>> From our studios in the heart of Silicon Valley. HOLLOWAY ALTO, California It is a cube conversation. >> Welcome to the special. Keep conversation here in Palo Alto, California. I'm John for a co host of the Cube. Were Arsenal was a C I S O. C. So for Microsoft also corporate vice President, Chief information security. Thanks for joining me today. >> Thank you. >> Appreciate it. Thanks. So you have a really big job. You're a warrior in the industry, security is the hardest job on the planet. >> And hang in sight >> of every skirt. Officer is so hard. Tell us about the role of Microsoft. You have overlooked the entire thing. You report to the board, give us an overview of what >> happens. Yeah. I >> mean, it's you know, obviously we're pretty busy. Ah, in this world we have today with a lot of adversaries going on, an operational issues happening. And so I have responsibility. Accountability for obviously protecting Microsoft assets are customer assets. And then ah, And for me, with the trend also responsibility for business continuity Disaster recovery company >> on the sea. So job has been evolving. We're talking before the camera came on that it's coming to CEO CF roll years ago involved to a business leader. Where is the sea? So roll now in your industry is our is a formal title is it establishes their clear lines of reporting. How's it evolved? What's the current state of the market in terms of the sea? So it's roll? >> Yeah, the role is involved. A lot. Like you said, I think like the CIA or twenty years ago, you know, start from the back room of the front room and I think the, you know, one of things I look at in the role is it's really made it before things. There's technical architecture, there's business enablement. There's operational expert excellence. And then there's risk management and the older ah, what does find the right word? But the early see so model was really about the technical architecture. Today. It's really a blend of those four things. How do you enable your business to move forward? How do you take calculated risks or manage risks? And then how do you do it really effectively and efficiently, which is really a new suit and you look at them. You'LL see people evolving to those four functions. >> And who's your boss? Would you report to >> I report to a gentleman by the name of a curtain. Little Benny on DH. He is the chief digital officer, which would be a combination of Seo did officer and transformation as well as all of Microsoft corporate strategy >> and this broad board visibility, actually in security. >> Yeah, you >> guys, how is Microsoft evolved? You've been with the company for a long time >> in the >> old days ahead perimeters, and we talk about on the Cube all the time. When a criminalist environment. Now there's no perimeter. Yeah, the world's changed. How is Microsoft evolved? Its its view on security Has it evolved from central groups to decentralize? How is it how how was it managed? What's the what's the current state of the art for security organization? >> Well, I think that, you know, you raise a good point, though things have changed. And so in this idea, where there is this, you know, perimeter and you demanded everything through the network that was great. But in a client to cloak cloud world, we have today with mobile devices and proliferation or cloud services, and I ot the model just doesn't work anymore. So we sort of simplified it down into Well, we should go with this, you know, people calls your trust, I refer to It is just don't talk to strangers. But the idea being is this really so simplified, which is you've got to have a good identity, strong identity to participate. You have to have managed in healthy device to participate, to talk to, ah, Microsoft Asset. And then you have to have data in telemetry that surrounds that all the time. And so you basically have a trust, trust and then verify model between those three things. And that's really the fundamental. It's really that simple. >> David Lava as Pascal senior with twenty twelve when he was M. C before he was the C E O. V M. Where he said, You know his security do over and he was like, Yes, it's going to be a do over its opportunity. What's your thoughts on that perspective? Has there been a do over? Is it to do over our people looking at security and a whole new way? What's your thoughts? >> Yeah, I mean, I've been around security for a long time, and it's there's obviously changes in Massa nations that happened obviously, at Microsoft. At one point we had a security division. I was the CTO in that division, and we really thought the better way to do it was make security baked in all the products that we do. Everything has security baked in. And so we step back and really change the way we thought about it. To make it easier for developers for end users for admin, that is just a holistic part of the experience. So again, the technology really should disappear. If you really want to be affected, I think >> don't make it a happy thought. Make it baked in from Day one on new product development and new opportunity. >> Yeah, basically, shift the whole thing left. Put it right in from the beginning. And so then, therefore, it's a better experience for everyone using it. >> So one of things we've observed over the past ten years of doing the Cube when do first rolled up with scene, you know, big data role of date has been critical, and I think one of the things that's interesting is, as you get data into the system, you can use day that contextually and look at the contextual behavioral data. It's really is create some visibility into things you, Meyer may not have seen before. Your thoughts and reaction to the concept of leveraging data because you guys get a lot of data. How do you leverage the data? What's the view of data? New data will make things different. Different perspectives creates more visibility. Is that the right view? What's your thoughts on the role of Data World Data plays? >> Well, they're gonna say, You know, we had this idea. There's identity, there's device. And then there's the data telemetry. That platform becomes everything we do, what there's just security and are anomalous behavior like you were talking about. It is how do we improve the user experience all the way through? And so we use it to the service health indicator as well. I think the one thing we've learned, though, is I was building where the biggest data repositories your head for some time. Like we look at about a six point five trillion different security events a day in any given day, and so sort of. How do you filter through that? Manage? That's pretty amazing, says six point five trillion >> per day >> events per day as >> coming into Microsoft's >> that we run through the >> ecosystem your systems. Your computers? >> Yeah. About thirty five hundred people. Reason over that. So you can Certainly the math. You need us. Um, pretty good. Pretty good technology to make it work effectively for you and efficiently >> at RC A Heard a quote on the floor and on the q kind of echoing the same sentiment is you can't hire your way to success in this market is just not enough people qualified and jobs available to handle the volume and the velocity of the data coming in. Automation plays a critical role. Your reaction to that comment thoughts on? >> Well, I think I think the cure there, John, those when you talk about the volume of the data because there's what we used to call speeds and feeds, right? How big is it? And I used to get great network data so I can share a little because we've talked, like from the nineties or whatever period that were there. Like the network was everything, but it turns out much like a diverse workforce creates the best products. It turns out diverse data is more important than speeds and feeds. So, for example, authentication data map to, you know, email data map to end point data map. TEO SERVICE DATA Soon you're hosting, you know, the number of customers. We are like financial sector data vs Healthcare Data. And so it's the ability Teo actually do correlation across that diverse set of data that really differentiates it. So X is an example. We update one point two billion devices every single month. We do six hundred thirty billion authentications every single month. And so the ability to start correlating those things and movement give us a set of insights to protect people like we never had before. >> That's interesting telemetry you're getting in the marketplace. Plus, you have the systems to bring it in >> a pressure pressure coming just realized. And this all with this consent we don't do without consent, we would never do without consent. >> Of course, you guys have the terms of service. You guys do a good job on that, But I think the point that I'm seeing there is that you guys are Microsoft. Microsoft got a lot of access. Get a lot of stuff out there. How does an enterprise move to that divers model because they will have email, obviously. But they have devices. So you guys are kind of operating? I would say tear one of the level of that environment cause you're Microsoft. I'm sure the big scale players to that. I'm just an enterprising I'm a bank or I'm an insurance company or I'm in oil and gas, Whatever the vertical. Maybe. What do I do if I'm the sea? So they're So what does that mean, Diversity? How should they? >> Well, I think they have a diverse set of data as well. Also, if they participate, you know, even in our platform today, we you know, we have this thing called the security graph, which is an FBI people can tap into and tap into the same graph that I use and so they can use that same graph particular for them. They can use our security experts to help them with that if they don't have the all the resource and staff to go do that. So we provide both both models for that to happen, and I think that's why a unique perspective I should think should remind myself of which is we should have these three things. We have a really good security operations group we have. I think that makes us pretty unique that people can leverage. We build this stuff into the product, which I think is good. But then the partnership, the other partners who play in the graph, it's not just us. So there's lots of people who play on that as well. >> So like to ask you two lines of questions. Wanting on the internal complex is that organizations will have on the external complexity and realities of threats and coming in. How do they? How do you balance that out? What's your vision on that? Because, you know, actually, there's technology, his culture and people, you know in those gaps and capabilities on on all three. Yeah, internally just getting the culture right and then dealing with the external. How does a C so about his company's balance? Those realities? >> Well, I think you raised a really good point, which is how do you move the culture for? That's a big conversation We always have. And that was sort of, you know, it's interesting because the the one side we have thirty five hundred people who have security title in their job, But there's over one hundred thousand people who every day part of their job is doing security, making sure they'LL understand that and know that is a key part we should reinforce everyday on DSO. But I think balancing it is, is for me. It's actually simplifying just a set of priorities because there's no shortage of, you know, vendors who play in the space. There's no shortage of things you can read about. And so for us it was just simplifying it down and getting it. That simplifies simplified view of these are the three things we're going to go do we build onerous platform to prioritize relative to threat, and then and then we ensure we're building quality products. Those five things make it happen. >> I'd like to get your thoughts on common You have again Before I came on camera around how you guys view simplification terminal. You know, you guys have a lot of countries, the board level, and then also you made a common around trust of security and you an analogy around putting that drops in a bucket. So first talk about the simplification, how you guys simplifying it and why? Why is that important? >> You think we supply two things one was just supplying the message to people understood the identity of the device and making sure everything is emitting the right telemetry. The second part that was like for us but a Z to be illustrative security passwords like we started with this technology thing and we're going to do to FAA. We had cards and we had readers and oh, my God, we go talk to a user. We say we're going to put two FAA everywhere and you could just see recoil and please, >> no. And then >> just a simple change of being vision letters. And how about this? We're just going to get rid of passwords then People loved like they're super excited about it. And so, you know, we moved to this idea of, you know, we always said this know something, know something new, how something have something like a card And they said, What about just be something and be done with it? And so, you know, we built a lot of the capability natively into the product into windows, obviously, but I supported energies environment. So I you know, I support a lot of Mac clinics and IOS and Android as well So you've read it. Both models you could use by or you could use your device. >> That's that. That's that seems to be a trend. Actually, See that with phones as well as this. Who you are is the password and why is the support? Because Is it because of these abuses? Just easy to program? What's the thought process? >> I think there's two things that make it super helpful for us. One is when you do the biometric model. Well, first of all, to your point, the the user experience is so much better. Like we walk up to a device and it just comes on. So there's no typing this in No miss typing my password. And, you know, we talked earlier, and that was the most popular passwords in Seattle with Seahawks two thousand seventeen. You can guess why, but it would meet the complexity requirements. And so the idea is, just eliminate all that altogether. You walk up machine, recognize you, and you're often running s o. The user experience is great, but plus it's Actually the entropy is harder in the biometric, which makes it harder for people to break it, but also more importantly, it's bound locally to the device. You can't run it from somewhere else. And that's the big thing that I think people misunderstanding that scenario, which is you have to be local to that. To me, that's a >> great example of rethinking the security paradigm. Exactly. Let's talk about trust and security. You you have an opinion on this. I want to get your thoughts, the difference between trust and security so they go hand in hand at the same time. They could be confused. Your thoughts on this >> well being. You can have great trust. You can, so you can have great security. But you generally and you would hope that would equate like a direct correlation to trust. But it's not. You need to you build trust. I think our CEO said it best a long time ago. You put one bucket of water, one bucket. Sorry, one truffle water in the bucket every time. And that's how you build trust. Over time, my teenager will tell you that, and then you kick it over and you put it on the floor. So you have to. It's always this ratcheting up bar that builds trust. >> They doing great you got a bucket of water, you got a lot of trust, that one breach. It's over right, >> and you've got to go rebuild it and you've got to start all over again. And so key, obviously, is not to have that happen. But then, that's why we make sure you have operational rigor and >> great example that just totally is looking Facebook. Great. They have massive great security. What really went down this past week, but still the trust factor on just some of the other or societal questions? >> Yeah, >> and that something Do it. >> Security. Yeah, I think that's a large part of making sure you know you're being true. That's what I said before about, you know, we make sure we have consent. We're transparent about how we do the things we do, and that's probably the best ways to build trust. >> Okay, so you guys have been successful in Microsoft, just kind of tight the company for second to your role. It's pretty well documented that the stock prices at an all time high. So if Donatella Cube alumni, by the way, has been on the cue before he he took over and clear he didn't pivot. He just said we'd go in the cloud. And so the great moves, he don't eat a lot of great stuff. Open source from open compute to over the source. And this ship has turned and everything's going great. But that cheering the cloud has been great for the company. So I gotta ask you, as you guys move to the cloud, the impact to your businesses multi fold one products, ecosystem suppliers. All these things are changing. How has security role in the sea? So position been impact that what have you guys done? How does that impact security in general? Thoughts? >> Yeah, I think we obviously were like any other enterprise we had thousands of online are thousands of line of business applications, and we did a transformation, and we took a method logical approach with risk management. And we said, Okay, well, this thirty percent we should just get rid of and decommission these. We should, you know, optimize and just lifting shifting application. That cloud was okay, but it turns out there's massive benefit there, like for elasticity. Think of things that quarterly reporting or and you'll surveys or things like that where you could just dynamically grow and shrink your platform, which was awesome linear scale that we never had Cause those events I talk about would require re architectures. Separate function now becomes linear. And so I think there is a lot of things from a security perspective I could do in a much more efficient must wear a fish. In fact, they're then I had to have done it before, but also much more effective. I just have compute capability. Didn't have I have signal I didn't have. And so we had to wrap her head around that right and and figure out how to really leverage that. And to be honest, get the point. We're exploited because you were the MySpace. I have disaster and continent and business. This is processed stuff. And so, you know, everyone build dark fiber, big data centers, storage, active, active. And now when you use a platform is a service like on that kind of azure. You could just click a Bach and say, I want this thing to replicate. It also feeds your >> most diverse data and getting the data into the system that you throw a bunch of computer at that scale. So What diverse data? How does that impact the good guys and the bad guys? That doesn't tip the scales? Because if you have divers date and you have his ability, it's a race for who has the most data because more data diversity increases the aperture and our visibility into events. >> Yeah, I you >> know, I should be careful. I feel like I always This's a job. You always feel like you're treading water and trying to trying to stay ahead. But I think that, um, I think for the first time in my tenure do this. I feel there's an asymmetry that benefits. They're good guys in this case because of the fact that your ability to reason over large sets of data like that and is computed data intensive and it will be much harder for them like they could generally use encryption were effectively than some organization because the one the many relationship that happens in that scenario. But in the data center you can't. So at least for now, I feel like there's a tip This. The scales have tipped a bit for the >> guy that you're right on that one. I think it's good observation I think that industry inside look at the activity around, from new fund adventures to overall activity on the analytics side. Clearly, the data edge is going to be an advantage. I think that's a great point. Okay, that's how about the explosion of devices we're seeing now. An explosion of pipe enabled devices, Internet of things to the edge. Operational technologies are out there that in factory floors, everything being I P enables, kind of reminds me of the old days. Were Internet population you'd never uses on the Internet is growing, and >> that costs a lot >> of change in value, creation and opportunities devices. Air coming on both physical and software enabled at a massive rate is causing a lot of change in the industry. Certainly from a security posture standpoint, you have more surface area, but they're still in opportunity to either help on the do over, but also create value your thoughts on this exploding device a landscape, >> I think your Boston background. So Metcalfe's law was the value the net because the number of the nodes on the network squared right, and so it was a tense to still be true, and it continues to grow. I think there's a huge value and the device is there. I mean, if you look at the things we could do today, whether it's this watch or you know your smartphone or your smart home or whatever it is, it's just it's pretty unprecedented the capabilities and not just in those, but even in emerging markets where you see the things people are doing with, you know, with phones and Lauren phones that you just didn't have access to from information, you know, democratization of information and analysis. I think it's fantastic. I do think, though, on the devices there's a set of devices that don't have the same capabilities as some of the more markets, so they don't have encryption capability. They don't have some of those things. And, you know, one of Microsoft's responses to that was everything. Has an M see you in it, right? And so we, you know, without your spirit, we created our own emcee. That did give you the ability to update it, to secure, to run it and manage it. And I think that's one of the things we're doing to try to help, which is to start making these I, O. T or Smart devices, but at a very low cost point that still gives you the ability because the farm would not be healed Update, which we learn an O. T. Is that over time new techniques happen And you I can't update the system >> from That's getting down to the product level with security and also having the data great threats. So final final talk Tracking one today with you on this, your warrior in the industry, I said earlier. See, so is a hard job you're constantly dealing with compliance to, you know, current attacks, new vector, new strains of malware. And it's all over the map. You got it. You got got the inbound coming in and you got to deal with all that the blocking and tackling of the organization. >> What do you What do >> you finding as best practice? What's the what if some of the things on the cso's checklist that you're constantly worried about and or investing in what some of >> the yeah, >> the day to day take us through the day to day life >> of visited a lot? Yeah, it >> starts with not a Leslie. That's the first thing you have to get used to, but I think the you know again, like I said, there's risk Manager. Just prioritize your center. This is different for every company like for us. You know, hackers don't break and they just log in. And so identity still is one of the top things. People have to go work on him. You know, get rid of passwords is good for the user, but good for the system. We see a lot in supply chain going on right now. Obviously, you mentioned in the Cambridge Analytical Analytics where we had that issue. It's just down the supply chain. And when you look at not just third party but forthe party fifth party supply and just the time it takes to respond is longer. So that's something that we need to continue to work on. And then I think you know that those are some of the other big thing that was again about this. How do you become effective and efficient and how you managed that supply chain like, You know, I've been on a mission for three years to reduce my number of suppliers by about fifty percent, and there's still lots of work to do there, but it's just getting better leverage from the supplier I have, as well as taking on new capability or things that we maybe providing natively. But at the end of the day, if you have one system that could do what four systems going Teo going back to the war for talent, having people, no forces and versus one system, it's just way better for official use of talent. And and obviously, simplicity is the is the friend of security. Where is entropy is not, >> and also you mentioned quality data diversity it is you're into. But also there's also quality date of you have quality and diverse data. You could have a nice, nice mechanism to get machine learning going well, but that's kind of complex, because in the thie modes of security breaches, you got pre breached in breech post breach. All have different data characteristics all flowing together, so you can't just throw that answer across as a prism across the problem sets correct. This is super important, kind of fundamentally, >> yeah, but I think I >> would I would. The way I would characterize those is it's honestly, well, better lessons. I think I learned was living how to understand. Talk with CFO, and I really think we're just two things. There's technical debt that we're all working on. Everybody has. And then there's future proofing the company. And so we have a set of efforts that go onto like Red Team. Another actually think like bad people break them before they break you, you know, break it yourself and then go work on it. And so we're always balancing how much we're spending on the technical, that cleanup, you know, modernizing systems and things that are more capable. And then also the future proofing. If you're seeing things coming around the corner like cryptography and and other other element >> by chain blockchain, my supply chain is another good, great mechanism. So you constantly testing and R and D also practical mechanisms. >> And there in the red team's, which are the teams that attacking pen everything, which is again, break yourself first on this super super helpful for us >> well bred. You've seen a lot of ways of innovation have been involved in multiple ways computer industry client server all through the through the days, so feel. No, I feel good about this you know, because it reminds me and put me for broken the business together. But this is the interesting point I want to get to is there's a lot of younger Si SOS coming in, and a lot of young talent is being attractive. Security has kind of a game revived to it. You know, most people, my friends, at a security expert, they're all gamers. They love game, and now the thrill of it. It's exciting, but it's also challenging. Young people coming might not have experience. You have lessons you've learned. Share some thoughts over the years that scar either scar tissue or best practices share some advice. Some of the younger folks coming in breaking into the business of, you know, current situation. What you learned over the years it's Apple Apple. But now the industry. >> Yeah, sadly, I'd probably say it's no different than a lot of the general advice I would have in the space, which is there's you value experience. But it turns out I value enthusiasm and passion more here so you can teach about anybody whose passion enthusiastic and smart anything they want. So we get great data people and make them great security people, and we have people of a passion like you know, this person. It's his mission is to limit all passwords everywhere and like that passion. Take your passion and driver wherever you need to go do. And I >> think the nice >> thing about security is it is something that is technically complex. Human sociology complex, right? Like you said, changing culture. And it affects everything we do, whether it's enterprise, small, medium business, large international, it's actually a pretty It's a fasten, if you like hard problem. If you're a puzzle person, it's a great It's a great profession >> to me. I like how you said Puzzle. That's I think that's exactly it. They also bring up a good point. I want to get your thoughts on quickly. Is the talent gap is is really not about getting just computer science majors? It's bigger than that. In fact, I've heard many experts say, and you don't have to be a computer scientist. You could be a lot of cross disciplines. So is there a formula or industry or profession, a college degree? Or is it doesn't matter. It's just smart person >> again. It depends if your job's a hundred percent. Security is one thing, but like what we're trying to do is make not we don't have security for developers you want have developed to understand oppa security and what they build is an example on DSO. Same with administrators and other components. I do think again I would say the passion thing is a key piece for us, but But there's all aspects of the profession, like the risk managers air, you know, on the actuarial side. Then there's math people I had one of my favorite people was working on his phD and maladaptive behavior, and he was super valuable for helping us understand what actually makes things stick when you're trying to train their educate people. And what doesn't make that stick anthropologist or super helpful in this field like anthropologist, Really? Yeah, anthropologist are great in this field. So yeah, >> and sociology, too, you mentioned. That would think that's a big fact because you've got human aspect interests, human piece of it. You have society impact, so that's really not really one thing. It's really cross section, depending upon where you want to sit in the spectrum of opportunity, >> knowing it gives us a chance to really hire like we hire a big thing for us has been hard earlier in career and building time because it's just not all available. But then also you, well, you know, hire from military from law enforcement from people returning back. It's been actually, it's been a really fascinating thing from a management perspective that I didn't expect when I did. The role on has been fantastic. >> The mission. Personal question. Final question. What's getting you excited these days? I mean, honestly, you had a very challenging job and you have got attend all the big board meetings, but the risk management compliance. There's a lot of stuff going on, but it's a lot >> of >> technology fund in here to a lot of hard problems to solve. What's getting you excited? What what trends or things in the industry gets you excited? >> Well, I'm hopeful we're making progress on the bad guys, which I think is exciting. But honestly, this idea the you know, a long history of studying safety when I did this and I would love to see security become the air bags of the technology industry, right? It's just always there on new president. But you don't even know it's there until you need it. And I think that getting to that vision would be awesome. >> And then really kind of helping move the trust equation to a whole other level reputation. New data sets so data, bits of data business. >> It's total data business >> breath. Thanks for coming on the Q. Appreciate your insights, but also no see. So the chief information security officer at Microsoft, also corporate vice president here inside the Cuban Palo Alto. This is cute conversations. I'm John Career. Thanks for watching. >> Thank you.