
10/10/2018
08:00 PM
Kelly Sheridan

Meet 5 Women Shaping Microsoft's Security Strategy

Profiles of some of the women currently leading Microsoft security operations - and their efforts to drive inclusivity.

Ann Johnson, Corporate VP, Cybersecurity Solutions Group
Johnson is wrapping her third year at Microsoft, which she joined back in 2015 when CEO Satya Nadella brought her in to start its Enterprise Strategy Group.
'I was not thinking of Microsoft with a security lens in 2015,' she says of the summer she was approached for the role. However, later that fall, Microsoft changed its strategy to focus on building security across all platforms and services. 'We couldn't keep going down the path of solutions that were tough to implement,' she adds. The shift inspired her to take the job.
Johnson says she never intended to pursue a technology career - she holds degrees in political science and communications - but she got a job selling computers and never left the industry.
'From that day forward, I just wanted to constantly be learning,' she says. 'Fast forward - I did network work, storage work, always infrastructure work.' Her first employer, Data General, was acquired by EMC, where she stayed for a while before moving on to security and leadership roles at RSA, Qualys, Boundless Spatial, and HYPR Corp. before Microsoft. Her time at Boundless, a geospatial engineering startup, 'was a break from the security field,' she says.
When she joined Microsoft, Johnson's goal was to convey its new strategy to users. 'The first project I worked on was figuring out how to take assets we have and put them coherently into a type of presentation our salespeople could use to present to customers.'
Now she works on strategy development, determining where Microsoft's security priorities should be and how its 3,500 security engineers will build technology in the future. When she thinks about the potential for security tech, Johnson says there are a few things that come to mind.
For starters, she's working on a series of blog posts around artificial intelligence and what it means for infosec. Microsoft processes six trillion signals in its security graph each day, Johnson points out, and she believes this amount of data is 'a tipping point for security.' Artificial intelligence and machine learning tools can inform admins' priorities, she notes.
'Most of the time we find it's about five things or so that cripple enterprises,' she says of the current state of enterprise security. One problem is getting customers, before they buy new tools, to adopt basic security practices: don't share domain passwords, for example, or adopt multi-factor authentication.
Johnson is also involved in recruitment for the security team. While Microsoft has 3,500 security engineers, there remain open roles. 'It's not easy, and I personally do a lot of the cyber recruiting,' she adds. She's also a mentor and executive sponsor for Microsoft Women in Security.
Part of this job is driving diversity and inclusivity on the security team. 'My view on diversity is, we don't solve problems if we think the same,' Johnson explains. While women on the team are reaching into their networks, she says a priority for her is educating male colleagues on habits, often unintentional, that don't fit into an inclusive work environment.
'A lot of it is unconscious, a lot of people don't know what they're saying,' she says. For example, you'll still have women called 'emotional,' or someone who says, 'Wow, you were aggressive.' Some say it's culturally ingrained in them, Johnson says, and she's trying to fix it.
However, 'I very rarely see malicious behavior anymore,' she points out. 'I'm not saying it doesn't exist, but I don't see it like I would have seen it five or ten years ago.'
(Image: Microsoft)
