We had the chance to sit down with Retired Chief Security Officer of Microsoft, Mike Howard, before he takes the stage as our Keynote Speaker at the Transformational CISO and Digital Enterprise Assembly. In this interview, Mike gives his insights on the successful CSO, defending physical security worldwide, measuring risk and reward, and much more.
Security of an organization is the central challenge of our digital age, especially in large corporations like Microsoft. What areas of security operations do you focus on when looking to make corporations safer and more efficient in their security and physical security practices, especially when traditional threats still remain a big challenge?
Mike Howard: I like to look at enterprise security in a holistic manner. When I look at operations at, say, my former organization, Microsoft Global Security, my team and I made sure we didn’t silo ourselves. The traditional answer to a question like this would be e.g. Access Controls, Travel Security, Intelligence, Executive Protection, Threats of Violence, Upgraded Technology (cameras, for instance), etc. These are all important in and of themselves, of course. But from my optic, I focus on making sure that all of these essential operations that are in a physical security organization’s remit are coordinated properly with all elements of “security” in the company. That means we work hand-in-hand with the CISO’s org, Business Continuity/Enterprise Risk folks, as well as those security elements that reside in Business Units. I focus on what we called “Strategic Integration,” meaning that not only are we strategically aligned within my own organization’s verticals, but that we are strategically aligning with our partners in the enterprise so that together we can look at “enterprise risk” end-to-end. The days of any security entity in an enterprise riding solo are long gone. Traditional threats do indeed remain a big challenge, but in this digital age, with the sophisticated tools that, say, terrorist groups use to communicate with each other and coordinate operations, traditional physical security operations have to be aligned to enterprise risk.
You managed all physical security operations worldwide for Microsoft for almost 20 years as their CSO. As a leader with tremendous responsibility, you have probably seen it all. What were some of the biggest problems you have encountered at Microsoft when defending physical security worldwide?
Good question! One big challenge was the growth of Microsoft itself. When I first joined the company in 2002, the company had perhaps 40,000 employees worldwide. We had very little footprint in places like India and China. Within a few years, the number of employees grew to 80,000 and we were starting to have a significant presence around the world. We were a very U.S.-centric organization back then, and I knew that in order for the security organization to keep up with Microsoft’s growth, we had to regionalize our operations. We hired security professionals from the regions where we had a presence, versus placing U.S. nationals out there. A major challenge was to find the right leaders for these regional positions, as well as convincing some of our legacy security personnel that we could no longer afford to be U.S.-centric. We are an international corporation, so we had to start thinking with that mindset. I came to Microsoft from the CIA, so I had that mindset already, but some in the old “Corporate Security,” as we called it back then, didn’t want to change. Today, we have a robust network of regional security leaders, each from their own region, speaking the language and understanding the culture of their regions.
Another problem was the ability to monitor world events and to respond effectively and rapidly. We had a very U.S.-centric and manual process when it came to that many years ago. Plus, not only did we have a control center on our Redmond Campus (headquarters), but over the years many satellite “ops/control centers” were allowed to grow organically around the country. There was no coordination per se among any of these centers (no strategic or tactical integration), nor was there the technology to make our monitoring and response capabilities adapt to the growth of Microsoft. We invested in a multi-year effort to build a business plan for state-of-the-art Global Security Operations Centers (GSOCs). Not just one, but three around the world that would not only have the best of the Microsoft platform and partner products to make us more efficient in response and in coordinating information, but would also have technology that allowed true interoperability/redundancy. If, for instance, our GSOC in Redmond went down due to some catastrophic event, either one of our GSOCs in Hyderabad or the UK could take over all of Redmond’s Americas operations (e.g. lock down doors, dispatch officers via radio over IP, leverage any cameras, etc.). True continuity of operations. We were successful at this, and our GSOC became a model for the industry.
Another major problem was getting a “seat at the table.” Back then (and in some cases, even in today’s world), corporate security entities in many cases were looked at as the “corporate cops.” Break glass in case of emergency, but with no real seat at the table. We set out to change that optic among the C Suite. We worked on business acumen and on becoming the trusted advisors to the business. We learned to understand the major strategic initiatives of the main business units of the organization so that we could align our operations accordingly. We started reading the company’s 10-K, a report to the SEC that publicly traded corporations must file regularly. The report details not only the major business strategies of these companies, but also the risks that the companies face. We aligned our operations with the 10-K, invited C Suite executives to the GSOCs to see our capabilities, and over time became that trusted advisor to the business. Our DNA was that we are “business people first – our business just happens to be security!” Over a period of time, the perception of our org changed within the company and in the security industry. We were business enablers with excellent security capabilities.
When you become a CSO, you take on a wide-scope role, covering everything that touches your security risk as an organization. How do you measure risks and rewards, and what makes a CSO successful?
As a CSO, I would measure risks and rewards based on the priorities of the company and the C Suite’s priorities. Any CSO who says they can protect everything in an enterprise is lying to you. Even as robust as our organization at Microsoft is, with excellent personnel, technology, processes, executive support, etc., we cannot protect everything all the time. But we can maximize our resources to protect those assets that the company deems its most important ones, starting with the people. Continuous feedback from the executives is one way to measure how well we are doing our job. This means globally. My regional leaders and I would see feedback from our execs here in the U.S. as well as around the world, to include our partners in Legal, HR, Facilities and Business Units. This allowed my org to stay relevant, and to be able to plan on what our priorities should be, how best to align to the business and where we needed to improve. That was the best way for us to measure risk and rewards.
To be successful as a CSO, you have to understand your role in a company. In my case, I was the head of all the physical security in the company worldwide. In other cases, a CSO may have the remit for both physical and cyber security. Either way, to be successful, you have to have a business mindset first. You have to be seen as not only a subject matter expert in security matters, but someone who understands what moves the business. You cannot get funding for major initiatives, additional personnel, technology upgrades, etc. if you are not perceived as essential to the company. You are, after all, a traditional cost center. In the eyes of the company, you don’t make money for the company. So, to be successful as a CSO, you have to have a strategy in place where the C Suite looks at you and your org as a value add to the enterprise, so that they are willing to invest the dollars and resources you ask for to push your organization forward. We were able to do this successfully, leveraging our GSOCs to help with sales of Microsoft technology, which put us in a different light with the company. However, at the end of the day, to be a successful CSO, your organization must also be able to deliver on its core mission – life safety and protection. You have to be able to effectively deter, detect, and manage/triage major physical threats to the company and its personnel.
And most importantly, you have to invest in the right people for your organization. I spent a long time vetting those folks in our organization to be part of my Leadership Team, as well as the next levels of leaders in our organization. You cannot be a successful CSO unless you have the right talent in your organization – globally. You do not do it alone. Any success a CSO has is, more often than not, directly attributable to the great work of the people in his/her own organization. You have to take the time to thoroughly vet those who would be the leaders in your organization. Once you have that team in place, it allows you to concentrate on strategy while your team deals with the daily tactical issues of the day. It comes down to people first. I was successful as the CSO of Microsoft because of all the people in my organization who did the hard work day in and day out.
How can CSOs and CISOs work together to be strategically and tactically in sync with each other in all aspects of security of an organization? What prevents them from working together besides during emergency situations?
There has to be a mechanism in place in an enterprise where, strategically and tactically, both the CSO’s and the CISO’s orgs are aligned. There has to be transparency from each org as to their strategic imperatives so that both orgs can align properly, deconflict where necessary and, in some cases, combine strategies for the good of the enterprise. At Microsoft, we had a governance structure (committee) that included the main security leaders of the company. The CISO was the chair, and it was a good mechanism to keep all the security verticals in the company aligned. It broke down silos, fostered cooperation and encouraged very positive activities such as joint exercises, combining forces to cover major Microsoft events, etc.
I think what prevents CSOs/CISOs from working together is that there is still some legacy thinking that there is “IT Security” and there is “Physical Security,” and they have their own lanes and never the twain shall meet (except in emergency situations). Some CSOs don’t want to think they have some stake in Cybersecurity, and some CISOs don’t want anything to do with traditional physical security matters, e.g. active shooter situations, etc. We also have situations where there are personality conflicts between the two organizations, so there is no cooperation between the two entities.
With disruptive technologies like AI shaking up digital transformation across multiple sectors, it is impossible to ignore the impact they have made and continue to make. From your perspective, how are executives in the digital transformation arena optimizing the value of these technologies?
I think that executives look at these technologies in various ways. Some look at these technologies in more of a “digital solution” to a business process problem. For instance, introducing a Bot to help deal with some customer facing issue. That is one way to optimize these technologies. However, true digital transformation looks at end-to-end solutions for a business problem. I heard one Microsoft executive aptly describing digital transformation as “a manual process with a digital construct.” Executives optimize these new technologies in different ways depending on their business imperatives. However, there is a distinct difference between a digital solution and true digital transformation.
How is digital transformation affecting physical security organizations, and what recommendations would you have for them when they are looking to implement holistic security programs to secure their organization?
In some cases, digital transformation isn’t affecting them at all. Some physical security organizations are steeped in legacy solutions for security, e.g. traditional access controls, use of bollards, legacy Ops Centers, etc. In other organizations, digital transformation is really leveraging digital solutions to improve some aspect of a security process, but not the entire process. In still other organizations, digital transformation is being viewed as a way to break the traditional boundaries of physical security: identity at the edge, Virtual Operations Centers, frictionless access, etc. So depending on the CSO’s bent, there are varying degrees to how much digital transformation is being accepted and implemented in physical security organizations. It is similar to many years ago, when some CSOs were quick to embrace the Cloud and others didn’t want to have anything to do with it.
I would advise physical security organizations to crawl, walk then run when it comes to digital transformation. You have to have the right people and processes in place (along with great technology) to have a base from where to launch into the world of digital transformation. And you have to think strategically about every aspect of your business so that you are not just baking in digital solutions, but a true end-to-end solution.
What advice do you have for digital enterprise and security executives looking to stay one step ahead of digital transformation?
One size doesn’t fit all. Any digital transformation strategy has to be based on the strategic imperatives of any given organization. Don’t go for the bright shiny objects just because they are cool. Where do you want to go as an organization? What are the problems you are trying to solve via technology and what is the ROI to be gained if you embark on a digital transformation strategy? I would advise execs to think about these things first in order to stay ahead of the game in this era of digital transformation.