10/10/2018
08:00 PM
Kelly Sheridan

Meet 5 Women Shaping Microsoft's Security Strategy

Profiles of some of the women currently leading Microsoft security operations - and their efforts to drive inclusivity.
2 of 6

Ann Johnson, Corporate VP, Cybersecurity Solutions Group
Johnson is wrapping her third year at Microsoft, which she joined back in 2015 when CEO Satya Nadella brought her in to start its Enterprise Strategy Group.
'I was not thinking of Microsoft with a security lens in 2015,' she says of the summer she was approached for the role. However, later that fall, Microsoft changed its strategy to focus on building security across all platforms and services. 'We couldn't keep going down the path of solutions that were tough to implement,' she adds. The shift inspired her to take the job.
Johnson says she never intended to pursue a technology career - she holds degrees in political science and communications - but she got a job selling computers and never left the industry.
'From that day forward, I just wanted to constantly be learning,' she says. 'Fast forward - I did network work, storage work, always infrastructure work.' Her first employer, Data General, was acquired by EMC, where she stayed for a while before moving on to security and leadership roles at RSA, Qualys, Boundless Spatial, and HYPR Corp. before Microsoft. Her time at Boundless, a geospatial engineering startup, 'was a break from the security field,' she says.
When she joined Microsoft, Johnson's goal was to convey its new strategy to users. 'The first project I worked on was figuring out how to take assets we have and put them coherently into a type of presentation our salespeople could use to present to customers.'
Now she works on strategy development, determining where Microsoft's security priorities should be and how its 3,500 security engineers will build technology in the future. When she thinks about the potential for security tech, Johnson says there are a few things that come to mind.
For starters, she's working on a series of blog posts around artificial intelligence and what it means for infosec. Microsoft processes six trillion signals in its security graph each day, Johnson points out, and she believes this amount of data is 'a tipping point for security.' Artificial intelligence and machine learning tools can inform admins' priorities, she notes.
'Most of the time we find it's about five things or so that cripple enterprises,' she says of the current state of enterprise security. One problem is getting customers, before they buy new tools, to adopt basic security practices: don't share domain passwords, for example, or adopt multi-factor authentication.
Johnson is also involved in recruitment for the security team. While Microsoft has 3,500 security engineers, there remain open roles. 'It's not easy, and I personally do a lot of the cyber recruiting,' she adds. She's also a mentor and executive sponsor for Microsoft Women in Security.
Part of this job is driving diversity and inclusivity on the security team. 'My view on diversity is, we don't solve problems if we think the same,' Johnson explains. While women on the team are reaching into their networks, she says a priority for her is educating male colleagues on habits, often unintentional, that don't fit into an inclusive work environment.
'A lot of it is unconscious, a lot of people don't know what they're saying,' she says. For example, you'll still have women called 'emotional,' or someone who says, 'Wow, you were aggressive.' Some say it's culturally ingrained in them, Johnson says, and she's trying to fix it.
However, 'I very rarely see malicious behavior anymore,' she points out. 'I'm not saying it doesn't exist, but I don't see it like I would have seen it five or ten years ago.'
(Image: Microsoft)
