness to over communicate. 257 00:14:36.982 --> 00:14:40.695 It's just fundamental to what we do. You can't overstate the 258 00:14:40.757 --> 00:14:41.500 value there. 259 00:14:42.190 --> 00:14:44.770 Tom Field: Well said. 2023. It's going to be an adventure I look 260 00:14:44.770 --> 00:14:46.720 forward to and I look forward to having further conversations 261 00:14:46.720 --> 00:14:48.100 with you, Michael. Thank you so much. 262 00:14:48.340 --> 00:14:49.000 Michael Adams: Thank you, Tom. 263 00:14:49.810 --> 00:14:51.460 Tom Field: Again, we just heard from Michael Adams. He's the 264 00:14:51.460 --> 00:14:53.830 chief information security officer for Zoom. For 265 00:14:53.830 --> 00:14:56.740 Information Security Media Group, I'm Tom Field. Thank you 266 00:14:56.830 --> 00:14:58.180 for giving us your time and attention.