CyberWire Daily - Introducing Security Unlocked: CISO Series with Bret Arsenault–Leading an Inclusive Workforce: Emma Smith, Vodafone
Episode Date: June 27, 2021

There's truth in the sentiment, "teamwork makes the dream work." When team members don't feel included or heard in their environment, they're not going to do their best work, so it's up to managers, supervisors, and even global security directors to foster a workplace and culture that doesn't allow anyone to be silenced. On this episode, Microsoft's CISO, Bret Arsenault, sits with his friend and peer, Emma Smith, Director of Global Cybersecurity for Vodafone. Throughout the conversation, they discuss returning to in-person work after over a year of being remote and some of the inherent difficulties that come with the change, especially as they relate to inclusivity.

In This Episode You Will Learn: How focusing on digital society, inclusion for all, and the planet allows for practical actions. Why 5G is so important for a hybrid workforce. Why Emma and Bret support eliminating passwords.

Some Questions We Ask: How does Emma look at inclusion initiatives from an industry perspective? What is 'withstander' training and why is it crucial for effective leadership? What are Emma's three points of wisdom for security practitioners?

Subscribe: https://SecurityUnlockedCISOSeries.com

Resources: Emma Smith's LinkedIn: https://www.linkedin.com/in/emma-smith-0388aa4b/ Bret Arsenault's LinkedIn: https://www.linkedin.com/in/bret-arsenault-97593b60/

Related: Security Unlocked: The Microsoft Security Podcast https://SecurityUnlockedPodcast.com

Security Unlocked: CISO Series with Bret Arsenault is produced by Microsoft and distributed as part of The CyberWire Network.
Transcript
You're listening to the CyberWire Network, powered by N2K. Hi, I'm Bret Arsenault, Chief Information Security Officer at a little company called Microsoft. Recently, I was approached by some customers who were really struggling with the complexities of the security threat landscape.
In particular, just looking for practical advice.
With the increase in threats, with the changing landscape and digital transformation that's going on,
people were really trying to understand from experts what could they do practically
that would actually help them in this new threat landscape we're living in today? I realized how fortunate I am to have met with some of the
sharpest minds on this topic, whether it's competitors, vendors, internal Microsoft people,
government people, who all share a vision for a mission on how to better protect ourselves.
This created an opportunity to take some of those learnings and share them in this podcast series.
Hopefully you'll find this interesting. I know I'll learn a lot from it.
This week's guest is Emma Smith, the Global Cybersecurity Director from Vodafone.
Welcome, Emma.
Thanks so much, Bret. Great to be here.
As I was getting ready for this, I was trying to remember where we actually first met.
I mean, I'm so lucky to know you. So many things I've learned. I was trying to go back
to where we first met. Do you recall where that was? Well, I seem to remember it was like a round
table, a CISO round table. I cannot remember what part of the world we were in, to be honest,
but I think there were other CISOs there and it was a general therapy session, wasn't it?
Yeah. Oh, yeah, yeah, yeah. And it was underground. I do remember that we went down these funky stairs in this small room.
Yeah. That was actually, the food was really good. Conversation was enlightening as usual.
I ended up learning more than, than anyone. So that's, uh, so I was appreciative of that fact.
And, uh, Sandra was there as well. Yeah, that's right. That's right. And then I think after that,
you and I usually bump into each other
whenever I'm in the States
or you're over here in Europe.
Yeah, no, it's been super fortunate,
actually, to get to know you
and watch the amazing things
that you've been doing at Vodafone
and helping Microsoft be better.
So I thank you for both of those.
Hey, just curious,
you have an interesting path
on where you are today
and in the role you're in.
I'd love to have a little bit of perspective on the path that really got you into security in the first place.
I started out when I was at school really wanting to be a policewoman, and I was too short.
So here I am, 20-odd years later.
And I actually studied economics at university, so I don't have necessarily the most traditional route into security.
While I was at uni, I wanted to go into politics, then realised that would be awful,
and moved, when I left university, moved into internal audit. So I basically learned about security by auditing technology, and spent the first 10, 12 years of my career basically doing
technology audits, starting on big ERP implementations, everything that was going.
And then just before the financial crisis, I was asked to help move into security in a bank
and was there for seven years as a CISO and then joined Vodafone six years ago as a CISO.
That's a pretty good tenure as a CISO, seven years and six years in running. That's awesome.
Congratulations. Yeah, thank you. I'm sure there's been a book running. Certainly when I was in my old company, I think there was a book running on how long I'd last.
Yeah, exactly. What is the CISO
career is so over. So I think that's obviously a great testament to your
persistence and obviously capabilities in the space. I actually think it's
really hard to make an impact if you've got a short tenure. To make security
stick in a company
needs quite a bit of time and effort.
Yeah, actually, it's a really good point.
I think that, you know, we always talk about it's a journey,
not a destination.
And in order to really get the things done that you do, they're hard.
They're just a really, really hard thing to work.
And I think, well, hopefully we'll talk a little bit today,
not just technologically difficult, but culturally hard to go do.
And I think it does take a long time to make those things happen.
Hey, just out of curiosity, and I think I like this about the mission statement,
you know, we have ours about empowering every person and organization to do more on the planet.
And with Vodafone, you know, around this idea that when working together, humanity and technology can find the answers and create a better future for all. That's quite an aspirational statement.
I really love that. What does that mean for you personally? And how do you think about that in your role as CISO at Vodafone?
We've got the luxury of being a global business, and it gives us a really unique opportunity to
drive positive impact. Because we're a connectivity business, it means we really
influence digital society, we can have an impact on how people live their digital lives. And so we've got a real focus
around inclusion, how we really focus on digital society, and then where technology and connectivity
can actually enhance people's lives, society, the futures that they have. And so being a part of a
purpose-driven company is really important for me. It's why you get out of bed every day, why do you
focus on what you do. And so we've got a purpose: it's all about connecting people for a better future and enabling inclusive and sustainable digital societies. And that takes
you just beyond the day-to-day of everything we do and gives it greater purpose. So within that, we
tend to focus on three areas, Bret. We think about digital society, inclusion for all,
and the planet, and that's how we sort of distill down the mission statement into some really clear practical actions. We've got a strong view that tech, you know, we're all part of
a technology revolution, and I think by bringing together the people and culture skills we can
make a really positive impact on the future. And I was going to just talk a bit about, so what does
it mean being a CISO with that backdrop? I've always loved being in security because I think my role is all about protecting customers,
the company, employees, our data from cyber attacks.
It's kind of the altruistic side of our job that really appeals to me.
And so doing that in a company with a really strong cultural societal purpose is hugely
motivational, especially in a job, you know, that's pretty challenging.
So the culture is super important to me.
Well, it looks like you're getting to live some of the values that you wanted to
when you wanted to join law enforcement, whereas to protect and to serve.
So I think that's great that you're getting to do that.
One thing that'd be super interesting from my perspective,
being one of the largest telcos on the planet,
and I like this idea that it's not about the telco,
it's about the connectivity, right?
And how you can connect everything. I think that's a fantastic way to
think about it. When we think about the role of telcos over the years, and particularly the idea
of the network, like there was private networks, public networks, and now these massive, you know,
wireless infrastructure networks and the connectivity stuff that we do. The role of
security, which used to be very network bound, has changed over time. And how do you think about that? You're right in the heart of that change.
How do you think about that role for you in particular, how the network has changed and evolved over time?
And what does that mean for you in the role at Vodafone internally, but also for the customers you're serving?
So I'd say a traditional telco network, it's changed from being one that was really centered around
providing connectivity to customers and
enterprises to access the internet or for communication. So it was more about traversal
than a destination, I think, traditionally. And now you see telcos really moving to being
more value-adding on top of that connectivity service. We've seen introduction of hybrid
multi-cloud platforms, new connectivity requirements.
We've seen mobile edge compute with 5G.
So it changes the nature of the way we think about networks as a telco provider.
And then also as an internal enterprise, from an enterprise IT point of view,
it changes the way we think about our own networks as well.
So zero trust, as you said at the beginning, it's fundamental,
a really important part of our strategy.
We tend to think about it with two lenses, I'd say, at a really high level.
So we've got a workforce lens looking at the overarching, how does it affect our workforce?
How do we make sure the zero trust capabilities work for the end user, wherever they are, with strong authentication, but with a frictionless journey for them?
And then we've got more of an enterprise level view where we look at all the tenets of zero trust and putting them in a way that can
be applied to all the environments. And implementing zero trust, as you know, in an existing,
relatively complex technical environment is quite challenging. So we're currently working on what's
the right level, how do we orchestrate the centralization of some of the key controls,
what analytics will we do, how will we do the policy enforcement.
So I'd say we're on a journey
to really sort of change the way
our security architecture has evolved over the years.
Yeah, I think it's been fascinating.
I think even for us internally,
the idea of managing network infrastructure,
just the combinatrix of it
are so different than managing every endpoint,
whether it's a user endpoint or a cloud service endpoint.
And the control planes are so different now.
I think that's a pretty fascinating space,
which tends to lead you to one of the things
we think a lot about,
particularly around computing on mobile.
And in particular, in the last year,
with so many people working remotely
as part of a response to the pandemic,
is the whole aspect of 5G
and what we think about 5G doing from a,
it's great to have connectivity,
but I need connectivity with security.
And so how do you think about the role of 5G playing out
both for users and for enterprises in this space?
Yeah, and I think with the pandemic,
it's changed the way we think about working,
hasn't it, as well?
So I think layer those both together,
we've very much got a hybrid office and working environment.
We've still got about 95% of our people working remotely around the world.
But we've rewritten all of our remote working policies
really to bring out three worker types.
The ones who need to be on site, like network engineers, network operations,
certainly whether there's any physical work that needs to touch the network.
And then we've also got people who are already home-based.
So for those people, those categories, probably little change. But then we've got what were traditionally our office workers, who have been remote working for the last 15 or 16 months,
and we're moving to a far more flexible way of working for them. So coming into the
office will all be about coming into the office because there's a reason to collaborate, a reason
to be together, or it's a more effective work environment for that person. So I think that flexibility will change. It's changed habits
already, but it's also meaning that we're looking at the security implications. So, you know, we're
all used to relying on the corporate network as a control plane for so many years and some of the
physical security controls that we had in place around offices. And so that's really changed
things also, as we talked about before, so has cloud. So that's really reinforced the strategy of zero trust.
It's also really focused our mind on what the digital experience is for employees,
not just the friction of having passwords and how they access the services, but what's the
experience and can you get the same culture remotely that you would get from people coming
into an office? So there's this idea, like on the experience, where is it a fulcrum-based problem, where on
one side users love it and on the other side IT trusts it, or is it something where we can raise
the bar on both? I mean, I think we can raise the bar on both, and we've still got people at
both extremes. We've got some people who love it and some people who are desperate to be back in an
office world seeing their colleagues again.
So I think we can push the balance and end up with a really great experience that's also great technically and from a security point of view.
And then you asked me about 5G.
I mean, 5G is a huge enabler for the flexibility and remote working that we've talked about and zero trust.
So if zero trust is about having an agnostic network, then why would we rely on
fixed connectivity when we've got the power of 5G? And I think we're at the tipping point of
really, you know, across the world of starting to really exploit 5G. But speed is massively
increased, a reduction in latency, and then the ability to do computing at the edge of the network.
Obviously, that has implications for the way we secure the networks and those services. But the opportunities are huge, you know, from manufacturing, the IoT
connectivity, the automotive businesses, medical health, etc. So huge opportunities across so many
sectors. And I think 5G will be a huge game changer for us all. I'm curious, you mentioned IoT.
I think every security person and every
business that I know, whether they're in high-tech manufacturing, services, transportation,
there's always the question about what about legacy? How do you think about the legacy
applications or infrastructure? Maybe you don't have any. I know I have some. And so if I think
about how do I think about legacy applications and infrastructure with the promise of what we can do
relative to that, how do you think about that balance for you inside of Vodafone?
One of the first things we did was actually write a lifecycle management policy.
So I think it sounds like a bit of a no-brainer,
but a lot of companies don't have them.
So first of all, writing that policy and making it a technology policy,
not a security policy, because this is about performance,
it's about cost management, efficiency, it's not just about security. And often I think lifecycle can get pointed at security when really
it's about, you know, modernizing and simplifying the infrastructure and the technologies we use.
And then I think gathering the data about what really is the situation, because actually if
there's not transparency in the company and it's not an overt decision, then I think we're not really
facing into it and tackling the situation.
So for me, that means understanding
what legacy is there?
What is the situation?
Why can't we upgrade it, decommission it,
migrate it, whatever needs doing to it?
Why? What are the blockers?
Is it cost? Is it prioritisation?
Is it stability of service?
And really getting behind that.
And I think when you then have got that position,
it gives you a better footing to be able to challenge and say, well, why is that okay?
Can't we do anything about it? And then I think if you still end up in that sort of, well,
it's going to take us three years to decommission or to build new, then you can start to look into mitigations and how do we protect those assets and services, you know, segregation and access
control, hardening them as much as we can?
Can we put any endpoint protection or EDR?
Can we get extended support?
What extra monitoring?
So the strategy is to then mitigate the risk or reduce the risk if we can't fully mitigate
it for that legacy.
So to me, all of those decisions need to be made in a really collaborative way, in a very
overt way, so that everybody knows what risk is being signed up
to and the decisions are made consciously. That's a brilliant way to think about it, though, because
most people have, or most organizations I work with will have, a policy on legacy and life expectancy,
but it's usually around hardware infrastructure, not usually about user experience or the other
things that really, I think, make a difference as well. And particularly as you think about the modern, I think your angle on modernization is really key. Like what is
the idea of a chief experience officer? Like what is the experience that we expect our users or our
customers to have and how do we maintain that bar? That's a great way to think about it.
I love the comments around this idea of a lifecycle management policy that's not
about being based on security, but experience and overall modernization
approach. And I do think people have a much better way of thinking about looking forward than
thinking back. It's just like no one wants to be the sustained engineering person. They want to
work on the next product or the next coolest technology has been my experience in tech.
But how do you think about that relative to cloud? We're on this maturity curve with cloud,
but how has cloud impacted you
and the things you're doing at Vodafone?
Cloud, to me, is a massive enabler
from a security point of view.
And I think maybe, I don't know, give it 10 years ago,
we might have all been a bit apprehensive about cloud,
perhaps not in Microsoft,
but there was a lot of security practitioners
who were worried about it.
But for us, it's a huge enabler,
and done right can bring some huge security benefits.
So connecting back to legacy,
I think there's an opportunity
to even sometimes transform platforms
and migrate them across to a cloud environment
to allow you to put some of those extra layers of protection,
even if they're not fully modernized.
And there's some real incentives
with some of the cloud providers to do that.
So I think that there's an opportunity there.
But then more generally, the benefits of cloud,
obviously the scale and flexibility that it brings
from a security point
of view, for us, allows greater consistency, even using a hybrid cloud model where we use
multiple clouds for different purposes. It's allowing us to drive greater consistency and
standardization around certainly the infrastructure layers and some of the standards that are used for
development. We've got pre-built code and scripting ready for any
new environment. And we use one compliance tool that runs across all of our cloud environments,
for example. So enabling all of that is a lot quicker than it would be in a more traditional
sort of on-prem environment. For us, it's been a blend of using strong native cloud controls with
some additional layers that we aggregate ourselves. And then it's also brought opportunity
to partner with the cloud providers on different opportunities, whether it's big data or business intelligence. And then for the telcos,
network virtualization has been a huge, huge opportunity. So taking some of the traditional
hardware functions and virtualizing them has led to much greater efficiency. And then last,
I'd probably just, sorry, I just talk about DevSecOps. So we're really pushing DevSecOps
inside Vodafone, where we really empower our developers to understand security. We equip them with the tools
and the technology and the training so that security isn't done by security, it's done
by the developers. And the more we can integrate the security controls so the developers get the
alerts before we get the alerts, the more they'll get used to, get familiar and get confident and feel empowered to use the tooling that we give them.
Yeah, I think that's been a big push, I think, in the industry and for us as well, which is how do you help developers fall into the pit of success, right?
And so by moving it all, as we say, shift left with the things that you just talked about, I do think people need to understand that it's not a check you run at the end. It's something you just build into the design environment and actually,
like I said, help them be successful without having to become the security expert.
I think that's key.
And make it as easy as possible.
Building all the tools so that it's lift and shift,
and then they can focus on the functionality and the customer-facing value
means that they're happier as well.
I think that's a good example, though, where we think about, you know, we have this
concept of making sure that people are productive, secure, and healthy is sort of the three things,
you know, and I think we've really learned a lot about focusing on what health means,
both physical and mental health during the pandemic.
But I think that we often think of that as an information worker, and your comments around
the DevSecOps is another example of, you know, what does it mean to be productive as a developer?
What does it mean to be productive as a salesperson? What does it mean to be productive
in any role that you happen to have?
When you think about balancing off
that idea of secure and productive
and healthy, are there
tools you're thinking about? You mentioned
some things like this one compliance thing you mentioned is great,
but are there other tools you're thinking about how to help people
remain and be productive?
Yeah, we are. I think passwords are the work of the devil for everybody, aren't they?
Security people hate passwords and all the workforce hate passwords and our customers hate passwords.
So a bit like you, we're on a journey around authentication to try and remove passwords from our environments
and make authentication both secure and simple for the workforce.
So that to me is really important.
And when you talk to people about negative sentiment around security,
passwords come up time and time again.
So I think there's something we can do there.
As we know, attackers love passwords.
So we need to get them out of the equation. Yeah, there's at least one group that likes passwords, right?
Exactly, exactly.
So we're all learning the hard way.
I think this idea about passwords is great, right?
Everybody hates them, except for one group.
Our enemies are cyber criminals who love them.
And they seem to work really well.
They collaborate very effectively and very well.
So what do we as security practitioners do to collaborate as effectively
as the people we're protecting ourselves from?
I think that's a great point, Bret, especially as we're all remote
and not bumping into each other physically
as much as we used to.
So for me, we've got to remember
to keep sharing learnings and threats.
I think threat intelligence teams
have always worked well to share.
We've got to keep pushing that
and keep promoting it
and then absolutely not compete
on the security controls
or the practices we're putting in place.
So the more we can share those cross-sector
with our colleagues
from other companies, the better. So I think fighting as one security community is far more
powerful than trying to do it on our own. I think that's super important. And I do think
we tend to be better at doing that under time of crisis as opposed to proactively doing that.
We reach out when we need to. And so I think we need to keep thinking about how do we do that sharing ahead of time before the crisis happens or the other components.
And hopefully talks like this or things that we go do or just, I know you and I have had a great
opportunity to do those things, but you are right. I think there's something we're going to have to
do that's not just crisis-based, but how do we continue to share, stay ahead of the people we're
protecting ourselves against? I think that's a great commentary, including working with both public and private sector.
Yeah, I totally agree.
And then reporting issues.
So trying to really reward good practice
around a culture that wants people to call out
things that look unusual or suspicious.
So not just phishing,
but just general reporting of bad practice.
But we've embedded things like the phishing reporting button
like a lot of companies have,
and then make very visible
the reporting that we get
when it leads to a good find.
I'll give a bit of a plug for AIP, shall I?
We worked hard on implementing AIP at Vodafone.
We worked hard both on the security controls,
but more so on the user journey.
So we really wanted,
I said to the team,
I want one-click encryption and classification.
So I want employees to, with one click,
be able to classify sensitive information.
And so with that target, we used Agile methodology
to go round and round and round and tailor the functionality to do that.
And it's meant a much better user experience
and greater adoption of AIP.
Yeah, and just for people who don't know,
AIP is our
Azure Information Protection.
But this is a really good example
where I'm going to,
I'll be the negative person
about AIP,
and I know this is going to
get me in trouble,
but there's a lot of security jobs,
just not a lot of job security.
So we'll think about
how that plays out.
I think the thing, though,
I don't mean to be negative,
but it is great
that we integrate that
so users label
and do other things.
And then the work that we're doing
using AI on artificial intelligence to auto-do that and auto-classify so that users just have to confirm.
Just like the thing you said with developers.
We have the corpus, and so we are working on it.
And I know other entities are.
But this idea that we auto-classify and we can get to a 99.9% confidence interval just like we can in natural language recognition.
We need to get that same confidence interval
relative to industries to auto-classify
so that we don't put that.
So it's great that we've automated it.
We need to go one more step
and then actually automate it and integrate it
as part of an artificial intelligence system.
Totally agree.
And then the next product roadmap item
that we'll give you is,
how do you integrate the who should have access and the sharing?
Because that's the hardest thing with any sort of information protection is the sharing and how you do that in a way that's simple, but also the right people.
So, yeah, I agree.
Yeah, I think that's a great, and that's the whole classic, do we overshare, undershare?
And that's a whole other topic we could do a podcast on if we wanted to, which would be fantastic.
Lots of companies have cultural inclusion perspectives, diversity inclusion perspectives.
The last year has sort of been, I would say, a transitional and transformative year for many people.
Because I think that while we, you know, you've done a lot of disaster planning and resiliency planning.
I know we all were doing, like, crisis management is in my remit, and I know that's been in yours.
We did all the planning for avian flu as an example, but it didn't come to reality the way
that pandemic did. And then you add to that the social injustice issues that have been going on
globally. And so you sort of have this, again, really marquee year in really helping people,
both personally as individuals, as families, as companies, as countries, as a global
environment, think about what are the implications of how we work and what does that mean and what
do we do? What are some of the things you've learned in the last year, either personally or
obviously, most importantly, in this conversation, the company around what the pandemic's taught you
around how people work and how to think about those things and all the aspects regarding that? I mean, there are so many things, so many things I wish I'd known
about 16 months ago. I think overall every day and every person's experience can be so
different even though it's the same, because you're probably sitting at the same desk in front of the
same VC screen that you have been for the last 16 months, and yet the way you feel and the experience
you have can be so different. So I've definitely observed people going through highs and lows
more so than before, and then maybe be a bit more visible than when you normalize in an office,
on video. And then for sure teams affected by the weather and the seasons. So, you know, we both live
in seasonally affected parts of the world. It was a really cold, dark, bleak, wet winter.
And, you know, you could see people really experiencing that.
And typically employee surveys are more positive the closer people are to the equator anyway.
So I think for sure it's felt more extreme during the pandemic.
And then I think being on VC, it's harder to pick up and read emotions and sentiment
and takes body and eyes a lot more effort than it would do if you're in a meeting room.
Now, we were a company who already did a lot by video conference
because we have people all over the world.
It's been a bit of a leveler because there hasn't been groups of people
sat in headquarters in a meeting room with lots of people remote.
It's been everybody remote.
And so that's brought an opportunity to hear different voices
in meetings than might have been before, and a real positive, I think, from doing things
in a different way. It's definitely underpinned our strategy on zero trust and made it
the right thing to do and made us want to go faster and faster on that. I think we've been
course correcting all the time. So, you know, thinking about what would I have done differently,
it's very difficult to pick out one thing because we've course corrected all the time by running pulse surveys,
checking in with how people are doing, offering mental health support and advice. We've done
resiliency training for people. So I'd say it's the people impact that's been significant. The
technology impact has been, for us, touch wood, a lot smoother. And so how you support the team and
get the same culture and people feeling
in the same way they did before
in this environment is the big challenge.
Some people are loving working at home,
really want to keep the flexibility.
Other people are desperate to get back to the office.
So I think we've definitely seen that split far more so
than when everybody was in the office.
Yeah, it's interesting you say that.
In some ways, it's brought people together,
but in other cases,
it has created these more stark divides like this.
To the point you just brought up, I have people who are, I'd love never to come back in the office.
And I go, please let me back in the office.
And so some of it's cultural, like geographically cultural, equatorial, as you said.
And I think those are interesting perspectives.
That's one of those important things about inclusion.
How do we keep the benefits of that?
And then how do we think about inclusion in general?
I'd love your thoughts because you've always said
great topics on this.
We're going to do a little pilot at the end of June
where we're going to try and run one of my leadership team meetings
as we would have done before.
So providing the government rules allow us to do that.
Those based in the UK will be back in the office
and then our remote team will join.
And we're going to use it as an experiment and learn fast. So let's try and run the leadership
team meeting in the same way we have been doing, but with half of the team remote and half of the
team physically present. And does it work and does it change? And we're going to use that as a test
to say, right, how do we then need to adjust as we start moving back towards having meetings
physically present in the office? So I think there's some experimentation needed to then figure out what works, what doesn't.
And then we are consciously not going back into the office to all sit in lines of desks with
headsets on on video calls, because you may as well do that at home. So for us, it's definitely
about being more purpose-led in why you're in it, why do you need to be physically together,
and then really changing, probably, the office space so that it's more adaptable and more use for collaboration
and creation events than it was before. I'd love your view, from an industry perspective,
on how we think about inclusion, though. I'd love to hear your views on that. I think, I mean, it's a
topic that I always like to talk about when I'm being interviewed anywhere, because it's
close to my heart. Having joined, I took over as CISO about 13, 14 years ago, and when I went to my first industry
event I think there were only six women out of 120 in the room. So I felt it quite pointedly
when I first moved into being CISO. Just before this, I was just doing some training, actually,
called withstander training, and it's all about how to be a withstander. So if you witness
any kind of bad behavior, any kind of microaggression, what are the techniques that you can use to
intervene? And there was a really good model that they shared around how to do that. So, you know, you
could either do it by deflection, so you kind of move the topic to talk about something else if
you didn't feel comfortable overtly saying something. You can call it out and explain how it makes you feel or why you may think that it's wrong.
You can escalate, you know, if you don't feel comfortable dealing with something, go
and tell a manager, go and get some support in doing that. But making sure that you actually do
tackle microaggressions when you see them, whether or not directed towards you in particular,
tackle those microaggressions. So we've got a big push in Vodafone to create this allyship
and withstander mentality. And I think that to me is going to be a game changer because the
microaggressions are the things that just sit below the surface. They might not always be obvious,
but can really affect how people feel. So to me, having people who come to work, feel comfortable
being themselves are when people are at their best.
And that's what we're really striving for on inclusion.
I went to my training course earlier, so I'll be putting that into more practice.
And I think training people on how to intervene comfortably is really important, so they feel comfortable intervening.
Just generally, we definitely do have a lot of focus on diversity and inclusion and how do we hire, retain, and progress people of different backgrounds, different ethnicity, different gender,
different age. And I think we've got a big focus on that now. It's harder to measure some of that
data, so in Europe, for example, we have to have consent. It's optional whether people want to
give their demographic information and their personal information.
And so we're doing a big push to say, please share it with us.
We'll keep it anonymous, but we need to know how well we're doing
on all these different topics.
And having that data is going to be really important
because it will tell us, are we doing well on recruitment?
Are we doing well on retention?
Or where are the hotspots and problems?
And are all teams doing well?
So I think a data-driven view that tells you
about how does your current company reflect the society
that you operate in is really important.
And then, yes, diversity and things like recruitment.
But for me, it's all about inclusion
and making people really feel valued,
being themselves and confident at work.
Yeah, no, I love that.
I think we've talked about recruitment and retention.
And I think it was most well said by someone I respect highly who said, people will always come where they're invited.
They stay where they belong.
And I think that we have to stay on that.
We have to stay on that path for sure.
We have a phrase which is, you can invite me to the dance, but did you actually ask
me to dance?
I do love the analogy.
I think it's actually a really, really good one.
Absolutely.
Absolutely.
So this is the part where in this podcast,
there's a couple of things you do. One is what book are you currently reading and what book
would you recommend? I have just started reading a book by Michael Lewis called The Premonition
and it's about the pandemic. Michael Lewis wrote The Big Short, if you remember. Yes. So I've just
started reading that. And the book I'd recommend is Why We Sleep by Matthew Walker.
I read it about two and a half, three years ago.
And I've always known that sleep is really important.
I think my granddad drilled it into me when I was young.
But this really made me prioritize my sleep.
I was traveling a huge amount at the time.
And it gave me data points to validate how important sleep is on health,
effectiveness, general well-being.
So I think it's a great read.
Hey, in priority, you've been doing this for almost 14 years and obviously in different
sectors and you have an amazing background.
What would be your practical advice, given all the experience you have?
I would ask this question, which would be in priority, what would be the three things you'd tell security practitioners to go do today?
And the one thing they should avoid.
Three things.
I might give you four in one.
Always focus on the security basics.
No matter how exciting other stuff is or how many new gadgets, tools, and things there
are out there, always focus on patching, hardening, vulnerability
management, access control, get those foundations in place and don't take your eye off the ball.
I'd say then the second one is great detection and response because we all need it. So practice
simulations, playbooks, have a team, be prepared, you know the drill. And then I'd say I am pretty
frugal. So really make the tools work for you. The technologies
that you do have, are they actually mitigating risk and are you really getting value for money?
And if not, decommission them, because the simplicity of the security tool stack makes our lives a lot
easier, and if they're not really adding a control layer, then why have we got them? And then I have to
have a people one, which I'd say, as security leaders, it's really important we talk to the
rest of the company and make security relevant to your company, whatever that culture,
purpose, mission is, adjusting security to be relevant. And then the one thing, always avoid:
never over-report your security posture or program progress. I call it watermelon reporting. Do not
do watermelon reporting. And what is watermelon reporting, for people who aren't
familiar with the term? It's green on the outside, so everything looks good. But when you dig deeper
and cut it in half, it's bright red. Yeah, exactly. Brilliant. That's such a great way to finish. And
I love that you took four because I think they're actually completely accurate and perfect. I love
the basics, the focus on the idea of response and resilience and detection, not just the protection side because we see a lot of people do that.
Leverage what you have and simplify.
And I think that's totally true.
I 100% agree.
And simplification is the best way to get there.
I think people, myself included, can be overly complex.
And that's the enemy of what we're trying to do.
And then the leadership point is so spot on.
And depending on what part of the org you're in, it's always important to simplify
and make that story relevant
to the people you're talking to.
So that's awesome.
And I won't forget the watermelon scorecard.
So I will make sure I keep that in mind.
Emma, thank you so much for your time
and sharing your insights.
I was so lucky to have you on the call today.
Appreciate it.
My pleasure, Brett.
Thank you so much.
Appreciate it.
Enjoyed talking to you.
Yeah, thanks so much.
Thanks for listening. I look forward to our next episode.
And remember, stay safe and stay secure. This week on the Microsoft Threat Intelligence Podcast,
join us for an update on threat actor Seashell Blizzard.
Be sure to listen in and follow us at msthreatintellpodcast.com
or wherever you get your favorite podcasts.