Supply chain attacks were ‘a big wake-up call for organisations’

15 Apr 2022

Sandra McLeod. Image: Zoom

Zoom’s head of security assurance talks about the growing risks associated with third-party breaches and why security needs to be baked in from the beginning.


Sandra McLeod is the head of security assurance for Zoom, leading security teams focused on offensive security, product security incident response, as well as enterprise security assurance.

She began her career in software development, where she spent 12 years creating secure tech for networking, financial and medical companies. She then moved into the security space as a penetration tester at Cisco, where she spent the next 10 years in the company’s security and trust organisation.

Now at video conferencing giant Zoom, a key element of her role involves reviewing the security features, procedures and system architecture that are in place.

‘No business wants to be the weak link in the chain’

What are some of the biggest challenges you’re facing in the current IT landscape?

The key thing to remember when it comes to security is that the threat landscape is always evolving. Attacks are becoming more sophisticated, meaning we constantly have to be aware of what’s happening in the wider landscape to ensure that Zoom and its customers are protected.

Right now, one of the biggest challenges we currently face involves supply chain attacks and the risks associated with third parties. We’ve previously seen the widespread, negative impact a third-party breach can have on all parties involved.

The 2020 breach of SolarWinds, for example, acted as a big wake-up call for organisations, showing that it’s not only your product that has to be secure and protected, but also any external companies you do business with.

We will see more organisations putting their energy into protecting against third-party risk. At Zoom, we are extremely aware of the risk of third-party software running on our networks and take stringent measures to ensure we understand exactly what is on our network and in our product.

We are constantly looking for new ways to keep our networks fully updated, patched and monitored. We also continue to prioritise our bug bounty programme, which has seen huge success so far. By bringing in the wider expertise of the Zoom community to help identify and report bugs and vulnerabilities, we are able to ensure our products are adequately protected.

What are your thoughts on digital transformation in a broad sense within your industry?

It’s an exciting time for digital transformation within the video communications industry. The sector and the people it serves have changed drastically over the past two years, with video becoming a central pillar in how the world remains connected.

At Zoom, we are extremely humbled by the role we have played and the positive impact the platform has had on people’s everyday lives. Even throughout the pandemic, we continued to innovate to ensure we were meeting the changing needs of our customers.

Through the introduction of products and features like Smart Gallery, Zoom Apps and auto-generated captions, we are able to provide a far more equitable meeting experience, expand the accessibility of users’ workspace solutions, and empower employees to get more value out of their interactions on the platform.

As we look to the future, the video communications industry is very much planning to build upon shared experiences and, with a greater understanding of what people need from video communications, drive innovation to deliver the next phase of digital transformation.

This will centre around two crucial aspects: customer experience and hybrid work. As employees return to the office on a hybrid basis, we will continue to see technologies such as AI and machine learning being incorporated into the industry to facilitate deeper connections between a dispersed workforce, defying the limits of distance and location.

What are your thoughts on how sustainability can be addressed from an IT perspective?

Sustainability is increasingly becoming a discussion topic in boardrooms across the world, and rightly so. As a determining ESG factor, businesses are starting to take sustainability more seriously and putting initiatives in place to ensure how they operate doesn’t negatively impact the environment.

If we look at IT specifically, there are many ways in which it can support businesses to become more sustainable. One of the most obvious ways is the increase in use of video communication tools that reduce the need for people to travel for meetings or in-person events.

As the future of work lies in hybrid, video will continue to play a role in helping businesses become more sustainable. This has been evident throughout the pandemic, with UK household greenhouse gas emissions dropping by 10pc as we remained at home, unable to travel. While this indicates what can be achieved when sustainability is taken seriously, we still have a long way to go.

What big tech trends do you believe are changing the world?

One of the biggest tech trends right now is the proliferation of emerging technologies and how these will help to forge the future of work. Businesses are recognising how these technologies can improve the way they operate and most importantly, the experience of hybrid working.

The likes of AI, machine learning and virtual and augmented reality enable greater inter-functionality and deliver better, more meaningful experiences between in-person and remote participants, where those joining a meeting virtually will be able to see and experience the meeting as if they were in the room. This all plays into the bigger idea of the metaverse, as we strengthen our hybrid connections and build upon these emerging technologies.

What are your thoughts on how we can address the security challenges currently facing your industry?

As the number and scale of emerging technologies increases, so does their complexity, opening up the potential for vulnerabilities to be exploited. As businesses look to expand and innovate to better meet customer expectations, they have to ensure security remains a top priority at every stage.

It’s important to remember that this also applies to any external companies a business works with, be it a supply chain or third-party partner. Malicious actors and their attacks are becoming more sophisticated, and no business wants to be the weak link in the chain.

To directly address security challenges, the industry needs to go back to basics and get better at seeking opportunities to integrate security into the product life cycle. Too often we see products developed and security not baked in from the beginning, and going back to try and retrofit security is a time-consuming and often impossible task.

In the long term, the industry can address security issues by plugging the current skills gap and training the next generation of security talent so they are industry-ready. This training has to form part of all avenues into the field, as sometimes security can be neglected.

For example, a young person looking to forge a career in the IT industry could undertake an engineering degree without going through any security training when, in reality, security and an understanding of how to protect the business will be a central part of their job.

As an industry, this is a foundational point that needs to be addressed and a key area that needs more work if we are to remain ahead of the threat landscape.
