Strengthening Our Collective Defense
Episode 12


In this episode, host Raghu Nandakumara sits down with Ann Johnson, Corporate Vice President, Microsoft Security Business Development, to explore AI, everyday Zero Trust conversations, cyber resilience best practices, and so much more.  


Transcript

0:00:03.8 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation company. Today I'm joined by Ann Johnson, Corporate Vice President, Security Business Development at Microsoft. A 22-year cybersecurity industry veteran with tenure at RSA Security, Qualys and Microsoft, Ann is a recognized global speaker, an author and an outspoken advocate for diversity and belonging in tech and throughout the world. Additionally, Ann advises and serves on the Board of Directors for many organizations, including the Seattle Humane Society, Human Security, and the Executive Women's Forum. Today, Ann joins us to discuss AI, everyday Zero Trust conversations, cyber resilience best practices, and so much more. We're so honored to have you on our podcast, on The Segment. As a way of introduction, can you tell us a little bit about your background in cyber and what your current role at Microsoft entails?  

0:01:12.3 Ann Johnson: Yeah. Thank you Raghu. It's wonderful to be a guest. I lead, today at Microsoft, our strategic partnerships and M&A for cybersecurity. So it's a wonderful job. I think I have one of the best jobs in cybersecurity because I get to see everything in the industry, the newest stuff, the things that are nascent, and then think about how we partner with everyone to really build a security ecosystem because we fundamentally believe security is a team sport. I've been in cyber for 23 years since I started with this little company called RSA Security. I am... all cyber people have domains of expertise. I'm actually an identity and fraud person, so that's the place that I came from for cybersecurity for a very long time. And I've been at Microsoft for about seven years and I've done a few different jobs here but it's just been this extraordinarily fun run and really exceeded our expectations with our ability to bring customer solutions that will simplify their security and help them be more secure ultimately.

0:02:11.1 Raghu Nandakumara: That's incredible. So you've had such a storied career in cyber. What continues to keep you interested and motivated to stay in this domain?  

0:02:21.5 Ann Johnson: It changes every day. I'm one of those people that your brain never shuts off and you're looking for constructive things for it to focus on, and what I find is the dimensions with cyber are dynamic and the actors who are the bad actors change and the threats change and the landscape changes. And as companies now are modernizing, that made a huge change of cyber and now we have this thing called artificial intelligence, the natural language models and ChatGPT that are becoming real. So it's so dynamic and fun and ever-evolving. It just continually keeps me interested.

0:02:53.5 Raghu Nandakumara: You kind of brought up AI and those natural language models and ChatGPT. So in your opinion, the potential threat they pose and how they could be leveraged by malicious actors, is that very much real or at the moment is it just more hype than reality? What's your opinion on that?  

0:03:13.3 Ann Johnson: Yeah. So I don't know that it's real today. I think that as we continue to think about artificial intelligence and natural language models, they obviously are going to be abused by bad actors and I think in two ways. The first way is they're going to leverage the technology to launch some of their attacks. They're going to figure out how to leverage the technology to make it easier or faster for them to launch attacks. The second thing, though, is that we need to secure the models themselves. We need to secure the data. We need to secure against data poisoning. We need to secure against model poisoning. Because if you think about AI, such as for cyber, the world's data is going to sit there in some way or another in the future and that is a great target rich environment for any bad actor.

0:03:56.0 Raghu Nandakumara: Absolutely, and I think that's always been the challenge with machine learning initially and now as AI, that form of intelligence is really being expressed, is ultimately it is based on whatever data you feed into it and compromising that in some way or tainting that impacts what is output. But if we look at it from a positive perspective, you've touched on how bad actors could leverage AI models. But do you see that also as a potential there for essentially the blue teams, the defensive folks like ourselves, to get ahead of the bad actors, leveraging these models? Do you see the potential for that as well?  

0:04:36.1 Ann Johnson: Yeah, I think that there's absolutely huge potential for our blue teams, for our red teams, but also for us internally to learn from what we think the actors are going to do. Our job in this industry, I've always believed, is to stay a step ahead of them and that's why I'm optimistic constantly and I do think our blue teams and our red teams can take a lot of learnings from these natural language models. The thing it does is it makes it more egalitarian. So if you're not a coder, let's say you're not somebody who's written a lot of code, you actually have the ability now to really send a prompt into a system and have it execute something for you, which means it opens up this world that whether you're doing investigations or red or blue teaming, you suddenly open the world to a much broader audience.

0:05:19.6 Raghu Nandakumara: I think the way you describe that is so wonderful, egalitarian, because cybersecurity can often seem to be something that is the domain of a very select few and that classic example of, let's say, like a Mr. Robot with a hoodie on hunched over a keyboard. But I think as we think about security today and we hear about terms like democratization of security, it's so important that the entire organization is brought along for the ride. Is that something that you are very much onboard with?  

0:05:52.3 Ann Johnson: I am completely onboard with it. And it has two dimensions for me. One, I've been quoted as saying in the past that, "We know cybersecurity has matured as an industry when there no longer is a cybersecurity group." Now, that's an extreme statement and obviously I make it as a way of just poking at it a little bit. Cybersecurity is everyone's job and the more we can make the tools easier for people to use and we can truly make it everyone's job, the more secure we are ultimately going to be. The second thing is that we have this cyber poverty line globally. There are going to be countries that don't have the ability to protect themselves from nation-state attacks. And as cyber war continues to be one of the elements of a kinetic war, it's truly an element of war as we've seen recently, we're going to have to find a way to give these countries the skills that they need so that they can defend themselves. These folks that just don't have cyber skills or they don't have the money to have cyber skills. And we do call that the cyber poverty line. So I think it's both those dimensions. I really think that AI, as much as it's going to help our SOC and our defenders and [make] those folks' job easier, that democratization of it is going to actually be a real change for the industry.

0:07:00.1 Raghu Nandakumara: Ann I think that's fascinating. And I think also some part of that is also just, what I see, is the leveling up of individual countries and obviously groups of countries. For example, here in the EU where countries act more as a collective to bring that leveling up of general cybersecurity stance driven by legislation at the national level, which can only be a positive thing. Tied into all what you describe with that more democratization. Is that how you see it?  

0:07:30.0 Ann Johnson: It is how I see it and I think that democratization has to exist as well and there has to be global standards and there has to be global regulation. But there also has to be global cooperation, right? Cooperation, private sector, private-public sector, public to public sector. We're seeing an increase in collaboration and cooperation, but we're not where we need to be and the only way we actually defeat the bad enemy is with collective defense. And we need to get a lot better about collective defense, and AI should just be one tool in the arsenal.

0:08:00.0 Raghu Nandakumara: I like that. I like that term, collective defense. Okay. I think we've spent the early part almost looking forward to what the future holds, so I'd like to go back a bit and just ask you: how in your time in cyber have you seen the priorities and the approaches to cyber evolve over time? Because I was listening to your podcast, I think it was the episode with Sounil Yu, where he described the various eras of cybersecurity. How do you think about those eras?

0:08:31.3 Ann Johnson: I think the first era of cybersecurity is you had some people stand up a few firewalls, maybe they used tokens for authentication, they had some routers, and they had some antivirus software. And it was like, "Okay. We're all good here." It was a, "Keep everything out of the environment." It was very much a, "Our employees are all coming to the office. They're working on devices we issue them." Maybe not even laptops, maybe some of them are green screen. And the biggest concern that the CIO had was somebody plugging in a rogue server on the data center, right? And then we've evolved to this world where, okay, we've suddenly become more mobile and people are working on various devices and there's this Bring Your Own Device concept. And by the way, we started assuming breach somewhere around... And it's probably been about 10 years now, we've started assuming breach. We assume somebody is in your environment. So how do we contain them? How do we minimize the damage? How do we find them? And how do we evict them? So the tools started changing. No longer could you keep everyone out. You actually had to give people access because people wanted to work from anywhere on any device. How do you securely do that?  

0:09:33.1 Ann Johnson: So that was like the second era. This third wave we're going into now, it really was largely accelerated by the pandemic when we saw 87 or 90 percent of global employees went and worked from home. And suddenly we had these hybrid environments that were not necessarily secure, and we had people working on kiosks or working on the same device that their child was essentially doing their school work on and we introduced this whole other vector. We've swung back a little to where now you have more people in the office, some people still at home, or they're in the office or at home part of the time, and you're truly hybrid but then you also have this new tooling of AI. So again, it's how did the... The biggest problem CISOs still tell me today is visibility. So how do you see that something truly bad is happening in your environment, detect it super quickly and stop it from doing damage? And that is like the third wave of tooling and it's all about the data. People don't come into your environment just to hang around. It truly is all about the data.

0:10:33.8 Raghu Nandakumara: That's really interesting. And just picking up on that last thing you said, it's all about visibility. When I think about this, I almost feel that visibility should be the first thing that you put in place when you deploy a new technology to get complete understanding of what is happening around it. Why is that still a significant gap for so many organizations? Why do they not have enough visibility in the right places?  

0:11:01.1 Ann Johnson: Because it's super hard. If you think about technical debt and legacy systems and disparate systems and rogue cloud environments and people signing up for SaaS apps and people working on their own devices and the need to balance productivity with security, it becomes really hard to get complete visibility across your environment. We have people that are still running on Windows NT or Windows 95 systems. How are you going to get visibility for those if they're not talking to the cloud type environments? You have manufacturing lines that don't have cloud connectivity. You have oil companies that have offshore production systems, mining companies around the world that their automated mining trucks are 3,000 miles away from their corporate office yet they have 800 sensors on them. It is really hard to get visibility and it's what people struggle with, and it's the greatest thing that the security industry can do is to continue to improve visibility so that our CISOs know at least what their attack surface looks like and they can put the right controls in place.

0:12:00.0 Raghu Nandakumara: So when you talk to, in your role, when you talk to cyber leaders across the multitude of industries and nations, etc., what do they say is their biggest concern? Do they also align with, "I'm concerned that I just don't know what's going on," or do they sort of up-level that a bit?

0:12:19.1 Ann Johnson: They generally, and this is a really blanket statement, they generally feel pretty good about the things they know about. The threats they are aware of, the devices they can see, they generally feel like they have good security controls. It is the old we don't know what we don't know. And the concern is that someone could have been in their environment for 18 months in some type of rogue system or somebody brought a new SaaS app online and didn't tell corporate and how they're sharing data with it. ChatGPT goes into that category. A lot of questions we get are, "We don't have the visibility of what potentially confidential data our employees are putting in a system like that." So they have hyper-concern over this. We need to have maximum productivity for our organization but we don't have visibility to what folks are doing. And if we don't have visibility to what they're doing, we can't secure it.

0:13:05.0 Raghu Nandakumara: Right. It's kind of like, that sort of, the catch-22 then. I need productivity but then, in order to secure that, I need better visibility. I don't have visibility so I don't know how to secure that, so I don't know how to support your need for better productivity. And you get into that cycle. So I kinda want to go back to something that you said and you talked about, about a decade ago that the assume breach mentality coming up and it not being just sufficient to recover or restore but really be able to survive. So I'd like to use that as a segue into talking about Zero Trust. I guess the first question to you is, when did you first come across the term Zero Trust? What does it mean to you and how do you feel about it?  

0:13:51.4 Ann Johnson: So, a few things. One, I think the concept of Zero Trust is a wonderful concept. When did I first come... I don't remember when I first came across Zero Trust but let's say it's five to seven years ago, let's just put it in that time frame. I think the problem is it has become this amorphous term that nobody really understands. And it was a marketing term for a while that people just say, "Hey, we're Zero Trust," with no grounding in principles. So we have really explicit principles around it. The first thing is you verify explicitly. Anything that happens in a session needs to be verified. Anything, whether it's a single piece of data passing through the environment, authentication, anomalies, etc. The second thing is you use least privilege access. You have to use least privilege access for all of your users. Most end users do not need admin rights on the laptop. You need to have some type of secure admin workstations. And these policies need to be adaptive so people just have the just-in-time privilege they need, when they need it, and then it goes away and it needs to be logged and audited.

0:14:50.6 Ann Johnson: The third thing is that assume breach. Always assume that someone is in your environment, assume you don't have complete visibility, and that's where you get into encryption and data protection and DLP and having a really mature program around that. And that is super hard because people don't know where all their data is and it's really hard to secure stuff that you don't know where it is. So Zero Trust to me is fundamental to cybersecurity. And most customers, by the way, whether they know it or not, they're on a Zero Trust journey. They're doing some pieces of this already and it's just really having the program maturity. And there are some programs that are more mature than others, it's the typical early adopters that are more mature than others. But people often ask me, "Where do I start? What do I do?" And one of the things I tell them is least privilege access is a really good place to start and multi-factor authentication, for 100% of the people who access your environment 100% of the time, is the other really good place to start.

0:15:43.3 Raghu Nandakumara: I agree. And I think just listening to the way you laid that out and if I think back to my undergraduate computer science course and I took a couple of modules on security, a lot of what Zero Trust really talks about and preaches are the axioms of computer security, of information security, like least privilege. And to me, it's almost like, why is it that those best practices haven't been followed from the get-go and now we're almost reverse engineering what we have in order to accommodate something that we should have been doing in the first place? Why has that gap developed?  

0:16:18.6 Ann Johnson: Yeah I think that people over-privilege access because they don't want any of their employees to run into productivity issues. I know that, by the way. So access is over-privileged just, literally, for productivity reasons and you really have to be scientific about how you think about access. We are at the place in the industry that everyone talks assume breach, I think that one is very well known, but the verify explicitly everything that happens in the session is the harder thing. Because it used to be, and you know this, if someone was concerned about the security, they would strongly authenticate however they strongly authenticated, and then there was some type of role-based access control and then that was good enough, right? Now we're saying, no, that's not good enough. Actually, every single transaction that happens in someone's session has to be interrogated because you could have malicious malware that's impacting the software. You could have malicious malware that's impacting the data. Somebody could have hijacked the session. Somebody could have followed them into the session. And so we're saying this "explicitly verify everything that happens in a session" is hard and it's new but in order to have ultimate security it's the place you really want to be.

0:17:25.9 Raghu Nandakumara: And so what does that then translate into what customers are asking for and then what they're executing on? What is that typical conversation that you would have? And I guess in your role, it's very much at that exec level. Does the conversation start from organization XYZ, "We want to build out a Zero Trust program. How do I do it?" or is it more around, "Here is a sort of a transformation that we're about to undertake. How should I ensure that security is best of breed to support that transformation?" What is the nature of that conversation that leads ultimately to "you need to adopt Zero Trust"?  

0:18:06.5 Ann Johnson: That would be ideal, the latter of what you said would be ideal. "The company is going to have some type of major transformation, let's bring security in early" would just be ideal. It doesn't happen as often as you'd like. We're getting better. By the way, security is now a board-level conversation. Lines of business are getting more comfortable that their security peers aren't trying to block them, they're just trying to enable secure business. And security should be an enabler, right? So ideally it happens when the business is trying to do something new and then you think practically how they're going to do that. The good news about having a Zero Trust architecture is that you can snap a lot of it into that. If the architecture already exists, then even bringing in other lines of business doesn't mean you have to do anything different.

0:18:48.4 Ann Johnson: And running things, I'll give an example, running things like Microsoft Conditional Access, which looks at every transaction that happens in the session from a user standpoint, is one of the underpinnings of having a really good Zero Trust strategy. Things that look at your devices, the health of your device, what is your device doing in this session, technology that looks at that. Then if you can enable the business that they don't have to come back to security every time. They just have to follow the principles of Zero Trust whenever they're rolling out something good. And it really truly does become both a business enabler and it makes security more effective and security more simple. Those are the ultimate measures of having a good Zero Trust program.

0:19:27.6 Raghu Nandakumara: And I think, I mean, that really is the ideal state where there is that consistency is built under the business or the application developers, etc., know that as long as they adhere to the security requirements and they build according to those, then they're going to be getting the best of breed security, it's going to be least privilege access and that transformation is not going to be in any way impeded. So from a Microsoft perspective, what do you see are the key technology enablers that you have that you're delivering to customers to support this?

0:20:05.8 Ann Johnson: Yeah. Our Zero Trust strategy, and everybody comes at it in a different way, starts with our identity. Because we are very strong in identity and we have our Microsoft Entra Suite, our Zero Trust starts there. And it starts with strong authentication, Windows Hello for Business or the Azure Authenticator, we have third parties we're integrated with. So it starts with strongly authenticating the user and then it goes to using conditional access, so making sure that all of your app access, all of your apps are attached to Conditional Access and we're looking at the health of everything that's happening within the session from that standpoint. Then, as you know, we do a lot of partnering. We do a tremendous amount of partnering. And in the spaces where we don't have a discrete or explicit technology, whether it's the network controls or those type of controls, secure web gateways, those type of controls, and we are moving further into saying we need to have a very robust Zero Trust offering that's powered with our partner ecosystem and with some Microsoft first-party solutions. So you'll see, over the next 12, 18, 24 months us moving even further in that direction.

0:21:07.1 Raghu Nandakumara: And do you see it... If I think back to the NIST Zero Trust architecture and there's this concept of this unified control plane that is then enabled, enforced via those individual policy enforcement points, whatever they need to be. Do you see it as being realistic that at some point in the future we will see true single policy sort of control planes that are able to go and deliver that Zero Trust enforcement across all of the pillars? Let's say if we refer back to Forrester’s original Zero Trust definition and the pillars that they talk about, do you see that as being something realistic?  

0:21:50.9 Ann Johnson: We have been trying to get the things that are single panes of glass for a ton of controls for decades. Ideally, we have very few controls, where someone has to interact or we obfuscate the complexity from the end user even if there are... For Microsoft, even if there's partner solutions under the hood, we obfuscate the complexity for the end user and for the admin so that they can do all of their control management in one place. We're not there. As an industry, we're not there. I know you all are doing your piece of a lot of work with Zero Trust but the simpler we can make the solutions and the more aligned we can make the controls and the ability for the admins to work on a single console, the better the industry is going to be. So it's an ambition.

0:22:34.2 Raghu Nandakumara: And do you see the... In order to get closer and closer to that and if it is a couple of different control planes that are able to in some way interact with each other, that may be good enough. But the key thing there saying essentially... Zero Trust, the modern definition of Zero Trust, talks, among other things, about a risk-based, context-based ability to define policy. So is it important? I guess it's essential that those control planes share the same context and the same view of risk in order to be able to do that consistently. Is that, I guess, the first step?  

0:23:19.7 Ann Johnson: So if you think about your segmentation platform and that being a user control plane where the user can actually have visibility across all the workloads and devices and then you can set up your granular segmentation policies to the extent that can run underneath or alongside what we are doing with our Zero Trust control plane and we can just point the user to Illumio with one click. But my ideal scenario is you have this ecosystem and Microsoft is sitting at the front of the ecosystem with our platform, with our Entra platform, and all data is coming to us and it's going through conditional access and then we are leveraging, because we're not going to be 100 percent of the solution, we're leveraging places like Illumio to do specific work but we're obfuscating the complexity of the end user having to spin up a completely different console to have to do that work. That's ideal.

0:24:10.3 Raghu Nandakumara: Yes, absolutely. But I think this is the interesting thing is I think the way you expressed it is so accurate, that ultimately there is the ideal scenario but then what is possible today with integrating best of breed solutions and how you're able to build that consistency because today no customer can essentially go to a, I'm going to say, to a marketplace and say, "Hey, I'm buying the all encompassing Zero Trust solution. Click, done. I have Zero Trust." No one's doing that today.

0:24:42.5 Ann Johnson: No. But that's why our ambition is to be the platform and it's the platform that others build on top of. You build your solutions on top of our platform and that way the traffic comes to us, it goes through conditional access, and we can feed out with all of these different partners that we're bringing in to our Zero Trust ecosystem. Our ambition is exactly what we're talking about here, but we're not there yet and we're probably 18, 24 months away from being there.

0:25:08.4 Raghu Nandakumara: Sure. That's an exciting 18, 24 months then. That's not too far on the horizon. So I kind of want to shift gears a bit and talk about how you see, what’s happening from a legislation and a regulation perspective, not just in the US but globally, that you feel is going to drive or accelerate adoption of Zero Trust. Everyone talks about the Biden mandate and what's following up on the back of that but also we're seeing things like, let's say, the EU, NIS2 and DORA. And we're seeing similar regulation out in APAC and so on. How beneficial do you think this legislation and regulation is going to be to really accelerate the adoption of better security practices? Do you think there's going to be a significant positive outcome?  

0:25:55.2 Ann Johnson: I think to the extent... Look, the EU did something really interesting with their concept of having a cyber dome almost and having collective defense within the EU. And that type of regulation and that type of requirements and that type of framework moving forward is really high impact and meaningful. One of the challenges our customers who have, who work in global environments, is that the regulations lack consistency. And I'll use an example. The one great thing about GDPR is it drove consistency. Whether you liked it or didn't like it is not the conversation. The conversation is you understood what your requirements were if you were in the EU, from a privacy standpoint. So I think to the extent that we can get regulation that is more aligned and more consistent, and the industry can help educate the regulators and the regulators can talk to the experts, I think that there's going to be a tremendous amount of value there. I do.

0:26:47.6 Ann Johnson: And we welcome the opportunity to have constructive conversations on regulation across all parts of tech, including AI, because it's needed. But what's challenging is if you have... I think the number is around 250. Microsoft looks at about 250 unique regulations around the globe on a daily basis to see if we need to be compliant. There has to be more consistency in region. There has to be more global standards because at the end of the day it's really tough for organizations to work at that pace on compliance but also run a security program and run their business.

0:27:24.0 Raghu Nandakumara: If you think about something like DORA, and I know that you're very passionate about talking about cyber resilience and the move towards this, do you see that, something like that, as bringing the consistency into a particular industry? Or is it still the challenge is that it's still then gotta be enacted at a country level that sort of then brings the complications of how quickly it's going to be adopted and so on?  

0:27:51.8 Ann Johnson: Yeah, I think that's right. I think the uniqueness within country is going to drive complexity that's not thought of. Your ability to recover from an attack is the most important thing you have. Your ability to get your core business systems back online after an attack is one of the most important things that you have and I think any regulation that actually helps organizations do that without adding a lot of overhead is fantastic, but the actual implementation at a per country and a per business level is going to drive a lot of complexity.

0:28:27.0 Raghu Nandakumara: So then, if we then change this a bit, from an organization's perspective, what should they be thinking of when they think about cyber resilience? How should they be thinking about building out the right controls to give them a level of cyber resilience that their board is happy with, that guarantees a certain minimum level of productivity?  

0:28:48.9 Ann Johnson: Yeah. And, Raghu, this is something that, because you listen to my podcast at times, I've talked a lot about, I've written about, etc. I'm passionate about it. The first thing that businesses need to know is where are your core business systems. What are the three to five or 10 or whatever systems that absolutely have to be online for your business to run? What are they? And that's everything from payroll to your customers. What is it that keeps the business going? That's number one. Where does the data sit for that, is number two. Once you identify that then you know what... A lot of security programs will talk about, they frame it as the crown jewels because they may not have the resources or people to secure everything, but they have to secure those things. Then what is your failover plan? Let's just say that those systems are all down, where is the redundancy for those systems?  

0:29:33.7 Ann Johnson: Do you have a cloud environment? Do you have redundancy offshore? Do you have redundancy in a different country for those systems? How are you going to communicate? If your email system has been compromised, and that means possibly your messaging system has also been compromised, how are you going to communicate internally in your organization if you have an event? What is going to happen? There has to be it. Who is going to speak to regulators and how are they going to speak to regulators? Who is going to speak publicly and how are they going to speak publicly? Who's going to communicate with your lawyers? Who is speaking to your employees, and how are they speaking to your employees? Do you have a third party already under contract on some type of agreement on a retainer to do incident response? Do you have a third party on a retainer to rebuild your systems? I know it sounds really tactical, but where are your backups and have you actually tested you can recover from your backups?  

0:30:26.3 Ann Johnson: And are your backups in line so that they could be compromised? One of the things ransomware actors do is, one of the first things they do is go look for your backups because they want to actually corrupt those backups. So all of those things have to be... So it's not just technological, it's on the business side. And then you actually need to have tabletop exercises and assume you've had an event like this and you have to actually plan. You have to run the plan a few times. We all do red teaming and blue teaming and purple teaming, but do you do a tabletop exercise that says, "Your environment is completely down. Now what?" And you need to do that a couple of times a year, not just with the operational folks but with your executives and potentially with your Board at least once a year. It's all of those things that we recommend as best practices.

0:31:05.0 Raghu Nandakumara: What I like, and you touched on this at the end there, is that move towards what does being cyber compliant mean. Moving away from... And I think what you're hinting on but I don't want to put words in your mouth, is that moving away from checkbox exercises to really threat-led, offensive security-led exercises, whether those are purple team exercises, real purple team exercises, or tabletop exercises that test your actual controls versus a set of, "Okay. Is it configured to do X? Is it configured to do Y?" And so on.

0:31:45.6 Ann Johnson: That's right. And I would say, and just like you said, there's a lot to unpack. The first question is, "Whose job is it? Who owns cyber resilience for your organization?" And the plan for cyber resilience, every organization that I can think of, every large organization has a natural disaster plan. If you had a natural disaster in your region, you have a plan for how you're going to bring your business back online, keep your employees safe, etc. You need that exact same plan for cyber. And then whose job is it? Is it the folks that do your resilience? Is it your cyber team? Those decisions all need to be made now, not after you have an event.

0:32:24.2 Raghu Nandakumara: And just following up from that, what are the key things that CISOs, without fail, should be reporting to their Board that actually provide a clear indication to the Board, to the CEO, of how the security program ties to the business objectives? Like what are those, let's say, three key things?  

0:32:45.9 Ann Johnson: Yeah. The first thing I want to say is understand your Board aren't security people. They may not even be technology people. Understand that first because whatever you're going to talk to the Board about you need to put it in language that they will understand. The language a Board understands is risk. So everything that you talk about should be related to business risk. This is just a really basic example. "If we do not roll out multi-factor authentication to our organization, there is a much higher risk for us because we know that the number one attack vector is still phishing and people using weak passwords." So that is a risk the business should be able to understand, especially when you're trying to get budget for that. But at the Board level, you want to go in and keep it very simple, go over maybe your top 10 risks and keep it in that risk language and keep away from, "Hey, I want to talk about our end-to-end encryption strategy." Talk about why you have an encryption strategy and what it's going to accomplish and how it's going to lower the risk for the business. That's what I would encourage CISOs to do. And CISOs used to be really technical roles. They're getting to the place now where CISOs have to be really good business people who understand the technology and the application of the technology to the business.

0:33:58.9 Raghu Nandakumara: So that's really interesting. Absolutely. That evolution of the CISO from very technical, inward, almost technology-facing, to now much more business-aligned, business facing, and being able to marry those two. But you talked about in terms of communicating to the Board and almost it's like what you said was you talk about technology and you talk about, let's say, encryption and you talk about how this provides a business benefit. To me, that still feels like bringing it to a very low level to the Board and it's potentially a terminology and concept that they wouldn't understand. So can you talk about that a bit more?  

0:34:42.3 Ann Johnson: Yeah. Let me clarify what I said. No, I don't think you talk about encryption to the Board. I think whatever technology you talk about, you should talk about only business risk. What is your data security program and how does that reduce your business risk? Everything you talk about should be business risk. But, no, I don't think you should talk encryption to the Board, and that's the point I was trying to make. Don't talk technology. Talk business risk and how a program is going to drive down your business risk.

0:35:08.4 Raghu Nandakumara: Yeah. No, understood. Okay. I am perfectly clear and there's no ambiguity on that. So we're talking about cyber leaders and you've already spoken about the evolution of the CISO that you've seen in your time in cyber. Where do you see that evolution leading to over the next few years? How do you see that CISO role continuing to evolve?  

0:35:31.9 Ann Johnson: I think the CISO role is going to continue to evolve and be, obviously, going to be much more demanding. We have a great CISO at Microsoft, Bret Arsenault, a wonderful CISO. Most of the CISOs I know are wonderful humans who want to do the right things who are in a thankless job, because you get blamed for everything and thanks for nothing. But the role is going to continue to evolve to this business level complexity. You need to understand regulation. You need to understand how the controls apply to regulation. You need to be able to speak to the folks that are on the front line in the SOC. You need to be able to talk to your Board. It is a really tough job. But the more that the CISO, like Bret does, can align his priorities to the priorities of the business, the more effective you are going to be in that role.

0:36:13.9 Raghu Nandakumara: Ann for you personally, what are you excited about, looking forward to in cyber, whether that's a technology evolution, whether that's a people evolution or a legislation evolution? What are you really excited about over the next few years?  

0:36:33.2 Ann Johnson: I will tell you, and I'm not a buzzword... I've been doing this long enough that I don't get very excited. I'm actually really excited about AI and natural language models. The ability to extend the capabilities of cyber to a much broader pool of talent who could actually contribute to the industry will help reduce the talent shortage we have, as well as the application of the technology itself to reason across millions and trillions of signals that people see in their environment and actually tell you what a real problem is. It gives you visibility much more quickly. If it solves just those two things, giving you visibility much more quickly and helping solve our talent shortage because the talent pool becomes greater, it's lived up to its promise in my mind.

0:37:13.5 Raghu Nandakumara: Oh, absolutely. And I think just reiterating what you said and tying it back to that big problem that you highlighted, a lack of visibility. If it enables us to improve visibility, I think from that we can lead to better decision making and better security, which is ultimately the outcome that we want.

0:37:32.7 Ann Johnson: Correct. That's exactly right.

0:37:34.9 Raghu Nandakumara: Awesome. Ann, this has been such a pleasure to speak to you today. And of course, for our listeners, if you want to learn more about trends, if you want to choose one security leadership podcast that you absolutely have to listen to, then tune in to Ann's podcast Afternoon Cyber Tea with Ann Johnson. It's on CyberWire, it's on all the usual podcasting platforms. And go and listen to all of the previous editions because there's just so much fantastic content in there. Ann, thank you again for your time. I really appreciate it. And it's been wonderful conversing with you.

0:38:10.9 Ann Johnson: Thank you so much, Raghu. I appreciate it. It's been a great conversation. Have a wonderful day.

0:38:15.0 Raghu Nandakumara: Thank you. Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter @illumio. And if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.