From our studios, in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation. Everyone, welcome to this special CUBE Conversation here in Palo Alto, California. I'm John Furrier, co-host of theCUBE. We're here with Brett Arsenault, CISO for Microsoft, also corporate vice president, chief information security. Brett, thanks for joining me today.

Thank you. Appreciate it.

Thanks. So, you have a really big job. You're a warrior in the industry. Security is the hardest job on the planet. And being an Information Security Officer is so hard. Tell us about the role at Microsoft. You have to overlook the entire thing, you report to the board, give us an overview of what happens.

Yeah, I mean, it's, you know, obviously, we're pretty busy in this world we have today with a lot of adversaries going on and operational issues happening. And so I have responsibility and accountability for obviously protecting Microsoft assets, our customer assets, and then, and for me with the trend, also responsibility for business continuity and disaster recovery at the company.

On the CISO job that's been evolving, we were talking before the camera came on that it was kind of like the CIO, CFO role years ago, kind of evolved into a business leader. Where's the CISO role now in your industry? Is there, is it a formal title? Is it established? Is there clear lines of reporting? How's it evolving? What's the current state of the market in terms of the CISO, its role?

Yeah, the role has evolved a lot. Like you said, I think like the CIO role 20 years ago, you know, started from the back room to the front room. And I think the, you know, one of the things I look at in the role is it's really made up of four things. There's technical architecture, there's business enablement, there's operational excellence, and then there's risk management. And the older, I'm sorry, what was part of the right word, but the early CISO model was really about the technical architecture.
Today it's really a blend of those four things. How do you enable your business to move forward? How do you take calculated risks or managed risks? And then how do you do it really effectively and efficiently? Which is, so when you look at them, you'll see people evolving to those four functions.

And who's your boss? Who do you report to?

I report to a gentleman by the name of Kurt DelBene. And he is the Chief Digital Officer, which would be a combination of COO, Digital Officer and Transformation, as well as all of Microsoft's corporate strategy.

And this product board visibility actually in the security for you guys. How has Microsoft evolved? You've been with the company for a long time. In the old days, you had perimeters and we talk about it on theCUBE all the time. We're in a perimeter-less environment now and there's no perimeter. The world's changed. How has Microsoft evolved? Its view on security, has it evolved from central groups to decentralized? How has it managed? What's the current state of the art for security organizations?

Well, I think that you raise a good point. The things have changed. And so in this idea where there was this perimeter and you manage everything through the network, that was great. But in a client-to-cloud world we have today with mobile devices and proliferation of cloud services and IoT, the model just doesn't work anymore. So we sort of simplified it down into, well, we should go with this. People call it zero trust. I refer to it as just don't talk to strangers. But the idea being is it's really simplified, which is you got to have a good identity, strong identity to participate. You have to have a managed and healthy device to participate to talk to a Microsoft asset. And then you have to have data and telemetry that surrounds it all the time. So you basically have a trust and then verify model between those three things. And that's really the fundamental, it's really that simple.
Dave Vellante asked Pat Gelsinger in 2012 when he was at EMC before he was the CEO of VMware, he said, you know, is security a do-over? And he was like, yes, it's going to be a do-over. It's an opportunity. What's your thoughts on that perspective? Has it been a do-over? Is it a do-over? Are people looking at security in a whole new way? What's your thoughts?

Yeah, I mean, I've been around security for a long time and there's obviously changes in machinations that happen. Obviously at Microsoft at one point, we had a security division. I was the CTO in that division and we really thought the better way to do it was make security baked into all the products that we do. Everything has security baked in. And so we stepped back and really changed the way we thought about it to make it easier for developers, for end users, for admins, that it's just a holistic part of the experience. So again, the technology really should disappear if you really want it to be effective, I think.

Don't make it an episode, make it baked in from day one on new product development and new opportunities.

Yeah, basically shift the whole thing left, put it right in from the beginning and so then therefore it's a better experience for everyone using it.

So one of the things we've observed over the past 10 years of doing theCUBE when Hadoop first rolled onto the scene, big data, role of data has been critical. And I think one of the things that's interesting is as you get data into the system, you can use data contextually and look at the contextual and behavioral data. It really does create some visibility into things you might or may not have seen before. Your thoughts and reaction to the concept of leveraging data, because you guys get a lot of data at Microsoft. How do you leverage the data? What's the view of data? New data will make things different and get different perspectives, creates more visibility. Is that the right view? What's your thoughts on the role of data and the role data plays?
Well, I think it is saying, we had this idea of there's identity, there's device, and then there's the data and telemetry. That platform becomes everything we do, whether it's just security or anomalous behavior like you were talking about, or just how do we improve the user experience all the way through so we use it as a service health indicator as well. I think the one thing we've learned though is we've, I was building one of the biggest data repositories we've had for some time. Like we look at about 6.5 trillion different security events a day in any given day and so sort of how do you filter through that and manage that's a pretty amazing process.

6.5 trillion.

Per day.

Events per day, yeah. That's coming into Microsoft.

We run through the different.

Ecosystems, your systems, your computers.

Yeah, about 3,500 people reason over that. So you can sort of do the math. You need to have some pretty good, pretty good technology to make it work effectively for you and efficiently.

At RSA I heard a quote on the floor and on theCUBE kind of echoing the same sentiment, which is you can't hire your way to success in this market. There's just not enough people qualified and jobs available to handle the volume and the velocity of the data coming in. Automation plays a critical role. Your reaction to that comment, thoughts on that?

Well I think the, I think the key word there, John, is when you talk about the volume of the data, right? Cause there's what we used to call speeds and feeds, how big is the data? And we used to get great network data so I can share a little because we've talked like from the 90s or whatever period that we were in there, like the network was everything. But it turns out much like a diverse workforce creates the best products, it turns out diverse data is more important than speeds and feeds. So for example, authentication data maps to email data, maps to endpoint data, maps to service data.
So when you're hosting the number of customers we are, like financial sector data versus healthcare data. And so it's the ability to actually do correlation across that diverse set of data that really differentiates it. So as an example, we update 1.2 billion devices every single month. We do 630 billion authentications every single month. And so the ability to start correlating those things in movement gives us a set of insights to protect people like we never had before.

That's interesting telemetry. You're getting it from the marketplace plus you have the systems to bring it in.

I probably should, I probably should come in and just realize, and it's all with this consent. We don't do it without consent. We would never do it without consent.

Of course, you guys have the terms of service. You guys do a good job on that. But I think the point that I'm seeing there is that you guys are Microsoft. Microsoft's got a lot of access, got a lot of stuff out there. How does an enterprise move to that diverse model? Because they'll have email obviously, but they have devices. So you guys are kind of operating, I would say, at tier one of the IQ level of that environment because you're Microsoft. I'm sure all of the big scale players do that. I'm just an enterprise. I'm a bank or I'm an insurance company or I'm an oil and gas, whatever the vertical may be. What do I do if I'm the CISO there? So what does that mean, diversity? How should they?

Well, I think they have a diverse set of data as well. Also, if they participate even in our platform today, we have this thing called the security graph, which is an API people can tap into and tap into the same graph that I use. And so they can use that same graph, particular for them. They can use our security experts to help them with that if they don't have all the resources and staff to go do that. So we provide both models for that to happen.
And I think that's probably a unique perspective I should remind myself of, which is we sort of have these three things. We have a really good security operations group. We have, I think that makes us pretty unique that people can leverage. We build the stuff into the products, which I think is good. But then the partnership, the other partners who play in the graph, it's not just us. So there's lots of people who will play on that as well.

So I'd like to ask you two lines of questions. One is on the internal complexities that organizations will have and then the external complexity and realities of threats coming in. How do you balance that out? What's your vision on that? Because obviously there's technology, there's culture and people, and there's gaps and capabilities on all three. Internally, just getting the culture right and then dealing with the external. How does a CISO and how do companies balance those realities?

Well, I think you raised a really good point, which is how do you move the culture forward? That's a big conversation we always have. And that was sort of, it's interesting because on the one side, we have 3,500 people who have a security title in their job, but there's over 100,000 people every day that part of their job is doing security, and making sure they all understand that and know that is a key part we can reinforce every day. And so, but I think balancing it is, for me, it's actually simplifying just a set of priorities because there's no shortage of vendors who play in this space, there's no shortage of things you can read about. And so for us, it was just simplifying it down and getting it to that simplified view of, these are the three things we're gonna go do. We build it on a risk platform to prioritize relative to threat. And then we ensure we're building quality products. Those five things make it happen.
I'd like to get your thoughts on a comment you had again before you came on camera around how you guys view simplification internally. You guys have a lot of conversations at the board level. And then also you made a comment around trust and security and you had an analogy around putting the drops in a bucket. So first talk about the simplification. How are you guys simplifying it? And why is that important?

Yeah, I think we simplify two things. One was just simplifying the message so people understood the identity of the device and making sure everything is emitting the right telemetry. The second part though was like for us to be illustrative, just get rid of passwords. Like we started with this technology thing and we're gonna do 2FA and we had cards and we had readers and oh my gosh, we go talk to a user and we say, we're gonna put 2FA everywhere and you could just see a recoil and I told him, please no. And then just a simple change of being visual and we said, hey, how about this? We're just gonna get rid of passwords. Then people loved it. Like they're super excited about it. And so we moved to this idea of, we always said this know something, know something, know how something, have something. Like a card and they said, what about just be something and be done with it? And so we built a lot of the capability natively into the product, into Windows obviously. But I support a heterogeneous environment. So I support a lot of Mac, Linux, and iOS and Android as well. So we provided both models you could use by or you could use your device in the case of phones.

That seems to be a trend obviously to see that with phones as well. And who you are is the password. And why is this important? Because now is it because of ease of use? Is it easier to program? What's the possible?

Well I think there's two things that make it super helpful for us. One is when you do the biometric model, well first of all, to your point, the user experience is so much better.
Like if we walk up to a device and it just comes on. So there's no typing this in, no mistyping my password. And we talked earlier and one of the most popular passwords in Seattle was Seahawks 2017. You can guess why. But it would meet the complexity requirements. And so the idea is you just eliminate all that all day that you walk up, machine recognizes you and you're off and running. So the user experience is great. But plus, it's actually the entropy is harder in the biometric which makes it harder for people to break it. But also more importantly, it's bound locally to the device so you can't run it from somewhere else. And that's the big thing that I think people misunderstand in that scenario which is you have to be local to that to make it actually work.

That's a great example of rethinking the security paradigm.

Yeah exactly.

Let's talk about trust and security. You have an opinion on this I want to get your thoughts. The difference between trust and security. Because they go hand in hand but at the same time they can be confused. What are your thoughts on this?

Well I mean you can have great trust. You can have great security but you generally, and you would hope that would equate like a direct correlation to trust but it's not. You know you build trust that I think our CEO said it best a long time ago. You put one bucket of water, one bucket, sorry, one drop of water in the bucket every time and that's how you build trust over time. My teenager will tell you that. And then you kick it over and you put it all on the floor. So you have to, it's always this ratcheting up bar that builds trust. So you're doing great. You got a bucket of water. You got a lot of trust. The breach, it's over, right? And you got to go rebuild it and you got to start all over again. And so key obviously is not to have that happen but then that's where you make sure you have operational rigor and process around it. I think a great example of that just totally is look at Facebook.
Great, they have massive, great security although they went down this past week but still the trust factor on just some of the other or societal questions.

Yeah. And that doesn't have to do with security.

Yeah and I think that's a large part of making sure you know you're being, that's why I said before about, you know we make sure we have consent, we're transparent about how we do the things we do and that's probably one of the best ways to build trust.

Okay so you guys have been successful with Microsoft, just to kind of tie the company for a second to your role. It's pretty well documented that the stock price is at an all time high. Satya Nadella, CUBE alumni by the way, has been on theCUBE before. He took over and clear he didn't pivot. He just said we're going to the cloud. And he saw the great moves. He donated a lot of great stuff to open source, from open compute to open source. And the ship has turned and everything's going great but that journey to cloud has been great for the company. So I got to ask you, as you guys move to the cloud the impact to your business is multi-fold. One, products, ecosystem, suppliers. All these things are changing. How has the security role and the CISO position been impacted? What have you guys done? How does that impact security in general? Your thoughts?

Yeah I think we obviously were like any other enterprise, we had thousands of online or thousands of line of business applications. We did a transformation and we took a methodological approach with the risk management and we said okay well this 30% we should just get rid of and decommission. These we should optimize and just lifting, shifting applications to the cloud was okay but it turns out there's massive benefit there. Like for elasticity, you think of things like quarterly reporting or annual surveys or things like that where you could just dynamically grow and shrink your platform which was awesome.
Linear scale that we never had because those events I talk about would require rearchitecture, step rate function now becomes linear. And so I think there is a lot of things from a security perspective I could do in a much more efficient fashion than I had done it before but also much more effective. I just have compute capability I didn't have, I have signal I didn't have. And so we had to wrap our head around that and figure out how to really leverage that and to be honest get to the point where we exploit it because remember in my space I have disaster and continuity and business process stuff and so everyone would build dark fiber, big data centers, storage, active active and now when you use a platform as a service like on Azure, you could just click a box and say I want this thing to replicate.

And it also feeds into your customers' diverse data and getting that data into the system that you throw a bunch of compute at scale. So about diverse data, how does that impact the good guys and the bad guys? Does it tip the scales because if you have diverse data and you have visibility, it's a race for who has the most data because more data diversely increases the aperture and or visibility into events. Yeah, it's interesting. Talk about that dynamic.

You know, I should be careful. I feel like I always, this is the job you always feel like you're treading water and trying to stay ahead. But I think that I think for the first time in my tenure doing this, I feel there was an asymmetry that benefits the good guys in this case because of the fact that your ability to reason over large sets of data like that and is computing data intensive and it'll be much harder for them. Like they can generally use encryption more effectively than some organization because of the one, the many relationship that happens in that scenario. But in the data scenario, you can't. So at least for now, I feel like there's the, the scales may have tipped a bit for the good guy.
I think you're right on that one. I think it's a good observation. And I think that industry insight, look at the activity around from new funded ventures to overall activity on the analytics side. Clearly the data edge is going to be an advantage. I think that's a great point. Okay, let's talk about the explosion of devices. We're seeing now an explosion of IP enabled devices, internet of things to the edge, operational technologies are out there that in factory floors, everything's being IP enabled. Kind of reminds me of the old days where internet population, number of users on the internet is growing and that caused a lot of change in value creation and opportunities. Devices are coming on both physical and software enabled at a massive rate. It's causing a lot of change in the industry. Certainly from a security posture standpoint, you've got more surface area, but there's still an opportunity to either help on the do over, but also create value. Your thoughts on this exploding device landscape.

I think your Boston background, so Metcalfe's law was the value of the network is the number of the nodes on the network squared, right? And so that tends to still be true and it continues to grow. I think there's huge value in the devices there. I mean, if you look at the things we can do today, whether it's this watch or your smartphone or your smart home or whatever it is, it's just, it's pretty unprecedented the capabilities. And not just in those, but even in emerging markets where you see the things people are doing with phones and lower end phones that you just didn't have access to from information, democratization of information and analysis, I think it's fantastic. I do think though on the devices, there's a set of devices that don't have the same capabilities as some of the more market, so they don't have encryption capability. They don't have some of those things. And one of Microsoft's responses to that was, everything has an MCU in it, right?
And so we, with Azure Sphere, we created our own MCU that did give you the ability to update it, to secure it, to run it and manage it. And I think that's one of the things we're doing to try to help, which is to start making these IoT or smart devices, but at a very low cost point that still gives you the ability, because the problem with not being able to update, which we learned in OT, is that over time new techniques happen and you can't update the system so you can do something about it.

And that's getting down to the product level with security and also having the data. Great threads. So final talk track I want to get with you on is, you're a warrior in the industry, I said earlier, CISO is a hard job. You're constantly dealing with compliance to current attacks, new vectors, new strains of malware, and it's all over the map. You got the inbound coming in and you got to deal with all the blocking and tackling of the organization. What are you finding as best practice? What are some of the things on the CISO's checklist that you're constantly worried about and or investing in? What are some of the day to day, take us through the day to day life of a CISO.

Yeah, it starts with not a lot of sleep, that's the first thing you have to get used to, but I think the, again, let's say there's risk management, you just prioritize your set of risks, it's different for every company. For us, hackers don't break in, they just log in. So identity still is one of the top things people have to go work on, hence the get rid of passwords is good for the user, but good for the system. We see a lot in supply chain going on right now. Obviously, as you mentioned with Cambridge Analytica, we had the issue which is down the supply chain and when you look at not just third party, but fourth party, fifth party supply, it's just the time it takes to respond is longer. So that's something that we need to continue to work on. And then I think, those are some of the big things.
The other big thing though is again about this, how do you become effective and efficient and how you manage that supply chain? Like I've been on a mission for three years to reduce my number of suppliers by about 50%. And there's still lots of work to do there, but it's just getting better leverage from the suppliers I have, as well as taking on new capability or things that we may be providing natively. But at the end of the day, if you have one system that can do what four systems can do, going back to the war for talent, having people know four systems versus one system, it's just way better for efficient use of talent.

And obviously simplicity is the friend of security whereas entropy is not. And also you mentioned quality data, or diverse data as you mentioned, but also there's also quality data. If you have quality and diverse data, you can have a nice mechanism to get machine learning going well. But that's kind of complex because in the modes of security breaches, you got pre-breach, in-breach, post-breach, all have different data characteristics all flowing together. So you can't just throw that answer across as a prism across the problem sets. This is super important kind of fundamentally.

Yeah, but I think the way I would characterize those is it's honestly one of the better lessons I think I learned was learning how to understand how to talk with CFOs. And I really think about just two things, there's technical debt that we're all working on, everybody has, and then there's future-proofing the company. And so we have a set of efforts that go on to like red teaming and other activities, think like bad people, break them before they break you, break it yourself and then go work on it. And so we're always balancing how much we're spending on the technical debt to clean up, modernizing systems and things that are more capable. And then also the future-proofing issues, seeing things coming around the corner, cryptography and other elements.
Supply chain, blockchain might be a great case.

Supply chain is another good one. It has a great mechanism.

So you're constantly testing R and D and also practical mechanisms.

And the red teams, which are the teams that attack and pen everything, which is again, break yourself first, is super, super helpful for us.

Well, Brett, you've seen a lot of waves of innovation, you've been involved in multiple waves, computer industry, client-server, all through the days. So, I feel good about this interview, because this reminds me of when we broke in the business together. But this is the interesting point I want to get to is, there's a lot of younger CISOs coming in and a lot of young talent is being attracted. Security has kind of a gamer vibe to it. You know, most people, my friends that are security experts, they're all gamers. They love gaming. They love the thrill of it. It's exciting, but it's also challenging. Young people coming in might not have the experience lessons you've learned. Share some thoughts over the years, either scar tissue or best practices. Share some advice on some of the younger folks coming in, breaking into the business of, you know, current situation, what you've learned over the years that's applicable to now in the industry.

Yeah, sadly, I'd probably say it's probably no different than a lot of the general advice I would have in this space, which is there's, you value experience, but it turns out I value enthusiasm and passion more in terms of you can teach about it. Anybody who's passionate, enthusiastic, and smart, anything they want. So we get great data people and make them great security people. And we get people of a passion, like this person, it's his mission is to eliminate all passwords everywhere. And like that passion, take your passion and drive it wherever you need to go do. And I think the nice thing about security is, it is something that is technically complex, human sociology complex, right?
Like you said, changing culture. And it affects everything we do, whether it's enterprise, small, medium, business, large, international, it's actually pretty, it's a fascinating, if you like hard problems, you're a puzzle person. It's a great profession to be in.

I like how you said puzzle because I think that's exactly it. We also bring up a good point I want to get your thoughts on quickly is the talent gap is really not about getting just computer science majors. It's bigger than that. In fact, I've heard many experts say you don't have to be a computer scientist. You can be a lot of cross disciplines. So is there a formula or industry or a profession to college degree? Or is it, doesn't matter, it's just smart person.

Again, it depends. If your job's 100% secured, it's one thing. But like what we're trying to do is make not, we don't want to have security for developers. We want to have developers who understand how to put security in what they build as an example. And so same with administrators and other components. I do think, again, I would say the passion thing is a key piece for us, but there's all aspects of the profession. Like the risk managers are on the actuarial side, then there's math people. I had one of my favorite people was working on his PhD in maladaptive behavior. And he was super valuable for helping us understand what actually makes things stick when you're trying to train or educate people and what doesn't make that stick. Anthropologists are super helpful in this field.

Anthropologists really?

Yeah, anthropologists are great in this field. So yeah.

And sociology too, you mentioned that one. I think that's a big factor because you've got human aspects, interests, human piece of it, you have society impact. So there's really not really one thing. It's really cross-section depending upon where you want to sit in the spectrum of opportunity.
No, and it gives us a chance to really hire, like we hire, a big thing for us has been hiring earlier in career and building talent because it's just not all available. But then also you hire from military, from law enforcement, for people returning back. It's been actually, it's been a really fascinating thing from a management perspective. That I didn't expect when I did the role and it's been fantastic.

Let me ask you a personal question, final question. What's getting you excited these days? I mean, honestly, you got a very challenging job. Again, you have got to attend all the big board meetings with the risk management compliance. So there's a lot of stuff going on, but it's a lot of technology you fund in here too. A lot of hard problems to solve. What's getting you excited? What trends or things in the industry get you excited?

Well, I'm hopeful we're making progress on the bad guys, which I think is exciting. But honestly, this idea, the long history of studying safety when I did this, and I would love to see security become the airbags of the technology industry, right? It's just always there, omnipresent, but you don't even know it's there until you need it. And I think that getting to that vision would be awesome. And then really kind of helping move the trust equation to a whole other level, reputation, new data sets.

So data, it's a data business.

It's a total data business.

Brett, thanks for coming on theCUBE. Appreciate your insights. Brett Arsenault, CISO, the Chief Information Security Officer at Microsoft, also Corporate Vice President, here inside theCUBE in Palo Alto. This is theCUBE Conversations, I'm John Furrier. Thanks for watching.

Thank you.