
10/10/2018
08:00 PM
Kelly Sheridan

Meet 5 Women Shaping Microsoft's Security Strategy

Profiles of some of the women currently leading Microsoft security operations - and their efforts to drive inclusivity.

Ann Johnson, Corporate VP, Cybersecurity Solutions Group
Johnson is wrapping her third year at Microsoft, which she joined back in 2015 when CEO Satya Nadella brought her in to start its Enterprise Strategy Group.
'I was not thinking of Microsoft with a security lens in 2015,' she says of the summer she was approached for the role. However, later that fall, Microsoft changed its strategy to focus on building security across all platforms and services. 'We couldn't keep going down the path of solutions that were tough to implement,' she adds. The shift inspired her to take the job.
Johnson says she never intended to pursue a technology career - she holds degrees in political science and communications - but she got a job selling computers and never left the industry.
'From that day forward, I just wanted to constantly be learning,' she says. 'Fast forward - I did network work, storage work, always infrastructure work.' Her first employer, Data General, was acquired by EMC, where she stayed for a while before moving on to security and leadership roles at RSA, Qualys, Boundless Spatial, and HYPR Corp. prior to joining Microsoft. Her time at Boundless, a geospatial engineering startup, 'was a break from the security field,' she says.
When she joined Microsoft, Johnson's goal was to convey its new strategy to users. 'The first project I worked on was figuring out how to take assets we have and put them coherently into a type of presentation our salespeople could use to present to customers.'
Now she works on strategy development, determining where Microsoft's security priorities should be and how its 3,500 security engineers will build technology in the future. When she thinks about the potential for security tech, Johnson says there are a few things that come to mind.
For starters, she's working on a series of blog posts around artificial intelligence and what it means for infosec. Microsoft processes six trillion signals in its security graph each day, Johnson points out, and she believes this amount of data is 'a tipping point for security.' Artificial intelligence and machine learning tools can inform admins' priorities, she notes.
'Most of the time we find it's about five things or so that cripple enterprises,' she says of the current state of enterprise security. One problem is getting customers, before they buy new tools, to adopt basic security practices: don't share domain passwords, for example, or adopt multi-factor authentication.
Johnson is also involved in recruitment for the security team. While Microsoft has 3,500 security engineers, there remain open roles. 'It's not easy, and I personally do a lot of the cyber recruiting,' she adds. She's also a mentor and executive sponsor for Microsoft Women in Security.
Part of this job is driving diversity and inclusivity on the security team. 'My view on diversity is, we don't solve problems if we think the same,' Johnson explains. While women on the team are reaching into their networks, she says a priority for her is educating male colleagues on habits, often unintentional, that don't fit into an inclusive work environment.
'A lot of it is unconscious, a lot of people don't know what they're saying,' she says. For example, you'll still have women called 'emotional,' or someone who says, 'Wow, you were aggressive.' Some say it's culturally ingrained in them, Johnson says, and she's trying to fix it.
However, 'I very rarely see malicious behavior anymore,' she points out. 'I'm not saying it doesn't exist, but I don't see it like I would have seen it five or ten years ago.'
(Image: Microsoft)

