Zoom CISO Michael Adams discusses cybersecurity threats, solutions, and the future

In this Help Net Security interview, we delve into the world of cybersecurity with Michael Adams, the CISO at Zoom. Adams analyzes how organizations grapple with the effects of workforce shortages and remote work complications, offering insights into best practices for safeguarding products and services in this challenging era.

As a result of the Great Resignation, many organizations are dealing with workforce shortages and the challenges of remote work. Can you elaborate on how these issues are impacting cybersecurity?

In today’s remote work setup, the challenge of securing products and services for customers is further complicated by the overall shortage of skilled cybersecurity personnel in the industry. While we’re fortunate to have a strong staff at Zoom, we’ve also invested in our bug bounty program, which has enabled us to expand our reach and work with some of the world’s best ethical hackers.

For companies seeking to address a workforce shortage, it’s crucial to invest in automated threat detection systems, adopt flexible yet secure technologies, and encourage continuous learning among existing staff.

The zero-trust security approach has been gaining traction. Can you share some best practices for companies seeking to implement this strategy?

When building a zero-trust security approach, it is important to begin by assessing existing security frameworks. A strategy companies should take when embarking on this process is to verify everything they can and “trust no one.” Solutions such as identity and access management (IAM) programs, as well as safeguards like multi-factor authentication (MFA), can help ensure that only authorized individuals gain access to the network and data.

In addition to adopting appropriate technologies, it’s important to provide a comprehensive security training program. Training should highlight the importance of strong password hygiene, secure access practices, and the potential risks associated with modern work.

The emergence of new technologies such as 5G and AI poses both opportunities and risks for cybersecurity. How should organizations prepare for these potential threats and leverage these technologies?

With the shift to more software-centric communication infrastructure in 5G, organizations should stay mindful in identifying and addressing potential weaknesses in their systems. When it comes to the evolving threat vectors in AI, we must remain vigilant and continuously enhance safeguards to mitigate risks. Additionally, ensuring the accuracy and reliability of AI systems is paramount. False positives and negatives can have significant implications for a security program. Striking the right balance between harnessing the power of AI and minimizing errors and false alarms is a key priority at Zoom.

OpenAI’s chatbot, ChatGPT, has been used to create and test phishing messages. In what ways can organizations protect themselves from these enhanced phishing threats?

As with any emerging threat vector, organizations need to have solid defenses in place, including anti-phishing software, MFA, and endpoint detection. To defend against these adversarial advancements, we need to focus on defense in depth and having the right pieces in place. Additionally, regularly educating employees about emerging risks and the sophisticated nature of AI-enabled phishing is essential.

Major regulatory changes are on the horizon in 2023, including the CPRA in the US, privacy regulations in China, and directives from the EU. How should organizations prepare for these changes and their potential impact on data security?

The global technology policy landscape is certainly dynamic. We strongly support policymakers’ objectives of ensuring the privacy and security of services like ours. We continue to partner with governments to inform policies that achieve those objectives and enable Zoom to deliver our innovative and secure products to all customers that choose to use our platform.

Lastly, considering the economic downturn, how can CISOs and security teams find more cost-effective ways to secure their businesses, particularly when budget constraints are becoming more pressing?

I’m focused on making sure we’re investing in the right areas that fit our company’s approach to security to protect our customers, products, and employees. Additionally, I think it’s important for security leaders to prioritize cost-effective strategies, such as exploring more affordable tools and investing in skill building with existing employees.