Afternoon Cyber Tea with Ann Johnson 10.14.25
Ep 116 | 10.14.25

From Silos to Solutions: Building Trust Through Transparent Cybersecurity Communications with Microsoft's Frank Shaw

Transcript

Ann Johnson: Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. Today I'm excited to be joined by Frank Shaw, Chief Communications Officer at Microsoft. Welcome to Afternoon Cyber Tea, Frank.

Frank X. Shaw: It's so great to be here. It's always nice to spend time with you, Ann.

Ann Johnson: You also. We're going to have some fun today. We're going to talk about cybersecurity communication, and I'm sure we're going to talk about sourdough.

Frank X. Shaw: Okay. I'm ready.

Ann Johnson: I imagine so. So you and I both know that cybersecurity is not just a technical conversation. It's about how people understand risk and ultimately how trust is built. And I know you're an expert in that topic. It's building trust with employees, with customers, with the public. And communication is the key to that bridge to connect the technical reality and also connect human perception. So, when you look at cybersecurity through that communication lens, what role does storytelling and what role does transparency play in building resilience and in building trust?

Frank X. Shaw: Yeah. I think it's a big question because, when I think about all the different topics that we have to deal with, security and cybersecurity sort of tests us the most because they're inherently complicated topics. They come with an enormous amount of risk, and they're easily misunderstood. And so we always want to make sure we're finding the right tone and the right facts so that we give people the information they need to take action without scaring them into taking the wrong actions, which can easily happen. And, as you know, a lot of the times when we're dealing with these things we're dealing with them with a shortage of information. And so we are giving as -- the best information we can at that moment. And we have to have established trust to be able to come back and say now we're smarter than we were two hours ago, and we're going to offer additional input and guidance. And so those are some of the things that we always try to balance. And then, at the end of them, of course, when we're finished, if we're really finished with these things, we have to show transparency again by really demonstrating to our customers and to the public largely what happened, what we did, what we've learned, what the industry has learned, and then what do we do next.

Ann Johnson: I think that's right, Frank. And one of the things that we struggle with and -- because you and I have had a lot of conversations is, at the beginning of any event, we're in the fog of war. So we want to get the information out there so people can protect themselves. We want to be as accurate and as transparent as fast as possible. But these facts are changing also. So in those moments, you know, when a security issue is going to become a headline, the difference for the company is how we emerge stronger, right? And when that struggles is how we actually balance that communication. You're -- you and your team are just experts on this. What lessons have you learned about effective crisis communications in cybersecurity and how you balance that speed that I talked about, that accuracy and also the transparency when the pressure is as high as it could possibly be? And what are the biggest lessons you've learned about leadership in cybersecurity communications that you think the industry as a whole could do better?

Frank X. Shaw: Yeah. I think the biggest lesson, and it's more of an art than a science, is just coming into these situations grounded in the fact that you are never going to have as much information as you want. You're never going to have as accurate information as you want when you want it. And you're always balancing, hey; I've got 90% confidence in what I know, and the clock is ticking. Or I've got 95%, and how much longer is it going to get to 100%; and is it worth it? And so that's the piece that we spend the most amount of our time in. And, to make those decisions, you have to have great internal networks across engineering, customer, and communications because everyone has a piece of the information. And one of the things I think that we've done really well is make sure that, in these moments, there's no gaps between the different functions. And that's something I would suggest that everybody really work hard on is that, in a moment of stress on something like this, you can't allow any gaps to exist between the functions so that, if the engineering team knows something, consulting teams know something, the sales team knows something, the communication team knows something, and the loop goes around. And that's how you can get to that sense. Okay. We're going to make a decision. We're going to share it internally, and then we're going to move. And then, in terms of the biggest thing that I think for the industry and, you know, again -- and you know I've talked about this before. Transparency is absolutely the key, and our ability to -- as an industry to talk about what has happened and what we have experienced in a way that allows others to learn from it is absolutely critical. And we've seen this before where we've had an incident, and we share our information about what happens. And then what we're doing when we're doing that is we're encouraging everybody who has an incident to share what they've learned and how they've dealt with it so we all get better. 
Hiding it and pretending that it doesn't happen to any other company is not helpful for the industry.

Ann Johnson: I completely agree. And I think that one of the things we talk about in the industry is not making it punitive, right? The way you get transparency is if people feel like they're in an environment where they can be transparent, and it won't be horribly punitive to them. And that will encourage them to communicate more openly. And I think we still have a ways to go with regard to making sure that people feel safe to communicate in a very transparent way. But I also do think the industry has come a long way, and I do believe Microsoft has shown leadership here with our -- some of our events in the past.

Frank X. Shaw: I think so too. And first couple of times you do it, it's painful because, essentially, what you're doing is you're saying something bad happened to us; and now we're going to talk about it. And, if nobody else then picks it up, you just feel very singled out.

Ann Johnson: Exactly. Well, let's pivot a little. The year is 2025, so we're going to talk about artificial intelligence. And you've spoken often about AI, how AI is transforming communications. How do you see AI changing the way organizations handle communications, including cybersecurity communications, and the crisis response to how we shape trust?

Frank X. Shaw: Well, it's a rich topic. And I'll caveat it by saying everything that I'm going to say now I reserve the right to be wrong about in the next couple of months as things continue to change. But there's a couple things that I think are true. One is that effective use of AI allows us to move more rapidly in moments of crisis because we have better access to information, and we have better access to, then, insights about what we might be able to do. But the only way to get there is if we spent the time beforehand thinking about our processes and revamping the processes to use these new tools so that then, when something happens, we have the new tools to use. AI is not something you can just sort of bolt on at the end. You actually have to think through the entire process and sort of almost break it into its atomic levels and then look at what can you automate now that wasn't automated before? What can you create now that you couldn't create before? You know, what is absolutely human, and AI is not going to have any impact on that? And then, once you do that, then you have the ability to move faster. But the idea that you can just say, hey. Here's some AI; run faster doesn't work very well.

Ann Johnson: No. And I actually like what you said. I reserve the right to be wrong also. I'm frequently wrong, and I'm okay with that.

Frank X. Shaw: Right.

Ann Johnson: I'm with you. Yeah. You're learning to grow, right?

Frank X. Shaw: Yes. Exactly.

Ann Johnson: So, in today's world, perception can become reality very quickly. A breach doesn't just unfold in technical terms. It trends. It's debated on social media, and sometimes misinformation will outpace the facts. What influencers, what platforms, what formats do you see as most powerful in shaping public perceptions of cybersecurity today? And how can leaders, how can we intentionally cut through the noise to make the messages land?

Frank X. Shaw: Yeah. I think the big challenge we've got from a communication standpoint broadly and then we'll dive into security is this absolute fragmentation of influence. If you look back even ten years ago or seven years ago, if we were having a security incident, there were a set of national security reporters at big publications like The Washington Post and The New York Times and the Wall Street Journal, Dark Reading, other security analysts that you could probably count baker's dozen. And if you've got to those people and you told your story effectively, you had some degree of confidence that you were to reach the majority of the people that you wanted to reach. Now it's incredibly fragmented. So, in order to reach the people you want to reach, you have to really be crystal clear on the most important audience for you and then understand who reaches that audience. And it's going to look different today. It still might be a national security reporter, but it's going to be a collection of people who are publishing a newsletter, who have a Discord server that is spending time focused on this; who might be a consultant somewhere with a strong social signal on X or Bluesky or Instagram. And our ability to understand who those influencers are and then have relationships with them becomes critical in telling the story. And then, you know, as we think about information and disinformation, we have to think about our own channels and our own experts as avenues to tell the story, as well, because we know that people will trust those that they know. And so, if you know somebody that works at Microsoft and you hear from that person in a moment like this, you're way more likely to think that this is accurate information, even if you see something on X or Instagram or TikTok that might feel something -- might make you feel something differently. So that sense of, like, we are the experts; we need to have our own channels out there.
We have to be fast and accurate on our own things. That's how we try and stay ahead of some of the misinformation, disinformation that's out there.

Ann Johnson: That's great. And I think it's important that we always have our voices out there so that people can cut through the noise. And also, as you know, communication isn't just about external, right? Security awareness at Microsoft depends on how well we engage our employees. We can patch all day long. But, at the end of the day, we need over 200,000 people to take phishing seriously. So how do you think about the role of internal communications and strengthening cybersecurity, and what approaches have you seen succeed or fail at Microsoft and other companies?

Frank X. Shaw: Yeah. I think one of the things that we've done really well is, from the top on down, we've established security as a high-order priority. And one of the ways that I know it's successful is because people complain about it. And they complain about it because they're having to do something differently. So, if you say something is a priority and we all need to change behaviors, and nobody complains that they have to change, that's an indicator that you're not getting it done. So I do look at that, that little friction in the system that says that I have to do something differently is a good sign that we're landing our messages internally and that behavior has shifted, not just rhetoric but the specific behaviors. And we've certainly seen that over the last two years as we've sort of revamped almost every process that we use.

Ann Johnson: I think that actually makes sense. It's almost like a little bit of friction means you're probably being successful because you're forcing people to change the way they work in hopefully a meaningful way.

Frank X. Shaw: Yeah. And then you see it. I mean, as it happens, I mean, I think I told you the story. I was playing around with something, with some of the vibe coding stuff. And I needed to upload something to GitHub, and I needed to create a token to do that. And it was during an exec staff meeting, so I wasn't paying as much attention to it. And so I created my token, and then I got called on. So I'm, like, oh, my God. What would I do this? So I pasted my token into OneNote, responded to the question I was being asked. And I came back and I discovered that you're not supposed to paste tokens into internal sites and resources. And, in fact, our security team had caught it and, like, disabled it. And it happened fast. And I'm like, that is a great example of security at the core. I wasn't thinking about it because I was clearly being kind of dim, but the team had actually created a process that scanned for this in real time and immediately caught it and corrected it.

Ann Johnson: That is fantastic. And I -- appreciation to our security team for creating the process and the tools. By the way, a lot of those are AI driven --

Frank X. Shaw: Right.

Ann Johnson: Tool that allows you to scan for tokens like that. But that's another conversation for another day. So I want to talk a little bit about the fact that the hard work and the best work happens before an event. And it's kind of like, as someone who's never been able to keep a sourdough starter alive, Frank, and I know you're a big baker, and I know you know that the hardest part of baking is actually everything that happens before the loaf of sourdough, which you're famous for, goes in the oven. So can you talk a little about that but also talk about how that shapes what we do with proactive storytelling, right? We have to actually be proactive in thinking about how we're going to communicate in the next breach, or we won't be effective, much like you have to be proactive in thinking about that crumb structure before you're actually baking your bread.

Frank X. Shaw: Yeah. Look. I don't know what you're doing with your starter. It shouldn't be that difficult.

Ann Johnson: I don't know if I overfeed or underfeed it, but three starters later -- I'm actually a pretty big cook. Should be a big baker.

Frank X. Shaw: Yeah.

Ann Johnson: There's something about sourdough. It's a mental block, I think.

Frank X. Shaw: Yeah. Well, I think the things I learned from sourdough, which I think is equally true to some of the work we do, is, first of all, you have to have strategic patience because it's going to operate at its schedule, not yours, right, because the environment changes all the time. If you're baking in the summertime and it's nice and warm, and you have all those little yeasties running around, like life is pretty easy and bread works pretty well, if you want bread by four o'clock on a Sunday in the wintertime, boy. You better get ahead of it and plan ahead and make sure that you've got everything ready to go because you're not going to rush it very successfully. And trying to fix it at the last minute is also a little bit of a fool's errand. And I think that's equally true as we think about both the proactive and the reactive work that we're going to do. On the proactive work, we have to think super hard about what is the story we want to tell and to whom and what can we say and when can we say it and be looking for things all the time because, by the time you get there and say, hey. I want to have a story. If you haven't done the work, you don't have all the elements of it. You don't know who your protagonist is. You don't know sort of the difficulties that happen along the way that made for an interesting story. And then you have to go to hunt these things back, and they're sort of pale. They don't resonate because you weren't sort of there in the moment. And the same is true as you think about the reactive stuff. You have to done -- have done all the work. You have to build the muscle. You have to have the team in place. And you have to practice what you're going to do so that, when something comes in, you're ready to catch it.

Ann Johnson: I think that makes a lot of sense. And I know that, you know, because I work a lot with your team, right? I know they spend a lot of time just strategically -- you said strategic patience. They spend a lot of time strategically thinking through things. So we have an operating model. I talk a lot with our customers about how you have to have a resilience guide and a playbook so people aren't thinking during times of crisis. They're just following a playbook. And I know your team spends a lot of time building those playbooks.

Frank X. Shaw: Right. And, you know, we've had a lot of opportunity to learn from what goes well and what doesn't go well and what we see other people do as well. So we're in a constant learning process. But, yeah. Then we document them so that you're not making it up each time. You're actually evolving a playbook as you go along.

Ann Johnson: Exactly. And you're doing post-incident reviews and putting the improvements in the process and that, you know, doing continual improvement, right? It's all important.

Frank X. Shaw: Yes. And then you go back and you look. This was the message that we wanted to land. This is what we said. Did it land?

Ann Johnson: Exactly.

Frank X. Shaw: And, if not, why not, right? Like, what could we do differently? Maybe it landed with one outlet and not with the other. Well, that's a signal that maybe this might be a good outlet for us in the future because they captured some of the nuances and difficulties.

Ann Johnson: Yeah. Exactly. So we've also had fun along the way. Look. Cybersecurity, I've been doing it for over 25 years. So it's actually, believe it or not, a fun industry at times. It's not always doom and gloom. And sometimes a creative campaign or a great story can really land and stick with people. I would love if you'd walk me through one of your favorite cybersecurity campaigns or stories that you and your team helped bring to life and what it -- made it successful in cutting through the noise.

Frank X. Shaw: So we detailed all of this in a report for the audience as, like, we ordinarily do with customers and industry analysts. And they all want the technical details, and we provided it to them. But we also know that this is something that consumers care about. AI is still relatively new for consumers. It can be seen as scary. When they hear about things like cybercriminals targeting them with AI, that's scary. So we wanted to land this in a mainstream way as well. So our Comms team and Kelly Bissell, who's the CVP of Anti-Fraud and Product Abuse, went to New York. Kelly did a bunch of great interviews with ABC, NBC, and CBS, talking to a mainstream audience. And he delivered a really clear message for ordinary human beings using our products. And he said that we are using the same AI and cutting-edge technology to protect them that some of the cybercriminals are using to target them and that integrating AI into all these defenses is helping us increase protection. And then he gave some very easy-to-follow security tips that anyone can use to guard against cybercrime. So it's a great example of where we sort of hit the technical details. We talked to customers, and then we took the opportunity to sort of pop up a level and say, this is something everybody is going to care about; and we're going to find a way to make it real for them.

Ann Johnson: That's fantastic. That's a great story because it did make it real. And it is something that every consumer, including non-cyber people, can understand, which is sometimes difficult for cybersecurity professionals like me. We forget that we actually need to communicate. In order to improve cyber, we need to make sure that we're communicating in clear terms that the average person can understand. So I love that.

Frank X. Shaw: And we're doing it in a way that is not -- we're not scaring people --

Ann Johnson: Correct.

Frank X. Shaw: -- into action. We're informing them so that they're not scared. You have to be aware. But, you know, being afraid actually makes things worse, not better.

Ann Johnson: That is correct. I want to talk about the global nature of cybersecurity because it is global, like everything else. And communication is global. And a breach in one country and messaging in one country doesn't resonate, right? What we say in the US might not land as well in parts of Asia or Europe or Australia. You have a lot of experience in navigating global communication in general. Can you talk a little bit about how you navigate across cultures to make sure we're communicating effectively but we're also being consistent and respecting the local culture and local nuance?

Frank X. Shaw: Yeah. It's a great one. And this is true for -- I mean, it's true for so many different things is that you could say something in one market and have it be effective, and then you say the exact same thing in another market without considering some of the cultural differences and just get a lot of negativity. And I think the key there is that all the markets where we operate, we have highly talented people. We have communicators. We have our engineering teams, in many cases. We have our sales leaders. And the key is they have to be the experts around how to have Microsoft be as local a company as possible. And so the idea that somebody in Redmond, Washington should be able to go and tell them exactly what to say and how to say it is not going to be effective. What you have to do is you have to have trust that they will take the message or the action that is desired, and they will ensure that it is going to land that in a culturally resonant way in their markets. And, again, that requires building trust so that they know that they have the ability to be flexible and land it. And then we have to have the trust that says, look. We're going to give you the messaging, and you are going to make it work for you. And this is true for security, it's true for privacy, and it's true for innovation. And almost all the topics that we care a lot about, we rely deeply on the local sensibilities to make sure that it makes sense for them.

Ann Johnson: Excellent. You've had a really interesting career journey. You were in the military, in the Marines. You were at a communication or advertising agency and, of course, in technology. I want to reflect just for a second on your personal journey. What is one piece of advice that you wish you had received earlier in your career? And what do you hope listeners take away from learning about that advice?

Frank X. Shaw: I know exactly the advice I would give to a young Frank, and I'm equally confident that I would have ignored the advice. So I'm not sure how useful it is. But, when I look back, the thing that I wish I would have done better is I wish I would have spent more time listening and less time talking or less time listening with the intent to argue with somebody. I come from a big family. There's four boys and my sister, which means that everything is an opportunity for an argument. And you get really good at, like, essentially waiting for somebody to take a breath so you could jump in and make sure you deliver the right point. And that's not a long-term growth and learning strategy. And there's so many times where I look back where I was talking to really smart people, and instead of asking questions that would help me be smarter, I was sort of looking to argue with them. And I just wish I hadn't done that.

Ann Johnson: Frank, I think that's consistent for a lot of people, and I want to put myself in that camp, right? I used to lead sales organizations earlier in my career. And I would tell these really young sellers, you have two ears and one mouth for a reason, right? You know, and I have a degree in communication. I know it's all about the listener, not about the sender; and I still was lousy about it because, as you said, especially when you're younger in your career and you meet really accomplished people, I always wanted to impress them with how knowledgeable I was --

Frank X. Shaw: Right.

Ann Johnson: -- where I should have been learning from them. So I think a lot of people will relate to that guidance.

Frank X. Shaw: Yeah. So, again, I'm relatively confident I wouldn't have listened to it, but here I am.

Ann Johnson: It's good guidance, regardless.

Frank X. Shaw: Yeah.

Ann Johnson: All right. I can't let you go. I have a couple more questions. But this one's actually -- in a silly way, it's actually pretty important. You have said there's a Bob Dylan quote for every occasion. And I think cybersecurity communication should have their own Bob Dylan quote. So what Dylan quote do you think captures the state of cybersecurity communications today, and why?

Frank X. Shaw: Well, there's -- one of my favorite Bob Dylan quotes is a little bit of an enigmatic one, which is true of most of those things. And this is from "Love Minus Zero, No Limit," where he says, "There's no success like failure, and failure is no success at all." And so many times I think, when we're dealing with security issues, that is how it feels like.

Ann Johnson: I actually really like that. I may use that. You'll hear that in the future. Best ideas are copied. You know that.

Frank X. Shaw: That's totally right.

Ann Johnson: I close every Afternoon Cyber Tea with optimism. I consider myself a cyber optimist because I do know, for everything you see in the news, as an industry, we block thousands of events. So, despite the challenges, there's always something to look forward to in this field, whether it's new talent, new innovation. I truly believe AI will be innovative here, the spirit of collaboration, how we improve communications that are more effective. So I'd love to hear what you're optimistic about when it comes to future of cybersecurity.

Frank X. Shaw: Well, I think a lot of my optimism is grounded in the fact that I get to work with these incredibly smart people from across the company in the security space. And anytime I'm dealing with an incident or an outage or a new program we're putting in place to prevent these things, and you just get to talk to people here at Microsoft and I'm sure across the entire security industry who are such bright, committed people doing amazing work to stay ahead of what is just this relentless onslaught. And every day I feel like, wow. I am so glad that I have these people on the team here; and everybody should feel great about that. And I agree with you that the use of some of the new tools that are coming along from an AI standpoint that really speeds up the responses that we have in such an epic way gives us an edge that defenders did not always have before. So I know it's always going to be a game of cat and mouse. The bad guys are talented, as well. But I'll pick our side every time.

Ann Johnson: Absolutely. Frank, I want to thank you. I know how exceptionally busy you are. I have a view into it. I know how great your team is also so, you know, kudos for that. I want to thank you for joining us today and giving such great advice to the audience.

Frank X. Shaw: Yo. Thank you. It's great to be here, and I'm always available to be a sourdough coach if you need a little bit of help.

Ann Johnson: I might. And many thanks to our audience for tuning in. Join us next time on Afternoon Cyber Tea. Inviting Frank Shaw on Afternoon Cyber Tea was a little bit of a dream come true. He is such a brilliant communicator and so effective, and I have the opportunity to work with his team and with Frank quite often. So it was a wonderful experience to get his perspective, to get that view from the inside. Fabulous episode, and I know the audience is going to enjoy it.