1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,360
where we discuss topics relating to security, privacy,

3
00:00:09,360 --> 00:00:13,720
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,720 --> 00:00:16,520
Hey, everybody. Welcome to Episode 72.

5
00:00:16,520 --> 00:00:18,280
This week's a little different.

6
00:00:18,280 --> 00:00:21,960
The podcast has been going now for almost three years.

7
00:00:21,960 --> 00:00:23,520
This week, we're just going to interview everyone.

8
00:00:23,520 --> 00:00:25,040
We're just going to talk between ourselves,

9
00:00:25,040 --> 00:00:27,040
discuss what we've done at Microsoft.

10
00:00:27,040 --> 00:00:28,600
Things have changed for all of us

11
00:00:28,600 --> 00:00:30,640
career-wise within the company.

12
00:00:30,640 --> 00:00:34,720
I think it would just be really useful to get an idea of what we're doing,

13
00:00:34,720 --> 00:00:36,120
what drives us.

14
00:00:36,120 --> 00:00:38,640
But before we get to our little discussion,

15
00:00:38,640 --> 00:00:41,400
let's have a little lap around the news. I'll kick things off.

16
00:00:41,400 --> 00:00:46,320
The first one is IPv6 support is coming to Azure AD.

17
00:00:46,320 --> 00:00:49,800
That includes things like conditional access policies

18
00:00:49,800 --> 00:00:51,920
and all sorts of policies like that,

19
00:00:51,920 --> 00:00:54,240
where you can actually not just use IPv4 addresses,

20
00:00:54,240 --> 00:00:57,280
but you can also use IPv6 addresses.

21
00:00:57,280 --> 00:01:00,560
The other item is I wrote a blog post.

22
00:01:00,560 --> 00:01:02,960
There's a feature which we talked about a lot

23
00:01:02,960 --> 00:01:04,760
from this podcast called Ledger.

24
00:01:04,760 --> 00:01:07,480
That's in Azure SQL DB and in SQL Server.

25
00:01:07,480 --> 00:01:11,480
It's all about validating that transactions have not been tampered with.

26
00:01:11,480 --> 00:01:16,240
What turns out is that it's really useful for repudiation of receipt threats.

27
00:01:16,240 --> 00:01:18,240
If you're familiar with building threat models,

28
00:01:18,240 --> 00:01:19,920
the R in STRIDE,

29
00:01:19,920 --> 00:01:23,200
which is how we think about what an attacker wants to do to a system.

30
00:01:23,200 --> 00:01:24,720
For example, S is spoofing.

31
00:01:24,720 --> 00:01:28,840
If you've got a process, how do you know that's the real process and not a rogue?

32
00:01:28,840 --> 00:01:30,240
That's a spoofing threat.

33
00:01:30,240 --> 00:01:34,040
Well, one of them is repudiation and that's the R in STRIDE.

34
00:01:34,040 --> 00:01:38,040
It turns out that Ledger is actually really good at mitigating repudiation threats,

35
00:01:38,040 --> 00:01:39,880
or at least repudiation of receipt.

36
00:01:39,880 --> 00:01:44,360
I actually wrote a blog post on repudiation of transmission,

37
00:01:44,360 --> 00:01:47,280
repudiation of origin, and repudiation of receipt,

38
00:01:47,280 --> 00:01:50,800
and talk about things like immutable blob storage,

39
00:01:50,800 --> 00:01:54,960
and especially the compliance requirements around that.

40
00:01:54,960 --> 00:01:58,480
It's a slightly different read in as much as it's talking about an area

41
00:01:58,480 --> 00:02:00,960
that a lot of people don't really think about much.

42
00:02:00,960 --> 00:02:02,400
So yeah, take a look.

43
00:02:02,400 --> 00:02:06,120
Next one is we're moving full steam ahead,

44
00:02:06,120 --> 00:02:08,560
and I know that Mark will have an opinion on this,

45
00:02:08,560 --> 00:02:12,600
but we're moving full steam ahead with using

46
00:02:12,600 --> 00:02:16,720
number matching for multi-factor authentication.

47
00:02:16,720 --> 00:02:19,000
This is going to be huge.

48
00:02:19,000 --> 00:02:21,400
It's a really important part of MFA, I think.

49
00:02:21,400 --> 00:02:23,520
So yes, keep an eye out on that.

50
00:02:23,520 --> 00:02:29,080
And the last one is a colleague of mine, Buck Woody and David Seiss,

51
00:02:29,080 --> 00:02:31,960
have written Soup to Nuts, Zero to Hero,

52
00:02:31,960 --> 00:02:36,960
Introduction to Security in SQL Server and in Azure SQL DB.

53
00:02:36,960 --> 00:02:40,240
Really well worth it, very well written, completely in-depth,

54
00:02:40,240 --> 00:02:41,920
covers absolutely everything.

55
00:02:41,920 --> 00:02:43,480
It's well worth the read.

56
00:02:43,480 --> 00:02:46,400
So that's what I have this week.

57
00:02:46,400 --> 00:02:49,120
Yeah, it's funny you mention that because I actually just did

58
00:02:49,120 --> 00:02:51,960
an in-person event, first one in a while,

59
00:02:51,960 --> 00:02:56,600
with Buck Woody in the Tampa office for Microsoft, Tampa, Florida.

60
00:02:56,600 --> 00:02:58,640
And so it was just kind of funny.

61
00:02:58,640 --> 00:03:00,080
It was all about security.

62
00:03:00,080 --> 00:03:01,680
So I did the overall security thing,

63
00:03:01,680 --> 00:03:03,680
and then there's a bunch of other sessions

64
00:03:03,680 --> 00:03:08,200
that Buck and some others did on securing your data.

65
00:03:08,200 --> 00:03:10,360
So it's kind of funny that you mention it.

66
00:03:10,360 --> 00:03:12,760
It's a small world, right?

67
00:03:12,760 --> 00:03:15,920
It is a small community, yes.

68
00:03:15,920 --> 00:03:18,320
I think the world is still physically as big as it ever was.

69
00:03:18,320 --> 00:03:20,640
It's just we're connected better.

70
00:03:20,640 --> 00:03:25,120
So on my news side, the big news for me is,

71
00:03:25,120 --> 00:03:27,960
and I think for Gladys and Sarah as well,

72
00:03:27,960 --> 00:03:33,640
as well as Yuri Diogenes, is that the exam reference for SC-100,

73
00:03:33,640 --> 00:03:37,160
the cybersecurity architect, the book, the exam reference book,

74
00:03:37,160 --> 00:03:38,160
is out.

75
00:03:38,160 --> 00:03:40,280
Really excited about that.

76
00:03:40,280 --> 00:03:42,040
I think I put my LinkedIn post the first time

77
00:03:42,040 --> 00:03:44,160
my name has appeared on the front of a book, which

78
00:03:44,160 --> 00:03:45,200
is kind of cool.

79
00:03:45,200 --> 00:03:46,640
So that was pretty exciting.

80
00:03:46,640 --> 00:03:51,760
And we put a lot into that one around really practical,

81
00:03:51,760 --> 00:03:55,920
no-holds-barred advice on what an architect is and does,

82
00:03:55,920 --> 00:03:58,960
as well as all the topics related to the exam.

83
00:03:58,960 --> 00:04:02,080
Compliance really kind of called out the great things

84
00:04:02,080 --> 00:04:03,760
about compliance, as well as the things

85
00:04:03,760 --> 00:04:06,040
that compliance is not security.

86
00:04:06,040 --> 00:04:09,280
And here are some examples of how it doesn't do that.

87
00:04:09,280 --> 00:04:11,760
So really meant to make that as practical as possible

88
00:04:11,760 --> 00:04:14,120
for both the exam and the real world.

89
00:04:14,120 --> 00:04:15,880
This one, I don't have really any links or anything

90
00:04:15,880 --> 00:04:18,200
to announce, but we're working hard on the zero trust

91
00:04:18,200 --> 00:04:20,080
standards at the Open Group so that there

92
00:04:20,080 --> 00:04:22,200
is a standard way of expressing zero trust

93
00:04:22,200 --> 00:04:24,600
security, which is really just modern security

94
00:04:24,600 --> 00:04:26,760
without the whole, it's behind the firewall,

95
00:04:26,760 --> 00:04:30,000
so therefore it's a kind of flawed assumption.

96
00:04:30,000 --> 00:04:33,440
So we're working on getting that standardized and released.

97
00:04:33,440 --> 00:04:36,880
The first one out will be kind of a combination

98
00:04:36,880 --> 00:04:39,120
of the core principles and the zero trust commandments

99
00:04:39,120 --> 00:04:40,680
that are out there today.

100
00:04:40,680 --> 00:04:43,240
A little bit of new elements and insights on it,

101
00:04:43,240 --> 00:04:47,840
but mostly kind of a release those as an actual standard.

102
00:04:47,840 --> 00:04:50,480
Another thing that I've been putting a lot of work into

103
00:04:50,480 --> 00:04:53,360
that just finished was the architecture design

104
00:04:53,360 --> 00:04:57,120
session module three, which is basically a security operations

105
00:04:57,120 --> 00:05:00,160
or SOC module for the workshops that we put out

106
00:05:00,160 --> 00:05:02,120
through Microsoft Unified.

107
00:05:02,120 --> 00:05:09,120
And so this is in the normal Microsoft Unified catalog.

108
00:05:09,120 --> 00:05:12,240
And so if you look for security architecture workshop in there,

109
00:05:12,240 --> 00:05:15,600
you'll find that module one and module three are now available.

110
00:05:15,600 --> 00:05:18,520
And if you don't have access to the portal or what have you,

111
00:05:18,520 --> 00:05:21,240
just reach out to your account person or your CSAM

112
00:05:21,240 --> 00:05:24,080
or customer service account manager,

113
00:05:24,080 --> 00:05:25,480
I think they're called.

114
00:05:25,480 --> 00:05:28,240
But yeah, that one's available, and we are scheduling

115
00:05:28,240 --> 00:05:29,440
our first deliveries now.

116
00:05:29,440 --> 00:05:31,900
The other thing I've been doing a lot of research and work on

117
00:05:31,900 --> 00:05:33,360
for a number of different reasons

118
00:05:33,360 --> 00:05:37,720
is how do roles in security actually evolve,

119
00:05:37,720 --> 00:05:40,820
and when do the specialties or specializations actually

120
00:05:40,820 --> 00:05:45,560
get created, and why and when, and who

121
00:05:45,560 --> 00:05:47,640
does the specialization of the job

122
00:05:47,640 --> 00:05:52,840
if you don't have a 20, 30, 50, 100-person team?

123
00:05:52,840 --> 00:05:55,460
Who inherits that and does that work

124
00:05:55,460 --> 00:05:58,080
until there is someone dedicated to it?

125
00:05:58,080 --> 00:06:00,520
And so including a couple of links in the show notes

126
00:06:00,520 --> 00:06:03,600
to some of the work there to try and discover that and validate

127
00:06:03,600 --> 00:06:04,100
it.

128
00:06:04,100 --> 00:06:05,320
If you all have a strong opinion there,

129
00:06:05,320 --> 00:06:06,760
go forth and check them out if you're

130
00:06:06,760 --> 00:06:08,320
interested in learning it.

131
00:06:08,320 --> 00:06:09,960
We've got one for security operations,

132
00:06:09,960 --> 00:06:12,680
and then the sort of general technical roles as well.

133
00:06:12,680 --> 00:06:15,600
So that's all I got on the news side today.

134
00:06:15,600 --> 00:06:18,400
Let's switch gears into kind of interviewing

135
00:06:18,400 --> 00:06:19,560
each other type of mode.

136
00:06:19,560 --> 00:06:21,880
We should probably start with just introducing ourselves

137
00:06:21,880 --> 00:06:23,640
and kind of what we currently do,

138
00:06:23,640 --> 00:06:26,240
and then we can kind of get into some questions

139
00:06:26,240 --> 00:06:28,440
and interview each other.

140
00:06:28,440 --> 00:06:29,480
My name is Mark Simos.

141
00:06:29,480 --> 00:06:32,840
I'm lead cybersecurity architect at Microsoft.

142
00:06:32,840 --> 00:06:35,080
Not a lot has changed from a job role for me.

143
00:06:35,080 --> 00:06:36,500
I mean, I've actually changed where

144
00:06:36,500 --> 00:06:38,800
I happen to report to within the organization,

145
00:06:38,800 --> 00:06:40,960
but I've been doing the lead cybersecurity architect thing

146
00:06:40,960 --> 00:06:42,160
for a number of years now.

147
00:06:42,160 --> 00:06:45,680
And so in that role, I basically build guidance

148
00:06:45,680 --> 00:06:47,960
to help various different roles of customers,

149
00:06:47,960 --> 00:06:51,360
everything from CISOs and business leaders and board

150
00:06:51,360 --> 00:06:54,320
members on occasion, and security architects

151
00:06:54,320 --> 00:06:57,320
and security analysts and engineers and operations folks

152
00:06:57,320 --> 00:06:58,580
in IT, et cetera.

153
00:06:58,580 --> 00:07:03,000
Take a look at the broad swath of Microsoft's cyber

154
00:07:03,000 --> 00:07:05,320
capabilities and features and technology.

155
00:07:05,320 --> 00:07:08,680
Take a look at the changing technical platforms.

156
00:07:08,680 --> 00:07:11,480
Take a look at the changing business priorities

157
00:07:11,480 --> 00:07:12,920
and initiatives that are going on,

158
00:07:12,920 --> 00:07:15,720
the changing threat landscape, and build reference

159
00:07:15,720 --> 00:07:19,720
architectures, reference strategies, top 10 lists,

160
00:07:19,720 --> 00:07:23,320
workshops, et cetera, to help people kind of make sense

161
00:07:23,320 --> 00:07:26,120
of all of this stuff that most people don't have time

162
00:07:26,120 --> 00:07:27,600
to kind of keep up on themselves.

163
00:07:27,600 --> 00:07:29,880
So really kind of that's my job is putting out

164
00:07:29,880 --> 00:07:33,320
that reference stuff and then helping our folks that

165
00:07:33,320 --> 00:07:34,960
help our customers train them up,

166
00:07:34,960 --> 00:07:37,560
get them ready to deliver those and take

167
00:07:37,560 --> 00:07:39,240
care of our customers.

168
00:07:39,240 --> 00:07:41,120
So my name is Gladys Rodriguez.

169
00:07:41,120 --> 00:07:46,800
I've been in Microsoft for 16 years last week, actually.

170
00:07:46,800 --> 00:07:51,160
14 years, I was mostly a customer-facing resource,

171
00:07:51,160 --> 00:07:55,320
helping a customer implement architect solutions.

172
00:07:55,320 --> 00:07:57,720
And the last two years, I've been in what

173
00:07:57,720 --> 00:08:00,520
is called Strategic Missions and Technologies.

174
00:08:00,520 --> 00:08:04,760
This is our organization that puts many solutions

175
00:08:04,760 --> 00:08:07,880
or many services within Microsoft in order

176
00:08:07,880 --> 00:08:11,280
to provide business solutions to customers.

177
00:08:11,280 --> 00:08:13,120
And what I'm going to explain actually

178
00:08:13,120 --> 00:08:18,440
is 180 degrees from what I used to do two years ago.

179
00:08:18,440 --> 00:08:21,880
We are using all the Azure services in order

180
00:08:21,880 --> 00:08:26,720
to bring, for example, telecommunications capabilities

181
00:08:26,720 --> 00:08:28,000
to customers.

182
00:08:28,000 --> 00:08:31,160
And some of this is using satellites,

183
00:08:31,160 --> 00:08:32,720
using ground stations.

184
00:08:32,720 --> 00:08:36,360
And these services, you may have heard it as Azure Orbital

185
00:08:36,360 --> 00:08:38,000
or Azure Space.

186
00:08:38,000 --> 00:08:42,000
There is a work that we're doing with quantum.

187
00:08:42,000 --> 00:08:44,280
There's a lot of different things.

188
00:08:44,280 --> 00:08:50,120
It's a lot of learning, but it's really cool trying to secure

189
00:08:50,120 --> 00:08:52,520
all these capabilities.

190
00:08:52,520 --> 00:08:57,520
And like Mark mentioned, I just had my first time, my name

191
00:08:57,520 --> 00:08:58,560
also in the book.

192
00:08:58,560 --> 00:09:00,880
So I'm really excited about that.

193
00:09:00,880 --> 00:09:04,120
I am Sarah Young.

194
00:09:04,120 --> 00:09:05,640
I've had a couple of roles in Microsoft

195
00:09:05,640 --> 00:09:07,440
since we started this podcast.

196
00:09:07,440 --> 00:09:10,520
But I am now a cloud security advocate.

197
00:09:10,520 --> 00:09:16,760
So what that means is I am in the advocacy team.

198
00:09:16,760 --> 00:09:19,880
You may also know it has other names.

199
00:09:19,880 --> 00:09:23,240
But some organizations call it developer relations.

200
00:09:23,240 --> 00:09:25,180
But of course, because I'm doing security,

201
00:09:25,180 --> 00:09:26,780
I don't just talk to devs.

202
00:09:26,780 --> 00:09:35,240
And the idea is that we advocate to and on behalf of communities.

203
00:09:35,240 --> 00:09:38,280
So for me, of course, it's the security community.

204
00:09:38,280 --> 00:09:42,680
So that means that I'm trying to talk to the community,

205
00:09:42,680 --> 00:09:45,980
attend events, see people, meet people,

206
00:09:45,980 --> 00:09:49,880
give you lots of stickers, but also take any feedback you have

207
00:09:49,880 --> 00:09:51,880
back into our engineering teams.

208
00:09:51,880 --> 00:09:55,080
Because Microsoft is a bit of a big beast.

209
00:09:55,080 --> 00:09:58,440
And it can be really difficult to get feedback

210
00:09:58,440 --> 00:09:59,840
into the right places.

211
00:09:59,840 --> 00:10:02,520
So that's the kind of things that I do.

212
00:10:02,520 --> 00:10:05,840
I also try and look for gaps in our content.

213
00:10:05,840 --> 00:10:09,000
I use content in the loosest sense of the word, so blogs,

214
00:10:09,000 --> 00:10:11,880
documents, videos, whatever it is.

215
00:10:11,880 --> 00:10:15,760
If there are gaps and we're not addressing a particular

216
00:10:15,760 --> 00:10:18,720
community's needs, we'll try to help with that too.

217
00:10:18,720 --> 00:10:21,280
And on that note, if anyone has any ideas,

218
00:10:21,280 --> 00:10:22,800
feel free to tweet me.

219
00:10:22,800 --> 00:10:26,960
If you think you see a glaring hole that we have missed.

220
00:10:26,960 --> 00:10:29,400
But that's what I do nowadays.

221
00:10:29,400 --> 00:10:33,720
I'm also back in Australia because I have moved countries

222
00:10:33,720 --> 00:10:36,200
a few times since we've been doing this.

223
00:10:36,200 --> 00:10:38,840
So if anyone hasn't caught up with what country I'm

224
00:10:38,840 --> 00:10:41,760
currently in, that would be Australia.

225
00:10:41,760 --> 00:10:44,400
And Michael, over to you.

226
00:10:44,400 --> 00:10:45,320
Thanks for that, Sarah.

227
00:10:45,320 --> 00:10:46,320
I'm Michael Howard.

228
00:10:46,320 --> 00:10:47,520
I've been at Microsoft now.

229
00:10:47,520 --> 00:10:50,760
Actually, last June, I just hit 30 years at Microsoft.

230
00:10:50,760 --> 00:10:53,880
Right now, I'm actually working in the Azure data team.

231
00:10:53,880 --> 00:10:58,320
So I'm working on engineering for Azure SQL database, SQL

232
00:10:58,320 --> 00:11:01,760
Server, Cosmos DB, PostgreSQL, and MySQL.

233
00:11:01,760 --> 00:11:04,280
So it's all the backend stuff, all the backend security

234
00:11:04,280 --> 00:11:06,520
stuff for those products.

235
00:11:06,520 --> 00:11:08,640
Interesting, fun fact.

236
00:11:08,640 --> 00:11:13,400
So when we had, for those of you who remember, so last year,

237
00:11:13,400 --> 00:11:18,680
episode 51, on April the 18th, we interviewed Thomas Weiss

238
00:11:18,680 --> 00:11:20,680
from the Cosmos DB team.

239
00:11:20,680 --> 00:11:23,920
While Thomas and I were actually, sort of, in the air

240
00:11:23,920 --> 00:11:26,000
quotes, in the green room, just discussing stuff,

241
00:11:26,000 --> 00:11:31,440
before Mark, Gladys, and Sarah joined, he actually said to me,

242
00:11:31,440 --> 00:11:34,520
he said, hey, how do you fancy moving over to Azure data?

243
00:11:34,520 --> 00:11:37,280
And I said, yeah, sounds like a great idea.

244
00:11:37,280 --> 00:11:39,880
And literally, so the ball started rolling then.

245
00:11:39,880 --> 00:11:43,760
And by the end of May, I was actually

246
00:11:43,760 --> 00:11:45,400
working for Azure data.

247
00:11:45,400 --> 00:11:48,520
Great team, fantastic team, great engineering people.

248
00:11:48,520 --> 00:11:51,240
And my main focus now is just on that.

249
00:11:51,240 --> 00:11:53,040
So it's the engineering that goes

250
00:11:53,040 --> 00:11:56,880
into securing those products, both the actual running

251
00:11:56,880 --> 00:11:58,800
products, but also the infrastructure

252
00:11:58,800 --> 00:12:00,360
on Azure in the backend.

253
00:12:00,360 --> 00:12:04,920
So yeah, it's really great to be back in engineering.

254
00:12:04,920 --> 00:12:07,000
Software engineering is my first love.

255
00:12:07,000 --> 00:12:10,640
So yeah, really excited to be back doing that.

256
00:12:10,640 --> 00:12:12,880
So with our sort of introductions out of the way,

257
00:12:12,880 --> 00:12:15,120
Mark, why don't you sort of continue the thought?

258
00:12:15,120 --> 00:12:15,920
Yeah, absolutely.

259
00:12:15,920 --> 00:12:17,960
I have a curiosity for you.

260
00:12:17,960 --> 00:12:20,760
It's actually, let me do a quick story first.

261
00:12:20,760 --> 00:12:23,320
One of our past guests, who I won't name,

262
00:12:23,320 --> 00:12:26,360
was when they came on the show, they're a great guest

263
00:12:26,360 --> 00:12:28,480
and had a really good session.

264
00:12:28,480 --> 00:12:30,840
And then afterwards, they made a comment to me,

265
00:12:30,840 --> 00:12:34,320
like, I was so intimidated and had imposter syndrome

266
00:12:34,320 --> 00:12:36,120
because you're on the podcast and whatever.

267
00:12:36,120 --> 00:12:39,160
I'm like, you know who Michael is, right?

268
00:12:39,160 --> 00:12:41,480
Because he was the guy that I was intimidated

269
00:12:41,480 --> 00:12:43,040
with when I started at Microsoft,

270
00:12:43,040 --> 00:12:46,720
because I've only been at Microsoft 23 years.

271
00:12:46,720 --> 00:12:49,440
And Michael was the big name in security.

272
00:12:49,440 --> 00:12:53,760
So dialing the time machine back to that era,

273
00:12:53,760 --> 00:12:57,440
I love to hear, because I know the software development

274
00:12:57,440 --> 00:13:01,120
lifecycle was kicked off by that famous Bill Gates memo

275
00:13:01,120 --> 00:13:02,680
that got things going.

276
00:13:02,680 --> 00:13:04,920
But one of the things I'm kind of curious about

277
00:13:04,920 --> 00:13:08,160
is sort of the program side of it.

278
00:13:08,160 --> 00:13:10,000
I know there's a lot of technical training.

279
00:13:10,000 --> 00:13:11,880
They stopped development of Windows for,

280
00:13:11,880 --> 00:13:14,320
I don't know, a couple months or something like that.

281
00:13:14,320 --> 00:13:15,920
And the thing I was kind of curious about is,

282
00:13:15,920 --> 00:13:19,560
how did they end up doing the program side of it

283
00:13:19,560 --> 00:13:23,040
in terms of, do they set up a group that did that?

284
00:13:23,040 --> 00:13:24,280
Because I remember there was this trustworthy

285
00:13:24,280 --> 00:13:26,600
computing group that was around for a while.

286
00:13:26,600 --> 00:13:28,520
I'm just kind of curious how they approached that.

287
00:13:28,520 --> 00:13:32,680
And did each team do their own kind of security?

288
00:13:32,680 --> 00:13:35,480
Or was there a central center of excellence?

289
00:13:35,480 --> 00:13:37,400
Or was it kind of a hybrid?

290
00:13:37,400 --> 00:13:39,280
I'd love to hear more about that,

291
00:13:39,280 --> 00:13:40,480
because I know a lot of organizations

292
00:13:40,480 --> 00:13:42,360
are getting into application security.

293
00:13:42,360 --> 00:13:45,080
And I'd love to hear how we went through that.

294
00:13:45,080 --> 00:13:49,200
Yeah, I wish there was a really simple answer,

295
00:13:49,200 --> 00:13:51,120
and there really isn't.

296
00:13:51,120 --> 00:13:53,680
Everything you said was true, though.

297
00:13:53,680 --> 00:13:55,840
So in the very early days of the Microsoft SDL,

298
00:13:55,840 --> 00:13:57,880
the security development lifecycle,

299
00:13:57,880 --> 00:13:59,680
we actually didn't have an SDL to start off with.

300
00:13:59,680 --> 00:14:02,240
Like the team that I was in, which is run by a guy

301
00:14:02,240 --> 00:14:04,280
by the name of Mike Nash,

302
00:14:04,280 --> 00:14:06,360
was called the Secure Windows Initiative.

303
00:14:06,360 --> 00:14:08,720
We also had, at the time,

304
00:14:08,720 --> 00:14:10,280
the head of sort of security in Windows

305
00:14:10,280 --> 00:14:11,560
was a guy called Doug Bayer.

306
00:14:11,560 --> 00:14:13,720
So he was also highly influential

307
00:14:13,720 --> 00:14:15,800
in sort of what this group,

308
00:14:15,800 --> 00:14:18,480
we called SWI, Secure Windows Initiative.

309
00:14:18,480 --> 00:14:20,960
We were very much focused on Windows.

310
00:14:20,960 --> 00:14:23,720
We looked at bugs, as we saw bugs coming in,

311
00:14:23,720 --> 00:14:25,720
and then we would make recommendations,

312
00:14:25,720 --> 00:14:27,960
especially if we saw trends, right?

313
00:14:27,960 --> 00:14:30,720
If we saw, say, a specific API

314
00:14:30,720 --> 00:14:32,240
with a bunch of vulnerabilities.

315
00:14:32,240 --> 00:14:35,720
So for example, for those of you who know sort of low level C,

316
00:14:35,720 --> 00:14:38,160
there's a function called strcpy,

317
00:14:38,160 --> 00:14:40,600
and then there's memcpy, and there's a bunch of others.

318
00:14:40,600 --> 00:14:42,240
We'd already like banned strcpy,

319
00:14:42,240 --> 00:14:44,280
but memcpy we eventually banned

320
00:14:44,280 --> 00:14:46,040
when we had a good replacement.

321
00:14:46,040 --> 00:14:49,400
But it was kind of very organic back then,

322
00:14:49,400 --> 00:14:51,560
as we sort of learned our way,

323
00:14:51,560 --> 00:14:53,560
and we sort of learned what it takes,

324
00:14:53,560 --> 00:14:55,960
especially something the size of Windows, right?

325
00:14:55,960 --> 00:14:58,640
But then we realized this is bigger than Windows.

326
00:14:58,640 --> 00:15:00,320
We've got to go much bigger than that.

327
00:15:00,320 --> 00:15:03,560
And so a whole series of things had happened.

328
00:15:05,320 --> 00:15:07,640
Nimda had happened, Code Red had happened.

329
00:15:07,640 --> 00:15:10,120
I was actually in a meeting with Bill Gates

330
00:15:10,120 --> 00:15:11,720
to go over vulnerabilities,

331
00:15:11,720 --> 00:15:14,400
and actually Doug Bayer was with me,

332
00:15:14,400 --> 00:15:17,000
but I was doing most of the yapping.

333
00:15:17,000 --> 00:15:19,880
And also Writing Secure Code had come out.

334
00:15:19,880 --> 00:15:20,720
What was interesting there,

335
00:15:20,720 --> 00:15:22,840
so David LeBlanc and I who wrote Writing Secure Code,

336
00:15:22,840 --> 00:15:25,080
the reason why we wrote it was because we realized

337
00:15:25,080 --> 00:15:26,600
we were getting asked the same questions

338
00:15:26,600 --> 00:15:27,640
time and time and time again,

339
00:15:27,640 --> 00:15:29,920
just basic engineering questions.

340
00:15:29,920 --> 00:15:32,600
So we decided to sort of codify it in a book.

341
00:15:32,600 --> 00:15:34,720
So I actually gave a copy of the book to Bill.

342
00:15:34,720 --> 00:15:38,040
And the meeting that we had was actually on a Friday afternoon,

343
00:15:38,040 --> 00:15:39,760
and on Monday morning, he emailed me to say,

344
00:15:39,760 --> 00:15:42,000
hey, I read the book and absolutely loved it

345
00:15:42,000 --> 00:15:42,840
over the weekend.

346
00:15:44,000 --> 00:15:45,920
And so there was really a whole bunch of things

347
00:15:45,920 --> 00:15:47,800
that all happened at the same time.

348
00:15:47,800 --> 00:15:49,520
The .NET Framework had also gone through a thing

349
00:15:49,520 --> 00:15:52,840
they called the security push, sorry, security stand down.

350
00:15:52,840 --> 00:15:55,240
My bad, it was called the security stand down.

351
00:15:55,240 --> 00:15:56,520
And we were looking for vulnerabilities

352
00:15:56,520 --> 00:15:57,920
before we finally shipped the product.

353
00:15:57,920 --> 00:16:00,200
And there was a lot of things we learned from that too.

354
00:16:00,200 --> 00:16:02,320
So back then it was very organic.

355
00:16:02,320 --> 00:16:04,640
Now for the security push in Windows,

356
00:16:04,640 --> 00:16:06,480
there was a central team that managed it

357
00:16:06,480 --> 00:16:07,800
because it was so big, right?

358
00:16:07,800 --> 00:16:09,240
Because Windows is just so big,

359
00:16:09,240 --> 00:16:11,080
both in terms of lines of code complexity

360
00:16:11,080 --> 00:16:12,560
and engineering stuff.

361
00:16:12,560 --> 00:16:15,040
So it was very, there was a central team

362
00:16:15,040 --> 00:16:18,640
and we had a separate bug database for tracking bugs

363
00:16:18,640 --> 00:16:19,960
that were found during the security push.

364
00:16:19,960 --> 00:16:23,040
And you're right, Mark, it was about two months long.

365
00:16:23,040 --> 00:16:28,040
Actually more accurately, every group within Windows

366
00:16:29,000 --> 00:16:30,960
was going to be done when they were done.

367
00:16:31,880 --> 00:16:34,160
For some teams, that was four weeks.

368
00:16:34,160 --> 00:16:36,960
For some teams, it was more than two months.

369
00:16:36,960 --> 00:16:38,200
But you were done when you were done.

370
00:16:38,200 --> 00:16:39,760
And we define what done was,

371
00:16:39,760 --> 00:16:42,520
which is basically you've got essentially flatlining

372
00:16:42,520 --> 00:16:45,080
on incoming vulnerabilities that are being found.

373
00:16:45,080 --> 00:16:48,400
But the average was about two months, plus or minus.

374
00:16:48,400 --> 00:16:51,280
Then we realized that we can't just build products

375
00:16:51,280 --> 00:16:53,480
and then do a security push to find the bugs.

376
00:16:53,480 --> 00:16:55,480
That's more like the wild, wild west

377
00:16:55,480 --> 00:16:58,720
as opposed to actually engineering.

378
00:16:58,720 --> 00:16:59,880
And so we decided to change things

379
00:16:59,880 --> 00:17:02,400
and that became the SDL, the Microsoft SDL.

380
00:17:02,400 --> 00:17:04,440
And as you mentioned, I was one of the guys behind it

381
00:17:04,440 --> 00:17:07,760
with a gentleman who was my boss at the time, Steve Lipner.

382
00:17:07,760 --> 00:17:09,760
He's since retired from Microsoft.

383
00:17:09,760 --> 00:17:13,760
He and I, there's a lot of other people involved, obviously.

384
00:17:14,640 --> 00:17:17,200
We started to sort of really codify what it means

385
00:17:17,200 --> 00:17:20,120
around designing, developing, testing, coding constructs,

386
00:17:20,120 --> 00:17:23,040
crypto requirements, threat modeling, fuzz testing,

387
00:17:23,040 --> 00:17:26,360
static analysis, dynamic analysis, final security review,

388
00:17:26,360 --> 00:17:28,160
security training, the whole nine yards, right?

389
00:17:28,160 --> 00:17:29,760
And that became the SDL.

390
00:17:29,760 --> 00:17:31,560
Now you could argue there's nothing new under the sun

391
00:17:31,560 --> 00:17:33,120
and that's completely true.

392
00:17:33,120 --> 00:17:35,520
But we documented a lot of that.

393
00:17:35,520 --> 00:17:37,560
In fact, Steve and I went on to write the book

394
00:17:37,560 --> 00:17:40,040
called the Microsoft Security Development Lifecycle.

395
00:17:40,040 --> 00:17:41,840
Very, very proud of that book.

396
00:17:41,840 --> 00:17:45,760
And at that point, we moved the SDL team out of Windows

397
00:17:45,760 --> 00:17:47,200
and it became, actually it's funny as you say,

398
00:17:47,200 --> 00:17:49,040
TWC, Trustworthy Computing,

399
00:17:49,040 --> 00:17:52,000
because we ended up moving out of Windows

400
00:17:52,000 --> 00:17:54,560
and into Scott Charney's team,

401
00:17:54,560 --> 00:17:56,720
which was the Trustworthy Computing team.

402
00:17:56,720 --> 00:18:00,080
So it became a corporate entity

403
00:18:00,080 --> 00:18:01,720
as opposed to a product group entity.

404
00:18:01,720 --> 00:18:04,160
And that has its own pros and cons.

405
00:18:04,160 --> 00:18:05,760
But most importantly, funding, right?

406
00:18:05,760 --> 00:18:07,400
Because if we wanted to fund an engineer,

407
00:18:07,400 --> 00:18:08,520
we're not funding an engineer

408
00:18:08,520 --> 00:18:10,440
that isn't going to Windows, right?

409
00:18:10,440 --> 00:18:11,920
So it's not a decision like,

410
00:18:11,920 --> 00:18:15,120
do we hire a security engineer

411
00:18:15,120 --> 00:18:18,680
or do we hire someone who can fix device drivers

412
00:18:18,680 --> 00:18:19,600
in the kernel?

413
00:18:19,600 --> 00:18:22,560
That conversation never happened

414
00:18:22,560 --> 00:18:24,720
because we were a corporate entity.

415
00:18:24,720 --> 00:18:26,200
But then there's a problem of scale, right?

416
00:18:26,200 --> 00:18:28,080
So there's no way that a hundred of us

417
00:18:28,080 --> 00:18:30,120
could actually manage the whole of Microsoft.

418
00:18:30,120 --> 00:18:32,040
And so one thing we ended up doing

419
00:18:32,040 --> 00:18:34,440
was introducing this notion of security champs,

420
00:18:34,440 --> 00:18:36,480
which was security experts

421
00:18:36,480 --> 00:18:40,240
or people who had a passion or an interest in security

422
00:18:40,240 --> 00:18:41,960
within the individual product groups.

423
00:18:41,960 --> 00:18:43,560
And then we would liaise with them

424
00:18:43,560 --> 00:18:46,080
to be the sort of the conduit of communication.

425
00:18:46,080 --> 00:18:48,240
And then you sort of start breeding the skills

426
00:18:48,240 --> 00:18:49,520
within the product groups.

427
00:18:49,520 --> 00:18:51,000
And then it became a point where

428
00:18:51,000 --> 00:18:53,200
the teams would actually just do their own thing.

429
00:18:53,200 --> 00:18:55,920
So the SDL team became like a sort of a,

430
00:18:57,200 --> 00:18:58,640
kind of a governance body.

431
00:18:58,640 --> 00:19:00,400
And we would change the SDL.

432
00:19:00,400 --> 00:19:03,080
We would update the SDL originally every six months

433
00:19:03,080 --> 00:19:05,480
and then finally every 12 months.

434
00:19:05,480 --> 00:19:06,960
We would add new requirements

435
00:19:06,960 --> 00:19:09,000
or change things from requirements to recommendations

436
00:19:09,000 --> 00:19:09,880
or vice versa.

437
00:19:09,880 --> 00:19:12,240
But we became the central sort of governance team

438
00:19:12,240 --> 00:19:15,960
helping all the engineering staff achieve their goals.

439
00:19:15,960 --> 00:19:18,200
I don't know if that actually answered your question, Mark,

440
00:19:18,200 --> 00:19:22,000
but that's kind of the history of it.

441
00:19:22,000 --> 00:19:23,400
Yeah, that definitely helps.

442
00:19:24,520 --> 00:19:26,880
Yeah, it sounds like we had to learn a lot of it as we go,

443
00:19:26,880 --> 00:19:28,720
but like we definitely see a lot of organizations

444
00:19:28,720 --> 00:19:30,400
having success with that champs,

445
00:19:30,400 --> 00:19:32,840
kind of finding the interested and the willing

446
00:19:32,840 --> 00:19:36,520
among their different kind of constituent teams.

447
00:19:36,520 --> 00:19:38,960
You know, that sort of almost like a hub and spoke

448
00:19:38,960 --> 00:19:41,960
type of approach where there's like the central authority

449
00:19:41,960 --> 00:19:45,800
that's, you know, has knowledge, engineers depth, et cetera.

450
00:19:45,800 --> 00:19:47,880
But then, you know, the folks that are closest

451
00:19:47,880 --> 00:19:49,520
to the product, closest to the teams.

452
00:19:49,520 --> 00:19:52,240
And we even do this with our security operations or SOC,

453
00:19:52,240 --> 00:19:54,360
you know, using our CDOC approach, you know,

454
00:19:54,360 --> 00:19:58,920
keeping those experts close to the actual products

455
00:19:58,920 --> 00:20:01,080
and environments and then having that, you know,

456
00:20:01,080 --> 00:20:02,920
the central thing they can rely on.

457
00:20:03,920 --> 00:20:07,080
So yeah, that really helped.

458
00:20:07,080 --> 00:20:08,360
I appreciate it, man.

459
00:20:08,360 --> 00:20:10,480
And Gladys, I think you had a follow up question, right?

460
00:20:10,480 --> 00:20:15,080
Yes, one of the things that I heard is that

461
00:20:15,080 --> 00:20:18,040
there was a lot of training put together

462
00:20:18,040 --> 00:20:22,480
for the different developers, for project managers

463
00:20:22,480 --> 00:20:27,480
in order to learn how to embed security from the get-go.

464
00:20:27,480 --> 00:20:29,440
Security threats are always evolving.

465
00:20:29,440 --> 00:20:34,440
And now when we have cloud services, it just much more,

466
00:20:36,040 --> 00:20:39,240
I would say bigger what you have to know.

467
00:20:39,240 --> 00:20:43,520
And this is, I guess I would say it is more personal,

468
00:20:43,520 --> 00:20:46,280
although I think it will impact, your answer,

469
00:20:46,280 --> 00:20:48,560
it will impact many other people.

470
00:20:48,560 --> 00:20:50,120
One of the things that I mentioned

471
00:20:50,120 --> 00:20:52,320
when I introduced myself is I'm working

472
00:20:52,320 --> 00:20:54,960
on strategic missions and technology.

473
00:20:54,960 --> 00:20:59,960
And one of the things that I am doing is helping engineers,

474
00:20:59,960 --> 00:21:04,960
the engineers or developers to embed security.

475
00:21:05,200 --> 00:21:09,200
When they're building solutions across

476
00:21:09,200 --> 00:21:14,200
the whole Azure infrastructure or Microsoft services,

477
00:21:14,520 --> 00:21:18,720
overall services, in order for them to make sure

478
00:21:18,720 --> 00:21:22,520
that they take into account all the security capabilities

479
00:21:22,520 --> 00:21:25,360
that they could use, they have to know

480
00:21:25,360 --> 00:21:28,000
about all these different services, right?

481
00:21:28,000 --> 00:21:32,000
And Microsoft has hundreds of services.

482
00:21:32,000 --> 00:21:35,600
So it's impossible to keep up and make sure

483
00:21:35,600 --> 00:21:40,120
that you know about all the nitty gritty capabilities

484
00:21:40,120 --> 00:21:44,080
that are being released, like continuous access evaluation,

485
00:21:44,080 --> 00:21:46,560
that identity just released.

486
00:21:46,560 --> 00:21:51,480
And I like that a lot because it's a way

487
00:21:51,480 --> 00:21:55,520
to keep up because it's continuing

488
00:21:55,520 --> 00:21:57,520
authenticating yourself.

489
00:21:57,520 --> 00:22:01,720
There's workload identities, which now applications

490
00:22:01,720 --> 00:22:06,720
that are authenticating to each other now can use

491
00:22:06,720 --> 00:22:09,960
with that IP and if the request is not coming

492
00:22:09,960 --> 00:22:13,280
from a particular IP, it would speed it up.

493
00:22:13,280 --> 00:22:18,280
So my question is this, how would you see

494
00:22:18,280 --> 00:22:23,280
the Azure organization keeping up in training

495
00:22:23,280 --> 00:22:28,280
and enabling their developers to embed zero trust capabilities

496
00:22:29,000 --> 00:22:34,000
or security and principles in the development?

497
00:22:34,000 --> 00:22:36,360
What are your thoughts around that area?

498
00:22:36,360 --> 00:22:38,320
Yeah, it's funny you should bring that up.

499
00:22:38,320 --> 00:22:40,680
I've been doing a lot of threat models just recently

500
00:22:40,680 --> 00:22:45,680
for SQL DB, SQL MI and Cosmos DB.

501
00:22:45,680 --> 00:22:48,280
It's interesting because the threat model process,

502
00:22:48,280 --> 00:22:52,360
even though the moving parts are different,

503
00:22:52,360 --> 00:22:54,160
the questions are still the same.

504
00:22:54,160 --> 00:22:55,320
The technology may be different.

505
00:22:55,320 --> 00:22:57,240
So here's an example.

506
00:22:57,240 --> 00:22:59,560
So back in the old days, we'd see an end user,

507
00:22:59,560 --> 00:23:01,120
say it's in Windows, and we say,

508
00:23:01,120 --> 00:23:02,880
it's a threat modeling question,

509
00:23:02,880 --> 00:23:04,560
how do you authenticate that user?

510
00:23:04,560 --> 00:23:05,880
Well, back then people would have said,

511
00:23:05,880 --> 00:23:07,600
username and password.

512
00:23:07,600 --> 00:23:08,760
But what are you actually using?

513
00:23:08,760 --> 00:23:12,320
Is it NTLM, is it Kerberos, is it basic, is it Digest?

514
00:23:12,320 --> 00:23:13,240
What is it?

515
00:23:13,240 --> 00:23:16,480
We still ask exactly the same question today,

516
00:23:16,480 --> 00:23:18,920
the exact same question, but the big difference is,

517
00:23:18,920 --> 00:23:19,920
is it AAD?

518
00:23:19,920 --> 00:23:22,800
And by the way, the correct answer is yes, it's AAD.

519
00:23:22,800 --> 00:23:25,720
Because that way I can apply things like conditional access

520
00:23:25,720 --> 00:23:27,320
and that sort of stuff to it.

521
00:23:27,320 --> 00:23:29,440
So it's interesting, the questions are kind of the same

522
00:23:29,440 --> 00:23:32,200
that they were 20 something years ago,

523
00:23:32,200 --> 00:23:34,160
but some of the mechanics are different.

524
00:23:34,160 --> 00:23:36,600
But knowing those mechanics is really, really important.

525
00:23:36,600 --> 00:23:38,360
So when I'm looking at a threat model

526
00:23:38,360 --> 00:23:41,600
for some sort of Azure backend service,

527
00:23:41,600 --> 00:23:44,080
basically the correct answer for server authentication

528
00:23:44,080 --> 00:23:48,720
is TLS, today is always, absolutely is TLS.

529
00:23:48,720 --> 00:23:51,520
Back in the old Windows sort of AAD environment,

530
00:23:51,520 --> 00:23:54,560
it would have been Kerberos and potentially TLS,

531
00:23:54,560 --> 00:23:56,680
because that gives you server authentication.

532
00:23:56,680 --> 00:23:58,920
And then for channel protections, it's still the same, right?

533
00:23:58,920 --> 00:24:00,640
It's TLS, and then for client authentication,

534
00:24:00,640 --> 00:24:03,720
that's certainly changed from NTLM, Kerberos,

535
00:24:03,720 --> 00:24:05,640
or whatever to AAD.

536
00:24:05,640 --> 00:24:07,200
But again, the questions are still the same.

537
00:24:07,200 --> 00:24:08,760
But to answer your question about how do you keep people

538
00:24:08,760 --> 00:24:11,480
on board and up to date with what's going on,

539
00:24:11,480 --> 00:24:16,320
this is something that the organization has to embrace.

540
00:24:16,320 --> 00:24:18,400
The threats are constantly evolving.

541
00:24:18,400 --> 00:24:20,080
They're just always evolving.

542
00:24:20,080 --> 00:24:23,000
So for example, one thing that's raised its ugly head

543
00:24:23,000 --> 00:24:26,160
a lot more over the last few years with cloud environments

544
00:24:26,160 --> 00:24:28,560
has been what's called server-side request forgery

545
00:24:28,560 --> 00:24:30,000
vulnerabilities.

546
00:24:30,000 --> 00:24:32,600
And so there's a lot of tooling going on

547
00:24:32,600 --> 00:24:34,840
and education going on and sample code

548
00:24:34,840 --> 00:24:36,720
and this, that, and the other.

549
00:24:36,720 --> 00:24:38,400
We're making sure that we can make sure

550
00:24:38,400 --> 00:24:41,800
the engineering staff are well aware of server-side request

551
00:24:41,800 --> 00:24:43,040
forgery vulnerabilities.

552
00:24:43,040 --> 00:24:44,120
And there's lots of others as well.

553
00:24:44,120 --> 00:24:44,960
Don't get me wrong.

554
00:24:44,960 --> 00:24:46,720
That's just one example.

555
00:24:46,720 --> 00:24:48,720
So yeah, I think it's incredibly important

556
00:24:48,720 --> 00:24:52,480
that organizations do make it a point of training

557
00:24:52,480 --> 00:24:54,720
their engineering staff.

558
00:24:54,720 --> 00:24:58,760
What about your thoughts regarding developers

559
00:24:58,760 --> 00:25:02,840
also taking into account any verifications

560
00:25:02,840 --> 00:25:08,040
that they can do within the code instead of relying just

561
00:25:08,040 --> 00:25:12,440
on Azure AD or endpoint protection

562
00:25:12,440 --> 00:25:15,400
or all the other security, but the application

563
00:25:15,400 --> 00:25:18,000
itself doing the verifications?

564
00:25:18,000 --> 00:25:21,040
Yeah, actually, so it depends on the definition

565
00:25:21,040 --> 00:25:22,000
of verification, right?

566
00:25:22,000 --> 00:25:25,520
So one of the big ones that developers have control over

567
00:25:25,520 --> 00:25:27,640
is the data that's coming into the system, right?

568
00:25:27,640 --> 00:25:31,000
So if you've got some data coming in through a REST

569
00:25:31,000 --> 00:25:34,520
endpoint or something, it's like you can't trust that data.

570
00:25:34,520 --> 00:25:36,160
You've got to validate it.

571
00:25:36,160 --> 00:25:37,200
So how do you validate it?

572
00:25:37,200 --> 00:25:39,000
The funny thing is there's a comment

573
00:25:39,000 --> 00:25:42,000
that David and I wrote in Writing Secure Code 20-something

574
00:25:42,000 --> 00:25:45,760
years ago, which is all input is evil.

575
00:25:45,760 --> 00:25:49,160
When Simone, Heinrich and I wrote Designing and Developing

576
00:25:49,160 --> 00:25:51,480
Secure Azure Solutions, and I wrote.

577
00:25:51,480 --> 00:25:54,400
Is that like the predecessor to zero trust?

578
00:25:54,400 --> 00:25:56,080
Well, I mean, zero trust is obviously much bigger

579
00:25:56,080 --> 00:25:57,480
than just that.

580
00:25:57,480 --> 00:26:01,840
But it's the exact same concept of essentially assume evil

581
00:26:01,840 --> 00:26:03,400
unless otherwise proven.

582
00:26:03,400 --> 00:26:05,000
Yeah, and that's the mistake we're seeing.

583
00:26:05,000 --> 00:26:06,280
We're still seeing it today.

584
00:26:06,280 --> 00:26:08,600
And again, just getting back to the book, this new book,

585
00:26:08,600 --> 00:26:10,480
I wrote the secure coding chapter.

586
00:26:10,480 --> 00:26:12,520
And within the first paragraph I've said,

587
00:26:12,520 --> 00:26:15,040
I actually say, hey, all input is evil

588
00:26:15,040 --> 00:26:16,720
until proven otherwise.

589
00:26:16,720 --> 00:26:19,000
It's the same that it was 20 years ago.

590
00:26:19,000 --> 00:26:23,920
It doesn't matter if you're programming in Go, Rust,

591
00:26:23,920 --> 00:26:29,040
or whatever today versus C, C++, and heaven forbid, VB,

592
00:26:29,040 --> 00:26:30,400
back in the day.

593
00:26:30,400 --> 00:26:33,400
That issue still exists today.

594
00:26:33,400 --> 00:26:35,600
So there are some sorts of skills

595
00:26:35,600 --> 00:26:40,080
that sort of transcend the programming

596
00:26:40,080 --> 00:26:42,240
fashions of the day.

597
00:26:42,240 --> 00:26:44,240
And I still believe strongly that we

598
00:26:44,240 --> 00:26:46,520
should be teaching developers just that one skill,

599
00:26:46,520 --> 00:26:48,000
if nothing else.

600
00:26:48,000 --> 00:26:51,360
Do not trust any input into your system,

601
00:26:51,360 --> 00:26:53,200
because that's where problems are going

602
00:26:53,200 --> 00:26:54,440
to sort of manifest themselves.

603
00:26:54,440 --> 00:26:56,440
Now with that said, that's a coding thing.

604
00:26:56,440 --> 00:26:57,840
It's not a design thing.

605
00:26:57,840 --> 00:27:00,240
You would not catch that as part of a threat model.

606
00:27:00,240 --> 00:27:02,160
But I think from your perspective, Gladys,

607
00:27:02,160 --> 00:27:04,920
about validating stuff, I think doing things

608
00:27:04,920 --> 00:27:08,880
like authorization checks and authentication checks,

609
00:27:08,880 --> 00:27:11,480
the threat model should show you the whole end-to-end,

610
00:27:11,480 --> 00:27:13,120
like where you're doing the authentication

611
00:27:13,120 --> 00:27:14,720
and where you're doing the authorization,

612
00:27:14,720 --> 00:27:17,880
and more importantly, how it's being done.

613
00:27:17,880 --> 00:27:19,960
But that should be in the threat model.

614
00:27:19,960 --> 00:27:20,720
Thank you.

615
00:27:20,720 --> 00:27:23,520
All right, so I've got a question for Sarah.

616
00:27:23,520 --> 00:27:28,080
All right, so you've moved to the Antipodes, to Australia.

617
00:27:28,080 --> 00:27:30,520
And I know you and I have spoken about some

618
00:27:30,520 --> 00:27:33,240
of the differences between the countries, the US,

619
00:27:33,240 --> 00:27:35,680
predominantly, and Australia.

620
00:27:35,680 --> 00:27:37,440
But from your perspective, do you

621
00:27:37,440 --> 00:27:43,240
find that the people you deal with in customers

622
00:27:43,240 --> 00:27:46,560
have issues that are unique to their geography?

623
00:27:46,560 --> 00:27:52,800
Or is there an approach to the way they handle cybersecurity?

624
00:27:52,800 --> 00:27:55,680
What are the differences between the two countries?

625
00:27:55,680 --> 00:27:58,120
Yeah, it's a super interesting question.

626
00:27:58,120 --> 00:28:02,600
And I'd say probably this side of the world

627
00:28:02,600 --> 00:28:04,560
is a shout out to the Antipodes.

628
00:28:04,560 --> 00:28:06,280
Hello, Australia.

629
00:28:06,280 --> 00:28:08,640
Well, it'd be cheesy to say good day, Australia,

630
00:28:08,640 --> 00:28:10,680
and kia ora, New Zealand.

631
00:28:10,680 --> 00:28:15,480
I think something, and research does back this up.

632
00:28:15,480 --> 00:28:16,840
And I think we're getting better.

633
00:28:16,840 --> 00:28:18,920
But in Australia and New Zealand, for those of you

634
00:28:18,920 --> 00:28:21,320
who have not traveled to this lovely part of the world,

635
00:28:21,320 --> 00:28:25,760
and you should do at some point, people are very trusting,

636
00:28:25,760 --> 00:28:30,040
definitely more trusting than other parts of the world.

637
00:28:30,040 --> 00:28:32,880
And so for example, I know in New Zealand,

638
00:28:32,880 --> 00:28:37,400
research shows that if you do a phishing exercise, generally,

639
00:28:37,400 --> 00:28:41,160
maybe you'll get a 10%, 15% click through rate on, say,

640
00:28:41,160 --> 00:28:43,040
your typical everyday workforce.

641
00:28:43,040 --> 00:28:47,400
Whereas in New Zealand, it's more like 25%, 30%.

642
00:28:47,400 --> 00:28:49,600
And that's because people are very trusting.

643
00:28:49,600 --> 00:28:52,360
And they're not so used to scams,

644
00:28:52,360 --> 00:28:55,520
because I think people who are doing scamming and trying

645
00:28:55,520 --> 00:28:58,800
to breach things haven't traditionally always gone

646
00:28:58,800 --> 00:29:01,600
for Australia and New Zealand, just because there are bigger

647
00:29:01,600 --> 00:29:05,000
fish to fry, like the US and Europe.

648
00:29:05,000 --> 00:29:09,160
But as time goes on and the awareness increases in the US

649
00:29:09,160 --> 00:29:11,880
and in Europe, I think you definitely

650
00:29:11,880 --> 00:29:15,800
are getting people targeting probably more Australia,

651
00:29:15,800 --> 00:29:17,240
because there's more people here.

652
00:29:17,240 --> 00:29:18,520
For those of you who don't know, I

653
00:29:18,520 --> 00:29:21,280
think the population of Australia is about 25 million.

654
00:29:21,280 --> 00:29:23,160
New Zealand is only 5 million.

655
00:29:23,160 --> 00:29:24,960
New Zealand's a very small country.

656
00:29:24,960 --> 00:29:26,640
I've been surprised at the difference

657
00:29:26,640 --> 00:29:30,280
between when I was living in Australia before COVID

658
00:29:30,280 --> 00:29:34,400
and now that I'm getting a lot more scam text messages

659
00:29:34,400 --> 00:29:38,760
and emails than I remember here before.

660
00:29:38,760 --> 00:29:40,880
It's more comparable with the US.

661
00:29:40,880 --> 00:29:44,240
So I do think that I wouldn't say there's anything unique,

662
00:29:44,240 --> 00:29:48,520
but I think down this part of the world, people perhaps,

663
00:29:48,520 --> 00:29:50,880
to a point, have been less exposed to it.

664
00:29:50,880 --> 00:29:54,800
But that's changing quite quickly.

665
00:29:54,800 --> 00:29:56,480
And for those of you who are in Australia,

666
00:29:56,480 --> 00:29:59,000
you'll know there's been a couple of quite high profile

667
00:29:59,000 --> 00:30:02,560
breaches recently with some big companies.

668
00:30:02,560 --> 00:30:05,200
So I think it's definitely top of mind.

669
00:30:05,200 --> 00:30:09,960
And Australia has been making some really interesting inroads

670
00:30:09,960 --> 00:30:13,840
into making cybersecurity a priority.

671
00:30:13,840 --> 00:30:15,800
I mean, all countries are doing that right.

672
00:30:15,800 --> 00:30:19,640
But I think given, let's say, the last six months,

673
00:30:19,640 --> 00:30:22,280
it's something that's very much top of mind.

674
00:30:22,280 --> 00:30:25,760
So I would say this part of the world

675
00:30:25,760 --> 00:30:29,800
is definitely catching up very quickly with the awareness

676
00:30:29,800 --> 00:30:30,640
and the knowledge.

677
00:30:30,640 --> 00:30:32,320
It's not that it wasn't there at all.

678
00:30:32,320 --> 00:30:35,160
I don't want anyone to take away from what I'm saying here.

679
00:30:35,160 --> 00:30:38,160
It's just that probably the general public consciousness

680
00:30:38,160 --> 00:30:39,680
perhaps wasn't as high.

681
00:30:39,680 --> 00:30:42,960
But we're definitely getting there now because we have to.

682
00:30:42,960 --> 00:30:46,400
Because as we know, even if we're just talking about scams

683
00:30:46,400 --> 00:30:48,200
and people scamming people out of money,

684
00:30:48,200 --> 00:30:50,200
it still does damage to people, right,

685
00:30:50,200 --> 00:30:51,440
even if it's individuals.

686
00:30:51,440 --> 00:30:54,880
So that awareness piece is definitely going up.

687
00:30:54,880 --> 00:30:56,840
Michael, you've been down here.

688
00:30:56,840 --> 00:30:58,440
You spent a little bit of time down here.

689
00:30:58,440 --> 00:30:59,840
What's your take?

690
00:30:59,840 --> 00:31:01,640
Yeah, actually, one thing that I've found

691
00:31:01,640 --> 00:31:03,480
is that in Australia and New Zealand,

692
00:31:03,480 --> 00:31:06,000
they're usually very, very quick to pick up new technologies

693
00:31:06,000 --> 00:31:07,680
and new ideas as well.

694
00:31:07,680 --> 00:31:09,440
There seems to be a little less resistance

695
00:31:09,440 --> 00:31:12,320
to coming up with the reasons why not to deploy something

696
00:31:12,320 --> 00:31:12,800
new.

697
00:31:12,800 --> 00:31:14,360
For example, back in the day when

698
00:31:14,360 --> 00:31:18,200
I was working in the IIS team, the first company

699
00:31:18,200 --> 00:31:21,840
to reach out to me to try to help them with some cross-site

700
00:31:21,840 --> 00:31:25,280
scripting vulnerabilities was actually an Australian bank.

701
00:31:25,280 --> 00:31:27,600
They understood very quickly the ramifications

702
00:31:27,600 --> 00:31:29,720
of cross-site scripting for their online presence.

703
00:31:29,720 --> 00:31:31,880
They were using IIS at the time.

704
00:31:31,880 --> 00:31:35,320
So I helped them out with sort of get rid of a few

705
00:31:35,320 --> 00:31:36,400
that they had.

706
00:31:36,400 --> 00:31:37,480
Because honestly, it wasn't really

707
00:31:37,480 --> 00:31:39,160
a problem that was really known about.

708
00:31:39,160 --> 00:31:41,440
And it was a bit of a mystery to a lot of people.

709
00:31:41,440 --> 00:31:43,680
But the fact that the very first people

710
00:31:43,680 --> 00:31:46,280
to come to me recognizing, hey, this is bad,

711
00:31:46,280 --> 00:31:48,400
was actually an Australian bank.

712
00:31:48,400 --> 00:31:50,840
So yeah, that's my observation.

713
00:31:50,840 --> 00:31:53,600
Actually, just so you know, some of my very earliest days

714
00:31:53,600 --> 00:31:55,000
at Microsoft in New Zealand, I actually

715
00:31:55,000 --> 00:32:00,120
did support for Windows 3.x and then Windows NT,

716
00:32:00,120 --> 00:32:01,840
but also the C compiler.

717
00:32:01,840 --> 00:32:04,680
So I needed a lot of support for C and C++.

718
00:32:04,680 --> 00:32:08,200
And I was always amazed at the level of expertise

719
00:32:08,200 --> 00:32:10,240
of the New Zealand software developers who

720
00:32:10,240 --> 00:32:11,560
were using C and C++.

721
00:32:11,560 --> 00:32:14,040
They were really pushing the compiler.

722
00:32:14,040 --> 00:32:16,160
And I did not expect that.

723
00:32:16,160 --> 00:32:18,880
And I think that whole sort of can-do attitude,

724
00:32:18,880 --> 00:32:21,840
which I know has been thrown around a lot in New Zealand,

725
00:32:21,840 --> 00:32:23,320
is very real.

726
00:32:23,320 --> 00:32:25,680
I'm going to switch gears here for a moment.

727
00:32:25,680 --> 00:32:30,560
And I'm always trying to become a better ally and advocate

728
00:32:30,560 --> 00:32:34,840
for women in technology and other underrepresented

729
00:32:34,840 --> 00:32:36,240
minorities.

730
00:32:36,240 --> 00:32:40,760
And Sarah and Gladys, I'd love to get your perspective on,

731
00:32:40,760 --> 00:32:43,640
I know in my early days of that journey,

732
00:32:43,640 --> 00:32:46,120
that it was very intimidating and very scary

733
00:32:46,120 --> 00:32:48,440
to try and do the right thing, because I didn't

734
00:32:48,440 --> 00:32:50,800
know what to do or what not to do.

735
00:32:50,800 --> 00:32:53,400
And so I'd love to get your perspective on,

736
00:32:53,400 --> 00:32:55,640
what are the things that you would recommend for men

737
00:32:55,640 --> 00:32:57,960
that want to be an ally and an advocate

738
00:32:57,960 --> 00:33:01,800
and help their female colleagues, what to do,

739
00:33:01,800 --> 00:33:06,520
what not to do to sort of help in that space?

740
00:33:06,520 --> 00:33:08,640
Oh, I have so many thoughts on this.

741
00:33:08,640 --> 00:33:11,240
But my take on this is that we've still got a long way

742
00:33:11,240 --> 00:33:11,760
to go.

743
00:33:11,760 --> 00:33:15,440
But in fact, the majority of people

744
00:33:15,440 --> 00:33:17,320
don't discriminate against minorities.

745
00:33:17,320 --> 00:33:22,040
But I think because it has become socially unacceptable

746
00:33:22,040 --> 00:33:27,760
to be overtly racist, sexist, is of any kind, what we see now

747
00:33:27,760 --> 00:33:30,280
is it's pushed under the table a little bit.

748
00:33:30,280 --> 00:33:33,080
So unless you're the recipient of that,

749
00:33:33,080 --> 00:33:36,320
you wouldn't necessarily notice it was a thing.

750
00:33:36,320 --> 00:33:38,360
And so the thing that I've taken away

751
00:33:38,360 --> 00:33:41,920
from having many conversations with different men,

752
00:33:41,920 --> 00:33:44,200
and I'm talking about this, and I'll just caveat,

753
00:33:44,200 --> 00:33:48,000
I'm talking about this in the sense of being a woman in tech

754
00:33:48,000 --> 00:33:50,600
only because that's the experience I can speak to.

755
00:33:50,600 --> 00:33:54,640
I do realize that being a minority in tech

756
00:33:54,640 --> 00:33:57,840
actually takes many forms, whether it's ethnicity,

757
00:33:57,840 --> 00:33:59,800
religion, gender, et cetera.

758
00:33:59,800 --> 00:34:02,280
So like I said, I'm just talking to my experience.

759
00:34:02,280 --> 00:34:07,040
But I think this does apply to others as well.

760
00:34:07,040 --> 00:34:10,960
Is that it's often that we need to just talk about it.

761
00:34:10,960 --> 00:34:14,680
In fact, I'm doing a webinar tomorrow

762
00:34:14,680 --> 00:34:17,400
with a colleague of mine called Jess Dodson, who's

763
00:34:17,400 --> 00:34:21,800
been on the show, about women's stories from the tech trenches.

764
00:34:21,800 --> 00:34:24,320
And we talk about recent examples

765
00:34:24,320 --> 00:34:27,200
of where women have been discriminated against

766
00:34:27,200 --> 00:34:28,880
or they've been talked down to.

767
00:34:28,880 --> 00:34:31,760
But it's not as overt as someone just standing there and saying,

768
00:34:31,760 --> 00:34:33,400
hey, sorry, you don't know anything

769
00:34:33,400 --> 00:34:34,480
because you're a woman.

770
00:34:34,480 --> 00:34:37,080
It's much more subtle nowadays.

771
00:34:37,080 --> 00:34:39,320
And unless you're really looking out for it,

772
00:34:39,320 --> 00:34:40,600
you wouldn't realize.

773
00:34:40,600 --> 00:34:42,200
And I'm really surprised.

774
00:34:42,200 --> 00:34:44,120
And I think we need to talk about this more,

775
00:34:44,120 --> 00:34:46,520
because something that's always surprised me

776
00:34:46,520 --> 00:34:50,160
is when I tell most ordinary people that I work with, hey,

777
00:34:50,160 --> 00:34:51,840
yeah, this still happens.

778
00:34:51,840 --> 00:34:55,280
Here's an example that's happened to me.

779
00:34:55,280 --> 00:34:57,840
Just in the last week or two or whatever it is,

780
00:34:57,840 --> 00:35:00,640
they're like, no, that doesn't happen anymore.

781
00:35:00,640 --> 00:35:04,080
And it's not that they are consciously ignoring it.

782
00:35:04,080 --> 00:35:06,080
It's because it's a little bit more subtle,

783
00:35:06,080 --> 00:35:08,280
it's under the table, that a lot of folks

784
00:35:08,280 --> 00:35:12,240
don't realize that this still does happen.

785
00:35:12,240 --> 00:35:16,520
And so I think that awareness piece is really important.

786
00:35:16,520 --> 00:35:21,160
So I'd encourage you, if they want to talk about it,

787
00:35:21,160 --> 00:35:23,000
don't shove it down their throat.

788
00:35:23,000 --> 00:35:25,040
Listen to the stories.

789
00:35:25,040 --> 00:35:27,320
I can guarantee you that there will

790
00:35:27,320 --> 00:35:30,520
be things that have happened in your workplace

791
00:35:30,520 --> 00:35:35,440
or in your community where someone has said something

792
00:35:35,440 --> 00:35:37,920
that's not appropriate, but you might not

793
00:35:37,920 --> 00:35:42,680
have realized it, because, yeah, it happens.

794
00:35:42,680 --> 00:35:44,760
But if you're not at the receiving end of it,

795
00:35:44,760 --> 00:35:47,320
it can sometimes be very difficult to notice.

796
00:35:47,320 --> 00:35:51,120
So I think being very aware is a thing.

797
00:35:51,120 --> 00:35:54,360
The other one, and I could go on for a long time, but I won't.

798
00:35:54,360 --> 00:35:59,000
My other pet peeve is that when we're talking about diversity,

799
00:35:59,000 --> 00:36:01,120
and this has happened to me, you'll be like, oh,

800
00:36:01,120 --> 00:36:04,480
minorities in the team, can you go do the diversity event,

801
00:36:04,480 --> 00:36:08,000
please, or go and work on a diversity initiative,

802
00:36:08,000 --> 00:36:09,880
when in fact, everyone in the team

803
00:36:09,880 --> 00:36:12,840
should be working on the diversity initiative.

804
00:36:12,840 --> 00:36:15,680
Don't just make it the women or, again,

805
00:36:15,680 --> 00:36:17,120
whatever other minority.

806
00:36:17,120 --> 00:36:18,960
It's not just their initiative.

807
00:36:18,960 --> 00:36:22,240
We should all be doing it as good allies.

808
00:36:22,240 --> 00:36:24,960
They're probably my two main bits.

809
00:36:24,960 --> 00:36:28,320
And just as a final thought on this, because, as I said,

810
00:36:28,320 --> 00:36:30,400
I could do a whole podcast on this,

811
00:36:30,400 --> 00:36:34,600
is don't be naive in thinking that it doesn't still happen,

812
00:36:34,600 --> 00:36:36,520
because it definitely does.

813
00:36:36,520 --> 00:36:37,600
We're getting better.

814
00:36:37,600 --> 00:36:39,760
There's a lot of initiatives, a lot of great people

815
00:36:39,760 --> 00:36:41,280
out there working on it.

816
00:36:41,280 --> 00:36:43,360
But if you're sitting there thinking,

817
00:36:43,360 --> 00:36:45,600
oh, yeah, that's not a problem in my workplace,

818
00:36:45,600 --> 00:36:48,920
I would definitely reassess, look again,

819
00:36:48,920 --> 00:36:51,440
with maybe a bit of a closer lens.

820
00:36:51,440 --> 00:36:54,240
Yeah, Gladys, how about you?

821
00:36:54,240 --> 00:36:57,720
I have to agree that most people do not

822
00:36:57,720 --> 00:37:02,400
realize when things like that happen unless it's really

823
00:37:02,400 --> 00:37:04,240
happening to them.

824
00:37:04,240 --> 00:37:08,400
And I have to say, there's companies

825
00:37:08,400 --> 00:37:12,360
that do not really care about diversity inclusion.

826
00:37:12,360 --> 00:37:16,960
Microsoft is heavily into diversity inclusion.

827
00:37:16,960 --> 00:37:21,240
So I think whatever happens in Microsoft

828
00:37:21,240 --> 00:37:27,280
happens less than many other organizations.

829
00:37:27,280 --> 00:37:32,200
But it's something definitely important.

830
00:37:32,200 --> 00:37:38,080
Look, I think even this podcast, I think Michael,

831
00:37:38,080 --> 00:37:41,760
he was the original one that put us together.

832
00:37:41,760 --> 00:37:44,800
He wanted somebody with diversity

833
00:37:44,800 --> 00:37:47,760
and tried to think about, OK, how can I

834
00:37:47,760 --> 00:37:49,680
bring that diversity here?

835
00:37:49,680 --> 00:37:51,360
I'm hoping.

836
00:37:51,360 --> 00:37:55,840
I never have asked, but I think that's the truth.

837
00:37:55,840 --> 00:38:00,200
We are from different time zones, different experience,

838
00:38:00,200 --> 00:38:02,480
different ages.

839
00:38:02,480 --> 00:38:05,080
So I think that's the number one thing

840
00:38:05,080 --> 00:38:10,720
that we need to do in order to make sure that we advocate,

841
00:38:10,720 --> 00:38:14,440
not only for women, but diverse backgrounds.

842
00:38:14,440 --> 00:38:20,880
The other thing that I think is really important,

843
00:38:20,880 --> 00:38:28,000
I have this slide that I extracted from a Microsoft

844
00:38:28,000 --> 00:38:31,520
presentation that it was talking about behaviors.

845
00:38:31,520 --> 00:38:37,720
And it's 10 behaviors for diversity inclusion,

846
00:38:37,720 --> 00:38:44,480
but I always love the first five or six that it mentions

847
00:38:44,480 --> 00:38:49,360
because I think that helps to make sure that you include

848
00:38:49,360 --> 00:38:54,080
everyone or advocate for those people, for everyone.

849
00:38:54,080 --> 00:38:58,320
The first one is examine your assumptions.

850
00:38:58,320 --> 00:39:04,040
When you're listening to people, sometimes we have assumptions

851
00:39:04,040 --> 00:39:07,760
and we take decisions based on those assumptions.

852
00:39:07,760 --> 00:39:11,320
The second one, make a habit of asking questions.

853
00:39:11,320 --> 00:39:13,880
Third one, ensure all voices are heard.

854
00:39:13,880 --> 00:39:17,160
That's really important because many times, Mark,

855
00:39:17,160 --> 00:39:21,800
like you mentioned, everyone else also feels the same way.

856
00:39:21,800 --> 00:39:25,080
We don't know what to do, when to do it.

857
00:39:25,080 --> 00:39:28,440
There's something wrong, but we're not sure if we

858
00:39:28,440 --> 00:39:31,200
should be raising our voice.

859
00:39:31,200 --> 00:39:34,320
So there's people that stay quiet.

860
00:39:34,320 --> 00:39:35,680
They're more timid.

861
00:39:35,680 --> 00:39:38,400
So ensure that all voices are heard.

862
00:39:38,400 --> 00:39:41,800
And there's a lot of women that stay quiet.

863
00:39:41,800 --> 00:39:44,640
For example, when I first joined Microsoft,

864
00:39:44,640 --> 00:39:49,080
I was in a room of 30 people and I was the only woman.

865
00:39:49,080 --> 00:39:52,000
You know how intimidating that was?

866
00:39:52,000 --> 00:39:55,640
Actually, I remember I was being in a meeting

867
00:39:55,640 --> 00:39:59,800
that I was presenting in this company

868
00:39:59,800 --> 00:40:03,600
and there were about 20 guys in technology.

869
00:40:03,600 --> 00:40:07,320
And one of the guys said to me, Gladys,

870
00:40:07,320 --> 00:40:11,400
it doesn't matter what ideas you bring.

871
00:40:11,400 --> 00:40:13,080
We're not going to do any of them.

872
00:40:13,080 --> 00:40:15,800
Imagine something like that.

873
00:40:15,800 --> 00:40:20,000
So I have had experience in all areas.

874
00:40:20,000 --> 00:40:23,320
And by the way, there were a lot of managers,

875
00:40:23,320 --> 00:40:25,000
a lot of people in there.

876
00:40:25,000 --> 00:40:26,560
And nobody did anything.

877
00:40:26,560 --> 00:40:27,840
Nobody said anything.

878
00:40:27,840 --> 00:40:29,000
And I stayed quiet.

879
00:40:29,000 --> 00:40:32,360
It's something that I always think about.

880
00:40:32,360 --> 00:40:35,880
The other one that it says, listening carefully

881
00:40:35,880 --> 00:40:41,120
to the person speaking until she or he feels understood.

882
00:40:41,120 --> 00:40:43,880
Because sometimes, me, I speak Spanish.

883
00:40:43,880 --> 00:40:47,000
So probably some people that speak Spanish,

884
00:40:47,000 --> 00:40:50,480
they understand me, but not everyone understands me.

885
00:40:50,480 --> 00:40:57,200
I may use some wording that is not really

886
00:40:57,200 --> 00:41:00,600
used in Australia, in New Zealand, et cetera.

887
00:41:00,600 --> 00:41:03,600
Address misunderstanding and resolve disagreement.

888
00:41:03,600 --> 00:41:08,480
Those are the five top behaviors that Microsoft

889
00:41:08,480 --> 00:41:13,520
has in this slide that I think is really important.

890
00:41:13,520 --> 00:41:18,440
And the last one is make sure you involve

891
00:41:18,440 --> 00:41:20,440
different perspectives.

892
00:41:20,440 --> 00:41:23,360
For the most part, the other day, I was in a project,

893
00:41:23,360 --> 00:41:26,240
and I was like, oh, you know, I have this friend

894
00:41:26,240 --> 00:41:28,800
and this other friend that could help out.

895
00:41:28,800 --> 00:41:30,520
But then I was like, OK.

896
00:41:30,520 --> 00:41:33,240
But we have similar perspectives,

897
00:41:33,240 --> 00:41:35,680
similar experience, similar.

898
00:41:35,680 --> 00:41:37,240
We were in the same team.

899
00:41:37,240 --> 00:41:40,320
We did similar projects.

900
00:41:40,320 --> 00:41:42,520
So we're not bringing that diversity in.

901
00:41:42,520 --> 00:41:46,920
So just make sure that you include the woman as part

902
00:41:46,920 --> 00:41:50,040
of the teams, as part of the group,

903
00:41:50,040 --> 00:41:54,000
as part of the communication, meetings, et cetera.

904
00:41:54,000 --> 00:41:56,040
Yes, in the interest of full disclosure,

905
00:41:56,040 --> 00:41:58,360
when Mark and I were first talking about the podcast,

906
00:41:58,360 --> 00:42:01,120
which was about now three years ago,

907
00:42:01,120 --> 00:42:06,080
we met in a pub in downtown Seattle to talk about it.

908
00:42:06,080 --> 00:42:09,560
And the decision was made almost from day one

909
00:42:09,560 --> 00:42:13,600
to basically have as diverse a lineup as possible.

910
00:42:13,600 --> 00:42:15,800
And I think the podcast is much better because of it.

911
00:42:15,800 --> 00:42:17,960
So yeah, in case anyone doesn't realize,

912
00:42:17,960 --> 00:42:20,760
there was always a decision very early on

913
00:42:20,760 --> 00:42:23,280
to be as varied as possible.

914
00:42:23,280 --> 00:42:25,840
And again, I think the podcast is much better because of it.

915
00:42:25,840 --> 00:42:27,040
100% agree.

916
00:42:27,040 --> 00:42:27,520
Yeah.

917
00:42:27,520 --> 00:42:28,880
Yeah, and the other part of that,

918
00:42:28,880 --> 00:42:31,960
and sort of more on the I side of D&I,

919
00:42:31,960 --> 00:42:34,160
is I gave a presentation this weekend.

920
00:42:34,160 --> 00:42:37,400
It's a thing called SQL Saturday in the Austin,

921
00:42:37,400 --> 00:42:38,880
Microsoft office in Austin.

922
00:42:38,880 --> 00:42:40,800
I discovered there's a new feature in PowerPoint

923
00:42:40,800 --> 00:42:44,040
that actually does live subtitles as you're speaking.

924
00:42:44,040 --> 00:42:45,240
It will even translate.

925
00:42:45,240 --> 00:42:46,640
So if you're doing, say for example,

926
00:42:46,640 --> 00:42:48,240
to a Spanish audience, it would actually

927
00:42:48,240 --> 00:42:50,760
translate as well while you're speaking English.

928
00:42:50,760 --> 00:42:52,920
But what was interesting is, so my slides were coming up,

929
00:42:52,920 --> 00:42:55,800
and there was my almost perhaps a half a second delay,

930
00:42:55,800 --> 00:43:00,760
maybe a second delay transcription of my audio.

931
00:43:00,760 --> 00:43:02,680
And it was interesting because at the end,

932
00:43:02,680 --> 00:43:03,720
these two people came up and actually

933
00:43:03,720 --> 00:43:05,320
said to me, they said, hey, first of all,

934
00:43:05,320 --> 00:43:06,640
what the heck just happened?

935
00:43:06,640 --> 00:43:07,760
How did you manage to do that?

936
00:43:07,760 --> 00:43:08,360
And I showed them.

937
00:43:08,360 --> 00:43:10,240
I said, hey, it's this new feature in PowerPoint.

938
00:43:10,240 --> 00:43:12,240
Then they said they actually really appreciated it

939
00:43:12,240 --> 00:43:13,920
because both of them were hard of hearing.

940
00:43:13,920 --> 00:43:17,280
And it made everything so much easier for them.

941
00:43:17,280 --> 00:43:19,520
And the amount of effort required from my point of view,

942
00:43:19,520 --> 00:43:21,600
from my standpoint, was exactly zero.

943
00:43:21,600 --> 00:43:23,960
I clicked on a button, and that's basically it.

944
00:43:23,960 --> 00:43:26,080
So yeah, I'm a big fan of that kind of stuff.

945
00:43:26,080 --> 00:43:27,840
The other thing that I wanted to mention

946
00:43:27,840 --> 00:43:31,520
is just mentor women out there.

947
00:43:31,520 --> 00:43:35,600
We would like to be part of that, include us,

948
00:43:35,600 --> 00:43:39,320
be part of the hiring process, bring us in.

949
00:43:39,320 --> 00:43:43,880
I think it's becoming better in recent years.

950
00:43:43,880 --> 00:43:47,160
And last, connecting communities.

951
00:43:47,160 --> 00:43:50,600
Most of the time when I go to a community event,

952
00:43:50,600 --> 00:43:52,400
there's all these guys together.

953
00:43:52,400 --> 00:43:54,000
So I'm going in there.

954
00:43:54,000 --> 00:43:56,520
I'm the only woman.

955
00:43:56,520 --> 00:44:00,520
But there's time that I see a woman walking around,

956
00:44:00,520 --> 00:44:02,240
and they don't know who to connect with.

957
00:44:02,240 --> 00:44:05,160
So just be conscious of that.

958
00:44:05,160 --> 00:44:08,440
Yes, thank you very, very much for those perspectives.

959
00:44:08,440 --> 00:44:09,160
That was awesome.

960
00:44:09,160 --> 00:44:09,680
Thank you.

961
00:44:09,680 --> 00:44:11,440
So Mark, you have mentioned that you

962
00:44:11,440 --> 00:44:15,800
have worked on many different resources, like CISO workshop,

963
00:44:15,800 --> 00:44:20,120
the MCRA, the Microsoft Well-Architected Framework,

964
00:44:20,120 --> 00:44:21,320
and many others.

965
00:44:21,320 --> 00:44:24,800
For somebody that is starting brand new,

966
00:44:24,800 --> 00:44:28,080
what is a learning roadmap that you would recommend?

967
00:44:28,080 --> 00:44:30,360
That's a really good question.

968
00:44:30,360 --> 00:44:34,440
And that's code for there's no simple answer.

969
00:44:34,440 --> 00:44:37,320
So I'll start it with a standard consulting answer of it

970
00:44:37,320 --> 00:44:42,600
depends, and then offer the way I think about that.

971
00:44:42,600 --> 00:44:45,480
Because it really does depend on what your background

972
00:44:45,480 --> 00:44:47,560
and experience are.

973
00:44:47,560 --> 00:44:49,400
Do you have a technical background or not?

974
00:44:49,400 --> 00:44:51,200
Or are you just straight into cyber?

975
00:44:51,200 --> 00:44:54,640
Have you been in technology for a while, early in career,

976
00:44:54,640 --> 00:44:59,040
or later in career, depth of technical experience and breadth,

977
00:44:59,040 --> 00:44:59,880
et cetera?

978
00:44:59,880 --> 00:45:01,160
Part of it is your background experience,

979
00:45:01,160 --> 00:45:03,240
but part of it is also what you're looking for

980
00:45:03,240 --> 00:45:04,960
and what you're trying to get.

981
00:45:04,960 --> 00:45:06,600
The interesting thing about cybersecurity

982
00:45:06,600 --> 00:45:08,840
is such a broad field.

983
00:45:08,840 --> 00:45:11,920
We work on some of the deepest technology things,

984
00:45:11,920 --> 00:45:14,600
like reverse engineering and the like.

985
00:45:14,600 --> 00:45:16,520
But we also work with user education

986
00:45:16,520 --> 00:45:19,240
and touching hearts and minds and trying

987
00:45:19,240 --> 00:45:21,520
to convince people to do things, whether it's a developer

988
00:45:21,520 --> 00:45:24,360
to follow secure coding practices through a champs

989
00:45:24,360 --> 00:45:27,720
program, or educating users so they understand

990
00:45:27,720 --> 00:45:30,960
what the right answer is, or looking for insider threats,

991
00:45:30,960 --> 00:45:34,720
which again is very human in nature.

992
00:45:34,720 --> 00:45:37,440
And not as technical, but there's

993
00:45:37,440 --> 00:45:40,520
a lot of what is the person's motivation, disgruntled,

994
00:45:40,520 --> 00:45:41,800
et cetera.

995
00:45:41,800 --> 00:45:45,440
So there's so, so many different areas of cybersecurity.

996
00:45:45,440 --> 00:45:48,960
It really depends on what you're interested in.

997
00:45:48,960 --> 00:45:53,360
So we did put together, if you're a technical person

998
00:45:53,360 --> 00:45:55,880
and you're new to cyber, we created these things called

999
00:45:55,880 --> 00:45:57,400
interactive guides.

1000
00:45:57,400 --> 00:46:00,440
And we use the MCRA, the Microsoft Cyber Reference

1001
00:46:00,440 --> 00:46:02,440
Architecture, as sort of the slide

1002
00:46:02,440 --> 00:46:04,360
backdrop for these videos.

1003
00:46:04,360 --> 00:46:08,600
But we completely changed the talk track from the normal one

1004
00:46:08,600 --> 00:46:12,080
to, hey, let me explain what the heck this part of security

1005
00:46:12,080 --> 00:46:14,280
is, or that part of security is.

1006
00:46:14,280 --> 00:46:16,200
And so that's sort of one of the things

1007
00:46:16,200 --> 00:46:18,320
that we put together for folks that just

1008
00:46:18,320 --> 00:46:19,920
have a basic technical background,

1009
00:46:19,920 --> 00:46:23,020
but need to learn more about security.

1010
00:46:23,020 --> 00:46:24,760
If you're more experienced in cyber

1011
00:46:24,760 --> 00:46:26,800
and you're just trying to understand the Microsoft

1012
00:46:26,800 --> 00:46:29,240
technologies, the newest and latest techniques,

1013
00:46:29,240 --> 00:46:31,760
the cyber reference videos, the Microsoft Cyber Security

1014
00:46:31,760 --> 00:46:35,020
Reference Architecture videos, those

1015
00:46:35,020 --> 00:46:37,200
are probably the right place to start.

1016
00:46:37,200 --> 00:46:39,480
If you have a specific thing like, hey, we just

1017
00:46:39,480 --> 00:46:42,000
bought Sentinel, or we just bought Defender for IoT,

1018
00:46:42,000 --> 00:46:45,440
or some other specific product technology,

1019
00:46:45,440 --> 00:46:48,640
I really, really like the Ninja training videos,

1020
00:46:48,640 --> 00:46:54,680
because they're kind of like going to a workshop focused on,

1021
00:46:54,680 --> 00:46:56,840
OK, I now need to know everything about that

1022
00:46:56,840 --> 00:46:58,440
particular product.

1023
00:46:58,440 --> 00:47:02,560
And so those are kind of the first ones that pop into mind,

1024
00:47:02,560 --> 00:47:06,240
depending kind of on your needs and backgrounds.

1025
00:47:06,240 --> 00:47:10,120
So I wanted to kind of close us on a couple of questions.

1026
00:47:10,120 --> 00:47:12,240
And the questions are, what are your favorite things

1027
00:47:12,240 --> 00:47:15,480
to talk about in security, and why?

1028
00:47:15,480 --> 00:47:16,520
So that's the first one.

1029
00:47:16,520 --> 00:47:19,040
And then the second one is any career advice

1030
00:47:19,040 --> 00:47:20,920
that you would offer for folks that

1031
00:47:20,920 --> 00:47:24,320
are looking to advance their careers in cybersecurity.

1032
00:47:24,320 --> 00:47:27,240
My personal favorite thing to talk about in cybersecurity

1033
00:47:27,240 --> 00:47:30,680
is how connected it is to everything else.

1034
00:47:30,680 --> 00:47:34,320
So security isn't just a technical discipline.

1035
00:47:34,320 --> 00:47:36,920
As I mentioned earlier, it's a human discipline.

1036
00:47:36,920 --> 00:47:41,440
It's got elements of economics and human behavior

1037
00:47:41,440 --> 00:47:44,360
and psychology, not just of our own users,

1038
00:47:44,360 --> 00:47:45,440
but also the attackers.

1039
00:47:45,440 --> 00:47:46,860
And how do they make the most money?

1040
00:47:46,860 --> 00:47:50,200
And what's their return on investment for an attack?

1041
00:47:50,200 --> 00:47:53,640
And so the thing that I love to talk about and to explore

1042
00:47:53,640 --> 00:47:57,760
about cybersecurity is how much of the greater

1043
00:47:57,760 --> 00:48:02,080
body of human knowledge that we can bring to our industry,

1044
00:48:02,080 --> 00:48:06,520
and things like group dynamics and economics and finance

1045
00:48:06,520 --> 00:48:10,040
and just anything about just what we've

1046
00:48:10,040 --> 00:48:12,240
learned as humans as a species.

1047
00:48:12,240 --> 00:48:15,440
And so that's my favorite thing to connect to it.

1048
00:48:15,440 --> 00:48:18,720
And the big career advice I would give folks

1049
00:48:18,720 --> 00:48:22,720
is to really kind of explore the full breadth of cybersecurity

1050
00:48:22,720 --> 00:48:24,280
and understand it, because there's

1051
00:48:24,280 --> 00:48:26,040
a lot of opportunities out there.

1052
00:48:26,040 --> 00:48:32,200
And a lot of them aren't the normal sort of well-paved paths

1053
00:48:32,200 --> 00:48:35,440
of, hey, I have to learn and master network technology

1054
00:48:35,440 --> 00:48:37,680
in order to be a good cybersecurity person.

1055
00:48:37,680 --> 00:48:39,680
Yes, you definitely want background information.

1056
00:48:39,680 --> 00:48:41,320
You need sort of a breadth of understanding

1057
00:48:41,320 --> 00:48:42,480
of technology and others.

1058
00:48:42,480 --> 00:48:44,560
But ultimately, there's so many things

1059
00:48:44,560 --> 00:48:46,060
that we're doing in cybersecurity,

1060
00:48:46,060 --> 00:48:48,440
but there's also so many things that we're not doing.

1061
00:48:48,440 --> 00:48:50,400
And so there's a lot of opportunities

1062
00:48:50,400 --> 00:48:51,800
to sort of forge new paths.

1063
00:48:51,800 --> 00:48:54,280
And so really bringing your creativity

1064
00:48:54,280 --> 00:48:57,160
and bringing your ideas to it and bringing

1065
00:48:57,160 --> 00:48:59,440
your diverse backgrounds to it, I mean,

1066
00:48:59,440 --> 00:49:01,160
that's what's going to make cybersecurity

1067
00:49:01,160 --> 00:49:01,960
a better discipline.

1068
00:49:01,960 --> 00:49:03,160
It's not doing the same stuff we've

1069
00:49:03,160 --> 00:49:04,320
been doing for the past 10 years,

1070
00:49:04,320 --> 00:49:07,120
although there is some consistency, as Mike pointed out.

1071
00:49:07,120 --> 00:49:09,480
But it's also about what can we bring to it

1072
00:49:09,480 --> 00:49:12,360
to address the things that haven't been done.

1073
00:49:12,360 --> 00:49:15,480
Maybe there's a psychological dynamic that explains

1074
00:49:15,480 --> 00:49:16,560
why we keep doing things.

1075
00:49:16,560 --> 00:49:19,800
And if we have the right motivation for it

1076
00:49:19,800 --> 00:49:23,120
or the right perspective on it or the right visual that

1077
00:49:23,120 --> 00:49:25,800
clarifies a particular topic, all of a sudden,

1078
00:49:25,800 --> 00:49:27,960
instead of 10 people out of 100 in a room

1079
00:49:27,960 --> 00:49:31,680
that would understand it, maybe 70 people in a room of 100

1080
00:49:31,680 --> 00:49:33,360
would understand that topic.

1081
00:49:33,360 --> 00:49:35,740
So there's just so many opportunities in cybersecurity

1082
00:49:35,740 --> 00:49:38,600
to bring yourself and your background,

1083
00:49:38,600 --> 00:49:39,520
your unique skills.

1084
00:49:39,520 --> 00:49:42,640
So that's the big thing is bring your whole self to cyber.

1085
00:49:42,640 --> 00:49:46,400
For me, I would say that my favorite thing

1086
00:49:46,400 --> 00:49:51,920
to talk about security would be the graph, APIs,

1087
00:49:51,920 --> 00:49:53,440
interconnections.

1088
00:49:53,440 --> 00:49:57,360
And mainly, it is the ability of interconnecting services

1089
00:49:57,360 --> 00:49:58,400
together.

1090
00:49:58,400 --> 00:50:02,600
And the reason for this is that many of the Microsoft tools

1091
00:50:02,600 --> 00:50:07,400
or security services take into account the interconnectivity

1092
00:50:07,400 --> 00:50:08,760
of different services.

1093
00:50:08,760 --> 00:50:11,280
And this is not just Microsoft services,

1094
00:50:11,280 --> 00:50:14,400
but it could be third party services.

1095
00:50:14,400 --> 00:50:17,280
And it enables it a lot through the graph

1096
00:50:17,280 --> 00:50:20,640
and through many of the other APIs.

1097
00:50:20,640 --> 00:50:25,960
And these, in turn, allows for automation orchestration

1098
00:50:25,960 --> 00:50:31,120
to be done inherently in the toolset, in the services,

1099
00:50:31,120 --> 00:50:36,640
which in turn speeds up resolution, I guess,

1100
00:50:36,640 --> 00:50:41,560
detects and responds all this through these services.

1101
00:50:41,560 --> 00:50:46,720
So I love talking about that and how Microsoft enables this.

1102
00:50:46,720 --> 00:50:49,680
Because once I start talking about that,

1103
00:50:49,680 --> 00:50:56,240
and then I show it like in the XDR tool or Microsoft 365 tool,

1104
00:50:56,240 --> 00:50:58,640
the light bulb lights up.

1105
00:50:58,640 --> 00:51:03,360
And you see their eyes open up and say, oh, hold on a second.

1106
00:51:03,360 --> 00:51:04,880
We are in a different world.

1107
00:51:04,880 --> 00:51:09,160
It's no longer about collecting logs in a SIEM.

1108
00:51:09,160 --> 00:51:13,800
It's no longer about having somebody manually write

1109
00:51:13,800 --> 00:51:15,640
automation orchestration.

1110
00:51:15,640 --> 00:51:20,200
So I like when people just realize something.

1111
00:51:20,200 --> 00:51:24,680
It differentiates the regular work that they're doing.

1112
00:51:24,680 --> 00:51:29,520
Career advice, I would say that the number one thing that

1113
00:51:29,520 --> 00:51:33,640
has helped me at Microsoft and in many places

1114
00:51:33,640 --> 00:51:39,120
is networking, networking with people, getting mentorships.

1115
00:51:39,120 --> 00:51:44,800
I actually today was asking somebody to mentor me.

1116
00:51:44,800 --> 00:51:47,280
That is a never ending type of thing.

1117
00:51:47,280 --> 00:51:52,000
Learning from others, meeting new people, doing community,

1118
00:51:52,000 --> 00:51:55,240
I think this is the most important thing.

1119
00:51:55,240 --> 00:51:58,000
Because when I don't know something,

1120
00:51:58,000 --> 00:52:01,040
I know who knows that thing.

1121
00:52:01,040 --> 00:52:04,080
So I'm able to accomplish a lot of things.

1122
00:52:04,080 --> 00:52:07,720
And it is funny to say this, but when I first

1123
00:52:07,720 --> 00:52:11,800
came into Strategic Missions and Technologies,

1124
00:52:11,800 --> 00:52:16,640
everyone was saying that Gladys was the yellow pages for the team.

1125
00:52:16,640 --> 00:52:19,400
If they had a question, who can answer this?

1126
00:52:19,400 --> 00:52:20,600
I had the answer.

1127
00:52:20,600 --> 00:52:25,080
I had somebody for them to find the answer from.

1128
00:52:25,080 --> 00:52:31,840
So I heavily recommend keep up with networking and mentoring.

1129
00:52:31,840 --> 00:52:38,000
The last thing that I have started doing in the last three

1130
00:52:38,000 --> 00:52:45,000
years or so is every day I take an hour just to learn something,

1131
00:52:45,000 --> 00:52:48,640
read something, watch a video, something like that.

1132
00:52:48,640 --> 00:52:51,560
Especially in security, if you're not

1133
00:52:51,560 --> 00:52:56,200
able to do something like that, you just stay behind.

1134
00:52:56,200 --> 00:52:59,960
I don't say with this that I know everything,

1135
00:52:59,960 --> 00:53:03,480
but at least I'm able to keep up a little bit

1136
00:53:03,480 --> 00:53:08,080
and show that I am up to date on what is happening out there.

1137
00:53:08,080 --> 00:53:11,040
Yeah, I just want to concur with the whole learning thing.

1138
00:53:11,040 --> 00:53:13,840
So I actually keep, when I come across topics

1139
00:53:13,840 --> 00:53:16,520
that I'm interested in that I want to learn more about,

1140
00:53:16,520 --> 00:53:19,200
I actually have a Microsoft To Do list.

1141
00:53:19,200 --> 00:53:20,440
I just add it to the list.

1142
00:53:20,440 --> 00:53:21,400
That way I don't forget.

1143
00:53:21,400 --> 00:53:22,760
Because I know full well if I don't write it down,

1144
00:53:22,760 --> 00:53:24,040
I'll forget.

1145
00:53:24,040 --> 00:53:26,880
Then what I do is every day is I'll pick something

1146
00:53:26,880 --> 00:53:29,240
from the list and I'll look at it.

1147
00:53:29,240 --> 00:53:30,800
I actually have it set aside like you.

1148
00:53:30,800 --> 00:53:33,600
I have some time set aside in my calendar to learn something.

1149
00:53:33,600 --> 00:53:35,640
It literally is called learn something.

1150
00:53:35,640 --> 00:53:39,080
I'll go to do pick something and just, as you say,

1151
00:53:39,080 --> 00:53:41,720
read a document or read a research paper

1152
00:53:41,720 --> 00:53:43,320
or watch a video or something.

1153
00:53:43,320 --> 00:53:45,280
That's how I stay on top of things.

1154
00:53:45,280 --> 00:53:49,240
So getting back to the original question that Mark raised.

1155
00:53:49,240 --> 00:53:51,280
So the thing that I like to talk about the most,

1156
00:53:51,280 --> 00:53:53,120
obviously anyone who knows me knows that I'm

1157
00:53:53,120 --> 00:53:55,080
a big fan of software development,

1158
00:53:55,080 --> 00:53:57,360
I'm a big fan of cryptography and cryptographic controls

1159
00:53:57,360 --> 00:53:58,440
in general.

1160
00:53:58,440 --> 00:54:01,200
But to take it one level higher than that,

1161
00:54:01,200 --> 00:54:03,280
I'm a big fan of telling stories.

1162
00:54:03,280 --> 00:54:06,240
I think that the area of security

1163
00:54:06,240 --> 00:54:10,360
can be very complex and quite intimidating.

1164
00:54:10,360 --> 00:54:12,440
But sometimes if you can bring it back

1165
00:54:12,440 --> 00:54:16,360
to a simple human story, then it starts to make sense.

1166
00:54:16,360 --> 00:54:18,960
I've had people say, well, we can't do that because blah,

1167
00:54:18,960 --> 00:54:19,520
blah, blah.

1168
00:54:19,520 --> 00:54:23,280
I'm like, well, let me tell you how another customer did that

1169
00:54:23,280 --> 00:54:27,200
and how they realized it wasn't the best idea.

1170
00:54:27,200 --> 00:54:28,680
Obviously without naming names.

1171
00:54:28,680 --> 00:54:31,480
And if I can jump in there for a second,

1172
00:54:31,480 --> 00:54:33,520
because storytelling is I changed

1173
00:54:33,520 --> 00:54:36,920
my personal version of my professional identity

1174
00:54:36,920 --> 00:54:39,040
about 10, 12 years ago.

1175
00:54:39,040 --> 00:54:40,520
That I'm no longer a technologist,

1176
00:54:40,520 --> 00:54:42,880
I'm a storyteller that tells technical and security

1177
00:54:42,880 --> 00:54:44,080
stories.

1178
00:54:44,080 --> 00:54:46,560
And the world got so much clearer for me.

1179
00:54:46,560 --> 00:54:47,600
Yeah, 100%.

1180
00:54:47,600 --> 00:54:48,400
100% agree.

1181
00:54:48,400 --> 00:54:48,920
Yep.

1182
00:54:48,920 --> 00:54:49,560
Yep.

1183
00:54:49,560 --> 00:54:51,960
In fact, when I moved from Redmond to Austin,

1184
00:54:51,960 --> 00:54:53,640
I got like three emails from people saying,

1185
00:54:53,640 --> 00:54:57,680
I'm really going to miss story time with Michael.

1186
00:54:57,680 --> 00:55:00,080
I think you have to be able to tell things as stories,

1187
00:55:00,080 --> 00:55:02,320
because I think that can be a lot more compelling

1188
00:55:02,320 --> 00:55:03,560
for a lot of people.

1189
00:55:03,560 --> 00:55:05,400
And then second one about career advice.

1190
00:55:05,400 --> 00:55:07,280
I think learning is big.

1191
00:55:07,280 --> 00:55:08,680
I think learning is absolutely huge.

1192
00:55:08,680 --> 00:55:10,680
In fact, when I hit the 30 years,

1193
00:55:10,680 --> 00:55:14,000
I was kind of interviewed by the head of our group

1194
00:55:14,000 --> 00:55:15,320
in front of everybody.

1195
00:55:15,320 --> 00:55:18,280
And one of the questions was, how do you stay fresh

1196
00:55:18,280 --> 00:55:19,600
after 30 years?

1197
00:55:19,600 --> 00:55:21,160
And the big thing is just learning.

1198
00:55:21,160 --> 00:55:22,240
You've just got to keep learning.

1199
00:55:22,240 --> 00:55:24,080
And you've got to be willing to reinvent yourself as well,

1200
00:55:24,080 --> 00:55:25,080
if needed.

1201
00:55:25,080 --> 00:55:28,080
I'll give you an example, by way of a story.

1202
00:55:28,080 --> 00:55:30,000
When David and I wrote Writing Secure Code,

1203
00:55:30,000 --> 00:55:32,560
even though David was in office and I was in Windows,

1204
00:55:32,560 --> 00:55:34,840
we were still writing stuff about Windows code.

1205
00:55:34,840 --> 00:55:37,480
So we were known as the security, so the Windows

1206
00:55:37,480 --> 00:55:39,360
security guys, right?

1207
00:55:39,360 --> 00:55:42,160
And then this thing came along, which about 10 years ago,

1208
00:55:42,160 --> 00:55:44,360
which I thought, this is going to be a big deal, this cloud

1209
00:55:44,360 --> 00:55:45,360
thing.

1210
00:55:45,360 --> 00:55:48,200
I ended up spending a lot more time learning about cloud

1211
00:55:48,200 --> 00:55:51,760
threats, cloud mitigations, cloud risks, and so on.

1212
00:55:51,760 --> 00:55:54,280
And then lo and behold, another book

1213
00:55:54,280 --> 00:55:56,760
comes out called Designing and Developing Secure Azure

1214
00:55:56,760 --> 00:55:57,800
Solutions.

1215
00:55:57,800 --> 00:56:00,320
So essentially, over the years, I sort of reinvented myself

1216
00:56:00,320 --> 00:56:03,120
as essentially an Azure security guy, right?

1217
00:56:03,120 --> 00:56:05,600
Now, what's ultimately and beautifully ironic, however,

1218
00:56:05,600 --> 00:56:08,760
is because I'm working on the back end of Azure now.

1219
00:56:08,760 --> 00:56:10,840
I'm working inside of, in many cases,

1220
00:56:10,840 --> 00:56:14,360
say an Azure SQL DB or a Cosmos DB instance or other things

1221
00:56:14,360 --> 00:56:15,920
hosted in VMs.

1222
00:56:15,920 --> 00:56:19,840
So I'm still working at the operating system level,

1223
00:56:19,840 --> 00:56:22,360
even though I'm talking about cloud threats and so on.

1224
00:56:22,360 --> 00:56:24,320
A lot of the work that I do on a day-to-day basis

1225
00:56:24,320 --> 00:56:27,560
is actually still Windows, essentially, at the back end.

1226
00:56:27,560 --> 00:56:30,520
But yeah, you've got to be willing to essentially not,

1227
00:56:30,520 --> 00:56:32,360
I'm not going to say throw things away,

1228
00:56:32,360 --> 00:56:36,960
but you may have to reboot your career at some point.

1229
00:56:36,960 --> 00:56:40,280
And you have to be willing to take those risks, I think.

1230
00:56:40,280 --> 00:56:44,320
So my favorite thing to talk about in security

1231
00:56:44,320 --> 00:56:48,560
is actually just talking to everyday people

1232
00:56:48,560 --> 00:56:53,560
and making them realize that security is relevant to them

1233
00:56:53,680 --> 00:56:55,160
and their everyday life.

1234
00:56:55,160 --> 00:56:56,600
I'll give you an example.

1235
00:56:56,600 --> 00:57:01,080
A couple of weeks ago, I was getting a blowout at a salon

1236
00:57:01,080 --> 00:57:05,800
and I was talking to the lady who was doing my hair.

1237
00:57:05,800 --> 00:57:08,000
And she was a law student.

1238
00:57:08,000 --> 00:57:10,760
She did the blowouts in her spare time.

1239
00:57:10,760 --> 00:57:13,360
And we ended up talking about security.

1240
00:57:13,360 --> 00:57:16,680
And she said her boyfriend was studying it.

1241
00:57:16,680 --> 00:57:19,280
And anyway, we just ended up for the whole time,

1242
00:57:19,280 --> 00:57:21,920
me getting my hair done, talking about security

1243
00:57:21,920 --> 00:57:24,080
and all the different parts to it

1244
00:57:24,080 --> 00:57:28,280
and how it's relevant to absolutely everybody.

1245
00:57:28,280 --> 00:57:30,680
Even if you're not a security professional

1246
00:57:30,680 --> 00:57:33,000
and you're getting paid to look at it,

1247
00:57:33,000 --> 00:57:36,040
we all have to take security precautions in our lives

1248
00:57:36,040 --> 00:57:39,920
and the effects of what happens in security

1249
00:57:39,920 --> 00:57:41,320
affects everybody.

1250
00:57:41,320 --> 00:57:45,760
And even if you're very anti,

1251
00:57:45,760 --> 00:57:48,800
I don't think anti-establishment or just anti-society.

1252
00:57:48,800 --> 00:57:53,280
And even if you don't even use a bank or anything

1253
00:57:53,280 --> 00:57:55,240
and you try and go off grid,

1254
00:57:55,240 --> 00:57:58,400
the fact is that someone somewhere has some information

1255
00:57:58,400 --> 00:58:01,840
on you on a computer in an electronic format

1256
00:58:01,840 --> 00:58:03,240
no matter how much you try.

1257
00:58:03,240 --> 00:58:06,560
And for those of us who don't choose that lifestyle,

1258
00:58:06,560 --> 00:58:09,760
there's a lot of information about us on computers.

1259
00:58:09,760 --> 00:58:13,000
So security really is everybody's problem.

1260
00:58:13,000 --> 00:58:15,120
And I really enjoy,

1261
00:58:15,120 --> 00:58:18,960
I love talking to security professionals

1262
00:58:18,960 --> 00:58:20,760
and people in the IT industry,

1263
00:58:20,760 --> 00:58:23,960
but I think just through the course of me

1264
00:58:23,960 --> 00:58:27,080
chatting with people, making people understand

1265
00:58:27,080 --> 00:58:30,840
just how much security affects absolutely everybody,

1266
00:58:30,840 --> 00:58:34,680
I find a really fun thing to do.

1267
00:58:34,680 --> 00:58:37,680
And obviously people's reactions are like,

1268
00:58:37,680 --> 00:58:40,680
wow, oh wow, like I didn't realize

1269
00:58:40,680 --> 00:58:43,240
that was going to affect me too.

1270
00:58:43,240 --> 00:58:47,440
So yeah, that's probably one of my favorite things.

1271
00:58:47,440 --> 00:58:52,040
My career advice is not too dissimilar

1272
00:58:52,040 --> 00:58:55,480
from what some of my other lovely colleagues have said here,

1273
00:58:55,480 --> 00:58:58,600
but you do have to keep learning.

1274
00:58:58,600 --> 00:59:03,280
I mean, this is the same for all IT technology careers

1275
00:59:03,280 --> 00:59:06,880
because technology goes out of date very quickly.

1276
00:59:07,880 --> 00:59:10,760
And security and the attackers and the techniques

1277
00:59:10,760 --> 00:59:13,360
and what they do also changes really quickly.

1278
00:59:13,360 --> 00:59:16,640
So of course that's a really important one,

1279
00:59:16,640 --> 00:59:21,640
but also stick with it because I have had many times,

1280
00:59:24,840 --> 00:59:29,840
many times in my career where it's hard work what we do.

1281
00:59:29,840 --> 00:59:33,480
It can be hard work, not just from a technical perspective,

1282
00:59:33,480 --> 00:59:35,680
but also emotionally.

1283
00:59:35,680 --> 00:59:38,000
We don't have easy jobs.

1284
00:59:38,000 --> 00:59:40,200
And I was always taught by my dad,

1285
00:59:40,200 --> 00:59:44,400
he said, well, Sarah, you didn't sign up

1286
00:59:44,400 --> 00:59:46,120
to do an easy job.

1287
00:59:46,120 --> 00:59:48,800
What you do as a job is actually really difficult,

1288
00:59:48,800 --> 00:59:51,440
but that's why you get to do some really interesting work.

1289
00:59:51,440 --> 00:59:54,160
You get to travel and you get to do all these other cool

1290
00:59:54,160 --> 00:59:56,520
things alongside that.

1291
00:59:56,520 --> 01:00:01,320
So I think as well making sure work is not the only thing

1292
01:00:01,320 --> 01:00:02,160
in your life.

1293
01:00:02,160 --> 01:00:06,320
I mean, with working from home and all of those boundaries,

1294
01:00:06,320 --> 01:00:11,240
we don't, it can be that's dissolved the work-life boundary,

1295
01:00:11,240 --> 01:00:13,240
I think even more, at least for some of us.

1296
01:00:13,240 --> 01:00:16,560
I know I certainly did more work during the pandemic,

1297
01:00:16,560 --> 01:00:19,320
but make sure you've got other things going on outside

1298
01:00:19,320 --> 01:00:24,320
as well because it's tough and it's a hard job.

1299
01:00:24,920 --> 01:00:27,680
It's interesting and rewarding, but it's not easy,

1300
01:00:27,680 --> 01:00:32,680
but you need to balance that with things going on outside.

1301
01:00:32,680 --> 01:00:37,680
All right, so with that, we've been going for nearly an hour.

1302
01:00:37,760 --> 01:00:39,480
Let's wrap this thing up.

1303
01:00:39,480 --> 01:00:40,440
This has been actually a lot of fun.

1304
01:00:40,440 --> 01:00:42,080
It's a little bit different.

1305
01:00:42,080 --> 01:00:44,680
It certainly makes a change from interviewing somebody

1306
01:00:44,680 --> 01:00:47,560
from a product team about the security implications

1307
01:00:47,560 --> 01:00:49,160
of their products or some security features.

1308
01:00:49,160 --> 01:00:52,160
So thanks everyone for taking the time

1309
01:00:52,160 --> 01:00:53,880
and to all our listeners out there,

1310
01:00:53,880 --> 01:00:54,800
we hope you found it useful.

1311
01:00:54,800 --> 01:00:56,320
Again, a little bit different,

1312
01:00:56,320 --> 01:00:58,880
stay safe and we'll see you next time.

1313
01:00:58,880 --> 01:01:01,760
Thanks for listening to the Azure Security Podcast.

1314
01:01:01,760 --> 01:01:04,320
You can find show notes and other resources

1315
01:01:04,320 --> 01:01:07,680
at our website, azsecuritypodcast.net.

1316
01:01:08,600 --> 01:01:10,120
If you have any questions,

1317
01:01:10,120 --> 01:01:12,440
please find us on Twitter at Azure Setpod.

1318
01:01:13,360 --> 01:01:16,280
Background music is from ccmixter.com

1319
01:01:16,280 --> 01:01:31,920
and licensed under the Creative Commons license.

