Screaming in the Cloud - The Latest on Microsoft Security with Ann Johnson
Episode Date: May 1, 2025

Microsoft has its fingers in a lot of pots, but just how secure are said pots? On this episode, Corey is joined by Ann Johnson, Corporate Vice President and Deputy CISO of Microsoft's Customer Security Management Office. Ann talks about her 40-year professional journey and how it's culminated in her current role. Corey is known to "punch up" at the big guys in the tech industry, but he and Ann talk about the challenges of corporate leadership and being a public face in such a prominent company. Since it's 2025, of course, they're going to talk about AI's pros and cons (and why it shouldn't be used to make art).

Show Highlights
(0:00) Intro
(0:51) The Duckbill Group sponsor read
(1:25) What Ann's been up to since she and Corey last spoke
(2:29) The makeup of Microsoft Security
(4:28) The unique company culture at Microsoft
(8:42) What's going on with Microsoft Azure
(10:31) How Ann handles the immense pressure of working in Microsoft Security
(14:13) The toxic nature of online criticism
(19:57) The Duckbill Group sponsor read
(20:24) The value of telling your leaders the truth
(23:31) Ann's thoughts on the current state of AI
(28:44) Properly defining what AI can and can't do
(30:54) Why Ann helps fund multiple STEM scholarships
(32:16) The need for the humanities alongside tech
(33:38) Where you can find more from Ann Johnson

About Ann Johnson
Ann Johnson is Corporate Vice President and Deputy CISO at Microsoft. In this role, Ann drives all external engagement for the Microsoft Office of the CISO. She is a long-tenured, recognized thought leader on cybersecurity, published author, and a sought-after global speaker and digital author specializing in cyber resilience, online fraud, cyberattacks, compliance, and security.

Ann challenges traditional schools of thought and cyber-norms, from the way the tech industry tackles cyber threats to the language it uses to communicate, and encourages the industry to get outside its comfort zones and expand how it addresses the evolving threat landscape with the power of technology and people. As a global cybersecurity leader and strategist, she is looking ahead at how today's cybersecurity investments will impact tomorrow's cybersecurity reality. Ann currently serves on the Board of Directors of N-Able, Human Security, Datavant, and is a Member of the Board of Advisors for the Cybersecurity Center of Excellence, WA and the Signal Cyber Museum Society. Ann is also an Executive Sponsor of the Microsoft Women in Cybersecurity Group.

Links
Ann Johnson's LinkedIn: https://www.linkedin.com/in/ann-johnsons/
Microsoft Security: https://www.microsoft.com/en-us/security
Afternoon Cyber Tea: afternooncybertea.com

Sponsor
The Duckbill Group: duckbillgroup.com
Transcript
Because I never want to be that person that you can't give feedback to.
And I find that a lot of the communication we're talking about here,
why people struggle is because people don't give leaders feedback.
They tell them what they want to hear.
There's so many leaders I know in industry that they don't have anyone
who is brave enough that immediately surrounds them,
that's willing to tell them the truth.
And that's the problem.
That's why companies fail, by the way.
That's why leaders fail, because you have to have that one or two people
in your circle that are willing to tell you the truth.
Welcome to Screaming in the Cloud. I'm Corey Quinn. My guest today is Ann Johnson, who's
a corporate vice president and deputy CISO of the Customer Security Management Office
at presumably a large company with a title like that,
Microsoft.
And thank you for joining me.
Thank you for having me.
This episode is sponsored in part by my day job,
the Duckbill Group.
Do you have a horrifying AWS bill?
That can mean a lot of things.
Predicting what it's going to be,
determining what it should be,
negotiating your next long-term contract with AWS, or just figuring out why it increasingly resembles
a phone number, but nobody seems to quite know why that is.
To learn more, visit DuckBillGroup.com.
Remember, you can't duck the duck bill bill.
And my CEO informs me that is absolutely not our slogan.
You and I have talked for a while about various things throughout the industry. We were Twitter mutuals for a while. We've rediscovered each other on Bluesky after the great diaspora.
And then there's a recombining now in social media. What have you been up to the last couple
of years? Oh, nothing.
It's just, you know, that's what's going on with computers these days.
What could it possibly be?
What have I been up to?
Let's see.
I took a new job at Microsoft in May. Igor Tsyganskiy, who's our CISO, recruited
me.
And he said, look, I need my security people to be focused on securing Microsoft.
He said, and we get a lot of customer demand to talk about how do we secure Microsoft?
Come meet with us, tell us what your experts are doing.
Come do this podcast or come write this blog
or come do this interview.
And he said, so I'd really like you to build a small team
that does those things,
that actually can be subject matter experts
on how we secure Microsoft, can write blogs,
can go do podcasts and do interviews.
So the security, the core security team
is actually focused on securing Microsoft.
It is probably the funnest job I've had
in a very long time.
Forgive me, the taxonomy of large companies
is something that is tricky to ascertain from the outside.
And I'm told the inside as well in some cases.
So Microsoft security is its own organization.
How does that interrelate with the, frankly, sprawling at, I guess, various business units
that you folks have?
There's Xbox, there's Azure, there's LinkedIn, there's GitHub or Jithub, as I insist on pronouncing
it.
Where do you start and where do you stop as a security org?
I'm a hard G person, you know that, because we've had this debate.
I also like pineapple and pizza, which is a whole nother debate. So Charlie Bell leads all of Microsoft security. Microsoft security
is a peer organization to those other organizations you name. So Charlie has peers who lead Microsoft
365, Azure, LinkedIn, gaming, AI, et cetera, et cetera, et cetera. Within Charlie's organization
is where the office of the CISO sits and we do call it the
office of the CISO. So Igor Tsyganskiy, my boss, works for Charlie Bell. The other parts of Charlie's
organization are focused on the engineering and product management efforts of our Microsoft
Security Solutions portfolio. So the actual security products that we sell to our customers.
So on some level you are not part of those other orgs, you're a peer to them, but presumably you also dive deeply into those other orgs. Do they have their own internal security
apparatus as well? Well, we are the security apparatus. Now we are the
security apparatus not just for internal Microsoft employees but also for Microsoft products. So
now that being said as you know these big huge companies have a lot of matrixes.
So there are people within those organizations
that will be a deputy CISO that will report directly
into the senior engineering leader like Charlie
or Scott Guthrie or Rajesh Jha,
but they have a matrix reporting to Igor
and that matrix is related to risk and improvements
we need to make in the products
to make them more secure.
I forgot, that's right, Scott does run Azure.
He was a guest on the show years ago and I was impressed by the fact that he still wore
the white, sorry, the red shirt when he showed up.
Wow, okay, this is not just something he does when he's on stage.
This is actually how the man dresses, which is awesome.
I love the branding.
You know what else I love about the guy and I'm sorry, I'm not here to be the president of the
Scott Guthrie Fan Club, but you get on a phone call with him, Rajesh, Charlie Bell, any of those
folks that are Satya's leadership team, Satya himself, they understand at a micro level that
I've never seen senior executives understand how the products are wired. They understand the coding. They understand a deep, deep technical depth
and can coach and move their teams along.
It is unbelievably impressive to watch a Scott Guthrie
be able to scale across the business, right?
You would expect him to understand the cloud business,
but also the deep, deep technical depth that he has.
I think the common thread among all of the,
I guess tech titans to use the framing, the one that
really separates those companies from others, is that the executive leadership team deeply
and profoundly cares.
They sweat the details across the board.
When you have other companies that like to style themselves as being one of these, but
they never quite seem to break through, and you look at their executive suite and there's
basically it's a revolving door and they wind up bringing in a bunch of outsiders,
because, okay, this is generic company,
so we're gonna call down to Central Casting
and get generic CTO to come in for 18 months.
It does not have that same ethos.
I mean, you've joked that you're still the new kid
at Microsoft, but you've been there for nine years.
Yeah, and I've been in tech almost 40, just so you know.
So I've been in tech my entire professional career since I graduated from college.
And Microsoft does have a very, very unique culture compared to other companies.
And that's not a good or bad statement.
It's just a very different culture.
But the thing we have that is awesome is we do have a very senior leadership team that
is deeply in the details, that cares passionately about the business
and cares passionately about what product we're putting out there. So I sit on these calls
sometimes and these big calls where the senior executives will start to get into a conversation
about something. And I'm always amazed at the way they scale up and down. They scale at the super
high level. Let's talk strategy at this 20,000 foot view. All right. Let me talk specifically about how we're securing a specific mailbox
within a specific tenant with it. I'm like, wow, really?
It's the fractal complexity that always blows me away by so many of these things. One of
my old favorite repos on GitHub was entirely devoted to exhaustively answering the question. You type www.google.com into your browser and press enter.
What happens?
And people have gone into stupendous detail on the nature of the keyboard,
the bouncer in the switch that winds up it goes beyond the level of insane complexity.
And we still haven't finished it.
It's still not done because there's always more to learn and more to know
Well, there is. And look, I'm not a coder. I'm not an engineer.
I grew up as an architect, actually. I was a network architect early in my career with token ring, even before we got to Ethernet,
which was a blessing, but that all aside.
So I look at problems differently. Like everything to me is an architecture problem.
These folks look at it, and I think it was Bill Gates that said, anybody that can code can solve any problem, because you're talking about putting a bunch of
strings and characters together and making something happen and it's the most awesome
thing in the world. I can't even imagine having the skills to do that, right?
I was much the same way. My only programming languages that work are brute force and enthusiasm
and with the advent of AI doing what it can do, apparently I can bully the
LLM into eventually building something that is at least reasonably within inhaling distance of
working.
It may be psychotic, but it also works.
It's starting to unlock that for folks who don't have that classical, I'm going to sit
down and write code for the next 10 years mentality.
Yeah.
I mean, I built in college, I took a computer class, computer science class, and I built a Pong game in BASIC.
That is the last time I wrote a line of code.
So I have deep appreciation for the profession.
Oh, they were teaching C++ when I went to school,
and I think I filed a complaint with the university
that I thought you'd outlawed hazing.
What is this?
Exactly.
So I do want to ask,
but Azure had a couple of, I guess about a year or so of interesting security revelations.
You folks did a blog post on it.
It's been a couple of years since then.
So, I am curious, what is going on?
What's changed?
How are you viewing this?
Yeah.
And Corey, again, I didn't come on your podcast to sound like a Microsoft commercial, but
I will tell you what's changed. Satya and Charlie Bell last May, you know, really kicked off the Secure Future Initiative, which is this wholesale across the company, 34,000 full-time equivalent people who are working on security every day and making sure that we're closing any gaps.
You know, like a lot of companies, Microsoft's going to turn 50 years old, by the way, next week.
Okay, that's an old company.
Okay, it's going to turn 50.
That's older than most technology people's life span.
But anyway, so we had a lot of technical debt.
We had a lot of stuff that we had to go back and clean up.
And it's just like our customers.
Our customers suffer from having too much technical debt.
They suffer from, hey, we're going to bring something new to market
and we're going to rush and move really fast.
And oh, by the way, we didn't go clean up these other 10 things that already exist.
Right. So we've spent almost a year now.
We're publishing reports twice a year.
The next one will come out in April.
But we have this wholesale effort and Satya has sent out this memo that we call the security above all else memo.
And it is really true.
We have transformed the culture of the company, but we've also really, really hardened the environment and we'll continue to do that. The attackers
are not any less persistent than they were. We are a target-rich environment, just like
the other hyperscalers are a target-rich environment. So they find unique and innovative ways, and
if you have one hole, they find it. So we're going to continue to harden the environment,
but we've done so much just in a year. It's a really, it's a testament to the breadth
and depth of Microsoft that if you want to be,
if we want to put an effort around something,
we will get it done.
Something I didn't appreciate fully at the time is that
unlike any other company on the planet,
Microsoft does business and has contracts
with modulo every entity on the planet.
Virtually every government, except some on a very small restricted list, every enterprise for
certainty, etc. And so much of that curtails inherently what you can say about anything that
even comes within inhaling distance of security. For me, the longer I've had to think about this, the more surprised I am that you can say anything at all,
just based upon the fact that basically all of humanity
on some level has a view, position, stake,
and will take any issue they can
with anything you folks say.
How do you do it?
It can be tough.
Look, I'll give you a perspective.
I had a couple small startups right before
I came to Microsoft, but I spent a lot of years at EMC and I thought EMC was a huge
company until I came to Microsoft. And the one thing I've learned about Microsoft, and
you can, my LinkedIn feed and my LinkedIn inbox and my InMails will tell you this, is
that I get the most amazing, I'm going to use the word amazing,
mails from people. I had a problem with this, and I'm like, I don't even know what that is,
some consumer piece and I want to be empathetic and sensitive to people.
But we get challenged. It's like people throw a lot of rocks at us because we are a very large
organization. We have a consumer email presence. We have an enterprise email presence. We have a cloud presence. We do gaming.
We have LinkedIn. We have GitHub. You name it. There's a lot of rocks that get thrown.
And sometimes it can be really difficult. One of my roles as a leader here is to keep my team from
being demoralized. If they pick up the paper every day and people are saying horrible things
about Microsoft, it's really hard to get up, put your shoes on and go to work.
And I wish that people, I understand,
like we were deserving of criticism, right?
We had some work we had to do.
We had to clean house a bit.
We had to clean up the environment a bit.
But understand the human,
and I know that social media right now,
we don't understand the human aspect of anything.
As a matter of fact, it's fun to target people
in some aspects, you know, people like, it's a sport,
but understand the demoralizing and the human aspect
and understand that Microsoft security professionals
get up every day and want to do the right thing.
We come to work trying to do the right thing.
People work exceptionally hard here,
and it can be really demoralizing to folks
if all they're doing is being criticized.
Something that I have had to relearn again and again and again, and it's so easy to view
it as a multi-trillion dollar behemoth.
Like any type of criticism I give is of course going to punch up everything that I can say.
It's a faceless giant entity that you just can't even wrap your head around completely.
But these things are comprised of people.
It's not a million people working on a particular initiative.
It's generally a smallish team.
And it doesn't feel great when people like me
are running our mouths about some of the missing features
or approaches to things that haven't gone super well.
I mean, at some point, you sort of have to take the licks.
That's a consequence of sheer scale.
But I endeavor not to make it personal.
And the challenge of course is not everyone takes that view.
I've talked to a lot of people at all of the hyperscalers,
none of them feel great when effectively people
start throwing rocks.
Yeah, look, you have to learn not to take it personally,
right, and that's what I coach my people.
I also have this expression, it's a little rough, but I say, look, if you can't run with the
big dogs, get off the porch. Because at the end of the day, we are working for this very large
company. There are a lot of advantages and benefits for working for this very large company. You're
learning, you're experienced, the people you're surrounded with, the talent, your opportunities
are amazing. And unfortunately, the downside that does come with the fact that people are going to call us out as they should.
They should, people make us better. But what I would ask is try not to make it personal. Try
not to say, Hey, Ann Johnson, she really sucks because this happened. Say, Hey, this happened
and it wasn't great. And we're like, yeah, you know what? You're right. That's, that's all I ask.
But you don't, you know, like I said, social media at times was such a bad invention because it lets people hide and throw rocks, things they would
never do if they had to have a more personal interaction. People say things to me on the
internet they would never in a million years say in person because you don't talk to people like
that. It is wild seeing, I guess, the way that it shades human interaction. And I've met almost my entire social circle
on the internet.
I met my wife on a dating site.
I met my business partner on IRC many, many years ago.
It has changed the course of my life.
But even so, I still find myself inclined
to say things to people on the internet
that I would not say to them
directly.
And I recently had the unfortunate discovery that I really hope I never talk to humans
the way that I talk to LLMs when they get things wrong because I am reactionary and
angry about it and I don't like that person that I become, though it can admittedly be
somewhat hilarious when you realize this is just a stochastic parrot and I'm a sarcastic
parrot and we compete with each other and it's great. But yeah, I would never talk to
humans like that. I hope. Yeah, I hope not too. I worry other people don't have that boundary.
No, they don't. And sometimes I make mistakes, right? And then I, you know, I'll make a mistake
in a response to some internet trying to be funny and I reread it and I'm like, oh, that wasn't
actually funny. And that was a little bit too snarky, right? It wasn't funny snarky. It was
actually kind of mean snarky. But I also joke that, just so you know, that
there is one place we could all be snarky. And if someone could please program my GPS,
because I am directionally challenged to say, you idiot, I told you to turn back there.
I would accept that type of snarkiness from a computer.
Yeah. No, Jack, hold your other left. Yeah, exactly.
Yeah, exactly. Yeah. I would accept that kind of snarkiness
from a computer, but no, people have to realize
that there are real live human beings
and they're getting up every day and trying to do their best.
And yes, human beings make mistakes
and yes, companies make mistakes,
but that doesn't mean we all suck.
It just means that we need the feedback to get better.
One of the wisest things I've ever heard
was from John Scalzi, who fortunately is very
prolific and shitposty himself on Bluesky.
But I've been quoting it for years where I learned that he was the one that said it.
And ever since then, I have quote attributed every time, the failure mode of clever is
asshole.
And he's right.
I love that, by the way.
I've seen, when I do the live tweeting, now live skeeting, of various corporate keynotes, very often other people try to join in and do the
emulation approach. They're mean about it. And I look back at my very early days, I
was too. It's sort of the evolution of it, but I didn't have anything
of a following back then, and the blast radius was very contained, and I'm still
atoning for some of those sins. And it's, don't do it like that. That's not
gonna work. I worry that I'm the worst kind of role model. No, I look at, maybe, but I think you
do it with the best intent. I can, you know, I'm old enough now, we talk about my age, but I am old
enough now that I can tell intent. People will say, and I'm just gonna give you an example, say, well,
that, you know, that person was kind of sexist. I'm like, yeah, I don't think they actually were being.
I don't think they I think if you told them they were being sexist,
they'd be horrified
because I don't think there was intent behind it.
I think it was subconscious.
They need a little education and let's give them some grace.
Let's just say, hey, this didn't land well
because you said it like this.
If you had said it like this,
you would have been constructive
without anybody reading negative things into it.
I think most people, and I'm going to stick to this
because it's the reason I get up every morning.
I think most people have good intent. I have
a communications degree, Corey. I have an advantage, right? I understand communication
is all about the receiver and even I make mistakes. Most people don't have a communications
degree so they don't get up thinking about the receiver and the communication. They don't
have that level of training. So I really try to cut people grace unless I can tell they're
deliberately being a jerk. I also, it's easy for me just because all I have to do is more or less
repeat the same thing that corporate marketing departments put out after it's been so
workshopped and committeed and it's become anodyne, and I just repeat it with a funny voice as a
dramatic reading, and that alone is a basis for comedy. But this goes back to the idea of the
larger you get the harder it is to communicate directly,
succinctly and transparently because everyone has an agenda.
Everyone has an agenda and opinion.
And I'm never, you know, folks will tell you, I'm never anodyne enough that I could be a
marketing person, unfortunately.
I'm not pithy enough.
I'm not, you know, brief enough because I wanted to be a lawyer, by the way.
So my communication skills were trained in a very different way.
My wife is an attorney, and every time I was like, I think I'm going to become a
lawyer, her reflexive response is:
No, don't do that.
It's a decision that isn't going to go the way you imagine it in your
head.
Teaches you to be a little more verbose.
It does because you want to be super clear in what you're trying to drive.
But I do think it's funny.
Sometimes I read even marketing stuff we put out.
And by the way, full respect to our marketing team.
This is not in any way,
but sometimes I'll read something like,
wow, that's kind of cheesy.
You know, that is not exactly probably how we want.
But when you read something
and you've got the armchair quarterback,
it's like sports, right?
It's opening day for baseball today
when we're recording this.
It's like sports being the armchair quarterback.
When you read something that someone else wrote
and you're removed from it,
you actually can have perspective on it.
And I do try to give gentle feedback to people
if I think a message is just, you know,
a little bit off base.
This episode is sponsored by my own company,
the Duckbill Group.
Having trouble with your AWS bill?
Perhaps it's time to renegotiate
a contract with them. Maybe you're just wondering how to predict what's going on in the wide
world of AWS. Well, that's where the Duckbill Group comes in to help. Remember, you can't
duck the Duckbill bill, which I am reliably informed by my business partner is absolutely
not our motto.
And changing context on it works too. I submitted a talk a year or so ago for
GitHub Universe that in their excellent decision-making capacity they did not
select, but it was about gen AI, because it has to be, and my co-presenter was
listed as GitHub Copilot. Surprise! And it wanted a bio so I wound up copying and
pasting what it had on the marketing website.
And if you ever met a person who self described
in those terms, they would be the world's biggest blowhard.
And I had fun with like relationship to GitHub,
mandatory field, product.
Great, it was easy.
We just had fun with it.
And yeah, they went with good talks instead of my nonsense,
which is absolutely the right decision.
But even that, it really drove home the idea
that things that make perfect sense in one context,
because it's not a bad product page at all,
but turn that into a self-description bio
and you want to stay as far away from that person as you can.
I wish there were a lot of leaders,
just take leaders in general,
that actually had people that told them the truth.
So I try to be that person,
it doesn't always make me super popular,
but I do try to do it in a very constructive way.
And by the way, I try to encourage my team that too.
I said, you can say anything to me, say it respectfully,
say it with context, but you can say,
hey, this really sucks.
Because I never wanna be that person
that you can't give feedback to.
And I find that a lot of the communication
we're talking about here, why people struggle
is because people don't give leaders feedback.
They tell them what they wanna hear.
There's so many leaders I know in industry that they
don't have anyone who is brave enough that immediately surrounds them that's willing
to tell them the truth. And that's the problem. That's why companies fail, by the way. That's
why leaders fail, because you have to have that one or two people in your circle that
are willing to tell you the truth. It's a risk to do that. It takes a certain willingness to be direct.
I found that in the early days of my career, that when it comes to office politics, you're
not opting out, you're forfeiting.
It's why I was always a terrible employee in some ways, but as a consultant, it's great
because the politics that I have to manage are minimal at their absolute worst and mostly non-existent.
It's great.
I'm here to give you advice as actual consulting advisory, and then you do with that what you'd
like, but I'm not here to worry about building a strategy for a fiefdom that you're trying
to spin up to accumulate headcount.
Great.
You do you.
That's not my role.
It's nice.
It affords me a freedom to be direct that I think is refreshing to folks.
People are, we used to say it was laudable that like,
oh, I'm very direct and I say what I mean
and people should emulate that as,
yeah, I just don't have a filter.
I don't know that it's necessarily a skill
or an actor or a talent.
It's just a personality defect.
Great, find a way to work with it.
You know, I don't even know if it's a personality defect.
And I think it comes a little bit from a place of privilege, right?
I'm senior enough in my career.
By the way, I've had a career that I never would have expected.
I've been more successful than I ever would have imagined.
And so now I don't give a fluff, as my dog would say.
In a lot of cases, I just don't.
I'm like, look, I want everything to be better.
I want everyone to be good.
I'm not going to be a rude, abusive jerk, but I got to give you constructive
feedback and if that means that tomorrow I don't have a paycheck for Microsoft,
I guess I just live with that outcome.
Right.
You, that feels like a perfect time for you to bring this little gem up.
You are, as you say, you're very direct and you've been doing
this an awfully long time.
What is your take on the current state of AI, given that every company is, to be direct,
beclowning itself as fast as it can to AI-wash everything they've been doing for the last
five years and slap it all over their marketing?
So it's so funny.
This will be my 23rd or 24th year going to RSA in a few weeks, the RSA conference.
And every year at RSA, I joke about it, it's the year of whatever.
It was the year of smart cards, or the year of certificates, or the year of network filtering, or the year of whatever.
15 straight years, the year of the firewall again and again and again.
Everyone's trying to sell me one.
Well, the past couple of years has been the year of AI, right?
So every vendor on their booth, they AI something, to your point, they AI-wash.
Here's my view, and I've been writing on the topic of AI and blogging about it and talking
about it for years.
You know, we had OpenAI before we had Copilots, before we had large language models.
I do think there's a lot of promise for AI, and I'm going to be a little, you know, maybe Pollyanna here when I say that I think that there is promise of AI.
Let's talk, I want to talk outside of security for just a second.
In solving some of the bigger problems we have in the world,
predictability of clean food supplies,
predictability of clean water supplies,
one of the biggest problems we have with immigration
is it's unpredictable.
People are leaving places that are becoming uninhabitable
because of climate change
or because they don't have sustainable food or water.
Our ability to predict those things
and then have orderly migration problem solutions
or get ahead of it
or have better sustainable clean
food and water supplies. I think there's promise of AI and I think we should be going really hard
in that direction. From a cybersecurity standpoint, I think there's a lot of...
Cybersecurity is a big data problem. I think I told you before the show, or even here, I was a
data person. I was a network person and data person for a long time. So to me, security is a big data problem.
It is fundamentally a big data problem.
You probably have all the data in your environment
to tell you you are under attack
or that you have a flaw or you have a vulnerability.
The problem is you don't have visibility
or you can't reason over that data fast enough.
So today's AI has the ability
to modernize our security operations center capabilities
and our human beings.
We could do this today by reasoning over the data faster,
by getting to better outcomes, by using agentic AI
and actually automating 90, 95% of what we do,
and then let your humans, your really smart humans
work on the hardest tasks, right?
I believe that exists today.
It's just an implementation and an architecture conversation.
The promises for tomorrow and
the things that we could do with devices, device identities, vulnerable devices, particularly
like in healthcare organizations, are a huge problem.
Think about oil rigs that have 25-year life on these things. Manufacturing line, they're
not going to rip these things out, so they have to get better signal from them. They
also can't patch them and update them. They also can't firewall. I think you know
Leslie Carhart from talks a lot about, you know, you can't just contain everything. They actually
have to work. Okay. Unplug it, sink it in concrete and drop it in the ocean. It's mostly secure then,
but that's not the most usable product. No, it's not. So I think that AI has a lot of promise for
devices. I also think we're, everything has an identity, right?
Everything has an identity in the world of computers.
We're pretty decent as an industry at managing human identities.
We are lousy about managing service identities, machine identities, device identities, et
cetera, et cetera, et cetera.
I think those are the places where AI can make a big difference and it's nascent, right?
Everyone's rushing to solve the security operations there.
That's fantastic.
I'm really thrilled that we're seeing all this innovation in SIEM and SOAR and next
gen graphs and all of that because that's a big lift, but we need to get really good
at things like identities and devices.
Increasingly, this is feeling like the needle in a haystack problem.
There was a report that came out recently that highlighted a fact I didn't know,
which is that apparently over in Azure land
or Microsoft 365, the line gets blurry sometimes
and I don't play in that space,
so apologies for any misspeaks.
That every time a user gets an entitlement
for a different product,
it represents as a different role or identity
as a part of that, which okay,
I'm not criticizing the security model,
but I know that when
you have hundreds upon hundreds upon hundreds, if
not add orders of magnitude to that number of roles,
finding the needle in a haystack, that's the
problem. Ooh, that's an overscoped thing that just
has way more permissions than it needs becomes
intractable for humans to tackle. I want the
computer to be better at finding those things for
me. Yeah. And I, by the way, I'll say this. I don't know if that's the exact architecture.
So we're just going to illustratively use it, right? I would have to go look.
Yes. If it's not true, something directionally like that exists somewhere on the planet.
Directionally, let's say it's directionally correct. We do create, and it is a, it is a
computer problem. We do create way too many ethereal identities, right? We do create way
too many. Ann Johnson is way too many things in too many places that are unmanageable. And every
interaction I make, remember, everything I make has its own unique noise and its own unique signal,
right? So the computer AI can make us a lot better at that. We just have to get there, right? We just
have to get there. I think that there's also a misunderstanding because the term AI is starting to mean a whole
bunch of different things. You talk about trying to predict the impact of climate change.
There are ways to do that with analysis of statistical models and feed that in.
That is not the same thing as asking chat-jippity, what predict what's going to happen? And it just
spits out a bunch of words that it predicts and sounds incredibly confident.
But yeah, that turns out that's not a qualification in its own right.
So you will appreciate what I'm about to tell you, because we talked about the fact that I have, you know,
communications undergrad degree, my graduate degree, which at some point I'll actually finish, is in statistics.
Because it's a passion for me. And yes, I know that makes me, you can judge me on that.
Combine them and you're talking about numbers all the time.
Yeah, that I love statistics and you can judge me.
You're allowed to judge me for that.
To your point, statistics as we think about it today
is point in time or look back, right?
What I'm talking about is predictability.
And you actually have to be able to reason over all
that data to say, okay, the climate
in sub-Sahara is going to become unsustainable in this particular microclimate in 2040.
And we need to think about how we either make the changes we need to, we might be too late,
who knows, or how we're going to orderly migrate that population so it doesn't become this
issue that we have today with populations migrating because they're running from whatever harms, right?
And that's the stuff I'm talking about AI doing.
That is very different than looking at statistical modeling and understanding what's happening today or going back in time and understanding what's happening.
It's one of the things, and I'll just make this one comment, and I'm going to be nonpartisan saying,
it's one of the things that makes like political polling so difficult because everything you do is a point in time and a reflection on the day
you found the person.
And that doesn't give you any predictability honestly on how they're actually going to
vote, believe it or not.
Because you could have a favored candidate today and tomorrow they get up and you're
polled today and tomorrow they get up and give some speech and you just say, you know what, I'm going to stay home or I'm going to go vote for the other
guy or other gal. So it's one of the statistics is wonderful if you understand what statistics is.
Numerical literacy is not historically something that has been emphasized in most public school
curricula or private for that matter. It's not. And we need to, we obviously, I am, I fund a couple of scholarships. I've been, I told
you, I've been very privileged in my life. I grew up very poor. I funded school myself. So now with
the two, I went to junior college, by the way, to start. And then I went to what we call community
college. And then I went to a state school and I fund scholarships for them both in STEM, because STEM for underprivileged
youth, because I'm like, we just have to get that education out there.
I understand that having a degree that's not in STEM has not held me back, but the world
has changed rapidly.
Technology has changed.
I look at my daughter.
My daughter's early 20s.
I should remember exactly how old she is. This is terrible. My daughter's early 20s. The kid I gave
birth to, I can't remember exactly how old she is. But anyway. It was some time ago, time got weird
during the pandemic. We have a fudge factor in there. Yeah. She's early 20s, right? And I look
at her generation and the generation we know her, they're digital natives, right? They are digital
natives. She had a, whatever the device was in her hand, you know, when she was a toddler, right?
And she's had an iPhone since she was 13, you know, they're digital natives. So STEM is just so incredibly important.
I agree. I worry sometimes in some aspects that they're going to over index on that,
to the expense of the humanities, where, okay, great, you can do a lot of math, that's great,
but you need to be able to have something to do that about.
Something, there's a, we can't replace every facet
of humanity with AI, and I would argue we shouldn't try.
No, we should not try.
Even with music is one of those things where I find,
I find that a particularly tone deaf way
to start exploring AI.
Music is the soul of humanity, whether we like it or not.
Watch a sad movie without
a soundtrack. You don't cry. It's very much tied to the human experience. We're going
to have computers do that now. I don't know that that's the message you think it is.
Well, I worry about this generation that's coming up. I was reading that reading. There
were timeout readings since just the year 2000, by the way, kids since the year 2000,
it's gone from like 80 to 20% of kids read weekly.
And I'm like, that's horrible.
And to your point, music's evocative,
the other thing is books.
I don't want AI writing books.
I read a lot, I'm a voracious reader.
And I like the fact that a lot of authors place,
"No part of this book was produced by AI."
They put that right in the beginning of the book because these,
this is art, right? Art. Yeah. There's a place for AI. I just, you know,
there's a place where it probably should stay away from too.
Yeah. I wholeheartedly agree on that front.
I want to thank you for taking the time to speak with me.
If people want to learn more, where should they go to find you?
Ah, they can find me on LinkedIn as Ann Johnson.
If they want to, generally want to learn more
about Microsoft, obviously we have
a Microsoft security website.
And then I have, and I want to thank you.
And if you don't mind, my own plug,
I have my own podcast, maybe we'll have you on,
a reciprocal one.
They can find me at afternooncybertea.com.
And we will put links to all of that in the show notes.
Thank you so much for taking the time to speak with me.
It's great to finally have a conversation like this that isn't entirely
basically Twitter random passings in the night.
Thank you for inviting me. Thanks for making the time.
Ann Johnson is the Corporate Vice President and Deputy CISO
of the Customer Security Management Office at Microsoft.
I'm Cloud economist Corey Quinn and this is Screaming in the Cloud.
If you've enjoyed this podcast, please leave a five-star review on your podcast platform
of choice.
Whereas if you hated this podcast, please leave a five-star review on your podcast platform
of choice along with an angry comment pointing out that nine years of Microsoft is still very much the new kid, and then go download the next episode onto
your Zune.