Podcasts
Afternoon Cyber Tea with Ann Johnson
Ep 74
Afternoon Cyber Tea with Ann Johnson 5.2.23
Ep 74 | 5.2.23

Risk and Resilience in the Modern Era

Show Notes
Transcript

[ Music ]

Ann Johnson: Welcome to Afternoon Cyber Tea, where we talk with some of the biggest security influencers about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security executives. I'm Ann Johnson, and today I am thrilled to be joined by Roland Cloutier, who is currently Principal at the Business Protection Group, which is an executive cybersecurity advisory firm. Prior to the Business Protection Group, Roland was the Global Chief Security Officer at Byte Dance and TikTok, one of the world's largest leading media, social, and online technology companies. And prior to Byte Dance and TikTok, Roland held Chief Security and security leadership roles at ADP, EMC, Paradigm Technology, and more. Roland has also held roles in law enforcement and is a veteran of the US Air Force. With over 25 years of experience in the military, law enforcement, and commercial sector, Roland is one of today's leading experts in corporate and enterprise security, cyber defense program development, and business operations protection. Welcome to Afternoon Cyber Tea, Roland.

Roland Cloutier: Ann, always great to be having a little chat with you over tea. Thanks for having me.

Ann Johnson: So Roland, you and I have known each other for a while.

Roland Cloutier: A long time.

Ann Johnson: Yeah.

Roland Cloutier: Yeah.

Ann Johnson: I always hate to say that, but anyway. And you have led security organizations at some of the most well-known brands in the world. I would love for the audience to hear a bit about your journey. How did you actually get your start into cyber? What drew you to the roles you've taken, and what's kept you in the industry all this time?

Roland Cloutier: Gee, Ann, this is a podcast. Do we have that much time? No. Just kidding. You know, we -- I've had a blessed career. I mean, I think you, you know, you and I have talked about this in the past. I've got to do what I love doing my entire life. And when I left the military and went into federal law enforcement, I had no idea that my life goes in this direction. But of course, as a detective in a federal police agency, all of a sudden, you know, you're dealing with a lot of different type of criminal matters. And everything had to do with technology. I mean, that was just the truth behind it. You know, he had to get subpoenas and warrants and find forensics people. And the next thing you know, I, you know, I really thought that I could do better. And I was prompted by a good friend and mentor to go back to school. So I did, and, you know, and focused on computer science and then dipped my toe in the dark world of commercialism a couple years later and became really a security program builder. And so my first role out of government was with EDS, building security teams in the Northeast. And I got to tell you, I got bit by it, Ann. I just, I, I loved it. I loved building critical infrastructure defense teams for these companies, marrying the years of training I got in defensive operations and protection through the government. And this cyber, it formed like a new mission in my life. And from there, I got a lot of great points along the way on how to become a good business executive. And that led me to my chief security positions in different industries. And here I am today, 25, 30 years later, still helping other companies along the way.

Ann Johnson: So Roland, I'm going to take you back. I remember when we first met, which you -- which you may or may not remember, but.

Roland Cloutier: Oh, I remember.

Ann Johnson: Because there's a punchline to this. So I first met Roland when I was at this little company called RSA Security. And this bigger company, EMC, wanted to be able to secure access when people went to customers' environments to do maintenance on symmetric storage environments. They wanted to know who came in. They wanted stronger authentication. They wanted access. So me and my team went and pitched the CISO, Roland Cloutier, who we're all scared of, by the way. You had this big reputation. We're like, okay, we have to go in. We have to do a really good job. So ultimately, you ended up, you know, buying the solution that we pitched. But more than that, I'll never forget, Art Coviello said to me, he said, "I told you to sell EMC. I didn't tell you to sell the company."

Roland Cloutier: [Laughs] That's so true. I remember that because we were -- we were so focused on securing the totality of the business and understanding because we were in like 80% of critical infrastructures worldwide at the time. And modems were a thing. And that's how you manage these massive compute storage platforms for all these major institutions in all 19 critical infrastructure industries. And. We all sat down and said, there's got to be a better way to do this. And certainly, RSA was that way at the time. And I just remember it was what, not even -- not even 10 months later, and RSA was part of the EMC family.

Ann Johnson: That is correct. It was just a very pleasant coincidence. And it was my second run at EMC, but I digress. We'll get back on track. So look, the world has changed a lot since then, right? It's gotten more treacherous over the years. Right now, I'm giving a talk with Nadab Safrir [phonetic] from Teammate on geopolitical resilience at RSA, which is happening, you know, right after we're recording this. And we're putting out a call to leaders that they have to think about how they're going to plan for geopolitical resilience as well as cyber resilience and these inevitable global events and the issues we're having. I'd love your take on this. How do you think leaders and organizations are need today to build capabilities to ensure success amidst this challenging global environment? And what role does the cyber team play in building these capabilities?

Roland Cloutier: It is such a multi-level question, and not that I've lived this for the last few years, but you know, I'll give you my take on it. So I think foundational bottom line basics where chief security officers, chief information security officers, EIEIOs, however, you want to look at them, they have to understand business resiliency and really that three-legged stool. You know, the business continuity and business impact analysis and how your business works. They have to be business leaders. They have to understand the difference between disaster recovery and continuity of operations or old school, you know, government folks like you and I kind of cogs and then that third component of crisis management. And not just cyber incident, IR crisis management. I'm talking about business-impacting events that require strategic and tactical senior-level capabilities to manage through crisis problems for the entirety of the business. So I think if you focus on those and you have the ability to understand your business, understand what has to be in place in order for that organization to operate and what are the critical functions that impact the normal operations of business, you're in a great spot. And being able to take your business through putting in measures to identify those, continuing test those, all the things we've learned through our careers, that is just fundamental. Now, DR is different because DR is changing through digitization of our organizations and whether that means massive cloud migrations, native cloud environments, third, fourth, fifth party portions to our ecosystem that it actually delivers our products, whatever your business is today, understanding how you have to work within those -- the context of a critical incident when recovering or driving your business forward without major components of your business process is truly critical. And that last component around crisis management, it is difficult to lead an operational integral part of an organization in the best of times. In the worst of times, it takes practice. It takes knowledge. It takes effort. You just don't go do it. So I think people have to look at that third leg as well. So that is the, from my perspective, the underlining three components that people really have to build into their skillset at a leadership, especially security leadership, role. And the other part is really understanding your AORs. Like where do you operate as a business? What could potentially impact it? And a great way to do this is, you know, what they -- what they call premo-mortems. A lot of people call them post-mortems after incidents. But before they happen, look at the theaters of operation that your business operate in. Look at the top three to five things that potentially could happen there politically, legally, regulatory, socially. And take those and apply them against your business. And what would you happen? Who would you rely on? What are the decisions you think you'd have to make and have those discussions with the senior leader team of your organization? I think if you prepare on those two fronts, you're going to be well prepared for answering hard questions as they come across your desk in the future.

Ann Johnson: I think that's really a good framework because the decisions are really individual, right? You can't tell a company how they're going to respond to something. But you can give them the questions they need to ask and the framework that they need to ask it within. And then they have to make decisions that are fundamental to their business process, their values, their individuals, what parts of the world they're in, et cetera. And, you know, when I talk to your peers, they -- they're talking a lot about technology, right? They're starting to talk more about operations because they have to. They're talking about business resilience and operational resilience because they have to. But I'd love to get your advice on it. But a lot of the companies I talk to, right, and probably even people you talk to, are more mature organizations. They're more mature on their journey. So can we go to companies that are earlier on the journey? They don't have the most mature security programs. They don't have the biggest budgets. They don't have the most people. What fundamental decisions do they need to make right now? Or what discussions should they be having?

Roland Cloutier: In the context of geopolitical issues or in the context broadly of being able to support the business itself?

Ann Johnson: Yeah, and I think that's a great clarification. I would love to talk about how they support the business. But then how do they support the business in dynamically changing times, right? What -- what are like the must-haves that they should be doing right now?

Roland Cloutier: All right, I'm going to take you in the Wayback Machine because I still think it's fundamentally important. As you know, Ann, I don't call security security all the time. I often call it business operations protection because I really believe that's what we're there for. Whether you work in a business or an agency, you're there for the assurance and continuity of operations and the protection of what they take to market. And so if we can take a step back and do something as simple as what most MBAs would call Michael Porter's Value Chain, but do a value chain, a system, you know, assessment of the business. If you can sit down and understand how your business develops product, takes product to market, makes money, and services and keeps clients in the context of how your company operates, then you've gone a long way because, you know, we always say you can't protect what you can't see. How can you protect the business which you don't understand? I mean, just because you can protect the data center or a cloud compute infrastructure or a messaging platform, or, or, or, it doesn't mean you understand it. And it's the same with a business. I think in today's environment where CISOs, CPOs, CDOs, all the folks that are required to protect some level of operation in some way or meet regulatory requirements, they need to start understanding that they need to assess how their responsibilities goes across the entirety of the business and what they should really be looking at. And the good thing that pops out of that is that not only do you know how do you protect your business or you know what's critical to the operations of your organization, like the critical access protection program, but you also understand how your business operates. And you can actually educate often your company on how their company operates. You know, like, you know, if those two third parties go away, we can't do revenue rec, nor can we deliver cloud compute services here, right? I mean, like, those are big a-ha moments. I've had a-ha moments in my life, Ann, where we've lost literally like a smoking hole in the ground of a data center in Europe. And, you know, I show up a couple days after the -- it's still smoldering. And we're in the middle of, you know, a DR process realizing that we didn't even understand the extent on which continents that that one data center impacted. And CISOs, a good way to start is get in front of their business by helping map out their business. And this is one of the most basic things any chief security officers should be doing day one.

Ann Johnson: I think that's just incredibly important. And I think that that's what folks who are -- You know, there's so much complexity and so much comes out folks, that one of the biggest questions I get is, where do I start? You know, where do I even start, right?

Roland Cloutier: Yeah. Yeah. And people often start with an assessment and technologies and vulnerability management assessments and risk posture alignment. And those are all great. And you -- and we have to do those, right, because we have to make choices. We have to understand how susceptible our business is to an impactful event. And, you know, and all of the things that are minimum do care for an organization. But I always tell -- and it seems like an a-ha moment for a lot of people. The first thing you should do is really a value chain assessment. Understand how each one of your major business operations work, how to make the product and deliver it to market and make money off from it. And that's a great place to start.

Ann Johnson: Thank you. I had Charles Bonner on a month ago, maybe, and we talked about --

Roland Cloutier: Yeah.

Ann Johnson: Yeah, we talked about the role of the CISO. I'm going to ask you similar questions. The role of the CISO or the CSO has evolved tremendously since Charles started doing it, since you started doing it, right? You've written a book about what it takes to hold the CSO role. I'd love to understand your take on the qualities that make a good CSO today and what's going to make a good CISO or CSO, you know, three, 10 years down the road?

Roland Cloutier: So I'm going to -- I'm going to answer that question kind of opposite of my last question because I think technical CISOs are important, Ann. I think, you know, a primary function of what we do as a CISO or a CSO is ensuring the defense of a technical architecture that is the business that is today's digital business. And so I'm not saying you have to code. I'm not saying you have to be able to, you know, drive a firewall. What I am saying is that you have to understand the basic concepts of technology, infrastructure connectivity, cloud compute, all the things that make up our businesses today because you are going to be helping drive technologists and professionals who need to make decisions. You need to help them make those decisions in the context of a security strategy. But you also have to be able to lead technical people. So I think we're not going to lose the technology component. We can't say, well, you can be anything and just become a CISO. You can be anything and become a CISO. But part of that journey is going to have to be technical. Then I'll revert back to my last portion. Yet, you have to be a business leader. Most of us in these roles, especially at senior levels, are now either corporate officers or part of an executive committee because the position has such importance to the organization. And it doesn't matter if you're starting off in a 50-person company, a 1,000-person company, or a 10,000-person company. The significance of how you impact the day-to-day of an organization's go-to-market, an organization's ability to operate in any given jurisdiction, and manage through regulatory and legal issues is absolutely incredible. So you have to be a businessperson and a business partner. I guess that is the next area. Most of these areas you have to influence aren't just in your area. They're not just with the CIO or the CISO, or the CPO. They're across the business. They're across the go-to-market ecosystem with your sales organization and your customers. And there are a lot of different areas. So understanding what it takes to be a good partner and an influencer across the organization, I think, is the other major component when it comes to business. And from there, you can layer in things like understanding how to make good risk decisions. You don't need to be the CRO, but you better understand how risk is implied and implicated in the decisions you make and being able to participate in a broader risk ecosystem.

Ann Johnson: I think those are all great answers. And here's the thing, we keep hearing how CISOs need to be more business. But you're one of the first person that said, by the way, you still have to understand the technology and the application of the technology to solve business problems. That's -- I'm paraphrasing. But I think that's fundamentally important.

Roland Cloutier: And it's not easy, by the way, right? Like I'm glad this one isn't on video because my glasses are, you know, getting a little lower down on my nose as I get older. But you know, the funny thing is, is that technology changes on a -- on a dime. You know, I mean, you know, obviously, you know, with ChatGPT and the things that we've heard in AI, I mean, just in this last year, the acceleration of things that CISOs have to learn about in very fast context and the applicability to the business is incredible. So being a lifetime learner, being a lifetime, you know, person of curiosity when it comes to technology is incredible. I mean, just let -- I'm going to just continue on the ChatGPT just for a second. I mean, think about it. It's not AI security. It's input defense. It's model defense. It's biased defense. It's a usage defense. It's AI self-decisioning platform management, right? Like it -- those are like five different disciplines that a CISO has to learn or understand about before he can educate and consult his business on what they should do and how he empowers their -- or he or she empowers their business on how to move forward, right? That's a lot of learning that, you know, as an executive with five jobs in a company already, that you have to continue to do. So it's not for the faint of heart, that's for sure.

Ann Johnson: I love how you framed that, too, because I was -- I'm -- in this conversation we're having on geopolitical resilience, we're talking about the defense of AI models and AI data. And it really is -- it just is another element of platform defense. And what I'm trying to do is keep people from overthinking it, right?

Roland Cloutier: Oh yeah, they -- well, the problem is not only do they overthink it, they over solution it in an era where often what comes to us as a day-zero issue, there are no solutions, right? So it takes framing, context, a process by which you can take the business through how to crawl, walk, run through these things. And so it is a broader perspective that people need to sometimes fall back to rather than deep dive immediately into technical, you know, answers.

Ann Johnson: Let's change gears a little bit. Let's talk about burnout. You know, I've read --

Roland Cloutier: Is that why you brought me on, Ann? Is that -- is that why? You want to talk about burnout.

Ann Johnson: I brought on for my own therapy. But I've read a report, I've read a few of them, that CISOs are experiencing really high levels of burnout. The job is not as attractive as it used to be for a lot of reasons. I'm curious what you're hearing from your peers in the CSO and CISO community. And then a challenge, what can organizations, CEOs, boards, what can they do to better support their CISOs and their chief security officers?

Roland Cloutier: Wow. I was all set to focus on the first answer. The second one threw me a bit. Let me -- All right. Let me start with the first part of the answer. I think it's obviously the CISO has become an integral part of the operations of any organization. And it extends so far beyond just keeping the company protected. It's in our ability to operate as an organization legally in any given jurisdiction, to be compliant to the societies that we operate in too. I mean, there's -- there's just so many portions of it. And it's -- and, you know, it's not like a, you know, one- to three-year technology refresh. It's like, in every six months, three to six months, new technology that, you know, we have to adapt and change for. So the speed of change, the speed of decisioning, and the far-reaching impact as organizations, you know, fully digitize can be overwhelming. And so what you're dealing with is a, I think, a two-pronged problem that CISOs are dealing with today. You have the Joe Sullivan-like issues where, you know, you have CISOs that are getting involved in legal issues and discussions based on the performance of a company or an incident. You have the targeting of CISOs in compliance actions independently as aligned to regulations and attestations. And so there's a really, really high level of accountability and focus on the CISO. And on the other hand, you have this massive groundswell. Tools are getting better. Technology's getting better. Refining stuff that needs to be fixed. And although budgets are increasing predominantly. We're still having to prioritize what you don't do, right? And we always talk about prioritizing what we do do. But people forget about the prioritization of all the stuff we don't do in the context of that keeping us up at night. And then we forget, oh yeah, the third leg. We're also the 9-1-1 for the companies when something bad happens, might be a cyber incident, could be a geopolitical incident where all of a sudden, we're worried about pulling out of a country and how do we do that, to just about any other thing. The CISO becomes the 9-1-1 of the company. And so it takes a toll on being able to operate and making a personal decision. You know, do you want to be in that limelight, the target and the account of -- the responsible individual for all of the problems? So I think CISOs have an opportunity to develop themselves more broadly in leadership and their leadership capabilities, understand the totality of how we build and collect command staff, or our directs to handle that load for us and trust in building capabilities into them. And then I think the third part of that is our ability to educate the organization, right, instead of just doing the work and taking the work, being better at having open dialogues and involving. And that doesn't mean making it someone else's problem. That doesn't mean making them quote-unquote accept the risks. It means about being an educator and taking them through the business problem and involving the rest of the organization, making a joint decision process that takes some of that load off. So I think if we get better at doing those two things, I think we're better off. Now, what can companies do? From my point of view, focus on your CISO. Make sure that they know that they have your support at a CEO level. Make sure that they have direct access to you for critical issues. And that doesn't mean, you know, the CISO needs someone to go tell on all of the executives. It's not what that means. What that means is if I have a critical business problem that I want you to understand, and I think you should -- you should understand, I want to have access to you as the CEO or COO. I think it's critically important that -- And really successful businesses like Microsoft do that really well with their security leaders. And so I think that's one lesson to be learned. The other one is ensure that they're prepared through mentorship and education on how to deal with the things they're going to have to deal with, like the board of directors, like, you know, external regulators, like all of these things that CISOs are now being pulled in to be the lead on, how to answer questions through PR management. Like create a mini executive that you didn't think you'd need in this space by making sure he or she has the executive education necessary to be successful in that position. And I think that's one of the most -- other most important things that a company slash the CEO can do.

Ann Johnson: I like that very much like the last stand. I liked all of it. But the last part of that, understand that your CISO is an executive and they need not just CISO training. They need executive training.

Roland Cloutier: Yeah.

Ann Johnson: I think that's incredibly important.

Roland Cloutier: They do, that's for sure. It's been great in my career, I'll tell you. I have had great mentors that have said, Roland, that's nice when you're, you know, down at the fort having a discussion. But when you're in the boardroom, let's talk about expectations and how to better represent that. And, I mean, those direct educational sessions, you know, have been a highlight of my career.

Ann Johnson: That's fantastic. Talent, I know you are huge on mentoring and building and passionate about the next generation of talent. We have a talent shortage right now. How do you think the industry gets better? How do you think we attract more talent and more types of talent and different people who want to be in cyber and make them feel it's not quite as scary as they might think it is?

Roland Cloutier: Oh, I love this question. But I'm going to try with brevity because I could go on and on and on about this. Listen, I -- the first thing is know what you need. I mean, we can do best for the industry when we understand what we need to be successful security risk and privacy leaders in the future. So understand the workforce you're going to need for the type of business that you're in and create the right job families and, you know, what you need to be successful. So, for instance, you know, if you still have firewall engineer 101 in your job family, probably needs updating. A third of what we're going to need in the near future are going to be analysts, different type of analysts, threat analysts, data analysts, threat process analysis analysts. But they're going to be analysts like function. So do you have an analyst function in part of your job family? Like take the time, be successful in understanding what your business needs for the next three to 10 years based on what you understand. And create a job family matrix that is capable of changing with the needs of the organization. That's number one. Number two, do your university alignment. You are going to need a pipeline. So make sure that it, whether it's one university or it's 12 universities, that you do a great job at understanding your partnership with them, what you can provide to them, what they can provide to you, and how to engage them and use them as a pipeline. But you can't stop at universities. You got to get deeper into your community and involvement, I say, all the way back into junior high and high school, making sure that you're participating in STEM programs. And you're pushing the envelope on why security is sexy, why cyber should be what people are considering when they go into security, and how important it is to the future of society and getting people excited about it at an early age. Like I was in law enforcement at five years old, I know I wanted to be a cop. You know, we need people to get excited about cyber early in life so that they continue to do that in their progress of STEM programming and in education and even in government. And that brings me to my last point. I think engaging and understanding that we don't -- not everyone in our organization needs to have a Ph.D. or a MBA, you know, post-grad, that there are other ways into being a successful individual in cyber or aligned practices. And that's things like certificate programs, folks transitioning out of the military, career migrations, right? Maybe you have someone in finance that is fantastic with numbers and data. And if you could just give them, build on that capability with security capabilities and understanding, that could be your next great leader, right? So think about career transitioning programs inside your organization or even outside your organization at the state level. And make sure that you -- I mean, some of the best cyber warriors we have today come out of our national defense posture, Department of Defense, and other aligned industry. Think about how you consume those folks coming out of public safety or the military and being able to integrate them into your program. But do it in such a way that's meaningful and makes them successful during that migration. And those are a few tips I have.

Ann Johnson: That's a lot of information. And by the way, I love hiring folks out of the military because they know how to work on a team. They know how to work under stress. And I can teach them cyber tools, right? They know how to do investigations, a lot of them. So, well, look, I know you have a lot going on. Can you share a little bit with the listeners about what you're working on right now?

Roland Cloutier: Sure. This year is a great year. I'm -- I've taken some time out of operations to sit back and be able to do some thinking. You know, as CISOs, we're [inaudible] about 150 miles an hour, got a million things going on, and you don't get to dig deep. And over the last two or three years, especially in my last position, there's some stuff that I realized as CISOs maybe I wasn't as prepared for. And I'd like to help the world get prepared for. And one of that is data defense and access assurance. I think this is going to be a tipping point and probably two-thirds of the focus of our organizations in the next five years based on the regulatory climate and the continuing development of regulations in this space. So not just about how do I protect data, but the whole concept around where is my data. Where does my data move? What's the lineage coming in my organization to out of my organization? And who has access from what country to what country? Like that is entirely misunderstood or understood inappropriately. And as that is now leaving very specific regulated areas like finance and things of that nature, it's now going into any business that operates on a global environment. And it's going to be impactful. So CISOs needs to be prepared for it. So I'm spending a lot of time there. AI has been a personal passion for mine. I had to understand how to defend that, understand it in my last job in a very definitive way. And so I think there's new opportunities for how we, as practitioners and leaders in the industry, develop programs to enable businesses to run faster. You remember Art always used to use the brake kind of discussion with cars to get people's mind wrapped around, "We're not here to be the brakes on the car to slow it down. We're here to have good brakes so people trust, you know, the car to go faster." Well, it's the same thing with AI. We, you know, it's going to be businessed and societal transforming. We are going to be the ones that are going to be entrusted to protect that. So we need to start now. So I have a lot of focus on how to create programs to protect AI for security practitioners. And then transparency is another big area, of course, for me. So how do we know what we're seeing? What does our ecosystem really look like? How are we representing that in how we look at our risk posture across third party, fourth party, fifth party? And how are we educating and preparing our business to operate in a very integrated supply chain of a diverse ecosystem? So that's kind of, that thought of transparency and how do we get there for our business is super important. So a lot of fun things, Ann. I'm taking the time to be able to dig in. I've met with over a hundred companies since October. And just getting educated in this -- in a lot of this in a very different way and hoping to help out my peers.

Ann Johnson: That's fantastic. I love that you're doing that because you have so much to offer. You really do, based on your experience where you've been. You have such a diverse background that you have so much value to add to the industry. So I'm glad you're taking the time to do that. You know, you've had incredible insights. We always try to create optimism on this show. And, you know, a couple of takeaways. So what are you optimistic about right now in the future of cybersecurity?

Roland Cloutier: Oh, if either you're in cybersecurity or you're getting into it, it is the future of business. I mean, when we talk about, you know, business digitalization and the digital transformation of organizations, it is -- it's how our society is going to operate. And the fact that you can be in a career that's operational focused, doing good things, protecting the world that we live in, and the way that we live, and do it in a meaningful way. And maybe public service or the military wasn't for you, but you know, this is just another way that you can serve society in such a positive manner. And it's great positions. Like there is not a bad position in cybersecurity today, it doesn't matter what you do. It's exciting. It changes every day. And it's just very satisfying for people that like to see job well done. So I think the positive spin for me is that it's become not just a cool career, it's become an exciting career with lots of promise, a long future, and such diversity that I think it's just simply one of the best industries you can get into.

Ann Johnson: Thank you, Roland. I agree, by the way. And thank you for taking the time to join me today.

Roland Cloutier: Well, Ann, always happy to have a chat with you, whether on podcast or in person. And looking forward to our next one.

Ann Johnson: Great, and many thanks to our audience for listening. Join us next time on Afternoon Cyber Tea.

[ Music ]

So I selected Roland Cloutier to be a guest on Afternoon Cyber Tea because he has such a breadth and depth of experience that I knew he would be able to talk across a wide variety of topics and really contribute value to our listening audience in a meaningful way. It was an exceptional conversation. He's so dynamic and is so deep on so many things. I know the audience will really enjoy it.

[ Music ]

Afternoon Cyber Tea with Ann Johnson
Podcast Info
HOST(S):
Ann Johnson
Ann Johnson, CVP of Security, Compliance and Identity at Microsoft, oversees the long-term security investment and partnership strategies helping organizations become operationally resilient and unlock capabilities of Microsoft's intelligent cloud and next generation AI. From the way we tackle cyber threats to the language we use, Ann encourages the industry to get outside its comfort zones to expand how we address the evolving threat landscape.
Schedule: Tuesdays
Credits: Executive Producer is Bruce Bracken, Co-Executive Producer is Greg Ormsby, Producer is Rob Petrillo. Production Manager is Max Solomon, Scheduling and Administrative Support is Annalisa McBride, and our Audio Engineer (and magician) is none other than The Great Rich Cerbini.
Creator: Microsoft