
10/10/2018
08:00 PM
Kelly Sheridan

Meet 5 Women Shaping Microsoft's Security Strategy

Profiles of some of the women currently leading Microsoft security operations - and their efforts to drive inclusivity.

Ann Johnson, Corporate VP, Cybersecurity Solutions Group
Johnson is wrapping her third year at Microsoft, which she joined back in 2015 when CEO Satya Nadella brought her in to start its Enterprise Strategy Group.
'I was not thinking of Microsoft with a security lens in 2015,' she says of the summer she was approached for the role. However, later that fall, Microsoft changed its strategy to focus on building security across all platforms and services. 'We couldn't keep going down the path of solutions that were tough to implement,' she adds. The shift inspired her to take the job.
Johnson says she never intended to pursue a technology career - she holds degrees in political science and communications - but she got a job selling computers and never left the industry.
'From that day forward, I just wanted to constantly be learning,' she says. 'Fast forward - I did network work, storage work, always infrastructure work.' Her first employer, Data General, was acquired by EMC, where she stayed for a while before moving on to security and leadership roles at RSA, Qualys, Boundless Spatial, and HYPR Corp. before Microsoft. Her time at Boundless, a geospatial engineering startup, 'was a break from the security field,' she says.
When she joined Microsoft, Johnson's goal was to convey its new strategy to users. 'The first project I worked on was figuring out how to take assets we have and put them coherently into a type of presentation our salespeople could use to present to customers.'
Now she works on strategy development, determining where Microsoft's security priorities should be and how its 3,500 security engineers will build technology in the future. When she thinks about the potential for security tech, Johnson says there are a few things that come to mind.
For starters, she's working on a series of blog posts around artificial intelligence and what it means for infosec. Microsoft processes six trillion signals in its security graph each day, Johnson points out, and she believes this amount of data is 'a tipping point for security.' Artificial intelligence and machine learning tools can inform admins' priorities, she notes.
'Most of the time we find it's about five things or so that cripple enterprises,' she says of the current state of enterprise security. One problem is getting customers, before they buy new tools, to adopt basic security practices: don't share domain passwords, for example, or adopt multi-factor authentication.
Johnson is also involved in recruitment for the security team. While Microsoft has 3,500 security engineers, there remain open roles. 'It's not easy, and I personally do a lot of the cyber recruiting,' she adds. She's also a mentor and executive sponsor for Microsoft Women in Security.
Part of this job is driving diversity and inclusivity on the security team. 'My view on diversity is, we don't solve problems if we think the same,' Johnson explains. While women on the team are reaching into their networks, she says a priority for her is educating male colleagues on habits, often unintentional, that don't fit into an inclusive work environment.
'A lot of it is unconscious, a lot of people don't know what they're saying,' she says. For example, you'll still have women called 'emotional,' or someone who says, 'Wow, you were aggressive.' Some say it's culturally ingrained in them, Johnson says, and she's trying to fix it.
However, 'I very rarely see malicious behavior anymore,' she points out. 'I'm not saying it doesn't exist, but I don't see it like I would have seen it five or ten years ago.'
(Image: Microsoft)
