Podcasts
Afternoon Cyber Tea with Ann Johnson
Ep 101
Afternoon Cyber Tea with Ann Johnson 2.25.25
Ep 101 | 2.25.25

The Power of Partnership in Cyber Defense

Show Notes
Transcript

Ann Johnson: Welcome to Afternoon Cyber Tea. I am your host, Ann Johnson. On Afternoon Cyber Tea, we focus on where innovation and security intersect. From the front lines of digital defense to the groundbreaking advancements shaping our digital future, we bring the latest insights, expert interviews, and captivating stories to help cyber leaders and defenders stay one step ahead. Today, we are excited to welcome Igor Tsyganskiy, Microsoft Chief Information Security Officer. With a remarkable career in technology, cybersecurity, and enterprise defense, Igor has led transformative security initiatives across industries like finance, healthcare, and technology. Now at the helm of Microsoft's global security strategy, Igor is navigating some of the most complex challenges in a rapidly evolving cyber landscape. In this episode, we are going to dive into the key threats shaping 2025, the strategies security leaders need to stay ahead, and what the future holds for cybersecurity at one of the world's largest technology companies. Welcome to Afternoon Cyber Tea, Igor.

Igor Tsyganskiy: Glad to be here.

Ann Johnson: So you've had a really diverse career, from startups to large organizations to financial companies to Microsoft, and Microsoft has an incredibly complex security environment. What drew you to cybersecurity and what drew you to Microsoft?

Igor Tsyganskiy: Well, all my life, I've been extremely interested in dealing with complex synthetic events and signal processing. So although my career has been extremely diverse, you kind of have to figure out how to listen to signals and figure out signals from all over the markets to basically figure out better ways of doing complex signal processing, complex event processing, which, at the end of the day, is what security is about, cybersecurity. From the standpoint of your what drew me to Microsoft, if you care about signal processing, complex signal processing, and cybersecurity, there's probably no better place to be than Microsoft, given the portfolio of products and services that it has. And so I've been closely collaborating with Microsoft and Satya in helping me renovate all the infrastructure, not just cybersecurity side of things, but also our core investment processing. And it was just a natural next step.

Ann Johnson: You know, I talk frequently that cybersecurity is a big data problem. You talk about complex signal processing. I've also heard you say many times that attackers think in graphs and we think in lists. Can you just talk about how all that comes together to build a better defense for not just Microsoft, but for the community?

Igor Tsyganskiy: Yeah, well, first of all, I think it takes a village, right? So at the end of the day, when one attacks and you have to think about it as an attacker, they don't think about managerial boundaries, organizational boundaries, corporate boundaries. All they want to do is get to the target, whatever the target is, to achieve success. And it's very hard when you are on the defense side to think about defense than just as my department or as my company and not some other company. You kind of have to think holistically to defend. Holistic attacks require holistic defense. That's the first piece. And there is a second piece, you know, which -- and it's just not only cybersecurity. I mean, when you think about a battle plan, if you think about the map of the battle, it's a complex map. It's not a list. When you go to battle, just not cybersecurity, you look at a map, you know where your troops are, you understand where the adversary's troops are, and you position yourself for success. Well, the best way one can represent a map of the battlefield in computers is by exposing it as a complex graph. And especially with ascent of AI, the combination of graph-based defense that is empowered by AI gives me hope.

Ann Johnson: So, Igor, we've done a lot in the past nine to 12 months under our Secure Futures Initiative umbrella. And you talked about how you think about the map, right? That's one of your mental models and how you think about adversaries. But when you're thinking about what we prioritize next, can you talk a little bit about risk? How do you think about it in terms of a risk framework?

Igor Tsyganskiy: Well, the way I think about risk framework is we want to elevate the cost of an attack for any attackers at Microsoft, right? So at the end of the day, there's a very big difference if the attack costs a dollar, $10, a million dollars, $100 million, or a billion dollars. The higher cost to mount an attack on Microsoft, the better off we are. Then the next thing is how do you increase the cost. One of the ways to increase the cost is to do joint defense because then you can defend on behalf of everyone, and therefore, you have more opportunities to increase the cost.

Ann Johnson: That makes a lot of sense. I hear our customers talk about the same way, right? Increasing the cost of the attacker is becoming a pretty straightforward industry paradigm. We also talk a lot about how security is everyone's job at Microsoft. And Satya published what we call either the do security or security above all else memo. But how does that translate for you, right? In your day-to-day job, how do you work with other leaders across Microsoft to make certain they are prioritizing security and that they understand what actually needs to be prioritized?

Igor Tsyganskiy: Well, first, I want to say that I'm blessed for the fact that Satya is the CEO, and I have such an amazing partner in securing Microsoft, our ecosystem, and the world. When you have the wind of the company behind you, it makes it a lot easier to succeed. And having Satya prioritize the effort, having him being my partner from day one on this effort across every corporate process is amazing. Second thing is I work with all the leaders across the company, mostly, I don't need to check on them. I mean, it's not just Satya, I would say that for every leader in the company, the notion that their product needs to be trustworthy and secure is the number one priority because it's just common sense. And so basically, from that standpoint of view, I would say it's more of a partnership and collaboration versus I need to check on someone, which we also do. We have plenty of processes across the organization to check for how we could get better, where could the mistakes happen. If the mistakes happen, we fix the mistakes. There's plenty of work to do. The cybersecurity space is ever-evolving, so whatever was right yesterday is not right today. That's one of the mistakes many people make. They say, "Well, this happened now, why didn't you deal with it in 2015?" Well, because a lot of times state of art changes. And so that's an important thing. I would say that the other thing that is very important is ultimately you make anything extremely secure by just shutting it down. We can just turn everything off and it will be ultimately secure. But we have huge operational responsibilities in front of the world. So what I would say we spend a lot of time on is balancing, optimizing operations while prioritizing security.

Ann Johnson: Because we have to do both, right? We have to keep the lights on, the systems running for our customers and our critical systems, but they also need to run securely.

Igor Tsyganskiy: Not only run securely, but evolve securely. And that's what, like, you know, no one, there are industries where a product that they sell does not change for decades. You know, a bottle of water, plastic bottle of water that I bought 10 years ago may be the same plastic bottle of water that I have today. This is not our industry. Our industry is ever-evolving. Our industry is rapidly changing. Our industry is constantly growing, both on the good side, meaning the side where we add value to the world, but also on the adversary side. And so nothing is static. So you have to evolve cybersecurity practices as you evolve operational practices. You know, AI did not exist three years ago, 17, 20 years ago, cloud did not exist, right? Now basically, you have across a number of vendors pretty much everything that is important is running in the cloud with exception of certain industries. That's not the same way in kinetic warfare. In kinetic warfare, you have glacial steps. Now we have drones coming up, but that's something brand new and it may take a decade, two decades to introduce new way to do warfare. That's just not the case in cyber.

Ann Johnson: I think that's a really important point to make. And we talk to customers even who are running, like, large refinery plants and that equipment has this massive life cycle, right? Whereas cyber itself is evolving every day, threats are evolving and changing. And I don't think that people appreciate sometimes that the job can be -- I don't want to use the word "hard," Igor. But the job can be challenging because you're trying to predict what the next threat is going to be in an industry that's moving incredibly fast. So can we talk about that just for a minute? How do you think about being actually predictive and being proactive instead of being just responding to threats?

Igor Tsyganskiy: Well, one of the things I use -- I'll give you a trick that I use. I call it depreciation mismatch, right? So how quickly does the software that attacker use depreciates versus how quickly does the attack surface depreciates and how uneven the mismatches are between different parts of the attack surface versus the techniques and tools that the attacker uses? So you've mentioned, you know, industrial plants, depreciation for an oil refinery for some equipment might be 27 years, 30 years, 50 years. Caterpillar trucks are made to last for a hundred years. Computers, on average, we will change infrastructure, supposed to change infrastructure every three to seven years. That's how we depreciate it. But frequently, you have infrastructure where you still have running mainframes from, you know, 20, 30 years ago. Then modern infrastructure, let's say everything is perfect and you refresh stuff every three to four years. If you're in a good -- like at Microsoft, it's funny when I joined Microsoft, everyone talks about legacy at Microsoft. Microsoft has no legacy. Microsoft's legacy is like seven to 10-year-old systems. You know, Microsoft legacy is mostly when it needs to support its customers. You need to still support printers from 1990s. We still have Token Ring drivers. You know, there's a lot of different things, right? But not from the standpoint of view of what we run. By and large, it's a modern company, comparatively speaking. But still, let's say you swap your hardware out three to four years. Well, what happens if the software that you use to attack swaps out every month, every month to month and a half? And now with AI, it's going to probably be even faster. The techniques and software that is used and hardware may be swapped. So what you want to see is you want to see the delta of if I would have everything today, versus I'm running on something circa three years ago, five years ago, whatever. And what is the progress that has been made in computer science across the board over the last, let's say, three years, five years? So basically, the average between your average depreciation cycle of mission-critical systems to state-of-the-art for the attackers. And that's what you need to focus on. And it's not that hard to predict on what the technology will be there over the next month to month and a half to two months for cyber. Right. A little harder right now with AI, but generally speaking, not as hard.

Ann Johnson: You know, I'm old enough, Igor. You may or may not know this about me, but very early in my career, I was a network architect. And I remember when we evolved from doing Token Ring networks, which were very costly, to going to Ethernet, which changed the flow of traffic but was also less expensive. And it's funny to me that today, we're still pretty much on Ethernet. It may have evolved some, but we're still in that paradigm. So we're still securing what was a very old technology.

Igor Tsyganskiy: Yeah, it's funny you say that because I still remember the debates because Token Ring was 16 megabits and Ethernet was 10 megabits. And people were saying, "Well, Ethernet will never go above 10 megabits." Like Token Ring is the future. And basically, that went out of the door pretty fast.

Ann Johnson: Yeah. I don't remember if it was Steve Jobs or one of the folks at Apple who said PCs were never going to catch on. I think it was around the same time. And here we are. Anyway.

Igor Tsyganskiy: That was like -- I remember that conversation in 2005. That was just insane to me. I can't go into the details of it, but I was at this lecture and a very established lecturer was saying Ethernet is not going to go above 10 megabits. And at work, we were already implementing something bigger than that. And I just stood up and left and never came back to that class of lecture.

Ann Johnson: I don't blame you. A couple other things. So I always think it's important because you said that cybersecurity is an ecosystem. How do you think about your community and how you tap into CISOs and what's important to you? And I'm going to ask the second question because it's in parallel. And as you think about that, giving advice to other people in cyber that want to also make sure they have the right community surround them to help support them, what advice would you give?

Igor Tsyganskiy: Well, first thing is empathy. You know, that's the first thing that came to my mind. Many colleagues that I have, their circumstances are very different than mine, you know, if you think about it. And at Microsoft, cybersecurity, like, I have a huge development job, right? Have lots of developers working for me. They just don't do cybersecurity. They do security software, parts to secure Microsoft. We have an R&D arm. We have a research arm. Many of the folks that I work with don't have that benefit. And yet they have to protect their states. And so having empathy, what their circumstances are, understanding what their circumstances are, and helping them is extremely important. And so then it comes down to having the coverage of understanding the colleagues across the world -- what their sensitivities are, what their requirements are, what their corporate -- governance situation is, because it might be different country by country -- is very important. Now, internet itself and adversaries are a great equalizer, right? So they won't care that one company or one division is in, let's say, Europe with one set of regulatory requirements. Another one is in United States and third one is somewhere in Asia. And that company deals with a bunch of other companies who have a different set of regulatory requirements. What they'll do is they'll just take advantage of that. So understanding the context of my partners across the industry, both from CISO standpoint of view, all the CISOs are partners because we're all trying to do the same thing. We only compete with threat actors. And also understanding the security landscape, that is, our third-party partners who provide enablement sometimes for us to deal with the threat actors. They might call each other competitors, but at the end of the day, everyone is partnering to do one thing, which is protect ourselves from the bad guys. And just understanding that landscape, having empathy for all the players involved, including our attackers, is paramount.

Ann Johnson: I love that. I actually really love that because I think sometimes we lose that, right? We get very self-critical and we're criticized externally, which leads me to my last question for you. Afternoon Cyber Tea always ends the same way, which is the fact that I'm a cyber optimist because I know that we have real warriors on the front lines defending organizations around the world, and those folks are doing heroes' work and doing an exceptionally good job despite the fact that you're going to occasionally hear of some big event in the news. So, Igor, I'm going to ask you, what makes you optimistic about cybersecurity?

Igor Tsyganskiy: Well, that's a hard question. I think what makes me optimistic about cybersecurity is good guys always prevail.

Ann Johnson: Love that. That is so simple and it's exactly right. You know, I have the best job in cybersecurity and I'm not just saying that partially because I work at Microsoft, partially because I work for you, and you -- even though I'm older in my career, I learn from you all the time, but also because we are optimists here. And thank you so much, Igor, for making the time. I know, because I work for you, how extraordinarily busy you are. So thank you for just carving out this time to do the podcast. This is our relaunch of Afternoon Cyber Tea. We've been on hiatus a few months. So many thanks for being on and thanks to everyone who helped support you being on.

Igor Tsyganskiy: Yeah. Well, and thank you. You've done -- I'm thankful for the partnership and thankful for all the support that you provide, and I'm thankful we've known each other before I came to Microsoft, the fact that we're working with each other. As someone told me yesterday, I was reporting to you, today I'm reporting -- you're reporting to me. It almost doesn't matter. What matters is great people across the world working together on the cause that's worth it.

Ann Johnson: Exactly. Well, thank you, Igor. And many thanks to our audience for listening. Join us next time on Afternoon Cyber Tea.

Igor Tsyganskiy: Thank you. [ Music ]

Ann Johnson: I invited Igor to join me on Afternoon Cyber Tea because he is such a dynamic visionary security leader who really changes the paradigm of the industry and how we think about cybersecurity. He joined Microsoft during a time of crisis. He resolved that crisis and brought a whole new way of thinking about cybersecurity and how Microsoft will approach this growing problem. I know the industry can learn a lot from him and I know you will enjoy this episode. [ Music ]

Afternoon Cyber Tea with Ann Johnson
Podcast Info
HOST(S):
Ann Johnson
Ann Johnson, Corporate Vice President and Deputy Chief Information Security Officer at Microsoft, talks with cybersecurity thought leaders and influential industry experts about the trends shaping the cyber landscape and what should be top-of-mind for the C-suite and other key decision makers. Ann and her guests explore the risk and promise of emerging technologies, as well as the impact on how humans work, communicate, consume information, and live in this era of digital transformation. Please note, the opinions expressed by guests on this podcast are their own and are not endorsed by, nor do they necessarily reflect opinions of, Microsoft or Ann Johnson.
Schedule: Tuesdays
Credits: Executive Producer is Greg Ormsby, Producer is Rob Petrillo. Production Manager is Max Solomon, Scheduling and Administrative Support is Katie Zwart, and our Audio Engineer (and magician) is none other than The Great Rich Cerbini.
Creator: Microsoft