WEBVTT

00:00:03.720 --> 00:00:06.240
Welcome to the Azure Security Podcast, where

00:00:06.240 --> 00:00:08.759
we discuss topics relating to security, privacy,

00:00:09.039 --> 00:00:11.460
reliability, and compliance on the Microsoft

00:00:11.460 --> 00:00:15.900
Cloud Platform. Hey everybody, welcome to episode

00:00:15.900 --> 00:00:20.019
119. This week it's myself, Michael, with Sarah

00:00:20.019 --> 00:00:22.440
and Mark, and our guest this week is Ryan Makababa.

00:00:22.500 --> 00:00:24.960
And we're here to talk about kind of what Ryan's

00:00:24.960 --> 00:00:27.199
been up to over the last few years. We actually

00:00:27.199 --> 00:00:31.570
interviewed Ryan about five years ago now. And

00:00:31.570 --> 00:00:33.490
I'm saying this with a bit of a smile on my face

00:00:33.490 --> 00:00:37.009
because I couldn't get Ryan's last name right

00:00:37.009 --> 00:00:39.969
at all. The good news is we actually still have

00:00:39.969 --> 00:00:42.210
a recording of that. So at the very end, if you

00:00:42.210 --> 00:00:44.130
want to have a bit of a laugh, go and listen

00:00:44.130 --> 00:00:46.990
to me completely messing up Ryan's last name.

00:00:47.570 --> 00:00:50.009
But before we get to our guest, let's take a

00:00:50.009 --> 00:00:52.229
little lap around the news. Sarah, why don't

00:00:52.229 --> 00:00:55.880
you kick things off? Okay, well, it's that time

00:00:55.880 --> 00:01:00.100
of year where the AI tour is starting again.

00:01:00.159 --> 00:01:03.939
So the day that we're recording this, I am packing

00:01:03.939 --> 00:01:08.099
my bags to go away to start the AI tour for the

00:01:08.099 --> 00:01:14.780
financial year 2026. So if you've been to the

00:01:14.780 --> 00:01:16.840
AI tour in previous years, you'll know it's a

00:01:16.840 --> 00:01:19.359
one day event. We do it in various different

00:01:19.359 --> 00:01:22.340
cities around the globe. It's usually about 40

00:01:22.340 --> 00:01:24.859
of them. So there could well be one near you.

00:01:25.060 --> 00:01:28.489
So I'll put the link. They are still being all

00:01:28.489 --> 00:01:32.290
planned out at the moment. So you can have a

00:01:32.290 --> 00:01:34.430
look at the link to see if there's one coming

00:01:34.430 --> 00:01:38.090
near you. It does get updated. I know not every

00:01:38.090 --> 00:01:42.310
city is on there immediately. So go and have

00:01:42.310 --> 00:01:45.329
a look. And depending on when we release this

00:01:45.329 --> 00:01:47.930
one, if you happen to be in Chicago, Toronto,

00:01:48.170 --> 00:01:52.150
or Ottawa for the AI tour, I will be there. So

00:01:52.150 --> 00:01:55.609
yeah, go and have a look. There is security stuff.

00:01:56.590 --> 00:02:00.689
You can obviously go learn more about AI and

00:02:00.689 --> 00:02:03.250
just have fun at Microsoft events. I'm biased.

00:02:03.370 --> 00:02:05.930
I love a Microsoft event, of course. So yeah,

00:02:05.989 --> 00:02:09.569
just that one for me. Cool. So a couple updates

00:02:09.569 --> 00:02:13.780
in my part of the world. We did... update the

00:02:13.780 --> 00:02:16.259
access and identity module of the security adoption

00:02:16.259 --> 00:02:19.199
framework or SAF. So these are workshops that

00:02:19.199 --> 00:02:22.080
any Microsoft Unified customer can get delivered.

00:02:22.240 --> 00:02:24.800
And so we just did a refresh of that. We're working

00:02:24.800 --> 00:02:27.400
on the security operations or SOC ones now as

00:02:27.400 --> 00:02:30.949
we speak. Recently published some of the learnings

00:02:30.949 --> 00:02:34.250
that we've made around AI anti-patterns and

00:02:34.250 --> 00:02:37.169
best practices. Obviously focused on security,

00:02:37.469 --> 00:02:40.110
but the anti-patterns are just common mistakes.

00:02:40.490 --> 00:02:42.949
Pattern is anything you do over and over. Anti

00:02:42.949 --> 00:02:44.889
-pattern is one that you don't want to do because

00:02:44.889 --> 00:02:48.090
it's ineffective or counterproductive. And so

00:02:48.090 --> 00:02:50.469
I'll pop a link to the LinkedIn feed on that

00:02:50.469 --> 00:02:53.979
one so you can check that out. And then just

00:02:53.979 --> 00:02:55.919
in general, it had been a little while since

00:02:55.919 --> 00:02:59.080
I had updated the marks list. So it's an article

00:02:59.080 --> 00:03:01.400
I maintain on LinkedIn with kind of a list of

00:03:01.400 --> 00:03:04.060
a bunch of different resources that, a bunch

00:03:04.060 --> 00:03:06.580
of different resources that I provide, as well

00:03:06.580 --> 00:03:08.539
as other ones that I refer people to and use

00:03:08.539 --> 00:03:12.419
all the time. And so it's just aka.ms/markslist.

00:03:12.500 --> 00:03:14.280
Again, the link is going to be in the show notes.

00:03:14.659 --> 00:03:16.479
But, you know, I just kind of organized it, cleaned

00:03:16.479 --> 00:03:18.900
up some of the older links, the dead links, added

00:03:18.900 --> 00:03:20.759
a bunch of the work on the open group standards.

00:03:21.680 --> 00:03:23.919
That's one of the big updates there. And, you

00:03:23.919 --> 00:03:25.340
know, a couple of newer Ignite session recordings

00:03:25.340 --> 00:03:27.580
and, you know, Zero Trust in AI White Paper.

00:03:28.020 --> 00:03:30.099
You know, some of the phenomenal work for the

00:03:30.099 --> 00:03:33.369
Zero Trust Practice Guide and a few others. So

00:03:33.369 --> 00:03:36.110
that's what I got this week. All right, I have

00:03:36.110 --> 00:03:38.469
a couple of, actually I have three items. The

00:03:38.469 --> 00:03:41.710
first one is Azure Databricks. Automatic identity

00:03:41.710 --> 00:03:45.210
management is now generally available. I'm going

00:03:45.210 --> 00:03:46.909
to be honest, I'm not an expert in Azure Databricks,

00:03:46.949 --> 00:03:48.590
even though I was in Azure Data for a long time.

00:03:48.629 --> 00:03:50.530
It was a bit of a mystery to me. But apparently

00:03:50.530 --> 00:03:53.990
it now has automated user provisioning and deprovisioning

00:03:53.990 --> 00:03:56.610
through native integration with Microsoft Entra

00:03:56.610 --> 00:03:59.060
ID. Anything that integrates with Microsoft Entra

00:03:59.060 --> 00:04:01.759
ID, so you've got access to those identities,

00:04:01.860 --> 00:04:05.120
as well as support for all the nice things like

00:04:05.120 --> 00:04:06.479
conditional access and what have you that come

00:04:06.479 --> 00:04:09.319
with that, is always a good thing. Ultimately,

00:04:09.360 --> 00:04:13.080
this is all about simplifying that workflow of

00:04:13.080 --> 00:04:17.560
managing identities. Next one, also from my old,

00:04:17.560 --> 00:04:19.740
my old stomping ground is Azure Cosmos DB for

00:04:19.740 --> 00:04:21.980
MongoDB encryption with customer managed keys

00:04:21.980 --> 00:04:23.920
is now generally available. I know we've mentioned

00:04:23.920 --> 00:04:25.959
it in the past, but now it's generally available.

00:04:26.180 --> 00:04:28.740
So this allows you to control the encryption

00:04:28.740 --> 00:04:30.819
keys or more accurately, the wrapping keys that

00:04:30.819 --> 00:04:32.379
actually wrap the symmetric encryption keys.

00:04:32.519 --> 00:04:34.879
You can now control those because some compliance

00:04:34.879 --> 00:04:36.639
requirements require that. But remember, if you

00:04:36.639 --> 00:04:39.579
lose that key, Microsoft does not have a backup.

00:04:39.720 --> 00:04:43.290
So make sure you control that key. The last one,

00:04:43.350 --> 00:04:45.250
which is a bit of a mystery. Look, I've got to

00:04:45.250 --> 00:04:46.990
be very careful what I say here, and I'm going

00:04:46.990 --> 00:04:49.209
to be really honest with you. I'm a bit of a

00:04:49.209 --> 00:04:53.069
TLS nerd, and I'm also a bit of a TLS purist

00:04:53.069 --> 00:04:56.870
as well. So this is generally available as backend

00:04:56.870 --> 00:04:59.730
TLS validation controls in Azure Application

00:04:59.730 --> 00:05:01.910
Gateway. And essentially what it allows you to

00:05:01.910 --> 00:05:05.470
do is control certain aspects of validation of

00:05:05.470 --> 00:05:08.829
certificates. I have a philosophical issue with

00:05:08.829 --> 00:05:12.230
this. Again, I'm sure that there are customers

00:05:12.230 --> 00:05:14.209
out there that need this while they're experimenting.

00:05:14.430 --> 00:05:17.569
I completely get that. But I do want to make

00:05:17.569 --> 00:05:19.629
sure people are aware of what they're doing when

00:05:19.629 --> 00:05:22.910
they do this. So it essentially allows you to

00:05:22.910 --> 00:05:26.569
enable and disable things like certificate chain

00:05:26.569 --> 00:05:29.269
validation and expiry date. So if you've got

00:05:29.269 --> 00:05:31.449
a certificate that's expired, then you can still

00:05:31.449 --> 00:05:33.970
go ahead and use it. The application gateway

00:05:33.970 --> 00:05:36.009
will still allow the connection to occur even

00:05:36.009 --> 00:05:38.610
though the certificate has expired. Things like

00:05:38.610 --> 00:05:42.329
validating SNIs. There's a few other options

00:05:42.329 --> 00:05:48.149
in there as well. I don't like it. I mean, I

00:05:48.149 --> 00:05:50.069
get it. Look, I get that there's some customers

00:05:50.069 --> 00:05:51.870
who may have issues and this will get them out

00:05:51.870 --> 00:05:55.170
of a hole. I get that. Even the documentation

00:05:55.170 --> 00:05:58.250
says, we recommend keeping all validations enabled

00:05:58.250 --> 00:06:01.269
for production environments. Disabling some or

00:06:01.269 --> 00:06:03.350
all of these validations is suggested only for

00:06:03.350 --> 00:06:05.949
testing and development purposes, such as when

00:06:05.949 --> 00:06:08.449
self-signed certificates are used. I get that,

00:06:08.569 --> 00:06:11.029
but I still don't agree with it. Because if you're

00:06:11.029 --> 00:06:12.930
using self-signed certificates in development

00:06:12.930 --> 00:06:15.990
or in testing, you're not actually, especially

00:06:15.990 --> 00:06:17.610
in testing, you're not actually testing what

00:06:17.610 --> 00:06:19.829
is going to be rolled out into production. You

00:06:19.829 --> 00:06:23.110
should be using a real certificate in testing.

00:06:23.709 --> 00:06:26.389
and production and development. It doesn't have

00:06:26.389 --> 00:06:28.470
to be the certificate that's used in production.

00:06:28.649 --> 00:06:30.910
It can be a certificate that's used in development

00:06:30.910 --> 00:06:32.689
and testing, but it's still a valid certificate.

00:06:33.009 --> 00:06:36.310
It still chains up to a trusted root. It may

00:06:36.310 --> 00:06:38.449
be one that's issued separately. That's completely

00:06:38.449 --> 00:06:41.050
fine, but it still chains up to a trusted root.

00:06:41.129 --> 00:06:42.449
You're doing all the certificate validation.

00:06:42.730 --> 00:06:46.610
Because if you turn this off in testing and you're

00:06:46.610 --> 00:06:49.120
not doing, say, date validation, and then in

00:06:49.120 --> 00:06:51.779
the future, the date becomes incorrect in production.

00:06:52.079 --> 00:06:55.819
Now your system fails in production. Again, I

00:06:55.819 --> 00:06:58.759
get why that's there. Just be really super, super

00:06:58.759 --> 00:07:01.240
careful if you're doing all this stuff. And again,

00:07:01.319 --> 00:07:04.220
I despise self-signed certificates with every

00:07:04.220 --> 00:07:08.600
fiber in my being because they're useless. And

00:07:08.600 --> 00:07:10.899
again, I hear people say all the time, you know,

00:07:10.939 --> 00:07:12.980
oh, we just use them in testing. It's like, no,

00:07:13.100 --> 00:07:16.160
don't. Use real certificates that chain up to

00:07:16.160 --> 00:07:18.100
a real trusted root, but it's not the same one

00:07:18.100 --> 00:07:20.839
necessarily as used in development, but it's

00:07:20.839 --> 00:07:24.040
still a valid certificate with valid dates and

00:07:24.040 --> 00:07:28.319
valid names, everything. And I realize someone's

00:07:28.319 --> 00:07:30.100
going to probably comment on what I just said,

00:07:30.180 --> 00:07:32.199
but anyway, that's just my philosophical perspective,

00:07:32.379 --> 00:07:35.199
but I'm right. Anyway, let's move on. I'm right

00:07:35.199 --> 00:07:37.800
with you on the self-signed thing. I never really

00:07:37.800 --> 00:07:39.819
liked the self-signed thing. So we're right.

00:07:39.980 --> 00:07:43.300
So we're right, not just me. So we'll both get

00:07:43.300 --> 00:07:45.019
a lot of that comment. We'll both get the flag.

00:07:45.139 --> 00:07:48.759
Fair enough. All right, let's move on to our

00:07:48.759 --> 00:07:50.720
guest. Now that I've got my news out of the way,

00:07:50.759 --> 00:07:53.120
as I mentioned, our guest this week, who's actually

00:07:53.120 --> 00:07:55.439
coming back from, so we're at episode 119. We

00:07:55.439 --> 00:07:59.379
last had Ryan on the podcast, episode seven.

00:07:59.600 --> 00:08:03.800
So that was July 20th. That was five years ago.

00:08:04.259 --> 00:08:05.660
So basically what we're trying to do here is

00:08:05.660 --> 00:08:07.459
just catch up with Ryan, see what's going on,

00:08:07.519 --> 00:08:09.360
what's changed for Ryan and what sort of stuff

00:08:09.360 --> 00:08:12.899
she's working on, especially in the area of enterprise

00:08:12.899 --> 00:08:16.060
strategy and enterprise architecture and strategy

00:08:16.060 --> 00:08:19.920
from a security perspective. So Ryan, thank you

00:08:19.920 --> 00:08:23.079
so much for coming back. I'm very happy you've

00:08:23.079 --> 00:08:25.560
come back, but would you like to take a moment

00:08:25.560 --> 00:08:28.800
and introduce yourself to our listeners? Sure.

00:08:29.550 --> 00:08:34.730
I will say that my name is Ryan Makababad. So

00:08:34.730 --> 00:08:36.490
you're still getting it wrong, but you're much,

00:08:36.529 --> 00:08:40.809
much closer. So good job. And I'm a principal

00:08:40.809 --> 00:08:44.909
security program manager. I'm at Microsoft and

00:08:44.909 --> 00:08:49.110
I'm part of the enterprise security team. And

00:08:49.110 --> 00:08:52.830
basically what I'm doing right now is working

00:08:52.830 --> 00:08:57.190
across the company to ensure that everyone is

00:08:57.190 --> 00:09:03.669
aligned on taxonomy and in understanding exactly

00:09:03.669 --> 00:09:10.289
what our requirements are from a legal or contractual

00:09:10.289 --> 00:09:13.429
or regulatory perspective, as well as what best

00:09:13.429 --> 00:09:19.350
practices when it comes to how we as Microsoft

00:09:19.350 --> 00:09:24.730
use the cloud. So yeah, that's what I'm up to

00:09:24.730 --> 00:09:27.289
these days. So I know I still got your name wrong,

00:09:27.350 --> 00:09:29.289
but I said the name better than the very first

00:09:29.289 --> 00:09:31.389
time we first met. I mean, that was just that

00:09:31.389 --> 00:09:34.230
was atrocious. Yes, you did. You did a lot better.

00:09:34.309 --> 00:09:37.309
There's only the one the one syllable that you

00:09:37.309 --> 00:09:39.950
got wrong this time. Oh, well, I'll call that

00:09:39.950 --> 00:09:45.409
improvement. Ryan, you're obviously you're a

00:09:45.409 --> 00:09:47.669
very busy person. I know this because we talked

00:09:47.669 --> 00:09:50.970
about this and I like pre-record brief. But

00:09:50.970 --> 00:09:55.639
I mean. What is the hardest part of your role

00:09:55.639 --> 00:09:59.240
nowadays? What do you find the most challenging?

00:10:00.000 --> 00:10:02.539
So I think that one of the things that I find

00:10:02.539 --> 00:10:05.159
most challenging and why I'm working on it right

00:10:05.159 --> 00:10:08.679
now, it's like whenever you say like getting

00:10:08.679 --> 00:10:15.559
people to align on what policy is or what, you

00:10:15.559 --> 00:10:18.740
know, our requirements are, like, that can sound

00:10:18.740 --> 00:10:22.519
really scary. But the thing is, is that everybody

00:10:22.519 --> 00:10:26.019
understands language differently. And we, we

00:10:26.019 --> 00:10:29.860
all use language differently. And so like, when

00:10:29.860 --> 00:10:33.179
one person talks about production, they might

00:10:33.179 --> 00:10:35.919
be talking about first party. And when another

00:10:35.919 --> 00:10:38.919
person is talking about production, they might

00:10:38.919 --> 00:10:44.110
be talking about the stage in the development

00:10:44.110 --> 00:10:47.350
life cycle that something is in, right? And so

00:10:47.350 --> 00:10:51.789
if you use the same word within a policy, then

00:10:51.789 --> 00:10:54.169
now you have to provide the context of what you

00:10:54.169 --> 00:10:57.009
mean. And if you don't provide the context of

00:10:57.009 --> 00:10:59.649
what you mean, then now what you've done is sown

00:10:59.649 --> 00:11:03.700
confusion and discord amongst the folks that

00:11:03.700 --> 00:11:07.299
on that your audience that actually have to use

00:11:07.299 --> 00:11:10.299
and implement whatever policy or standard or

00:11:10.299 --> 00:11:14.960
communication that you've put out right so like

00:11:14.960 --> 00:11:20.240
that's that's probably one of my biggest I don't

00:11:20.240 --> 00:11:23.059
know, things in just life in general is how we

00:11:23.059 --> 00:11:27.960
use language. Because we use words in ways that

00:11:27.960 --> 00:11:31.340
they aren't intended to be used for. Or we use

00:11:31.340 --> 00:11:36.299
words in ways that where we're assuming the knowledge

00:11:36.299 --> 00:11:43.039
or experience or that the understanding of the

00:11:43.039 --> 00:11:46.960
other party that is part of that communication.

00:11:48.730 --> 00:11:52.269
So much gets lost in translation because of that

00:11:52.269 --> 00:11:54.350
assumption. Can I just add something here? So

00:11:54.350 --> 00:11:57.870
I'm a big stickler for getting words correct

00:11:57.870 --> 00:12:02.269
in general, but certainly in security and absolutely

00:12:02.269 --> 00:12:05.490
when it comes to cryptography. But let me give

00:12:05.490 --> 00:12:08.690
an example. So I'll review things and people

00:12:08.690 --> 00:12:10.389
say, well, we're encrypting the certificate.

00:12:11.259 --> 00:12:12.759
I'm like, are you really encrypting the certificate

00:12:12.759 --> 00:12:14.700
or are you encrypting the private key? Because

00:12:14.700 --> 00:12:16.960
I don't really care that much about the certificate

00:12:16.960 --> 00:12:18.440
because the certificate is public information

00:12:18.440 --> 00:12:21.620
and it's protected with a digital signature so

00:12:21.620 --> 00:12:23.120
it can't be tampered with. So there's nothing

00:12:23.120 --> 00:12:24.759
to see there because there's nothing sensitive

00:12:24.759 --> 00:12:27.440
in there and it can't be tampered with. So do

00:12:27.440 --> 00:12:29.059
you actually really mean the certificate or do

00:12:29.059 --> 00:12:30.960
you mean the private key? And I say, oh, we mean

00:12:30.960 --> 00:12:34.549
the private key. Well, say that. And that sounds

00:12:34.549 --> 00:12:36.230
horrible to say, but I'm like, just be really

00:12:36.230 --> 00:12:39.269
pedantic about what you mean. And again, to your

00:12:39.269 --> 00:12:41.750
point about assumptions, I assume, but I'm usually

00:12:41.750 --> 00:12:43.690
wrong, I assume that people know the difference

00:12:43.690 --> 00:12:46.950
between a certificate and a private key. But

00:12:46.950 --> 00:12:50.490
surprisingly, a lot of people don't. Actually,

00:12:50.509 --> 00:12:53.669
that ties into a lot of the stuff we're doing

00:12:53.669 --> 00:12:56.710
with the roles in Glossary at the Open Group.

00:12:58.360 --> 00:13:00.580
There's some things in precision within security,

00:13:00.799 --> 00:13:03.480
but there's also, when you talk about governance

00:13:03.480 --> 00:13:05.940
to a security person, that means something. When

00:13:05.940 --> 00:13:09.220
you talk it to an IT person and you say governance,

00:13:09.399 --> 00:13:11.360
it means something very different. When you talk

00:13:11.360 --> 00:13:14.159
to a board member who has a fiduciary duty, a

00:13:14.159 --> 00:13:16.940
relationship of trust to the shareholders, governance

00:13:16.940 --> 00:13:19.419
has an entirely different meaning to them and

00:13:19.419 --> 00:13:22.639
the CEO and CFO and chief operating officer,

00:13:22.759 --> 00:13:25.129
et cetera. And the business operations people

00:13:25.129 --> 00:13:28.289
also have a different view of it. And so that

00:13:28.289 --> 00:13:30.210
was one of the interesting things as security

00:13:30.210 --> 00:13:35.269
becomes a mainstream part of an organization.

00:13:35.330 --> 00:13:38.529
And if a business person demands 100% uptime

00:13:38.529 --> 00:13:42.250
and doesn't fund anything for redundancy or patching

00:13:42.250 --> 00:13:44.350
or whatever, and then you're going to blame the

00:13:44.350 --> 00:13:45.850
security team for something that was out of their

00:13:45.850 --> 00:13:48.710
control that you made a decision on. As we sort

00:13:48.710 --> 00:13:51.230
of realize that security is a part of everyone's

00:13:51.230 --> 00:13:54.639
job, all of these worlds and these assumptions

00:13:54.639 --> 00:13:56.580
are colliding. It's not just within the security

00:13:56.580 --> 00:14:00.360
space, but just like language is so, so important.

00:14:00.840 --> 00:14:03.279
So a hundred percent agree with you, Ryan. Yeah.

00:14:03.360 --> 00:14:05.220
And I don't, I don't think that it's pedantic

00:14:05.220 --> 00:14:09.559
to say, like, say what you mean. Right. And,

00:14:09.679 --> 00:14:12.779
and maybe that's because I'm autistic. And so

00:14:12.779 --> 00:14:16.259
I need people. I like literally need people to

00:14:16.259 --> 00:14:18.580
say what they mean, because if they don't say

00:14:18.580 --> 00:14:20.980
what they mean, then like, I'm going to completely

00:14:20.980 --> 00:14:25.629
miss. Like whatever passive and underlying communication

00:14:25.629 --> 00:14:29.450
is going on, whatever nuance is going on that

00:14:29.450 --> 00:14:34.570
they are assuming that I am following, right?

00:14:35.269 --> 00:14:38.389
And there's nothing wrong with being pedantic

00:14:38.389 --> 00:14:40.769
either. Like that's actually a good thing to

00:14:40.769 --> 00:14:43.070
be focused on the facts and the meaning. Yeah,

00:14:43.070 --> 00:14:45.870
but it has a negative connotation to it, right?

00:14:46.230 --> 00:14:48.370
Yeah, that's true. But it's one worth breaking,

00:14:48.490 --> 00:14:51.289
I would say. Yeah, I mean, I was in a conversation

00:14:51.289 --> 00:14:55.009
just recently, and I can't talk about all the

00:14:55.009 --> 00:14:57.889
details, but somebody on the call said, and we

00:14:57.889 --> 00:15:03.049
need a security review. And my response to that

00:15:03.049 --> 00:15:05.750
was, what do you actually mean by security review?

00:15:05.970 --> 00:15:07.389
And again, I even said, I'm not trying to be

00:15:07.389 --> 00:15:10.330
difficult to deal with, but what do you actually

00:15:10.330 --> 00:15:13.570
mean? Do you want a review and feedback, or do

00:15:13.570 --> 00:15:16.190
you want a sign-off? No, I'm going to go one

00:15:16.190 --> 00:15:20.269
level below that. Code review, static analysis,

00:15:20.570 --> 00:15:24.169
dynamic analysis, red team, pen test, privacy

00:15:24.169 --> 00:15:26.490
review. I mean, what do you, you know, compliance

00:15:26.490 --> 00:15:29.570
review? What does that actually mean? It turns

00:15:29.570 --> 00:15:32.789
out that the actual answer was all of the above.

00:15:33.330 --> 00:15:35.429
Well, in which case we need to work out who is

00:15:35.429 --> 00:15:37.889
doing all that work and when, because all of

00:15:37.889 --> 00:15:40.629
the above is actually a lot of work. Yeah, so

00:15:40.629 --> 00:15:44.830
I think that I got really comfortable with asking

00:15:44.830 --> 00:15:49.139
people what they mean, when I got really comfortable

00:15:49.139 --> 00:15:52.639
with saying, I don't know what that means. And

00:15:52.639 --> 00:15:55.700
I'll tell you that it was actually watching Bones,

00:15:55.840 --> 00:16:00.600
which was a, uh, a TV show about a, uh, like

00:16:00.600 --> 00:16:04.659
a scientist who she's definitely autistic, who

00:16:04.659 --> 00:16:09.159
doesn't understand like nuance. And, um, and

00:16:09.159 --> 00:16:13.039
when, you know, people are, uh, kind of trying

00:16:13.039 --> 00:16:17.820
to lead into something. And so like, I think

00:16:17.820 --> 00:16:22.720
that I have had a lot of practice on asking people

00:16:22.720 --> 00:16:26.320
like, what do you mean? I don't understand, but

00:16:26.320 --> 00:16:29.120
leading with like, I don't understand what that

00:16:29.120 --> 00:16:32.279
means. Can you explain it to me in a different

00:16:32.279 --> 00:16:36.679
way? Or can you, can you provide me with more

00:16:36.679 --> 00:16:40.799
context or can you expand on that? And also like

00:16:40.799 --> 00:16:43.879
just telling people straight up, like, Hey, I'm

00:16:43.879 --> 00:16:47.649
autistic and I need. I need more information

00:16:47.649 --> 00:16:52.190
than maybe you might be used to giving so that

00:16:52.190 --> 00:16:55.909
I can ensure that I fully understand what it

00:16:55.909 --> 00:16:58.529
is that you're saying. And I think that that

00:16:58.529 --> 00:17:01.690
helps a lot because then people think, you know,

00:17:01.690 --> 00:17:04.450
like they are really interested in what I'm saying.

00:17:04.529 --> 00:17:06.849
And so they're really putting in effort to understand

00:17:06.849 --> 00:17:10.789
what I say. Yeah. And I think no reasonable person

00:17:10.789 --> 00:17:13.259
would, would, uh, would disagree with what you

00:17:13.259 --> 00:17:15.519
just said. I'll give you a really good example

00:17:15.519 --> 00:17:18.579
as well. Because of the role that I'm in now

00:17:18.579 --> 00:17:21.240
in the red team, um, I get to deal with a lot of

00:17:21.240 --> 00:17:23.380
the Azure back end, like, you know, that thing

00:17:23.380 --> 00:17:26.279
is full of code names and abbreviations and, you

00:17:26.279 --> 00:17:28.420
know, heaven only knows what else, right? And I

00:17:28.420 --> 00:17:29.960
don't know them all. I mean, I'm learning a lot,

00:17:29.960 --> 00:17:32.759
but I don't know them all. And so I make a point

00:17:32.759 --> 00:17:35.200
of actually saying to people, hey, I don't know

00:17:35.200 --> 00:17:37.039
what the awful baffle gloop is. Would you mind

00:17:37.039 --> 00:17:38.599
just taking, you know... Could you please explain

00:17:38.599 --> 00:17:40.539
what that is? Or I'll send a little message to

00:17:40.539 --> 00:17:42.039
someone and say, hey, what the heck's an awful

00:17:42.039 --> 00:17:44.180
baffle gloop? No one has a problem telling me

00:17:44.180 --> 00:17:47.079
what the things are. And in fact, there's a meeting,

00:17:47.400 --> 00:17:50.240
there's a call that we have every day. The person

00:17:50.240 --> 00:17:53.299
who hosts the call, it's a very important call,

00:17:53.359 --> 00:17:55.779
by the way, the person who hosts the call doesn't

00:17:55.779 --> 00:17:59.079
just explain for the first 15 seconds the purpose

00:17:59.079 --> 00:18:01.839
of this meeting. She explains what the purpose

00:18:01.839 --> 00:18:04.880
of the meeting is. And then there is after that,

00:18:04.960 --> 00:18:07.440
if you have any... three letter acronyms, or

00:18:07.440 --> 00:18:10.980
in the case of Azure, 17 letter acronyms, spell

00:18:10.980 --> 00:18:13.319
them out, spell them out on first use, because

00:18:13.319 --> 00:18:14.980
that's really important. And if you use a code

00:18:14.980 --> 00:18:17.420
name, explain on first use what that code, what

00:18:17.420 --> 00:18:19.559
that actually is, because not everyone on the

00:18:19.559 --> 00:18:22.480
call knows what all those things are. It's like

00:18:22.480 --> 00:18:24.839
the old meme, right? It's like, I don't know

00:18:24.839 --> 00:18:28.269
what ABC is. At this point I'm too afraid to ask.

00:18:28.450 --> 00:18:30.650
We need to not do that. We need to make sure

00:18:30.650 --> 00:18:32.529
that everyone understands exactly what all the

00:18:32.529 --> 00:18:34.930
acronyms and code names and product names are,

00:18:34.950 --> 00:18:38.289
are certainly on first use. Yeah. I mean, like

00:18:38.289 --> 00:18:40.950
people are afraid to look, you know, like quote

00:18:40.950 --> 00:18:43.589
unquote dumb and they're, they're afraid to ask

00:18:43.589 --> 00:18:46.589
a quote unquote stupid question. And so like

00:18:46.589 --> 00:18:50.089
I try, I, and I try to do this a lot with, with.

00:18:51.099 --> 00:18:54.480
Just being like the advocate, saying like, hey,

00:18:54.500 --> 00:18:59.180
I'm going to ask what might seem like known information

00:18:59.180 --> 00:19:02.640
or what might seem like stupid questions. I might

00:19:02.640 --> 00:19:04.920
be asking for myself, but I also might be asking

00:19:04.920 --> 00:19:07.140
because I know that there are other people that

00:19:07.140 --> 00:19:11.599
don't know what that means. Oh, 100%. Especially

00:19:11.599 --> 00:19:14.000
early in career, people are more afraid of that.

00:19:14.160 --> 00:19:16.910
So I think it's part. Part of our obligation

00:19:16.910 --> 00:19:19.789
as experienced people in the industry to help

00:19:19.789 --> 00:19:23.109
make that okay. I remember, this is a while ago

00:19:23.109 --> 00:19:24.750
now, but I remember it like it was yesterday.

00:19:25.230 --> 00:19:27.650
I actually said, hey, I'm going to ask this question

00:19:27.650 --> 00:19:29.529
because I know full well that probably 20 people

00:19:29.529 --> 00:19:31.289
on this call are asking the exact same question.

00:19:31.609 --> 00:19:35.470
So I asked the question. So I took the hit, air

00:19:35.470 --> 00:19:37.869
quotes, took the hit. You'd be amazed how many

00:19:37.869 --> 00:19:40.369
messages I got asynchronously saying, thank you

00:19:40.369 --> 00:19:42.069
for asking because I had no idea what that thing

00:19:42.069 --> 00:19:44.630
was either. And I've been around long enough

00:19:44.630 --> 00:19:46.930
that people, I don't even know how to put it,

00:19:46.970 --> 00:19:49.369
I've been around long enough that I can ask the

00:19:49.369 --> 00:19:51.609
question without putting anybody, you know, no

00:19:51.609 --> 00:19:53.390
one's going to feel bad about me asking a question.

00:19:53.910 --> 00:19:55.710
I'm so glad Michael asked that question because

00:19:55.710 --> 00:19:57.029
I've been in the company for three weeks and

00:19:57.029 --> 00:19:59.930
I have no idea what it is. It's funny you say

00:19:59.930 --> 00:20:05.069
that because I have started. I have moved teams

00:20:05.069 --> 00:20:09.809
recently and there are a lot of acronyms being

00:20:09.809 --> 00:20:13.930
used that I don't understand. And I do ask most

00:20:13.930 --> 00:20:17.049
of the time, though I can understand the reluctance.

00:20:17.089 --> 00:20:19.950
And though I did have a couple of people tell

00:20:19.950 --> 00:20:21.990
me afterwards, people who've been there a lot

00:20:21.990 --> 00:20:24.390
longer saying, oh, yeah, I didn't understand

00:20:24.390 --> 00:20:28.269
that either. So, yeah, I feel this very much

00:20:28.269 --> 00:20:31.700
so. Well, and the thing is, is that that's that's

00:20:31.700 --> 00:20:35.460
really common, you know, that like people, nobody

00:20:35.460 --> 00:20:38.279
wants to put their reputation online and some

00:20:38.279 --> 00:20:41.960
people can't. Right. Or they feel like they can't

00:20:41.960 --> 00:20:44.599
for whatever reason or because of the environment

00:20:44.599 --> 00:20:48.059
that they're in. And that's totally OK. You know,

00:20:48.059 --> 00:20:50.619
like we're all at different places in our journeys

00:20:50.619 --> 00:20:54.619
to be able to ask the questions that may make

00:20:54.619 --> 00:20:57.460
us feel self-conscious or or that ask questions

00:20:57.460 --> 00:21:01.940
that like may make make other people have a certain

00:21:01.940 --> 00:21:06.099
perception of us and I'm at a point in my career

00:21:06.099 --> 00:21:09.920
and just in my my life that I can ask questions

00:21:09.920 --> 00:21:13.880
and recognize that people might have opinions

00:21:13.880 --> 00:21:18.440
about me because of it but their opinions don't

00:21:18.440 --> 00:21:21.859
matter that much to me if they can't give me

00:21:21.859 --> 00:21:25.059
grace for learning, right? If they can't give

00:21:25.059 --> 00:21:29.359
me grace for making a mistake. You know, it's

00:21:29.359 --> 00:21:32.269
funny you should say that as well because I think

00:21:32.269 --> 00:21:34.549
most people that know me well know that I make

00:21:34.549 --> 00:21:36.529
fun of everything. I'm always laughing at things

00:21:36.529 --> 00:21:38.829
and I always find humor in things. So when I

00:21:38.829 --> 00:21:40.529
say I don't know something, I always do it with

00:21:40.529 --> 00:21:43.009
a smile on my face. And I even say, hey, you

00:21:43.009 --> 00:21:44.809
know, I'm asking this because I know a lot of

00:21:44.809 --> 00:21:46.569
other people have no idea what the heck you're

00:21:46.569 --> 00:21:49.910
talking about either. In a nice way. But yeah,

00:21:49.970 --> 00:21:51.730
you're absolutely right. So I think that's such

00:21:51.730 --> 00:21:54.269
an important thing is don't assume that everyone

00:21:54.269 --> 00:21:58.049
knows all the backstory, all the inside baseball

00:21:58.049 --> 00:22:00.829
stuff. That's even inside baseball, unless you're

00:22:00.829 --> 00:22:02.329
in the US, you don't even know what inside baseball

00:22:02.329 --> 00:22:04.670
even means. So, Mark, would you mind explaining

00:22:04.670 --> 00:22:08.029
what inside baseball is? I'm in the US and I

00:22:08.029 --> 00:22:09.890
don't know what that means. Well, there you go.

00:22:09.970 --> 00:22:11.509
Mark, do you know what inside baseball means?

00:22:11.650 --> 00:22:13.390
If not, I'll give you my really bad interpretation.

00:22:14.509 --> 00:22:16.609
Just inside knowledge, I think, is probably the

00:22:16.609 --> 00:22:18.789
best way to describe it, is that only people

00:22:18.789 --> 00:22:20.950
who are in the in-group would understand this

00:22:20.950 --> 00:22:22.809
terminology. And that could be deliberate or

00:22:22.809 --> 00:22:26.309
it could be accidental. But that's really what

00:22:26.309 --> 00:22:29.069
it means. It's just inside, not so much inside

00:22:29.069 --> 00:22:32.309
information, but just inside context to interpret

00:22:32.309 --> 00:22:35.450
the information you just got. And I would argue

00:22:35.450 --> 00:22:37.509
that AI is in that position right now. There

00:22:37.509 --> 00:22:43.799
is so much technical stuff about AI that... You

00:22:43.799 --> 00:22:45.779
know, there's new words that are popping up constantly

00:22:45.779 --> 00:22:48.779
and you need to understand what those words are

00:22:48.779 --> 00:22:50.900
if you're working in AI and the odds are extremely

00:22:50.900 --> 00:22:52.759
good you don't know what many of those words

00:22:52.759 --> 00:22:56.559
are. I certainly don't. I still read articles

00:22:56.559 --> 00:23:00.000
once in a while which are basically AI 101 because

00:23:00.000 --> 00:23:03.480
the AI 101 this year changed from the AI 101

00:23:03.480 --> 00:23:06.559
three years ago. There's things that didn't exist

00:23:06.559 --> 00:23:09.309
in AI, especially from a security perspective

00:23:09.309 --> 00:23:12.509
so it's really important you stay on top of some

00:23:12.509 --> 00:23:15.650
of that wording yeah and it's moving really really

00:23:15.650 --> 00:23:18.549
quickly and I think like the same thing needs

00:23:18.549 --> 00:23:22.250
to happen with so like when I when I say that

00:23:22.250 --> 00:23:25.180
I'm I'm you know trying to align everyone across

00:23:25.180 --> 00:23:28.079
the company on on you know these different requirements

00:23:28.079 --> 00:23:31.019
and policies and stuff it's it's because it's

00:23:31.019 --> 00:23:34.339
it's difficult to understand it's because like

00:23:34.339 --> 00:23:38.759
there has been so much growth and evolution and

00:23:38.759 --> 00:23:41.900
and innovation in the technologies that we've

00:23:41.900 --> 00:23:46.000
um that we've been working with but also in in

00:23:46.000 --> 00:23:50.019
you know in the different laws that we have to

00:23:50.019 --> 00:23:52.259
exist in and the different markets that we that

00:23:52.259 --> 00:23:56.099
we operate in. And so it's like you have to be

00:23:56.099 --> 00:24:01.599
able to distill these things down into easily

00:24:01.599 --> 00:24:06.079
digestible information like the one on one on

00:24:06.079 --> 00:24:09.539
one articles that you're reading, Michael. Right.

00:24:09.700 --> 00:24:13.740
So when you look at these at these like a company

00:24:13.740 --> 00:24:17.109
policy, for example, you have like three different

00:24:17.109 --> 00:24:19.210
people that have three different interpretations,

00:24:19.269 --> 00:24:21.869
even though they're all reading the same thing

00:24:21.869 --> 00:24:24.130
because of the language that's used. Like it's

00:24:24.130 --> 00:24:27.630
not, it's, it's legalese and there's nothing

00:24:27.630 --> 00:24:31.309
that, that translates it for you. So I will use,

00:24:31.430 --> 00:24:34.789
I will use things like Copilot or, you know,

00:24:34.789 --> 00:24:37.910
whatever I'm using in, in my, in my personal

00:24:37.910 --> 00:24:41.349
life. I use this, I use a tool called goblins,

00:24:41.349 --> 00:24:45.900
goblin.tools to change the way that I'm saying

00:24:45.900 --> 00:24:48.839
something and the tone of what I'm saying it

00:24:48.839 --> 00:24:53.880
in so that it's friendlier or more social or

00:24:53.880 --> 00:24:57.599
more professional because I need that in my life.

00:24:57.700 --> 00:25:02.299
I just try to speak directly and sometimes that

00:25:02.299 --> 00:25:07.079
comes off aggressively, I guess. I was actually

00:25:07.079 --> 00:25:08.859
just having a conversation the other day with

00:25:08.859 --> 00:25:13.119
someone because when someone learns English as

00:25:13.119 --> 00:25:16.200
a second language, the first words you learn

00:25:16.200 --> 00:25:18.180
in English, because there's usually five or ten

00:25:18.180 --> 00:25:21.099
ways of saying anything in English, are the most

00:25:21.099 --> 00:25:23.380
direct and clear and simple ones. And sometimes

00:25:23.380 --> 00:25:26.700
those are interpreted as rude or overly direct

00:25:26.700 --> 00:25:30.039
as well. And so this actually hits English as

00:25:30.039 --> 00:25:33.690
a second language speakers extra hard. Yeah,

00:25:33.710 --> 00:25:35.569
because, well, it's a regional thing, right?

00:25:35.730 --> 00:25:40.289
It's based off of, like, if you grew up in the

00:25:40.289 --> 00:25:42.049
Midwest, there are certain things that you can

00:25:42.049 --> 00:25:45.869
say that you can't say elsewhere and vice versa,

00:25:46.109 --> 00:25:50.170
right? You can't, in some cultures, right, someone

00:25:50.170 --> 00:25:53.329
will refuse something. For example, if you offer

00:25:53.329 --> 00:25:55.170
something to them, they'll refuse it and they'll

00:25:55.170 --> 00:25:58.410
refuse it like three times. And you have to keep

00:25:58.410 --> 00:26:00.269
on offering it because that's the expectation,

00:26:00.529 --> 00:26:03.200
even though they said they didn't want it, they

00:26:03.200 --> 00:26:05.619
were being polite. And if they do the same thing

00:26:05.619 --> 00:26:09.259
to you, you have to do it in the reverse, right?

00:26:09.880 --> 00:26:12.539
I can give you a great example of this, which

00:26:12.539 --> 00:26:16.240
is from my part, well, from my part of the world.

00:26:16.359 --> 00:26:20.660
So in the UK, and for our UK-based listeners,

00:26:20.839 --> 00:26:23.660
you can feel, you can agree or disagree with

00:26:23.660 --> 00:26:28.390
me, but what we do is if you are, and I realize

00:26:28.390 --> 00:26:30.450
I'm stereotyping here, but if you've gone around

00:26:30.450 --> 00:26:33.750
to someone's house and you've got tea and biscuits,

00:26:34.069 --> 00:26:37.769
if you say, would you like the last biscuit?

00:26:39.150 --> 00:26:41.309
Basically, you're not asking if anyone would

00:26:41.309 --> 00:26:43.250
like the last biscuit. You're basically saying,

00:26:43.410 --> 00:26:46.829
do you care if I have the last biscuit? Or it's

00:26:46.829 --> 00:26:49.390
really more of a statement of I'm going to take

00:26:49.390 --> 00:26:52.740
the last biscuit. FYI, but it's phrased as a

00:26:52.740 --> 00:26:58.519
question. And I would be very upset. Well, I'd

00:26:58.519 --> 00:27:00.839
get over it. But I would be very upset if I said,

00:27:00.859 --> 00:27:03.000
hey, does anyone want the last biscuit? Because

00:27:03.000 --> 00:27:05.680
the correct, correct, I say in inverted commas

00:27:05.680 --> 00:27:09.420
answer to that is no, you have it. But I think

00:27:09.420 --> 00:27:11.680
it's something you would only know probably if

00:27:11.680 --> 00:27:14.119
you grew up in the UK. Yeah, if someone took

00:27:14.119 --> 00:27:15.980
my last biscuit when I've asked that question,

00:27:16.039 --> 00:27:18.720
I'd be a little bit disappointed. Yeah, because

00:27:18.720 --> 00:27:22.599
I would totally say, oh, yeah, I would love it,

00:27:22.640 --> 00:27:25.299
especially if, like, I would love it. But, you

00:27:25.299 --> 00:27:27.920
know, like, I've learned also that when somebody

00:27:27.920 --> 00:27:30.319
offers you something, that they're being polite,

00:27:30.420 --> 00:27:33.339
and so you should accept it. So that would totally

00:27:33.339 --> 00:27:37.420
not work in that situation. I actually taught

00:27:37.420 --> 00:27:39.000
my daughter, and this is probably an example

00:27:39.000 --> 00:27:41.619
of bad parenting more than anything else, but

00:27:41.619 --> 00:27:43.539
I taught my daughter to not ask that question

00:27:43.539 --> 00:27:46.470
because if you want that biscuit, one of the

00:27:46.470 --> 00:27:49.789
US cookie, and you want it, then if you say,

00:27:49.829 --> 00:27:52.910
you know, whatever you just said, Sarah, that

00:27:52.910 --> 00:27:56.069
you run the risk of someone actually saying yes,

00:27:56.130 --> 00:27:58.650
someone like Ryan saying, yes, I want the biscuit.

00:27:59.309 --> 00:28:02.009
Whereas, so I taught her to say, no one wants

00:28:02.009 --> 00:28:04.569
that biscuit, do they? Because that's a more

00:28:04.569 --> 00:28:07.950
direct way of saying, I want the biscuit. No,

00:28:07.970 --> 00:28:10.390
it is. And you're not wrong, Michael. But yeah,

00:28:10.490 --> 00:28:12.450
I was definitely brought up to be like, would

00:28:12.450 --> 00:28:15.900
anybody like the last biscuit? I don't actually

00:28:15.900 --> 00:28:18.460
want you to take the biscuit. Why can't you just

00:28:18.460 --> 00:28:21.900
say, I would like the last biscuit. Would anybody

00:28:21.900 --> 00:28:26.440
like to share it with me? Would you mind if I

00:28:26.440 --> 00:28:32.279
had it? Yeah, I wouldn't mind. Still rude. The

00:28:32.279 --> 00:28:34.720
correct response is, oh, no, no, no, you have

00:28:34.720 --> 00:28:38.079
it. That's the correct response. So, Ryan, so.

00:28:38.950 --> 00:28:41.549
This has been a really, really fun conversation

00:28:41.549 --> 00:28:43.529
where we kind of wandered a little bit away from

00:28:43.529 --> 00:28:45.750
the, I'm trying to think of a baseball analogy,

00:28:45.910 --> 00:28:48.470
but I will fail. But off of the point, can you

00:28:48.470 --> 00:28:50.509
talk a little bit about where you see this happening

00:28:50.509 --> 00:28:51.829
in the real world and industry? I'd love to hear

00:28:51.829 --> 00:28:55.029
some stories, if you could share. So I've worked

00:28:55.029 --> 00:28:59.529
with literally hundreds of customers across various

00:28:59.529 --> 00:29:04.609
different industries, markets, all over the world.

00:29:05.019 --> 00:29:08.140
And some of that was in identity when I was working

00:29:08.140 --> 00:29:10.619
in identity. Some of that was when I was working

00:29:10.619 --> 00:29:15.359
on Microsoft Defender team. And so I've worked

00:29:15.359 --> 00:29:19.740
with all of these different companies and different

00:29:19.740 --> 00:29:23.059
teams within their organizations. It's so funny

00:29:23.059 --> 00:29:27.160
when you get security and IT and security and

00:29:27.160 --> 00:29:30.579
legal or all three of them all in the same room

00:29:30.579 --> 00:29:35.009
because they all have, what, at the surface level,

00:29:35.069 --> 00:29:38.069
is the same requirements. But then when you start

00:29:38.069 --> 00:29:40.890
digging deep into it, they completely do not

00:29:40.890 --> 00:29:43.549
understand what each other's requirements are.

00:29:43.750 --> 00:29:46.210
Because security is looking at things from a

00:29:46.210 --> 00:29:49.109
hardening point of view, right? Compliance is

00:29:49.109 --> 00:29:53.009
looking at things from a proof and attestation

00:29:53.009 --> 00:29:56.440
point of view. Right. Legal is is looking at

00:29:56.440 --> 00:29:59.099
things from a how do I keep my company out of

00:29:59.099 --> 00:30:02.279
hot water type of view? And then you've got privacy,

00:30:02.420 --> 00:30:04.880
which is like, OK, we need to make sure that

00:30:04.880 --> 00:30:08.279
we are in compliance with GDPR so that four percent

00:30:08.279 --> 00:30:12.140
of our our global annual turnover is not something

00:30:12.140 --> 00:30:16.079
that is on the table for, you know, fines and

00:30:16.079 --> 00:30:20.720
penalties. And and so like the language that

00:30:20.720 --> 00:30:23.759
they're using internally, though, completely

00:30:23.759 --> 00:30:27.259
conflicts with each other uh because the definitions

00:30:27.259 --> 00:30:30.319
of the language that they're using the words

00:30:30.319 --> 00:30:34.579
that they're using is not centralized right and

00:30:34.579 --> 00:30:38.980
and that's that's been at whatever company I've

00:30:38.980 --> 00:30:42.019
been uh working at and also whatever company

00:30:42.019 --> 00:30:44.339
I've been working with like I can even tell you

00:30:44.339 --> 00:30:47.140
like in the army where things are supposed to

00:30:47.140 --> 00:30:52.220
be you know um distilled down to the the lowest

00:30:52.220 --> 00:30:57.880
level so that you know even a a private can understand

00:30:57.880 --> 00:31:01.940
the language like you will get a reuse of terms

00:31:01.940 --> 00:31:05.700
and reuse of acronyms and you'll get language

00:31:05.700 --> 00:31:11.099
that is used in different ways but it is the

00:31:11.099 --> 00:31:15.839
same word or the same acronym and so now you

00:31:15.839 --> 00:31:18.829
have different requirements based off of the

00:31:18.829 --> 00:31:21.029
understanding of what that word is within that

00:31:21.029 --> 00:31:24.930
organization, within that business unit at that

00:31:24.930 --> 00:31:28.650
company. And I have yet to see centralized taxonomy

00:31:28.650 --> 00:31:33.609
that has actually been saturated throughout

00:31:33.609 --> 00:31:36.549
a company. I mean, even at Microsoft, you have

00:31:36.549 --> 00:31:39.009
so many different glossaries, you have the security

00:31:39.009 --> 00:31:41.869
glossary, and then the Microsoft glossary and,

00:31:41.910 --> 00:31:46.130
and each, you know, organization, the sales organization

00:31:46.130 --> 00:31:50.319
has their own glossary. And that makes it

00:31:50.319 --> 00:31:52.960
really difficult for us to all speak the same

00:31:52.960 --> 00:31:55.720
language and reach the same goals, I think, because

00:31:55.720 --> 00:31:59.980
we're not understanding exactly what each other

00:31:59.980 --> 00:32:02.579
is saying. Isn't the open group working on some

00:32:02.579 --> 00:32:04.519
of that stuff, Mark? Funny you should mention

00:32:04.519 --> 00:32:08.019
that. Yes, we have a security roles and glossary

00:32:08.019 --> 00:32:11.180
standard that should be, all things going well,

00:32:11.200 --> 00:32:13.440
should be out by the end of October. We're going

00:32:13.440 --> 00:32:16.579
to be talking about it at the open group conference

00:32:16.579 --> 00:32:19.799
in early November. So we should at least have

00:32:19.799 --> 00:32:23.619
some basic baseline out there for a clear glossary

00:32:23.619 --> 00:32:26.259
on what a lot of these meant. And it honestly

00:32:26.259 --> 00:32:30.420
took a lot of work to get some of these things

00:32:30.420 --> 00:32:32.099
locked in. Risk was one of the ones that was

00:32:32.099 --> 00:32:34.640
interesting. We found that there's risk as a

00:32:34.640 --> 00:32:37.099
noun, which is a very specific thing because

00:32:37.099 --> 00:32:39.799
it has to be measurable. So probable loss, probable

00:32:39.799 --> 00:32:43.799
frequency, I think something like that. But then

00:32:43.799 --> 00:32:47.079
risk is also an adjective. And so we ended up

00:32:47.079 --> 00:32:50.279
doing... a lot of work to just make sure there's

00:32:50.279 --> 00:32:52.019
clarity. We look through the NIST definitions

00:32:52.019 --> 00:32:54.819
and the dictionary and a number of other different

00:32:54.819 --> 00:32:58.460
sources as well to, to resolve it. So, you know,

00:32:58.460 --> 00:33:00.680
we were, I can't guarantee that every word that,

00:33:00.700 --> 00:33:02.960
that, that you need is in there, but we are,

00:33:02.980 --> 00:33:05.819
we are making some progress on, on burning down

00:33:05.819 --> 00:33:08.700
that problem. So Ryan, if you could rewrite every

00:33:08.700 --> 00:33:11.700
company's security policy, what would be the

00:33:11.700 --> 00:33:16.579
first thing that you would fix? I think that's

00:33:16.579 --> 00:33:19.000
going back to the word production that I was

00:33:19.000 --> 00:33:24.180
talking about because we have, I think, a responsibility.

00:33:25.259 --> 00:33:27.900
Not just Microsoft as a company, but like all

00:33:27.900 --> 00:33:31.279
companies that are in any way a SaaS provider

00:33:31.279 --> 00:33:34.000
or a cloud solution provider, right? To fulfill

00:33:34.000 --> 00:33:37.779
the promises that we have made to our customers

00:33:37.779 --> 00:33:40.839
and the expectations that we have aligned on

00:33:40.839 --> 00:33:45.559
how we set things up internally. And again, I'm

00:33:45.559 --> 00:33:48.319
not talking about Microsoft. I'm talking about

00:33:48.319 --> 00:33:53.359
like generally speaking, in my experience. If

00:33:53.359 --> 00:33:58.079
you don't have the same definition being used

00:33:58.079 --> 00:34:01.779
of production of, and when I say production,

00:34:01.940 --> 00:34:05.140
okay, I'm saying the environment that is customer

00:34:05.140 --> 00:34:07.920
facing and is hosting your first party apps,

00:34:08.039 --> 00:34:10.380
services, and tools that you are offering to

00:34:10.380 --> 00:34:13.400
your customers. That's production. That's your

00:34:13.400 --> 00:34:17.150
production environment. And then you have your

00:34:17.150 --> 00:34:19.409
enterprise environment and that's where you conduct

00:34:19.409 --> 00:34:22.150
all of your operations. That's where all of your

00:34:22.150 --> 00:34:26.590
business is going on. Right. But that's probably

00:34:26.590 --> 00:34:28.829
the first thing that I would fix is just that

00:34:28.829 --> 00:34:33.809
that word. It's it's it's a thorn in my side.

00:34:34.329 --> 00:34:37.030
So Ryan, the last last couple of things that

00:34:37.030 --> 00:34:40.210
we ask are, you know, first, you know, what's

00:34:40.210 --> 00:34:42.949
a day in the life look like for you? Kind of,

00:34:42.949 --> 00:34:45.119
you know, just average annual life aggregate

00:34:45.119 --> 00:34:48.340
whatever works for you and then any final thoughts

00:34:48.340 --> 00:34:52.820
you have for our listeners sure um that's actually

00:34:52.820 --> 00:34:56.619
that's pretty neat um a day in my life for

00:34:56.619 --> 00:35:00.380
for work usually involves a lot of research.

00:35:00.639 --> 00:35:06.960
I actually use Copilot a lot when I'm trying

00:35:06.960 --> 00:35:11.400
to put together my thoughts and put together

00:35:11.400 --> 00:35:16.940
my research into a cohesive message because I

00:35:16.940 --> 00:35:22.369
suffer very greatly from the... blank page syndrome

00:35:22.369 --> 00:35:25.369
so like if I don't have something to edit then

00:35:25.369 --> 00:35:28.690
it's really difficult for me to get started so

00:35:28.690 --> 00:35:32.389
I would say like doing a lot of research a lot

00:35:32.389 --> 00:35:37.389
of writing but also just communicating with with

00:35:37.389 --> 00:35:40.130
folks and trying to get them to understand what

00:35:40.130 --> 00:35:43.429
the different meanings of things are and and

00:35:43.429 --> 00:35:46.530
convince them a lot like a lot of my job is really

00:35:46.530 --> 00:35:50.659
influencing without authority and taking what

00:35:50.659 --> 00:35:54.699
I know to be true and distilling it into the

00:35:54.699 --> 00:35:57.719
language and not just the language, but also

00:35:57.719 --> 00:36:01.599
the factors that are important to that person

00:36:01.599 --> 00:36:06.980
and how it pertains to what their KPIs are, what

00:36:06.980 --> 00:36:10.320
their objectives are. So that's my day to day.

00:36:11.440 --> 00:36:15.280
In terms of final thoughts, I would say that

00:36:15.280 --> 00:36:19.800
whatever it is that we... we are doing whatever

00:36:19.800 --> 00:36:23.260
it is that we are experts in like we can't expect

00:36:23.260 --> 00:36:25.739
other people to be experts in the same thing

00:36:25.739 --> 00:36:30.380
and if we really want other people to to be successful

00:36:30.380 --> 00:36:33.599
in doing the things that they are experts in

00:36:33.599 --> 00:36:37.500
when it comes to the things that we are experts

00:36:37.500 --> 00:36:41.159
in we put up the the guardrails for them so that

00:36:41.159 --> 00:36:44.800
there isn't an option of straying outside of

00:36:45.320 --> 00:36:50.019
outside of the left and right boundaries, right?

00:36:50.139 --> 00:36:53.920
Because we have used our own expertise to make

00:36:53.920 --> 00:36:58.400
it easy for them. So for those folks who... Yeah,

00:36:58.420 --> 00:37:00.920
everyone should be security conscious and security

00:37:00.920 --> 00:37:04.039
aware, but everyone should not have to be a security

00:37:04.039 --> 00:37:07.760
expert in order to do their jobs securely. As

00:37:07.760 --> 00:37:10.320
security professionals, we should make it easy.

00:37:10.380 --> 00:37:14.260
We should enable and empower end users to do

00:37:14.260 --> 00:37:18.619
their jobs securely. Instead of being the department

00:37:18.619 --> 00:37:23.079
of no, we should be the department of yes, and

00:37:23.079 --> 00:37:27.030
here is how you do it securely. That would be

00:37:27.030 --> 00:37:31.329
my final thought and kind of what I live my professional

00:37:31.329 --> 00:37:34.409
life by. How can I make this easier on folks?

00:37:35.269 --> 00:37:37.070
Yeah, I think that's really important. I mean,

00:37:37.090 --> 00:37:40.929
it's such a dynamic area full of three-letter

00:37:40.929 --> 00:37:43.369
acronyms, full of code names, full of products,

00:37:43.489 --> 00:37:46.769
full of technical jargon. You just can't expect

00:37:46.769 --> 00:37:49.150
everyone to understand those sorts of things.

00:37:49.230 --> 00:37:51.650
I had a similar problem when I was in Azure Data.

00:37:52.269 --> 00:37:55.769
They would throw around database acronyms, things

00:37:55.769 --> 00:37:59.010
and technology and code names. I had to keep

00:37:59.010 --> 00:38:01.530
going to my boss to say, you know, what the heck's

00:38:01.530 --> 00:38:04.650
this thing? I have no clue. So yeah, I agree

00:38:04.650 --> 00:38:06.429
100%. This has been a really interesting episode,

00:38:06.489 --> 00:38:08.610
actually. We've never really spoken much about

00:38:08.610 --> 00:38:12.570
sort of security language, whether spoken or

00:38:12.570 --> 00:38:15.309
written down. So I think this is a very interesting

00:38:15.309 --> 00:38:19.250
episode. So yeah, so thanks for joining us, Ryan.

00:38:19.349 --> 00:38:21.030
I think this has been really, really cool. So

00:38:21.030 --> 00:38:25.510
yeah, so let's wrap this episode up. As I said,

00:38:25.510 --> 00:38:27.750
thank you so much for joining us again, Ryan.

00:38:27.849 --> 00:38:30.570
Thank you for coming back. And to all our listeners

00:38:30.570 --> 00:38:32.289
out there, we hope you found this episode of

00:38:32.289 --> 00:38:36.110
use. Do the outtake. Yeah. Stick around and we'll

00:38:36.110 --> 00:38:40.130
do the outtake from five years ago where I terribly

00:38:40.130 --> 00:38:42.349
messed up Ryan's last name. I just couldn't get

00:38:42.349 --> 00:38:45.230
it right. Can you get it right now? Mark Ababad.

00:38:45.630 --> 00:38:49.690
Hey, there you go. I learn quickly. All right.

00:38:49.710 --> 00:38:51.769
Again, thank you for joining us. Stay safe and

00:38:51.769 --> 00:38:56.800
we'll see you next time. Makubabad. Makubabad.

00:38:57.800 --> 00:39:05.820
No. No. Makubabad. Makubabad. Makubabad. What

00:39:05.820 --> 00:39:10.260
is wrong with me? Makubabad. Makubabad. I'm just

00:39:10.260 --> 00:39:14.380
slower. Makubabad. Makubabad. There's no R there.

00:39:16.760 --> 00:39:20.699
Makubabad. Did I say Makubabad? It's not bar.

00:39:21.019 --> 00:39:25.360
It's ba. Like Bah Humbug. Like Baa Baa Black

00:39:25.360 --> 00:39:29.699
Sheep. Yes. Marku Babad. Marku Babad. Marku Babad.

00:39:29.780 --> 00:39:31.119
Why don't we just have the whole podcast, me

00:39:31.119 --> 00:39:33.760
just saying your last name? Thanks for listening

00:39:33.760 --> 00:39:36.699
to the Azure Security Podcast. You can find show

00:39:36.699 --> 00:39:40.980
notes and other resources at our website, azsecuritypodcast

00:39:40.980 --> 00:39:44.760
.net. If you have any questions, please find

00:39:44.760 --> 00:39:48.190
us on Twitter at AzureSecPod. Background music

00:39:48.190 --> 00:39:51.570
is from ccmixter.com and licensed under the

00:39:51.570 --> 00:39:52.909
Creative Commons License.
