C-Suite discussion can help limit data hoarding: Diana Kelley, cybersecurity field CTO, Microsoft

Diana Kelley is the cybersecurity field CTO for Microsoft. What is a field CTO, you may ask. The Economic Times asked her precisely that, and also about the future of the password and the importance of limiting the amount of data that is stored. Edited excerpts:

You’ve talked about the need for corporations to limit the amount of data that is stored. That requires a cultural shift, considering at the moment it is all about hoarding data lest it become useful sometime in the future. How do you enable such a shift?
Very often by talking through what the impact (of data hoarding) can be, (and) by having very open conversations with business executives. The technical team for the most part understands this. It is now about having a conversation with the C-Suite and the boards, as they look at the overall business risk, because that is the job of the board. It is about looking at the business and organisational risk, discussing what keeping too much data means, or if that data falls into the wrong hands, what it means. Some other examples are if there is an e-discovery and if there is a lawsuit and if someone goes through e-mails from the past, is there something in an e-mail from four years ago that the company may not want out. It may not be something illegal, just something that they didn’t want out. Now if the company is going through e-discovery, it could become public. It is something that could have been deleted a few years ago. So, it is important to have these discussions and make very important decisions about data lifecycle management. I worked at a company once where every e-mail that was 90 days old was deleted — that was their policy. E-mails that were related to certain projects that had to be retained were retained, but all others were deleted.

How are you seeing the advent of password-less interfacing in enterprise versus consumer?
Enterprise is going in a different direction, especially around password-less adoption. This is because enterprises own the system and have close relationships with their partners, so you can start to solidify and normalise certain technologies. That’s why you are seeing some of the early password-less adoption (in enterprises). When you get into a more disparate community — you and me as a person on the Internet interacting with multiple different retailers and travel sites and others — it is different. Where you have seen a definite shift towards password-less in consumer is in biometric unlocks in smart devices. I hope there is going to be a convergence in making it easier for people to log in. It has to be password-less, with another focus of risk management in the background in terms of access and monitoring access.

You’ve talked about a drop in ransomware during 2018. What gives?
This is what we can see and report on. The encounter rate within Microsoft systems has seen a 60% drop in 2018. The attackers don’t tell us why they launched more or less of a certain type of attack. We infer that it is because it is less successful. Organisations are upgrading to the latest versions of OS; they are patching; there is segmentation in their networks; they’ve got good backups they can restore from — all of these make ransomware less effective.

What are the different security signals thrown up by the systems you have visibility over and how exactly are you using machine learning to classify them?
Signals that we see are about things that can potentially impact security. When we say signals, people think that means attack. That is not the case. (For example) One e-mail could have different signals — the IP address gives you intelligence about what machine sent the mail. Another signal could be the attachments. When we talk about the number of signals, we are talking about multiple different dimensions. We use multiple-layered machine-learning models to parse through different security signals and to identify things that may indicate unwanted or malicious behaviour. If you get an e-mail from a known bad IP address, it is a signal that could have a damaging impact on an organisation.

Cybersecurity field CTO. That is a new designation altogether. What does it mean?
It is a good title for what it is. Rather than being an internally focussed, engineering kind of CTO, I focus externally. I talk to CIOs and CISOs and security directors about some of their biggest challenges. I learn from the teams that I am talking to and then take it back to my engineering team. I have not yet met other field CTOs in cybersecurity (laughs).

You’ve mentioned earlier that the broad industry has now started to learn about cybersecurity. What was the tipping point?
I don’t know if there has been a tipping point. Overall, we have started to mature as an industry. We have seen what works and what doesn’t, and that’s what has got people to think in new directions. I personally experienced this (transition) very early in my career when I recommended a stronger security solution rather than what was the best fit for the company. My thinking at that time was that the most secure has to be the best. I think the change is that mindset. How do you get security that works for people — that’s the way to think about it.