B (3:33)

Yeah, I think that that's right about boards. And I actually kind of like the NIMBY correlation, though it's not exact, but it's close. Right. I'm on a few boards and I can tell you that sometimes what shows up is, oh, well, just ask Ann, she's our cyber person. And it's like, okay, well, we all need to be somewhat cyber people. Right. And I do think that there's an opportunity for us, who are the cyber people, to show leadership and to engage the rest of the board in language that the rest of the board can comprehend and understand versus just being the cyber expert in the room. And I think we all who are cyber professionals really have a responsibility to educate our peers, wherever those peers are.

A (4:14)

Yes. I like to think of it as an opportunity, not a burden. You know, we have challenges that are opportunities versus challenges that are the things you don't want to do. I'm with you. I like to empower. Think of it as an empowering opportunity as opposed to an obligation.

B (4:25)

Exactly. When you have that lack of alignment in the boardroom, how does that show up in real decisions about what gets delegated, what may get under resourced, or what things aren't actually brought to the boardroom? Not because anyone's trying to hide them. There's no nefarious intent here. It's just folks saying, oh, you can't bring everything to the boardroom. So how does that lack of alignment maybe show up on things that don't come to the boardroom, but possibly should Come to the boardroom.

A (4:52)

When we think about what gets under resourced or delegated that maybe shouldn't, there are probably three sets of areas where we might look for there to be a greater alignment of the need to continue to have conversation around the responsibility around cybersecurity governance. One is kind of thinking about where there may be near misses that are opportunities to learn from success that may help us avoid the issue down the road. And thinking about how they were avoided, which may seem to your point a minute ago, not everything can make it to the boardroom, so why would we talk about what we didn't have? But I do think there's an opportunity for thinking about near misses or thinking about using, unfortunately what's happening potentially to peers in the sector to say, okay, if that were to happen to us, how well would we be positioned to withstand that type of an incident? And I think too, you know, while we are right five years past, through the COVID situation, I think the second thing I would raise is the idea around how is our workforce managing this issue? Not just thinking about how are our defenders protecting the networks, but also how much of cybersecurity and the responsibility that everyone in the organization has to support it. How much of that is on the workforce's radar and how can we, particularly when we think about the defenders, when's the last time we said thanks to them, giving them a bit of a break or a bit of a boost. Cybersecurity, as we'll talk about, I think is, you know, it's not something that ever stops. And so the drain that can be, particularly for network defenders, is something that I think ought to be like other HR kind of human resources issues, something that the board is considering from time to time. The third thing that I think around kind of delegation or never reaches the boardroom is this issue around two things really. One is we're starting to look at an issue around the abuse of residential proxy networks. And I raise this here because one of the things that we've heard through our research is that CEOs of organizations are being shipped televisions and putting them in their home networks. And guess what happens when they do? Not good things. The set top box or the television becomes part of a residential proxy network and there are malicious actors abusing this. And so thinking about the role of kind of the 360 protection of our leadership team and protecting them in their home environments as well as in their professional environments. So those kind of external exposure points that can still put the organization at risk even if they're happening kind of outside the organization. And the fourth one really is around thinking about on the human resources side, how are we recruiting? We might think that that's something that should be delegated to hr, but particularly as we look at the exposure that we've seen most recently around North Korean IT workers and really thinking about what our recruitment process is, because the idea that we have insiders who are in a range of companies around the United States and our key partners is really, really troublesome. And so I think that issue around how are we thinking about the insider threat issue is also one that needs to be a regular conversation.

B (7:52)

I think those are really good examples. And I want to get to ransomware. The efforts are on Ransomware in a moment. But I wanted to call out a couple things you said, which is that psychological safety and recognition for our defenders, and not just the pressure of them working around the clock and trying to keep a company from being breached or responding to a breach, but also, as they frequently tell me, some of the things that are visible to them when they're actually looking at content from threat actors is stuff that is not safe you don't want your employees to see. And I don't think a lot of folks recognize that. And I do think that that is something that at Microsoft, I know our ciso, Igor, has been very focused on is burnout and something I do think the boards need to think about. The other comment I wanted to make was about resident proxy networks and just the work that the CISO at Comcast Newber Davis has done publicly talking about it being really open and transparent, I think has raised the awareness, but we certainly do. To your point, I talked to my own husband because he wants to put everything on the home network. It was kind of a battle. And finally I gave in and just created his own network for him. Right. I just said, okay, look, I'm just going to segment you and send you away so that whatever you. Then that is the hopefully not bad network, but that's a network where stuff's going to go on that's Iot connected. And because you're insisting that the laundry machine needs to be connected, right, because I just got tired, I was exhausted. But that parallel I can take into the real world, which is we have to make solutions easier for people. You know, I knew how to set up a network that was fully segmented and secure. Anything I do in the work environment or even my personal finances, right. To make sure they aren't impacted by something that could happen on that network. But your Average human doesn't know how to do that. So we have to make it easier in some way.

A (9:38)

Yes, in some ways. Thinking about ways that we might make it easier, I just had a fifth thought, if I may, which is around the board thinking about its opportunity as a purchaser, as a demander, if you will, to require better security of its vendors and third parties. And so can we make some of these issues easier for our teammates among the team by removing their need to even pay attention to security, which of course they can't. Right. That's too extreme. But can we take some measures, make it a bit easier for them to do the things that we do really want them to focus on by leveraging the capability that we may have as purchasers of services and products to require greater security from those services and products so that fewer things are reaching our workforce.

B (10:23)

Yeah. I was talking to another CISO over the weekend before RSA and he's trying to create an initiative that's cross industry about that supply chain risk and really building some focus on what we are all going to require of the hardware and or software vendors that provide materials. Right. You know this, it's a massive problem, but it's also a massive problem at scale. And it's kind of like you don't want to boil the ocean. So where do you start the focus. Right. And then grow from there? It's a big one. So that gets me to one of the things I really appreciate about the work you do. Right. You don't just talk theory and you don't just talk problems. We'd love in the cybersecurity industry to surface problems without solutions. You, however, have led things like the Ransomware Task Force that's brought leaders from across government and industry together around a really shared problem that single organization can possibly solve alone. Can you talk about that experience and how shared responsibility actually works when it's done?

A (11:20)

Well, the Ransomware Task Force is I think our, as an organization at ist, we are one of the things we are most proud of. And I think it's, you know, I want to make sure to emphasize that I was one of six co chairs of this effort and so have had the opportunity to lead the work of the task force for four and a half years now. But it really was a kind of a team effort and I think the idea of teamwork is really one of the key enablers of, I think, the success of the task force. Obviously, when we build teams, teams live on trust. Trust is central to the operation of a well functioning and effective Team the idea around trust being recognizing the role of trust as a two way street and that it really requires a degree of experience for trust to grow and the relationship between trust and responsibility. And one of the things I think that we have come to be more I think is maybe not spoken about enough in the cybersecurity community, but is one of those unspoken rules is that on the responsibility piece, I trust you enough if I'm going to share a piece of information with you that you will take action on it, you understand the responsibility that you have if I've shared something potentially to protect it, but also to take action on it if you can, or to figure out kind of where can we route the information to the entity that can take action on it because of this long standing view of cybersecurity as this shared responsibility. The other piece I would say is that thinking back to kind of the team element and the trust building, we were fortunate when we developed the task force. Phil Reiner, who's the CEO of ist called a few of us and some of the co chairs will joke that we sprinted a marathon. But we were able to do so because we had known each other for a number of years and we had a high degree of trust in each other. We had expertise in policy making and certainly from the the government side. And we were fortunate to be joined by members of industry. And I think that this coalition of over 60 plus organizations that we were able to put together, one of the reasons for its success was this idea that the participants recognized that they trusted us enough to know that we were not coming in with a predefined agenda. We didn't have an outcome that we wanted to make sure that we drove the recommendations to. The participants trusted that we would be responsible in the way that we orchestrated the work of the task force. And we can talk about that if it's helpful. But the backbone of the success and the backbone I think of shared responsibility really is this idea of trust.

B (13:43)

I think that's right and I do think that, and I'll use another little bit of a cliche, that trust starts at home. So that trust between the organization and their board has to be really, really persistent. It has to be a persistent level of trust. And we say here that trust is built in drips and lost in Bucke. So it's just something I always bear in mind as we're thinking about how we create trust internally at Microsoft, but also with our customers and partners in the broader ecosystem. Given that, how do you think that executives and by the way I wanted to say one other thing, Megan, that I think is really important. Thank you to you for mentioning that you were just part of a team. I frequently hear leaders just taking credit. I don't think they do it even in a way that they'll just say thank you and move on. I love the fact that you talked about. It's part of it. You were just part of a team that made it work. So thank you for doing that. I think it's good modeling anyway, given the trust conversations, given the board conversations, how do you think executives should reframe success when they're dealing with threats that are persistent, threats that are adaptive, threats that are both economically and politically motivated?

A (14:57)

Speaking of cliches, I feel like it's cliche a bit to say that security is not a one and done process. It's not about compliance and checklists, that it's really about resilience. So we need to be not thinking that we can prevent everything. We have to recognize that if we take a punch, as my, one of my colleagues here says, how quickly will we be able to get back up? And so thinking about also the other cliche that we've talked about for years, right. Is that building a culture of security. But it's true, it sounds a bit trite, but it really is true that we need this culture of security. And not thinking back to kind of the earlier part of our conversation, as one of the things that's bothered me over the years is the fear, uncertainty and doubt. And while I feel like we had a period maybe a few years ago where that had a bit waned from the discourse, I feel like now with, I'm going to say the bingo card AI, we're back into the fear, uncertainty and doubt phase. But to really think about empowering our teams to recognize that we are resilient and we know the steps that we can take to make ourselves the most resilient and really thinking through how to translate technical resilience into cultural resilience. So thinking about security really as it's not one and done, it's a life cycle issue. It's also kind of a heartbeat type of issue that should be constantly kind of in use. In many cases, it will be running in the background, but in some cases it really needs to be front and center for our teams. The other point I might offer is thinking about, as we think about kind of a heartbeat and we think about what makes us healthy, we have to do, we need to eat our vegetables and get our exercise. And so thinking about Tabletop exercises is a way to potentially help ourselves to be a bit adaptive. And thinking about when we run these tabletop exercises around our incident response plans, looking at the need to ensure that they are regularly reviewed and refreshed and that we are fit with them. Right. We feel like we have the muscle memory to be ready to go when unfortunately the dark day comes that there is an incident. Those are a couple of thoughts there.

B (16:50)

Okay. And I like how you talk about resilience. I talk a lot about resilience because it's incredibly important. I talk about it, write about it, blah. I try to get that attention out there because to your point, cybersecurity is never one and done. You need to assume reach and then how are you going to recover? How quickly can you recover? How are you going to continue doing business while you recover? I think those are all important. Let's talk for one more minute about the board and then I want to talk a little bit about optimism. Based on the resilience topic and based on cybersecurity being a very persistent threat, what do you think boards should actually be asking differently of their leadership teams?

A (17:30)

You know, thinking about the maturity model of hopefully everybody has an incident response plan, so it's not do you have it? But when's the last time you exercised it? Hopefully everyone has backups, so it's not do we have them? But when's the last time we tested them? Have we run a tabletop involving a ransomware incident and have we thought through whether or not we would pay? What type of due diligence will we take if we're forced into a position where we can't recover from backups and we are concerned about the leak of our sensitive information or would we be willing to pay? And so I think thinking about the as applied challenges that will come to boards when an incident happens, I think also thinking about the strategy around you mentioned a couple of minutes ago, supply chain and thinking about our third party vendors and really leveraging where, where it's possible. This ability to demand more from third parties, obviously within reason, but looking at all the points that we can around our ecosystem to build resilience collectively so that it's not just over to kind of it. It's not just we need to think about ensuring that human resources is involved in this question around our kind of cybersecurity culture. And the other piece I would say is thinking about the nuts and bolts around how long will it take us to recover. And I think the point you made a couple minutes ago about what can we keep operating while we're working to recover?

B (18:49)

Exactly, because that's in a lot of the larger breaches. That's what we've seen as being the biggest issue for companies. Well, let's talk a minute about optimism. Look, I always try to end my podcast with a nod toward optimism and I call myself a cyber optimist because I do know for every attack that is a big event and we see in the news there are literally thousands that are cyber defenders of the industry have blocked, they've stopped, they've detected early enough. What are you most optimistic about? Now that we are in a new world. Right. We are starting down this AI as both a security assist, but also AI being used by threat actors Again, I'm still very optimistic and I'd love to know what you're optimistic about.

A (19:31)

I also am optimistic. I'm optimistic that we are being more upfront about the need to have good governance in place as we are adding these new capabilities to our suite of technology to help ourselves be more successful and productive in all the things. I think whereas previously we didn't have as much of a conversation, more open conversation around the risks of kind of the cybersecurity risk. I feel like while some may be concerned that we've over indexed on kind of the transparency around the risk that we are currently in, I think we can turn that around and say it's good that we're talking about it because we can better manage it when we talk about it. There are also kind of smaller sort of if that's kind of the high level set of optimism, maybe I think more specific examples of that would be one of my concerns since the time I left government is that we, and even to an extent when I was in government, but the idea around operational collaboration and active defense. So looking at the ability for industry and government to come together to mitigate threat actor abuse of information and communications technologies. While I will say I don't think it's gone farther fast enough, I think we're making really good progress and that gives me some optimism. I think I heard Brett Leatherman say last week or last earlier this year at RSA that they did double the number of joint sequenced operations and kind of on that thinking about that public private collaboration, looking at some recent progress that we've seen with our partners, Europol leading, I think actually that was a Europol Microsoft event that happened earlier this year. It was a takedown, which is great. And we're seeing more organizations in the private sector standing up units to empower themselves and their partners in having a more proactive role in again, kind of looking at mitigating abuse. The other piece, and you mentioned Nooper, I think she's been really leading the charge in being open about what they're seeing on the residential proxy space. And so that also gives me, while it is, you know, it's a very concerning capability that we're seeing be abused, I think the openness that she's approached it with is also a sign of hope. And the last thing I'll say is, and Microsoft was a partner with us this year and last year in the Cyber Policy Awards, which is an award ceremony that we support the organization. And looking at the number of relationships that were in that room that have grown over the years and the collective goodwill that we've established and kind of this ability to by we, I mean the cybersecurity ecosystem, not we ist thinking about the goodwill that we see in that event and just the number of submissions that we receive for all the great work that's happening in the community that doesn't receive the attention that it deserves. Sometimes we don't want the attention. Right. But kind of coming back to some of the earlier points in our conversation and really thinking, taking time to acknowledge the hard work of members of the ecosystem and people's interest in doing so. And so that I think too is a cause for optimism that we are more open about how hard the work is and wanting to make sure that people who are doing the hard work are getting credit.

B (22:34)

I think that's right. And I really appreciate you joining me today. What stands out for me is your work collectively and the reminder that resilience is not built by any single organization. It's built, as you said, by the leaders who are willing to coordinate, to cooperate, to align incentives, who are willing to share information and take responsibility beyond their own walls. So many thanks to you, Megan. Many thanks to our listeners for joining us. Join us next time on Afternoon Cybertea@afternooncybertea.com or wherever you get your favorite podcast.

A (23:14)

Foreign. This week on the Microsoft Threat Intelligence podcast, Cybercrime isn't just about attackers anymore. It's an entire ecosystem from initial access brokers to nation state actors leveraging the same infrastructure, cybercriminals. We'll break down how the ecosystem actually works. Be sure to listen in in and follow us@mstreatintelpodcast.com or wherever you get your favorite podcasts.