Screaming in the Cloud - The Latest on Microsoft Security with Ann Johnson

Episode Date: May 1, 2025

Microsoft has its fingers in a lot of pots, but just how secure are said pots? On this episode, Corey is joined by Ann Johnson, Corporate Vice President and Deputy CISO of Microsoft's Customer Security Management Office. Ann talks about her 40-year professional journey and how it's culminated in her current role. Corey is known to “punch up” at the big guys in the tech industry, but he and Ann talk about the challenges of corporate leadership and being a public face in such a prominent company. Since it’s 2025, of course, they’re going to talk about AI’s pros and cons (and why it shouldn’t be used to make art).

Show Highlights
(0:00) Intro
(0:51) The Duckbill Group sponsor read
(1:25) What Ann's been up to since she and Corey last spoke
(2:29) The makeup of Microsoft Security
(4:28) The unique company culture at Microsoft
(8:42) What's going on with Microsoft Azure
(10:31) How Ann handles the immense pressure of working in Microsoft Security
(14:13) The toxic nature of online criticism
(19:57) The Duckbill Group sponsor read
(20:24) The value of telling your leaders the truth
(23:31) Ann's thoughts on the current state of AI
(28:44) Properly defining what AI can and can't do
(30:54) Why Ann helps fund multiple STEM scholarships
(32:16) The need for the humanities alongside tech
(33:38) Where you can find more from Ann Johnson

About Ann Johnson
Ann Johnson is Corporate Vice President and Deputy CISO at Microsoft. In this role, Ann drives all external engagement for the Microsoft Office of the CISO. She is a long-tenured, recognized thought leader on cybersecurity, published author, and a sought-after global speaker and digital author specializing in cyber resilience, online fraud, cyberattacks, compliance, and security.

Ann challenges traditional schools of thought and cyber-norms–from the way the tech industry tackles cyber threats to the language it uses to communicate–and encourages the industry to get outside its comfort zones and expand how it addresses the evolving threat landscape with the power of technology and people. As a global cybersecurity leader and strategist, she is looking ahead at how today’s cybersecurity investments will impact tomorrow’s cybersecurity reality.

Ann currently serves on the Board of Directors of N-Able, Human Security, Datavant, and is Member of the Board of Advisors for Cybersecurity Center of Excellence, WA and the Signal Cyber Museum Society. Ann is also an Executive Sponsor of the Microsoft Women in Cybersecurity Group.

Links
Ann Johnson’s LinkedIn: https://www.linkedin.com/in/ann-johnsons/
Microsoft Security: https://www.microsoft.com/en-us/security
Afternoon Cyber Tea: afternooncybertea.com

Sponsor
The Duckbill Group: duckbillgroup.com

Transcript
Starting point is 00:00:00 Because I never want to be that person that you can't give feedback to. And I find that a lot of the communication we're talking about here, why people struggle is because people don't give leaders feedback. They tell them what they want to hear. There's so many leaders I know in industry that they don't have anyone who is brave enough that immediately surrounds them, that's willing to tell them the truth. And that's the problem.
Starting point is 00:00:19 That's why companies fail, by the way. That's why leaders fail, because you have to have that one or two people in your circle that are willing to tell you the truth. Welcome to Screaming in the Cloud. I'm Corey Quinn. My guest today is Ann Johnson, who's a corporate vice president and deputy CISO of the Customer Security Management Office at presumably a large company with a title like that, Microsoft. And thank you for joining me.
Starting point is 00:00:50 Thank you for having me. This episode is sponsored in part by my day job, the Duckbill Group. Do you have a horrifying AWS bill? That can mean a lot of things. Predicting what it's going to be, determining what it should be, negotiating your next long-term contract with AWS, or just figuring out why it increasingly resembles
Starting point is 00:01:10 a phone number, but nobody seems to quite know why that is. To learn more, visit DuckBillGroup.com. Remember, you can't duck the Duckbill bill. And my CEO informs me that is absolutely not our slogan. You and I have talked for a while about various things throughout the industry. We were Twitter mutuals for a while. We've rediscovered each other on Bluesky as after the great diaspora. And then there's a recombining now in social media. What have you been up to the last couple of years? Oh, nothing. It's just, you know, that's what's going on with computers these days.
Starting point is 00:01:46 What could it possibly be? What have I been up to? Let's see. I took a new job at Microsoft in May, which is to Igor Tsyganskiy, who's our CISO recruited me. And he said, look, I need my security people to be focused on securing Microsoft. He said, and we get a lot of customer demand to talk about how do we secure Microsoft? Come meet with us, tell us what your experts are doing.
Starting point is 00:02:08 Come do this podcast or come write this blog or come do this interview. And he said, so I'd really like you to build a small team that does those things, that actually can be subject matter experts on how we secure Microsoft, can write blogs, can go do podcasts and do interviews. So the security, the core security team
Starting point is 00:02:24 is actually focused on securing Microsoft. It is probably the funnest job I've had in a very long time. Forgive me, the taxonomy of large companies is something that is tricky to ascertain from the outside. And I'm told the inside as well in some cases. So Microsoft security is its own organization. How does that interrelate with the, frankly, sprawling at, I guess, various business units
Starting point is 00:02:49 that you folks have? There's Xbox, there's Azure, there's LinkedIn, there's GitHub or Jithub, as I insist on pronouncing it. Where do you start and where do you stop as a security org? I'm a hard G person, you know that, because we've had this debate. I also like pineapple and pizza, which is a whole nother debate. So Charlie Bell leads all of Microsoft security. Microsoft security is a peer organization to those other organizations you name. So Charlie has peers who lead Microsoft 365, Azure, LinkedIn, gaming, AI, et cetera, et cetera, et cetera. Within Charlie's organization
Starting point is 00:03:22 is where the office of the CISO sits and we do call it the office of the CISO. So Igor Tsyganskiy, my boss, works for Charlie Bell. The other parts of Charlie's organization are focused on the engineering and product management efforts of our Microsoft Security Solutions portfolio. So the actual security products that we sell to our customers. So on some level you are not part of those other, those other orgs, you're a peer to them, but presumably you also dive deeply into those other orgs. Do they have their own internal security apparatus, apparatus, apparatus as well? Well, we are the security apparatus. Now we are the security apparatus not just for internal Microsoft employees but also for Microsoft products. So now that being said, as you know, these big huge companies have a lot of matrixes.
Starting point is 00:04:06 So there are people within those organizations that will be a deputy CISO that will report directly into the senior engineering leader like Charlie or Scott Guthrie or Rajesh Jha, but they have a matrix reporting to Igor and that matrix is related to risk and improvements we need to make in the products to make them more secure.
Starting point is 00:04:26 I forgot, that's right, Scott does run Azure. He was a guest on the show years ago and I was impressed the fact that he still wore the white, sorry, the red shirt when he showed up. Wow, okay, this is not just something he does when he's on stage. This is actually how the man dresses, which awesome. I love the branding. You know what else I love about the guy and I'm sorry, I'm not here to be the president of the Scott Guthrie Fan Club, but you get on a phone call with him, Rajesh, Charlie Bell, any of those
Starting point is 00:04:52 folks that are Satya's leadership team, Satya himself, they understand at a micro level that I've never seen senior executives understand how the products are wired. They understand the coding. They understand a deep, deep technical depth and can coach and move their teams along. It is unbelievably impressive to watch a Scott Guthrie be able to scale across the business, right? You would expect him to understand the cloud business, but also the deep, deep technical depth that he has. I think the common thread among all of the,
Starting point is 00:05:23 I guess tech titans to use the framing, the one that really separates those companies from others, is that the executive leadership team deeply and profoundly cares. They sweat the details across the board. When you have other companies that like to style themselves as being one of these, but they never quite seem to break through, and you look at their executive suite and there's basically it's a revolving door and they wind up bringing in a bunch of outsiders, because, okay, this is generic company,
Starting point is 00:05:48 so we're gonna call down to Central Casting and get generic CTO to come in for 18 months. It does not have that same ethos. I mean, you've joked that you're still the new kid at Microsoft, but you've been there for nine years. Yeah, and I've been in tech almost 40, just so you know. So I've been in tech my entire professional career since I graduated from college. And Microsoft does have a very, very unique culture compared to other companies.
Starting point is 00:06:12 And that's not a good or bad statement. It's just a very different culture. But the thing we have that is awesome is we do have a very senior leadership team that is deeply in the details, that cares passionately about the business and cares passionately about what product we're putting out there. So I sit on these calls sometimes and these big calls where the senior executives will start to get into a conversation about something. And I'm always amazed at the way they scale up and down. They scale at the super high level. Let's talk strategy at this 20,000 foot view. All right. Let me talk specifically about how we're securing a specific mailbox
Starting point is 00:06:50 within a specific tenant with it. I'm like, wow, really? It's the fractal complexity that always blows me away by so many of these things. One of my old favorite repos on GitHub was entirely devoted to exhaustively answering the question. You type www.google.com into your browser and press enter. What happens? And people have gone into stupendous detail on the nature of the keyboard, the bouncer in the switch that winds up it goes beyond the level of insane complexity. And we still haven't finished it. It's still not done because there's always more to learn and more to know
Starting point is 00:07:26 Well, there is and look I'm not an I'm not a coder. I'm not an engineer I grew up as an architect actually I was a network architect early in my career with token ring even before we got to ethernet Which was a blessing but that all aside So I look at problems differently like everything to me is an architecture problem These folks look at it and I think it was Bill Gates that said, anybody that could code can solve any problems because you're talking about putting a bunch of strings and characters together and making something happen and it's the most awesome thing in the world. I can't even imagine having the skills to do that, right? I was much the same way. My only programming languages that work are brute force and enthusiasm
Starting point is 00:08:01 and with the advent of AI doing what it can do, apparently I can bully the LLM into eventually building something that's at least reasonably within hailing distance of working. It may be psychotic, but it also works. It's starting to unlock that for folks who don't have that classical, I'm going to sit down and write code for the next 10 years mentality. Yeah. I mean, I built in college, I took a computer class, computer science class, and I built a Pong game in BASIC.
Starting point is 00:08:27 That is the last time I wrote a line of code. So I have deep appreciation for the profession. Oh, they were teaching C++ when I went to school, and I think I filed a complaint with the university that I thought you'd outlawed hazing. What is this? Exactly. So I do want to ask,
Starting point is 00:08:44 but Azure had a couple of, I guess about a year or so of interesting security revelations. You folks did a blog post on it. It's been a couple of years since then. So, I am curious, what is going on? What's changed? How are you viewing this? Yeah. And Corey, again, I didn't come on your podcast to sound like a Microsoft commercial, but
Starting point is 00:09:02 I will tell you what's changed. Satya and Charlie Bell last May, you know, really kicked off the Secure Futures Initiative, which is this wholesale across the company, 34,000 full-time equivalent people who are working on security every day and making sure that we're closing any gaps. You know, like a lot of companies, Microsoft's going to turn 50 years old, by the way, next week. OK, that's an old company. OK, it's going to turn 50. That's older than most technology people's life span. But anyway, so we had a lot of technical debt. We had a lot of stuff that we had to go back and clean up. And it's just like our customers.
Starting point is 00:09:37 Our customers suffer from having too much technical debt. They suffer from, hey, we're going to bring something new to market and we're going to rush and move really fast. And oh, by the way, we didn't go clean up these other 10 things that already exist. Right. So we've spent almost a year now. We're publishing reports twice a year. The next one will come out in April. But we have this wholesale effort and Satya has sent out this memo that we call the security above all else memo.
Starting point is 00:10:00 And it is really true. We have transformed the culture of the company, but we've also really, really hardened the environment and we'll continue to do that. The attackers are not any less persistent than they were. We are a target-rich environment, just like the other hyperscalers are a target-rich environment. So they find unique and innovative ways, and if you have one hole, they find it. So we're going to continue to harden the environment, but we've done so much just in a year. It's a really, it's a testament to the breadth and depth of Microsoft that if you want to be, if we want to put an effort around something,
Starting point is 00:10:30 we will get it done. Something I didn't appreciate fully at the time is that unlike any other company on the planet, Microsoft does business and has contracts with modulo every entity on the planet. Virtually every government, except some on a very small restricted list, every enterprise for certainty, etc. And so much of that curtails inherently what you can say about anything that even comes within hailing distance of security. For me, the longer I've had to think about this, the more surprised I am that you can say anything at all,
Starting point is 00:11:08 just based upon the fact that basically all of humanity on some level has a view, position, stake, and will take any issue they can with anything you folks say. How do you do it? It can be tough. Look, I'll give you a perspective. I had a couple small startups right before
Starting point is 00:11:27 I came to Microsoft, but I spent a lot of years at EMC and I thought EMC was a huge company until I came to Microsoft. And the one thing I've learned about Microsoft and it you can, my LinkedIn feed and my LinkedIn inbox and my in-mails will tell you this is that I get the most amazing, I'm going to use the word amazing, mails from people. I had a problem with this and I'm like, I don't even know what that is, some consumer piece and I want to be empathetic and sensitive to people. But we get challenged. It's like people throw a lot of rocks at us because we are a very large organization. We have a consumer
Starting point is 00:12:05 email presence. We have an enterprise email presence. We have a cloud presence. We do gaming. We have LinkedIn. We have GitHub. You name it. There's a lot of rocks that get thrown. And sometimes it can be really difficult. One of my roles as a leader here is to keep my team from being demoralized. If they pick up the paper every day and people are saying horrible things about Microsoft, it's really hard to get up, put your shoes on and go to work. And I wish that people, I understand, like we were deserved of criticism, right? We had some work we had to do.
Starting point is 00:12:32 We had to clean house a bit. We had to clean up the environment a bit. But understand the human, and I know that social media right now, we don't understand the human aspect of anything. As a matter of fact, it's fun to target people in some aspects, you know, people like, it's a sport, but understand the demoralizing
Starting point is 00:12:49 and understand that Microsoft security professionals get up every day and want to do the right thing. We come to work trying to do the right team. People work exceptionally hard here, and it can be really demoralizing to folks if all they're doing is being criticized. Something that I have had to relearn again and again and again, and it's so easy to view it as a multi-trillion dollar behemoth.
Starting point is 00:13:10 Like any type of criticism I give is of course going to punch up everything that I can say. It's a faceless giant entity that you just can't even wrap your head around completely. But these things are comprised of people. It's not a million people working on a particular initiative. It's generally a smallish team. And it doesn't feel great when people like me are running our mouths about some of the missing features or approaches to things that haven't gone super well.
Starting point is 00:13:37 I mean, at some point, you sort of have to take the licks. That's a consequence of sheer scale. But I endeavor not to make it personal. And the challenge of course is not everyone takes that view. I've talked to a lot of people at all of the hyperscalers, none of them feel great when effectively people start throwing rocks. Yeah, look, you have to learn not to take it personally,
Starting point is 00:14:02 right, and that's what I coach my people. I also have this expression, it's a little rough, but I say, look, if you can't run with the big dogs, get off the porch. Because at the end of the day, we are working for this very large company. There are a lot of advantages and benefits for working for this very large company. You're learning, you're experienced, the people you're surrounded with, the talent, your opportunities are amazing. And unfortunately, the downside that does come with the fact that people are going to call us out as they should. They should, people make us better. But what I would ask is try not to make it personal. Try not to say, Hey, Ann Johnson, she really sucks because this happened. Say, Hey, this happened
Starting point is 00:14:37 and it wasn't great. And we're like, yeah, you know what? You're right. That's, that's all I ask. But you don't, you know, like I said, social media at times was such a bad invention because it lets people hide and throw rocks, things they would never do if they had to have a more personal interaction. People say things to me on the internet they would never in a million years say in person because you don't talk to people like that. It is wild seeing, I guess, the way that it shades human interaction. And I've met almost my entire social circle on the internet. I met my wife on a dating site. I met my business partner on IRC many, many years ago.
Starting point is 00:15:17 It has changed the course of my life. But even so, I still find myself inclined to say things to people on the internet that I would not say to them directly. And I recently had the unfortunate discovery that I really hope I never talk to humans the way that I talk to LLMs when they get things wrong because I am reactionary and angry about it and I don't like that person that I become, though it can admittedly be
Starting point is 00:15:40 somewhat hilarious when you realize this is just a stochastic parrot and I'm a sarcastic parrot and we compete with each other and it's great. But yeah, I would never talk to humans like that. I hope. Yeah, I hope not too. I worry other people don't have that boundary. No, they don't. And sometimes I make mistakes, right? And then I, you know, I'll make a mistake in a response to some internet trying to be funny and I reread it and I'm like, oh, that wasn't actually funny. And that was a little bit too snarky, right? It wasn't funny snarky. It was actually kind of mean snarky. But I also joke that, just so you know, that there is one place we could all be snarky. And if someone could please program my GPS,
Starting point is 00:16:12 because I am directionally challenged to say, you idiot, I told you to turn back there. I would accept that type of snarkiness from a computer. Yeah. No, Jack, hold your other left. Yeah, exactly. Yeah, exactly. Yeah. I would accept that kind of snarkiness from a computer, but no, people have to realize that there are real live human beings and they're getting up every day and trying to do their best. And yes, human beings make mistakes
Starting point is 00:16:34 and yes, companies make mistakes, but that doesn't mean we all suck. It just means that we need the feedback to get better. One of the wisest things I've ever heard was from John Scalzi, who fortunately is very prolific and shitposty himself on Bluesky. But I've been quoting it for years where I learned that he was the one that said it. And ever since then, I have quote attributed every time, the failure mode of clever is
Starting point is 00:16:55 asshole. And he's right. I love that, by the way. I've seen when I do the live tweeting now live skeeting of various corporate keynotes very often other people try to join in and do the emulation approach they're mean about it and I look back at my very early days I was too it's a it's sort of the evolution of it but I didn't have anything of a following back then and the blast radius was very contained and I'm still atoning for some of those sins and it's don't do it like that. That's not
Starting point is 00:17:25 gonna work. I worry that I'm the worst kind of role model. No, I look at maybe but I think you do it with the best intent. I can you know I'm old enough now we talk about my age but I am old enough now that I can tell intent. People will say and I'm just gonna give you an example say well that you know that person was kind of sexist. I'm like yeah I don't think they actually were being I don't think they I think if you told them they were being sexist, they'd be horrified because I don't think there was intent behind it. I think it was subconscious.
Starting point is 00:17:50 They need a little education and let's give them some grace. Let's just say, hey, this didn't land well because you said it like this. If you had said it like this, you would have been constructive without anybody reading negative things into it. I think most people, and I'm going to stick to this because it's the reason I get up every morning.
Starting point is 00:18:04 I think most people have good intent. I have a communications degree, Corey. I have an advantage, right? I understand communication is all about the receiver and even I make mistakes. Most people don't have a communications degree so they don't get up thinking about the receiver and the communication. They don't have that level of training. So I really try to cut people grace unless that can tell they're deliberately being a jerk. I also, it's easy for me just because all I have to do is more or less repeat the same thing that corporate marketing departments put out after there's been so workshops and committeed and it's become anodyne and I just repeat it with a funny voice as a
Starting point is 00:18:38 dramatic reading and that alone is a basis for comedy. But this goes back to the idea of the larger you get the harder it is to communicate directly, succinctly and transparently because everyone has an agenda. Everyone has an agenda and opinion. And I'm never, you know, folks will tell you, I'm never anodyne enough that I could be a marketing person, unfortunately. I'm not pithy enough. I'm not, you know, brief enough because I wanted to be a lawyer, by the way.
Starting point is 00:19:02 So my communication skills were trained in a very different way. My wife is an attorney and every time she was like, I think I'm going to become a lawyer who reflective responses. No, don't do that. It's a, it's a decision that isn't going to go the way you imagine it, put in your head. Teachers should to be a little more verbose. It does because you want to be super clear in what you're trying to drive.
Starting point is 00:19:22 But I do think it's funny. Sometimes I read even marketing stuff we put out. And by the way, full respect to our marketing team. This is not in any way, but sometimes I'll read something like, wow, that's kind of cheesy. You know, that is not exactly probably how we want. But when you read something
Starting point is 00:19:37 and you've got the armchair quarterback, it's like sports, right? It's opening day for baseball today when we're recording this. It's like sports being the armchair quarterback. When you read something that someone else wrote and you're removed from it, you actually can have perspective on it.
Starting point is 00:19:50 And I do try to give gentle feedback to people if I think a message is just, you know, a little bit off base. This episode is sponsored by my own company, the Duckbill Group. Having trouble with your AWS bill? Perhaps it's time to renegotiate a contract with them. Maybe you're just wondering how to predict what's going on in the wide
Starting point is 00:20:11 world of AWS. Well, that's where the Duckbill Group comes in to help. Remember, you can't duck the Duckbill bill, which I am reliably informed by my business partner is absolutely not our motto. And changing context on it works too. I submitted a talk a year or so ago for GitHub Universe that in their excellent decision-making capacity they did not select, but it was about GenAI because it has to be, and my co-presenter was listed as GitHub Copilot. Surprise! And it wanted a bio so I wound up copying and pasting what it had on the marketing website.
Starting point is 00:20:45 And if you ever met a person who self described in those terms, they would be the world's biggest blowhard. And I had fun with like relationship to GitHub, mandatory field, product. Great, it was easy. We just had fun with it. And yeah, they went with good talks instead of my nonsense, which is absolutely the right decision.
Starting point is 00:21:02 But even that, it really drove home the idea that things that make perfect sense in one context, because it's not a bad product page at all, but turn that into a self-description bio and you want to stay as far away from that person as you can. I wish there were a lot of leaders, just take leaders in general, that actually had people that told them the truth.
Starting point is 00:21:20 So I try to be that person, it doesn't always make me super popular, but I do try to do it in a very constructive way. And by the way, I try to encourage my team that too. I said, you can say anything to me, say it respectfully, say it with context, but you can say, hey, this really sucks. Because I never wanna be that person
Starting point is 00:21:36 that you can't give feedback to. And I find that a lot of the communication we're talking about here, why people struggle is because people don't give leaders feedback. They tell them what they wanna hear. There's so many leaders I know in industry that they don't have anyone who is brave enough that immediately surrounds them that's willing to tell them the truth. And that's the problem. That's why companies fail, by the way. That's
Starting point is 00:21:57 why leaders fail, because you have to have that one or two people in your circle that are willing to tell you the truth. It's risk to do that. It takes a certain willingness to be direct. I found that in the early days of my career, that when it comes to office politics, you're not opting out, you're forfeiting. It's why I was always a terrible employee in some ways, but as a consultant, it's great because the politics that I have to manage are minimal at their absolute worst and mostly non-existent. It's great. I'm here to give you advice as actual consulting advisory, and then you do with that what you'd
Starting point is 00:22:31 like, but I'm not here to worry about building a strategy for a fiefdom that you're trying to spin up to accumulate headcount. Great. You do you. That's not my role. It's nice. It affords me a freedom, to be direct that I think is refreshing to folks. People are, we used to say it was laudable that like,
Starting point is 00:22:50 oh, I'm very direct and I say what I mean and people should emulate that as, yeah, I just don't have a filter. I don't know that it's necessarily a skill or an actor or a talent. It's just a personality defect. Great, find a way to work with it. You know, I don't even know if it's a personality defect.
Starting point is 00:23:06 And I think it comes a little bit from a place of privilege, right? I'm senior enough in my career. By the way, I've had a career that I never would have expected. I've been more successful than I ever would have imagined. And so now I don't give a fluff, as my dog would say. In a lot of cases, I just don't. I'm like, look, I want everything to be better. I want everyone to be good.
Starting point is 00:23:22 I'm not going to be a rude, abusive jerk, but I got to give you constructive feedback and if that means that tomorrow I don't have a paycheck for Microsoft, I guess I just live with that outcome. Right. You, that feels like a perfect time for you to bring this little gem up. You are, as you say, you're very direct and you've been doing this an awfully long time. What is your take on the current state of AI, given that every company is, to be direct,
Starting point is 00:23:46 beclowning itself as fast as it can to AI wash everything they've been doing for the last five years and slap it all over their marketing? So it's so funny. This will be my 23rd or 24th year going to RSA in a few weeks, the RSA conference. And every year at RSA, I joke about it, it's the year of whatever. It was the year of smart cards, or the year of certificates, or the year of network filtering, or the year of whatever. 15 straight years, the year of the firewall again and again and again. Everyone's trying to sell me one.
Starting point is 00:24:14 Well, the past couple of years has been the year of AI, right? So every vendor on their booth, they AI something, to your point, they AI-wash. Here's my view, and I've been writing on the topic of AI and blogging about it and talking about it for years. You know, we had open AI before we had co-pilots, before we had large language models. I do think there's a lot of promise for AI, and I'm going to be a little, you know, maybe Pollyanna here when I say that I think that there is promise of AI. Let's talk, I want to talk outside of security for just a second. In solving some of the bigger problems we have in the world,
Starting point is 00:24:45 predictability of clean food supplies, predictability of clean water supplies, one of the biggest problems we have with immigration is it's unpredictable. People are leaving places that are becoming uninhabitable because of climate change or because they don't have sustainable food or water. Our ability to predict those things
Starting point is 00:24:59 and then have orderly migration problem solutions or get ahead of it or have better sustainable clean food and water supplies. I think there's promise of AI and I think we should be going really hard in that direction. From a cybersecurity standpoint, I think there's a lot of... Cybersecurity is a big data problem. I think I told you before the show, or even here, I was a data person. I was a network person and data person for a long time. So to me, security is a big data problem. It is fundamentally a big data problem.
Starting point is 00:25:27 You probably have all the data in your environment to tell you you are under attack or that you have a flaw or you have a vulnerability. The problem is you don't have visibility or you can't reason over that data fast enough. So today's AI has the ability to modernize our security operations center capabilities and our human beings.
Starting point is 00:25:45 We could do this today by reasoning over the data faster, by getting to better outcomes, by using agentic AI and actually automating 90, 95% of what we do, and then let your humans, your really smart humans work on the hardest tasks, right? I believe that exists today. It's just an implementation and an architecture conversation. The promises for tomorrow and
Starting point is 00:26:05 the things that we could do with devices, device identities, vulnerable devices, particularly like in healthcare organizations, are a huge problem. Think about oil rigs that have 25-year life on these things. Manufacturing line, they're not going to rip these things out, so they have to get better signal from them. They also can't patch them and update them. They also can't firewall. I think you know Lesley Carhart from talks a lot about, you know, you can't just contain everything. They actually have to work. Okay. Unplug it, sink it in concrete and drop it in the ocean. It's mostly secure then, but that's not the most usable product. No, it's not. So I think that AI has a lot of promise for
Starting point is 00:26:41 devices. I also think we're, everything're back, everything has an identity, right? Everything has an identity in the world of computers. We're pretty decent as a, as an industry in managing human identities. We are lousy about managing service identities, machine identities, device identities, et cetera, et cetera, et cetera. I think those are the places where AI can make a big difference and it's nascent, right? Everyone's rushing to solve the security operations there. That's fantastic.
Starting point is 00:27:06 I'm really thrilled that we're seeing all this innovation and SIEM and SOAR and next gen graphs and all of that because that's a big lift, but we need to get really good at things like identities and devices. Increasingly, this is feeling like the needle in a haystack problem. There was a report that came out recently that highlighted a fact I didn't know, which is that apparently over in Azure land or Microsoft 365, the line gets blurry sometimes and I don't play in that space,
Starting point is 00:27:33 so apologies for any misspeaks. That every time a user gets an entitlement for a different product, it represents as a different role or identity as a part of that, which okay, I'm not criticizing the security model, but I know that when you have hundreds upon hundreds upon hundreds, if
Starting point is 00:27:47 not add orders of magnitude to that number of roles, finding the needle in a haystack, that's the problem. Ooh, that's an overscoped thing that just has way more permissions than it needs becomes intractable for humans to tackle. I want the computer to be better at finding those things for me. Yeah. And I, by the way, I'll say this. I don't know if that's the exact architecture. So we're just going to illustratively use it, right? I would have to go look.
Starting point is 00:28:10 Yes. If it's not true, something directionally like that exists somewhere on the planet. Directionally, let's say it's directionally correct. We do create, and it is a, it is a computer problem. We do create way too many ethereal identities, right? We do create way too many. Ann Johnson is way too many things in too many places that are unmanageable. And every interaction I make, remember, everything I make has its own unique noise and its own unique signal, right? So the computer AI can make us a lot better at that. We just have to get there, right? We just have to get there. I think that there's also a misunderstanding because the term AI is starting to mean a whole bunch of different things. You talk about trying to predict the impact of climate change.
Starting point is 00:28:53 There are ways to do that with analysis of statistical models and feed that in. That is not the same thing as asking chat-jippity, what predict what's going to happen? And it just spits out a bunch of words that it predicts and sounds incredibly confident. But yeah, that turns out that's not a qualification in its own right. So you will appreciate what I'm about to tell you, because we talked about the fact that I have, you know, communications undergrad degree, my graduate degree, which at some point I'll actually finish, is in statistics. Because it's a passion for me. And yes, I know that makes me, you can judge me on that. Combine them and you're talking about numbers all the time.
Starting point is 00:29:28 Yeah, that I love statistics and you can judge me. You're allowed to judge me for that. To your point, statistics as we think about it today is point in time or look back, right? What I'm talking about is predictability. And you actually have to be able to reason over all that data to say, okay, the climate in sub-Sahara is going to become unsustainable in this particular microclimate in 2040.
Starting point is 00:29:52 And we need to think about how we either make the changes we need to, we might be too late, who knows, or how we're going to orderly migrate that population so it doesn't become this issue that we have today with populations migrating because they're running from whatever harms, right? And that's the stuff I'm talking about AI doing. That is very different than looking at statistical modeling and understanding what's happening today or going back in time and understanding what's happening. It's one of the things, and I'll just make this one comment, and I'm going to be nonpartisan saying, it's one of the things that makes like political polling so difficult because everything you do is a point in time and a reflection on the day you found the person.
Starting point is 00:30:30 And that doesn't give you any predictability honestly on how they're actually going to vote, believe it or not. Because you could have a favored candidate today and tomorrow they get up and you're polled today and tomorrow they get up and give some speech and you just say, you know what, I'm going to stay home or I'm going to go vote for the other guy or other gal. So it's one of the statistics is wonderful if you understand what statistics is. Numerical literacy is not historically something that has been emphasized in most public school curricula or private for that matter. It's not. And we need to, we obviously, I am, I fund a couple of scholarships. I've been, I told you, I've been very privileged in my life. I grew up very poor. I funded school myself. So now with
Starting point is 00:31:14 the two, I went to junior college, by the way, to start. And then I went to what we call community college. And then I went to a state school and I fund scholarships for them both in STEM, because STEM for underprivileged youth, because I'm like, we just have to get that education out there. I understand that having a degree that's not in STEM has not held me back, but the world has changed rapidly. Technology has changed. I look at my daughter. My daughter's early 20s.
Starting point is 00:31:44 I should remember exactly how old she is. This is terrible. My daughter's early 20s. The kid I gave birth to, I can't remember exactly how old she is. But anyway. It was some time ago, time got weird during the pandemic. We have a fudge factor in there. Yeah. She's early 20s, right? And I look at her generation and the generation we know her, they're digital natives, right? They are digital natives. She had a, she had a, whatever the device was in her hand, you know, when she was a toddler, right? And she's had an iPhone since she was 13, you know, they're digital natives. So STEM is just so incredibly important. I agree. I worry sometimes in some aspects that they're going to over index on that,
Starting point is 00:32:21 to the expense of the humanities, where, okay, great, you can do a lot of math, that's great, but you need to be able to have something to do that about. Something, there's a, we can't replace every facet of humanity with AI, and I would argue we shouldn't try. No, we should not try. Even with music is one of those things where I find, I find that a particularly tone deaf way to start exploring AI.
Starting point is 00:32:41 Music is the soul of humanity, whether we like it or not. Watch a sad movie without a soundtrack. You don't cry. It's very much tied to the human experience. We're going to have computers do that now. I don't know that that's the message you think it is. Well, I worry about this generation that's coming up. I was reading that reading. There were timeout readings since just the year 2000, by the way, kids since the year 2000, it's gone from like 80 to 20% of kids read weekly. And I'm like, that's horrible.
Starting point is 00:33:11 And to your point, music's evocative, the other thing is books. I don't want AI writing books. I read a lot, I'm a voracious reader. And I like the fact that a lot of authors play, no part of this book was produced by AI. They put that right in the beginning of the book because these, this is art, right? Art. Yeah. There's a place for AI. I just, you know,
Starting point is 00:33:31 there's a place where it probably should stay away from too. Yeah. I wholeheartedly agree on that front. I want to thank you for taking the time to speak with me. If people want to learn more, where should they go to find you? Ah, they can find me on LinkedIn as Ann Johnson. If they want to, generally want to learn more about Microsoft, obviously we have a Microsoft security website.
Starting point is 00:33:54 And then I have, and I want to thank you. And if you don't mind, my own plug, I have my own podcast, maybe we'll have you on, a reciprocal one. They can find me at afternooncybertea.com. And we will put links to all of that in the show notes. Thank you so much for taking the time to speak with me. It's great to finally have a conversation like this that isn't entirely
Starting point is 00:34:14 basically Twitter random passings in the night. Thank you for inviting me. Thanks for making the time. Ann Johnson is the Corporate Vice President and Deputy CISO of Customer Security Management Office at Microsoft. I'm Cloud economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice.
Starting point is 00:34:36 Whereas if you hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry comment pointing out that nine years of Microsoft is still very much the new kid, and then go download the next episode onto your Zune.
