Microsoft Secure Score is increasingly becoming a central part of cloud security planning and engagement. Microsoft is putting a lot of effort into this simple, yet powerful tool and if you’re in the Microsoft cloud you should leverage it (it’s included in every Office 365 subscription).
This post is the first in a series of Secure Score related articles I’m writing where my goal is to inspire you to make cloud security a natural part of your management processes. In this particular article, I will start by focusing on the gamification aspects of implementing a scoring system when working with cyber security and how you can use it to drive your organizations security work forwards.
What is Microsoft Secure Score?
Microsoft Secure Score is a measuring tool for continuously measuring the security posture of your organization. Recommended actions generate points. Some actions are automatically validated and checked by Microsoft while others are checked manually once implemented. Secure Score does not focus on what licenses the organization holds, but instead tries to recommend the best way forward. Your score indicates how your security posture increases.
It is important to remember that security and usability must be balanced and that all security actions recommended do not suit all organizations.
The recommended actions are divided into the following five categories:
- Identity (includes Azure AD accounts & roles, Azure ATP coming soon)
- Data (includes Microsoft Information Protection)
- Device (includes Microsoft Endpoint Manager, Microsoft Defender ATP coming soon)
- Apps (includes email and cloud apps, including Office 365 and Microsoft Cloud App Security)
- Infrastructure (includes Azure resources)
Gamification is about introducing game elements at work or in everyday life in order to make use of people’s desires to perform, compete and master different types of activities. The aim is to encourage performance and constant improvement, which fits well with security work overall.
Microsoft Secure Score uses a scoring system to influence the organization to introduce the most relevant security measures in the right order and to move forward and constantly improve its security posture.
Secure Score makes it easy to prioritize and measure the progress and as a bonus it provides a very nice executive summary of the security work being done. I’ve seen Secure Score transform old and not so sexy security teams to rock stars by enabling them to visualize how valuable their work is. This is important since most people don’t care about security until it breaks. In reality security is about being proactive.
Gamification with Secure Score helps your organization to:
- Increase engagement around the security work.
- Clarify, measure and compare the organization’s security posture.
- Prioritize security work smartly and efficiently.
- Make security work an obvious part of the management process.
- Report security posture and KPI’s to senior leadership.
Warning! Please note that good security is the primary goal here, not getting the highest score. If you focus on just completing activities to collect points, you risk building false security. Points should always be substantiated by a complete security solution and should be approved before the activity is closed!
Suggested game elements that can drive engagement:
- Set up a target score with prizes for the involved team, such as a nice dinner, cinema tickets or the like (just remember the important warning above).
- Let your organization compete against other organizations, such as partners or customers. This is often a fun way of helping each other grow in the security field.
- Let the departments handling the different categories (Identity, Device, Apps Data and Infrastructure) compete against each other. The winner gets the golden cup for a month.
I hope this inspires you to start looking into Secure Score and how it can be used to increase your organizations security posture. In my next Secure Score article I will discuss how to establish a Secure Score forum/team and how its processes might look.
Please follow me here, on LinkedIn and on Twitter!