Afternoon Cyber Tea with Ann Johnson 9.20.22
Ep 59 | 9.20.22

Microsoft Security CTO on Future of Cyber


Ann Johnson: Welcome to "Afternoon Cyber Tea," where we talk with some of the biggest security influencers about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision makers. I'm Ann Johnson, and today I am really excited because we are going to talk about current cyber trends, future technologies and one of my favorite topics, Israeli cyber innovation. I am joined by a long-time colleague and friend Michal Braverman-Blumenstyk, or MBB as we affectionately call her here at Microsoft. Michal is a top Israeli tech leader and one of the world's highest-ranked women in the cybersecurity industry. She is the corporate vice president and chief technology officer of Microsoft Security and is the general manager of Microsoft's Israeli Research and Development Center in Herzliya.

Ann Johnson: Now, before joining Microsoft, Michal served as the general manager of RSA Israel and the global leader of the cyberfraud and risk analytics product line at RSA EMC, which is now Dell. Under Michal's leadership, the revenues of the fraud and risk analytics product line at RSA grew 20-fold and the number of protected users worldwide reached over 300 million. Now before I introduce Michal, there's one other thing I wanted to say. My team has been doing an exploration to hire talent in Israel. And under Michal's leadership, Microsoft is one of the most sought-after employers in Israel. We have a - just a plethora of applicants, and every one of us talk about the tremendous culture that Michal has brought to that development team. So I am just thrilled to have her on the show to talk about all of that. Welcome to "Afternoon Cyber Tea," Michal. 

Michal Braverman-blumenstyk: Thank you, Ann. And it's really great being here, and it's always great to be with you. We go such a long time together, and we always have fun, both in technology business and just pure fun. 

Ann Johnson: Exactly. So let's have some fun and talk about Israeli innovation. You know, I was there in June, and I continue to be impressed by the startup community and the energy and the talent that's there. Israel has been a long center for cyber innovation, and some of those cutting-edge technology companies come from Israel. So tell us why that's the case. What makes Israel so special? 

Michal Braverman-blumenstyk: So first of all, you are absolutely right. There is a lot of innovation in cybersecurity and in high tech in general that comes from Israel. As a matter of fact - you know, Israel is not a big country. It's only - it's less than 9 million people, which is about 0.1% of the world population. But if we look at the investment in cyber, the investment in cyber are - in Israel are 38% of all global investments in cyber, which I find amazing. So what is the secret sauce? I actually divide it into two. One is the ecosystem, and the second one is the Israeli trait. 

Michal Braverman-blumenstyk: Let's start with the ecosystem. In Israel, it's mandatory to go to the army. And the technology units in the army bring a constant supply of young talent that - in their early 20s that already spent few years doing cyber. The second thing is the startups. There are 800 cyber startups, and the numbers keep growing. The third component is the multinationals. There are many multinationals that have their cyber excellence centers in Israel, like Microsoft. And all these create cross-pollination. And, you know, in Israel, everybody know each other, so it's one degree of separation. And where else in the world do you have people from so many international companies that all know each other and that all do cyber development? 

Michal Braverman-blumenstyk: The second thing is the Israeli trait. First of all, there is a lot of risk taking. There is also the Israeli chutzpah. Chutzpah means audacity, not to be afraid. And we are very egalitarian. We have a very egalitarian society, a very egalitarian spirit. For example, I love my team to tell me that I am wrong, because if I know that I am wrong, I can fix things very fast and move ahead. And the risk taking and the ability to say what you think openly and not be afraid of your boss and you can tell your boss you are wrong create an environment that promotes innovation and, again, cross-pollination. So to summarize, the ecosystem and the Israeli traits are the secret sauce of Israeli innovation. 

Ann Johnson: So, Michal, you know, I want to talk about our lab in a minute. But before we get to that, can you talk about, over the years, what some of your favorite examples of Israeli cyber innovation - maybe technologies or companies that come to mind? You could even talk about our favorite company, Cyota. 

Michal Braverman-blumenstyk: Of course. OK. So I have lots of current innovation, but you're right. You - we have to start first from these three. So first of all, Check Point - the first firewall ever, which was invented in the beginning of the '90s, was invented in Israel by Check Point. And second milestone - and you're absolutely right - Cyota. In the early 2000s, we founded Cyota, which was the first company ever to employ machine learning to security, to fraud detection. We later were acquired by RSA. That's how we met. Another interesting thing about, Cyota - Naftali Bennett was the CEO of Cyota, which was, until recently, the prime minister of Israel. After the RSA acquisition, he left for politics, and I replaced him. That created, by the way, the great partnership between you and me, Ann. We should thank him for that. So this is about history. 

Michal Braverman-blumenstyk: Let's do fast forward. Let's do fast forward to the 2020s. As I said, there are 800 cyber startups in Israel. A lot of them are doing amazing, innovative work. It's difficult to choose, but I will try. By the way, another important fact, which I found fascinating - 40% of all cyber unicorns are actually Israelis. Again, only 1.1% of world population is in Israel. So I will - when looking at the current startups, I divide it by fields. One interesting field, at least to me, is API Security. API Security is actually securing the API economy. API economy enable us to do - to build applications from building blocks, and to secure it is very important. So companies like Salt and Noname are leading that field in the world. Secure browsing for enterprises - companies like Talon. CNAPP - Cloud Native Application Protection - protecting cloud native application - Israel is very strong on that with companies like Aqua and Orca and Wiz. 

Michal Braverman-blumenstyk: ShiftLeft, which is important because we want to make sure that application developers develop secured application from the start. In other words, security is built in and not built in later. And ShiftLeft leaders, like Snyk, are also Israeli companies. Another emerging area, which is data security, specifically data security posture management - I just recently met a very interesting young startup named Polar that are doing amazing stuff in this field. So lots of companies to choose from, but this is the list of my favorite examples. 

Ann Johnson: You know, it's great to hear you mention all of these companies. And I'm always astonished by the statistic that you mentioned, that such a small percentage of the world's population actually lives in Israel, and yet there's all of this focus and innovation on, you know, cyber in Israel and the companies that are there. And I do, you know, agree with you that a lot of it is just because of the folks that come out of the military, right? It's this talent base that we can't leverage in other parts of the world. And it's interesting also to hear you mention Polar as a data security company. Full disclosure, I'm actually an investor in Polar on a personal basis. I saw them very early, and I thought the space was interesting. And it will be - it'll be fun to watch how they evolve, right? 

Michal Braverman-blumenstyk: Fully agree with you. 

Ann Johnson: Yeah. All that being said, let's talk about, you know, our lab. And we have this amazing lab in ILDC. It's not just security, but I want to focus on security. Talk about our research and development center. Tell us about the lab, and then tell us about how those teams are working with these really innovative software companies. 

Michal Braverman-blumenstyk: Sure. So as you mentioned, I have two hats. One hat is being in security, which is the global CTO of the security division; and the other hat is being the general manager of the Israeli R&D center. I love my two hats, and they are related because we're doing a lot of security here in ILDC. I want to talk a little bit about the Israeli R&D center. As a matter of fact, I started managing the site in February of 2020. If you recall, the other thing that happened in February 2020 is that COVID - all hell broke loose with COVID. I became the GM of the Israeli R&D center the same day that the first Israeli COVID patient was discovered. And when I entered the role, I thought, wow. I have at least three months to learn, et cetera. To make a long story short, two weeks afterwards, I had to tell everybody to work from home and to manage the biggest crisis we ever had. 

Michal Braverman-blumenstyk: But a crisis is actually not a big - not a bad thing. I'm a history buff. I love Churchill. I admire him. And Churchill always said, never waste a good crisis. And that's exactly how I felt, because when you dive into the water, you have to learn things very fast. So just entering into the role, I had to make sure that we keep people engaged while they're working remotely and they know each other, and we keep the innovating spirit, et cetera. And some of the secret sauce of ILDC is the fact that we put a lot of emphasis of technology and business impact excellency, bringing the best people, making sure that they work on the state-of-the-art technology, making sure that they lead, that they understand the customers, that they strategize. And another thing is also to care about the community, to care about each other, to create an environment that you really work with each other, and you do a lot for the community and while having fun. So all of it together create a very unique environment and also a lot of curiosity and also leveraging the Israeli trait of chutzpah and the risk taking, et cetera. And I think altogether, that's what makes this place unique. 

Michal Braverman-blumenstyk: So in addition to security - and we do a lot in security. We lead this - some of the important security products in Microsoft. We do other state-of-the-art technology, like autonomous car, digital health. Another thing that really warms my heart - and it relates to working with the community - we many times develop technologies in order to help the community. And sometimes even people doing it on their spare time. For example, an engineer that took an Xbox and adapted it to - so children with disabilities can play with Xbox. To see the smiles on those children who could hardly move on their wheelchair, and now they are able to play on Xbox, it's amazing. Another example is an hackathon project, which created, together with ALS patients, AI-based system that enable us to communicate freely with their laptop and give them capabilities they lost years ago when communicating with the computers. So that's also very important part of the Israeli ILDC, is leveraging technology, not only to make business impact, but also to make impact on the society. 

Ann Johnson: Yeah, I - you know, the Xbox example is so compelling, right? I remember the commercial model. And it came out over the holiday season in the U.S. a few years ago. And just watching those children and the joy, as you said, that it brought to them - it brought tears to my eyes. And it made me - you know, it's always proud to work at Microsoft, right? Because we're doing things to actually make the world a better place for everybody and to make the world a more secure place for everybody. So thank you for bringing up that example. As we think about then, you know, the wonderful work that you're leading in ILDC and the work that you're doing as the CTO for the cybersecurity business at Microsoft, let's talk a little bit about ecosystem 'cause I know you spent a lot of time talking to customers, partners, founders, startups, venture capitalists, etc. What are you hearing from them now? What do you think some of the trends are? And what are the leaders - you know, what is keeping our security leaders up at night? 

Michal Braverman-blumenstyk: It's interesting that when I look at the ecosystem and our customers and partners, I find that they become more and more educated on cyberthreats and on cybersecurity in general. And the more they become educated, the more worried they are, the more sleep they lose at night. And for - I understand that. And let's focus on some of the trends that batter the ecosystem. 

Michal Braverman-blumenstyk: So, first of all, attacks are becoming more sophisticated. They're becoming more sophisticated, not only because the attackers are technology savvy and they have the most amazing technology - as a matter of fact, it's almost a mirror picture of the technologies that we are using in the good part of the industry - but they're also leveraging sophisticated business models. And they create their own ecosystem. So it's really a whole - very sophisticated industry. So let's talk about the technology. As you know, we leverage a lot of AI and machine learning when we develop security products, and attackers are doing the same. They are leveraging AI in order to create more sophisticated tools. 

Michal Braverman-blumenstyk: For example, the Emotet malware, which is AI-based malware specifically for the fintech that changes its behavior and learned to be the target that it attacks in order to create more sophisticated attacks. Another trend that keeps many people awake is obviously ransomware. And ransomware also became more sophisticated, not only in the technology, but also in the business model that it operates - ransomware as a service - which enables the criminals to have a win-win because there is the criminals that are developing the service now, the technology savvy. But the people that - the criminals that are using that service can be very novice technology and still create a lot of damage to their victims. 

Michal Braverman-blumenstyk: Another trend in ransomware is human-operated ransomware, which is - was first discovered by our own MSTIC, Microsoft Security Intelligence Research Center. And the human-operated ransomware - we found it very interesting that they actually do double dip. Not only they are able to run a very sophisticated ransomware, but they also can exfiltrate all the data, sell it on the black underground market while still blackmailing their victims. So it's very economical for the people that operate. Other trends is, of course, nation-state attacks. We all saw how much cyber was used by the attack of Russia on the Ukraine. We saw a lot - as Microsoft, we saw a lot of surgical cyberattacks just before a big physical attack on Ukraine. And as you know, Microsoft did a lot to help there. And we will see nation-state attacks growing. The next one is supply chain attacks. And as companies are using more and more third-party software - and they are as secure as the weakest point, and therefore, securing the whole supply chain is extremely important. 

Ann Johnson: I couldn't agree more. And it's - you know, the ransomware actors are really interesting, too, because with ransomware as a service - and they're also, as you know, selling information on the black market, as you mentioned, but they're also doing outsourcing for a nation-state. So there's this whole ecosystem in the dark - you know, the dark web, as people say. But there's a whole ecosystem of bad actors out there that are monetizing attacks in any way possible. And that's only going to increase, as you mentioned. So I don't think the cybersecurity industry has always been pretty resilient when it comes to global slowdowns because the threats continue to increase. And you just can't cut spending. So I do - I am cautiously optimistic that we will continue to be able to put solutions for our customers in place that will help them defend themselves, even if there is more of a slowdown globally. 

Michal Braverman-blumenstyk: Exactly. It's an arms race, but I'm absolutely positive we are winning that race. 

Ann Johnson: Yeah. I couldn't agree more, Michal. So let's talk about IoT. I know you're particularly passionate about IoT security. And there is this increase in devices getting deployed in places like manufacturing plants and retail and health care, even in people - right? - embedded devices in humans. Cyber risks are magnifying. Talk about why you are so focused on this area. And you were early, by the way. I have the insight that you were very early to focus on this area. And what advice do you have for businesses and for engineering leaders that are grappling with the challenges and with the opportunities that come with IoT? 

Michal Braverman-blumenstyk: So you're absolutely right. I have been very excited about IoT for quite some time because to me, IoT is the heart of the digital transformation because it combines the physical world and the virtual world. And together, that's what makes the digital transformation so successful. And together, that's what will makes humanity - it will make so much advances to humanity. I almost compare it to the Industrial Revolution. But in order to enable it, we have to make sure that all those IoT devices - whether it's cameras, whether it's smart screens, whether it's smart elevators, whether, as you said, it's medical devices, whether it's embedded in your body or not, pacemakers on one hand but also manufacturing - all of it participate in the digital transformation. And securing IoT devices are very different than securing your IT, your database, your laptop, your server, your cloud, etc. Therefore, we need on one hand to make sure that we provide specific security that understands all the protocols of the IoT and, on the second hand, providing the end-to-end security tying all the devices to the IT. 

Michal Braverman-blumenstyk: Let me give you an example. Let's look at a case that happened in the past, a casino that happened to have an IoT device, which is an innocent aquarium. Now, the aquarium was connected to the corporate network because someone wanted to feed the fish virtually. Great. However, nobody thought that the fish have anything to hide. Therefore, nobody thought of protecting the aquarium. And as we know, attackers always will look at the weakest link. And they understood that the aquarium is connected to the internet but also to the corp net. And they attacked the aquarium. For the aquarium, they did lateral movement to the company network, and they were able to get to the crown jewels in the customer database. And this is an example why end-to-end security solutions are so important because IoT and IT are now mixed together. As a matter of fact, if we look at recent analyst research, in 2026, 75% of all enterprises will have IoT business lines embedded in their company. So we in Microsoft believe very strongly in providing holistic IT, IoT and OT end-to-end solutions. 

Ann Johnson: So I think it's really important, particularly the last thing you said. The examples are great, but the fact that we need to have all of these solutions fully integrated to give customers better visibility and - because our customers tell us regularly that - what they worries them. And what they don't think they have is great visibility across the entirety of their environment. So it's great to hear the innovation that's taking place in that space. And speaking of innovation, you are the CTO for Microsoft Security, which is a huge responsibility. And part of that role, I know, is looking into the future and determine what technology and engineering investments Microsoft needs to make, how to empower our customers, how to keep our customers successful. So what has you excited? What technology are you thinking about right now? 

Michal Braverman-blumenstyk: So first of all, cybersecurity is very exciting. The reason it's so exciting - it's like playing chess. You have an opponent. When you just develop software, you don't have an opponent. You just have to develop good software. However, when you develop and design cybersecurity products, you always - you have - you always have to be one step ahead of your opponent. You have to think what the attacker will do. And I find it extremely challenging and interesting. And so what we are working on now - some of the things is autonomous security, which is different when automation. Automation is very important, but autonomous is one step ahead. 

Michal Braverman-blumenstyk: Think about it. Let me give you an example. When you have a vacuum cleaner, this is automating the cleaning of your house. When you have a robot that does the vacuum cleaning, this is autonomous. You don't have to worry about it. And because the attacks become more and more sophisticated and we need to employ more and more data and technology in order to combat it, it's very important to make sure that we outsource the headache of the security professionals. And we do a lot of the things autonomously without even bothering them and making sure that they only have to deal with the 1% that get their attention. So we spend a lot of time in developing air-based system that are doing autonomous security posture management in other security areas in order to give the security professionals the freedom to focus on the most important thing. We also look at special trends like metaverse. Metaverse will become more and more prevalent, and we have to make sure that we secure this world, that nobody is kidnapping the metaverse and that the identity of the metaverse is kept intact. 

Michal Braverman-blumenstyk: Another area that we are looking at is post-quantum cryptography. Let's look at cryptography. In the last 20 years, we are using cryptography algorithm, which are very efficient and, you know, the RSA cryptography algorithm. And it's impossible to - it's almost impossible to break it with the current computing power. However, quantum computing will be a reality. And it's quantum computing - it's becoming a reality. All the current cryptography algorithm will not be so solid. It will be very easy to break them because quantum computing has so much power. It - things that took years before to break will be a matter of meeting - of minutes. Therefore, we need a new generation of cryptography algorithm that will be resilient to the computing power of quantum computing. So this is another area that we are working in. Also Web3 Security - Web3 is the next generation of the web, and we have to make sure that we are ready ahead of time for all the attacks, that we leverage the Web3 capabilities. 

Michal Braverman-blumenstyk: And the last thing which is - we find very interesting is securing business as a service. For years, security is considered as horizontal. However, when vertical computing and vertical application are becoming more sophisticated and more prevalent, security has to be vertical as well. And we are now looking at security solutions and security products that leverage the context of the particular vertical - the particular business in order to provide better security. So this is about security. But you know what? I talk about - I wanted to mention another field, which is not security, because, as you know, in my ILDC hat, I'm looking not only in security, but I'll do it later. 

Ann Johnson: It's fascinating the trends that you're talking about because we - as we look at - and I know you know that our team is working with some folks on your team on a paper called "Cyber 2025 and Beyond." And all of these things are top of mind, but the one thing that you and I - and we talk about this - is what are we missing, right? What is it that we're not seeing that's going to become a cyberthreat down the road because the bad actors aren't going to go away? They're - you know, they're making money, right? They're not going to - the old joke, why do people rob banks? Because that's where the money is. Why do people launch cyberattacks? Because they can monetize it. So it'll be interesting as the industry evolves - and I agree with you. We're one step ahead, and I want to keep staying one step ahead. 

Michal Braverman-blumenstyk: Absolutely. That's why we are here. 

Ann Johnson: Yeah. That is why I get up every morning. Exactly. 

Michal Braverman-blumenstyk: Exactly. 

Ann Johnson: Which brings me to the topic of women in cyber. So as you know, you know, you and I have been in cyber - we met in 2005. We've both been in cyber a very long time. Women have historically been underrepresented. It's getting a little better, but there's - you know, it needs to continue to get better. We're also have this tremendous labor shortage in the cyber industry. And one of the ways - I've talked for many years in speeches and blogs and posts about, you know, pragmatically, one of the ways to solve the cyber shortage is to be more open and welcoming as an industry and encourage, you know, women to pursue cyber careers. But when it comes to attracting and retaining women and other underrepresented groups, is a diversity policy enough, Michal? What do you think we can do? What have we done wrong, and what should we be doing? 

Michal Braverman-blumenstyk: So first of all, it's an excellent question. So I - before we go into the shortage, I want to refer to - I think, to my experience as woman in cyber and as woman in general in technology. And I think that I was lucky. Look, from a very early age - and I think that I have to really give a lot of credit to my father. My father raised me as - I was completely oblivious to the fact that I am a girl - that a girl should not do something. I grew up feeling that sky is the limit. And again, thank to my father. And I never felt the glass ceiling. I was always good in math. I liked math. I was specializing in math and computer science. I was in technology - army - in the unit and later in the industry, felt exactly what you felt, that there was not many women. But I didn't let it bother me. And as a matter of fact, for many years I didn't spend time focusing on the fact of that I am a woman and what should I do? 

Michal Braverman-blumenstyk: But I was wrong. The fact that I didn't feel the glass ceiling doesn't mean there is no glass ceiling. And once I realized that, I became very active in women organization in tech. Like, for example, one of the things that men are doing better is networking - like, the good old men's club. This is a very effective professional tool, and women are not doing it so well. So one of the first things that I did after I decided I'm going to be active in promoting women is opening networking organization. As a matter of fact, in - I opened UPWARD Women in Israel, which is networking for professional women. Another thing that I did - I started to work with girls. It's so important to give role models to girl. And I'm going to - and I'm talking with girls in schools. And by the way, we should start even in kindergarten. Show them how much impact women can do in technology, encouraging women and girls to enter cyber. As a matter of fact, in Israel R&D center, a lot of the women here, we are active in working with girls from the periphery, working from girls with different economic strata in order to bring them to cyber. And we see a lot of progress here. 

Michal Braverman-blumenstyk: So to answer the second part of your questions about the shortage - so I fully agree with you. Diversity in cyber is extremely important. So obviously, bringing women and girls from a very early age - encourage them, showing them how excited - how exciting this field here is, exactly what you and I feel about that. But it's not only women. It's also other minorities. Every minority which underrepresented in high tech is also underrepresented in cyber. So in Israel, for example, we work with bringing more Arabs, bringing more ultra-Orthodox Jews into cybersecurity. I know in the United States, we are doing with other minorities. Another very important minority is looking at people with disabilities, whether it's physical disability or mental disability, and enable them to enter the field because they have amazing minds. So let's make sure that we don't leave anybody who can create great cybersecurity solutions out there without giving them the opportunity. We also work with people on the autistic spectrum, and they are amazing engineers. So in short, if we are - all of us, all the cyber companies - are doing this effort in order to bring those underrepresented population to cyber, I'm sure we will do a great advancement in closing that shortage gap. 

Ann Johnson: I think that's fantastic, the work that you're doing there. As you know, we, as Microsoft, sponsor Girl Security. We sponsor WiCyS. These are more U.S.-focused programs that are getting some global footprint. And the - you know, there's a few other organizations we work closely with, like the Security Advisor Alliance that actually works in the U.S. from seventh grade to 12th grade in the U.S., to try to get students, even before college, interested in cyber. I think it takes all of it, Michal. I think we have to just keep doing all of it. There is no one thing... 

Michal Braverman-blumenstyk: Exactly. 

Ann Johnson: ...And we have to do it on a global basis also. 

Michal Braverman-blumenstyk: Absolutely. And I think it's our role in the high tech. I mean, Microsoft is doing that a lot. And we are encouraging other companies to join us because the high-tech sector is very dominant. And if we will do that, we can change the world. 

Ann Johnson: Absolutely. We can change the world because people will think differently, too. And we need that. We need non - I know you have a technical degree. I have a political science degree. We need liberal arts majors. We need also people that think differently, so we look at problems differently. So, Michal, thanks for sharing your incredible insights. We always like to send our listeners off with one or two key takeaways about what you think we can do today - you know, practical advice. If you were talking to a customer today, what would you tell them we could do today that they should implement in their environment? 

Michal Braverman-blumenstyk: So, first of all, to combat cyberattacks and cyberthreats, it's a war. And like in any war, we need a coalition. And it's a war that cannot be won alone. Therefore, collaboration is very important - collaboration between organization, collaboration between states, collaboration between different sections of sharing information, of course, levering all the technology. But sharing, not keeping it to yourself. Another thing is education - educating the consumers and the children from very young age and educating the enterprise how to combat cyberattacks. And, of course, automation - automation and autonomous systems that will elevate the work that the professionals need to do. 

Michal Braverman-blumenstyk: I can tell you that I'm very optimistic because it's all about the people. It's all about the human factor. And even though the attackers - also great technologies and they're very smart people - because I believe that the good people that are good technologists will do the right choice and will come to develop cybersecurity products as opposed to develop cybersecurity attacks, I believe that the good side will win. 

Ann Johnson: I agree with you completely. And I also agree that educating folks from the first time they touch an electronic device, you know, at very - you know, the digital natives now, right? - all the way through, you know, their career is important. So, Michal, thanks for taking the time to join me today. 

Michal Braverman-blumenstyk: Ann, like always, it was a pleasure and a great fun. And I'm really, really thankful that you invited me to this amazing podcast. 

Ann Johnson: Many thanks, and thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea." 

Ann Johnson: So I invited Michal to join me on "Afternoon Cyber Tea" because she just has this breadth and depth of information that is incredible. As the CTO for our Microsoft security business and also as the leader for our Israeli development center, she really has a great pulse on the industry - what's new, what's evolving, what customers are thinking about and what great innovative technologies are out there. It's a wonderful episode, and I hope you'll enjoy listening.