top of page
Search

Transforming Cybersecurity Culture Amid Microsoft's Windows Recall Feature Update

Updated: Jun 26

by Scott Madenburg (CIA,CISA, CRMA) and Sanjay Vadlamani (CISA & CISM)


As a follow-up to our recent post, "Unpacking Microsoft's New AI Recall Feature: A Must-Know for Internal Audit," Microsoft has put out additional guidance to address the concerns many have expressed about privacy and data security related to the Windows Recall feature.

 

  1. Microsoft will utilize "just-in-time" protection to decrypt Windows Recall data only when the user logs in using Windows Hello.

  2. Microsoft will make Windows Recall opt-in, so Copilot+ PCs won't have it activated by default.

 

Given the rapid changes coming our way with AI and what we are seeing in the context of Microsoft's new Windows Recall feature, there is now more than ever a need for a strong cybersecurity culture within organizations.

 

As Internal Audit leaders focusing on cybersecurity, we recognize the critical importance of a robust cybersecurity culture in today's rapidly evolving tech landscape. Microsoft's recent updates addressing the backlash around its Windows Recall feature highlight the necessity of integrating strong security practices without stifling innovation. Certified by IIA and ISACA and adhering to NIST guidelines, we strive to uphold stringent standards to safeguard data and ensure compliance through effective internal audit cybersecurity practices.


 

Why Cybersecurity Culture Matters

  • Guiding Principle for Cyber Governance: Embedding a strong cybersecurity culture ensures every employee, from intern to CEO, prioritizes cybersecurity without hindering innovation. Be sure to know the Audit Committee's stance on cybersecurity culture.

  • Continuous Communication: Regular, clear discussions on cybersecurity are crucial for maintaining a strong cybersecurity culture. Internal audit should take a proactive approach using all channels to keep it top of mind—emails, meetings, newsletters, even fun "TikTok" like videos—to keep cybersecurity top of mind.

  • Embracing Openness: Creating an environment where mistakes are reported openly fosters continuous improvement in cybersecurity practices and strengthens the overall cybersecurity culture. Internal audit must play a role in promoting a culture where there's no fear of blame, just a focus on addressing and learning from errors. After all, we're all humans, something AI can't replicate today.


Cybersecurity Culture Framework: Guiding Principle, Continuous Communication, and Embracing Openness as key elements

 

Leadership and Board Alignment in Cybersecurity Culture

Effective cybersecurity governance requires strong leadership and board engagement aligned with IIA and ISACA standards. By prioritizing cybersecurity initiatives and fostering a robust cybersecurity culture, we mitigate risks and ensure regulatory compliance, all while supporting innovation and development. Consider presenting the board and leadership with an easy-to-understand IIA and ISACA cybersecurity infographic. Let them know why these matter for building a strong cybersecurity culture.


Steps to Foster a Strong Cybersecurity Culture

  • Start Small and Build: Identify key stakeholders and develop tailored strategies to cultivate a security-conscious culture, enhancing overall cybersecurity.

  • Consistent Communication: Use multiple platforms to regularly communicate cybersecurity best practices, following NIST recommendations and reinforcing the cybersecurity culture.

  • Positive Reinforcement: Encourage proactive security behaviors and recognize contributions, fostering cybersecurity resilience and strengthening the cybersecurity culture without stifling innovation.

  • Executive Involvement: Leadership must exemplify and champion cybersecurity efforts, fostering a culture of security awareness and compliance that supports innovation and reinforces the cybersecurity culture.


Steps to Foster a Strong Cybersecurity Culture: Identify Stakeholders, Communicate Best Practices, Reinforce Positive Behaviors, and Ensure Executive Involvement

 

Thoughtful Frameworks and Safety Guardrails

Microsoft’s response to the Windows Recall backlash underscores the critical need for robust data protection measures and regulatory compliance in cybersecurity. Privacy concerns and security vulnerabilities highlight the importance of adhering to regulatory frameworks and industry standards. By promoting a strong, innovation-supportive cybersecurity culture aligned with IIA and ISACA standards, internal audit leaders can effectively mitigate compliance and cybersecurity risks posed by evolving technologies.


Balancing Windows Recall feature concerns with cybersecurity culture: Microsoft's response to security vulnerabilities and privacy issues versus industry standards and regulatory compliance for data protection

 

Bonus

Click below to get your free copy of our Microsoft Recall Audit Work Program.





Comments


bottom of page