Afternoon Cyber Tea with Ann Johnson 8.8.23
Ep 78 | 8.8.23

Microsoft EVP Charlie Bell on the Future of Security


[ Bright piano playing ]

Ann Johnson: Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead.

[ Bright piano playing ]

Today I'm joined by the Executive Vice President of Microsoft Security, Charlie Bell. Charlie has over four decades of leadership experience in the tech industry, from developing space shuttle software to leading the creation of Amazon Web Services' decentralized engineering system. And now working here at Microsoft, to make the digital world secure and safe for everyone on the planet. Charlie relishes big challenges and believes that bold innovation is possible with deep curiosity, continuous learning, and an emphasis on rapid problem-solving. Welcome to the show, Charlie.

Charlie Bell: It's great to be here, Ann. Thanks.

Ann Johnson: So, Charlie, you've had this really extraordinary and absolutely inspiring career in technology, and I would love for our audience to hear a little bit more about your journey. So can you tell us how you got your start, and then what ultimately led you to your role leading the Microsoft Security Organization?

Charlie Bell: Wow. Yeah. It's been a -- kind of a crazy wandering path. I started out as a programmer working on the space shuttle. I wasn't doing the flight software. I was working on the engineering world, doing mechanical engineering and other things for payload integration. We put the payloads in the shuttle. The shuttle was this space truck that goes up and down, and NASA figured out, Oh, my gosh, we've got a lot of logistics to do here. We've got to strap things in, take them out. They got to have power. They got to have signal. They got to have - they've got to make sure they're not going to get baked on orbit or they're not going to fall out the back, and there were all kinds of things that we had to do. And I had a lot of fun writing that software. And then I was thinking about changing careers just because, well, that's a rocket factory. They, you know, they're building space shuttles, and all I'm doing is writing a bunch of software on how to do things. And I was having a conversation with the guy in front of me, who was a flight interface engineer, and he was actually doing the hard engineering of how do you actually put these things in. And he said, Oh, you ought to do what I do. I said, Well, I couldn't do what you do. And my next one-on-one with our boss, because we both reported the same leader, he said, Well, I think you're going to do Mission 61 Baker. And I didn't know what he was talking about. I said, What do you mean? He goes, You're a flight interface engineer; you're 61 Baker. Apparently, this guy had talked to him and they'd already worked that out. So I got out of software, I was doing a flight interface engineering, which was just a blast. I mean, I got -- I did a mission down in Houston. I worked a console, not the glamorous thing in the mission support room. It's the engineering thing where you get all the problems and you have to solve them really quick. But it was a lot of great experience. I worked with some amazing people on the space program. And then the Challenger happened, which kind of put NASA on its heels, and it was tough. You know, we were planning on ramping up to 40 flights a year, and suddenly we had a whole different view of how we were going to handle this thing. And so I started playing with back-end software with -- while we were in stand down, with a couple of database slides. I got into database software and ended up working for Oracle for seven years. It was a lot of fun. Oracle was great. Because of my aerospace background, I spent a lot of time with Boeing. It's actually how I got up here in the Northwest. We were writing software for the electrical organization at Boeing, putting a database under diagrams, and it was a lot of fun. I wrote a lot of C code, and I got tricked into doing management at one point. Somebody came to me and said, Well, you know, you ought to do this. And I said, Okay, I'll try it. I didn't have a lot of desire to do it. But as I started to do it, I realized, Okay, I get to -- I get to have a little more impact. And then the Internet happened. That was 1995-ish, '96. I left Oracle to start a company. It was -- it was called Server Technologies. We're building an e-commerce platform, and it was really cool. We got going. We were literally rolling for a couple years. We had customers, very exciting. We had one engineer still bringing in -- because we're all self-funded, bringing in cash by consulting with this little startup across the lake. They were doing e-commerce and I needed him back. So I had a conversation with the CIO of that startup. He ended up buying my company. That was Amazon. And so 1998, March '98, the 12 of us, so we were very small, it was nothing big and material, ended up -- Marty was an aqua hire. He was basically looking for the Oracle talent because they were using a lot of Oracle. And so we ended up over there at Amazon, and oh boy, what a ride, 23 years. I got the job -- first job actually was running customer service applications. That was actually really interesting. But I was only doing that for a few months when the CIO there said, Hey, I need you to run infrastructure. And I thought, Wow, that's the worst job in any company. But okay, it's got to be fun. It's Amazon and I'll do it. And boy, was it a ride. I had so much fun doing it. I learned all kinds of things. I learned all about networks and data centers and operating systems, all kinds of stuff we provided. It was crazy. But what would happen, we understood that there was this interesting problem that developers had to muck with infrastructure and they were all mucking in the same way. So we built AWS, and that was initially just pretty raw compute service, EC2 and S3 was simple storage. And actually, the very first one was the simple messaging service, but that was so small and really didn't count. The first two were those compute and storage. Anyway, we did that; that was crazy. I got to see the whole cloud thing happen, and I feel kind of lucky I went through this. I saw the Internet happened with e-commerce, then I see the cloud thing happen. And what happened was it got to be a big deal. And Jeff said he was going to retire, and it caused me to think a little bit about, Well, I'm -- at my age, you could probably do one more thing that is important. I, you know, I could -- I could try something or I could stay and do this. And both of them were kind of interesting. And the more I thought about it, though, the more I thought that security was a huge problem in the world that was just going to get bigger. It's a very interesting problem, Ann, as you know. You're in this business. And I just see the -- the future of this. We needed help and whatever I could add would help. And so I thought -- so I was talking to my wife and I said, Well, I wonder where I would do this. She said, Oh, you ought to talk to Satya. She knew Satya. And so anyway, I ended up in Building 34 over there talking to Satya. And the more I talked to him, the more I realized, Oh my gosh, Microsoft's really committed to -- to this problem. And, you know, there was already a lot of work -- good work that had been done. And so this was in August of '21, I came over to work on the security problem. And it's been a hell of a lot of fun ever since.

Ann Johnson: You know, whenever I hear you tell your story, Charlie, I am reminded of Apollo 13, right? And some of the parallels to security. Because creativity, ingenuity, teamwork, never give up, all of those things are things we think about in the industry. So your experience in the space program is really relevant, as well as obviously married with your experience at AWS. But it's relevant to problem solving, security, and how we think about problems.

Charlie Bell: Absolutely. It's so true. I mean, you tackle a very large problem. I think it's easy to be daunted by those very large, complex problems and think, Oh, my gosh, how is this ever going to work? I have developed some confidence that we are going to - we are going to solve this. You know, you won't ever eliminate the bad actors, I don't think. Maybe human nature will change over 100 years. I don't know, but it's certainly not in our lifetimes. But I think we can do some -- some great things here to make it not the dominant thing in our lives.

Ann Johnson: Yeah, no doubt. So -- and you're coming up, as you mentioned, on two years, and obviously you had this really impactful and meaningful career before Microsoft. So, tell me why Microsoft and why the pivot to security?

Charlie Bell: Well, like I said, I was looking at -- when I started thinking about, well, what - what is the big problem in the world that I want to work on? And the more I thought about it -- security is, I call it the mother of all problems because almost everything we do in technology can become a weapon in the hands of someone. And so you think about all the advances that humanity has had, you know, since fire and everything that we create in the computer world and the technology world can be turned around and used as a weapon. And so you can't really make the kind of progress we all want to make unless we first solve this problem. So it's kind of the mother of all problems. Unless you feel secure, imagine, you know, all the work that we're going to do to change the world of transportation. We're going to have a lot of autonomous cars and we're going to have all the rail that's driven by software and just all the transportation world is incredibly digital now. Well, it's a surface area that makes you very nervous about what attackers might do, or power infrastructure. You know, we've seen attacks on gas pipelines. You know, one of the things we hate about ransomware is they go after hospitals. And so when you think about this problem, until you solve this problem, we have to walk afraid in everything we want to advance because everything we add could end up being a new source of a problem. So for me, this was, like, the biggest problem of all. And the other thing that makes it very interesting is you have a bunch of bad actors out there who are innovating to try to create new problems. And getting ahead of that innovation, it's not like most problems you solve, you solve the problem, you move to the next one. You know, you get this solution, you know, you build a better car, and now you figure out how to digitize it and turn it autonomous and on and on. But in security, everything you build ends up being twisted and turned by somebody else who's trying to innovate. And so I think that makes the problem -- it makes it very difficult but also challenging and therefore very interesting to tackle. And so that -- that was what's going through my head. The other thing that I also thought about is, Gosh, I know a lot about the world. You know, I thought about, I go, What is my experience going to be useful for? Like what -- how can I be useful? What, you know, what is my background going to help? And I thought, Well, I know a bit about, you know, infrastructure and cloud, and I know a bit about a lot of things. I know a lot about data and how it works. And I thought, Well, you know, I also know a lot of services and operations and things like that. And a lot of that all comes together in security. So I felt, Yeah, I would be able to help in this area.

Ann Johnson: There's no doubt, right? There's no doubt you have helped in this area. And I know in listening to you and speaking with you, you consider it a great honor, a great responsibility, to build technology in service for our customers. And you speak with senior leaders at every company in every sector in every part of the world. So, can you tell the audience a little bit about some of the top security-related opportunities and challenges you hear consistently from customers? How does that frame your strategy and your thinking about what we need to do at Microsoft and also in this ecosystem that we think about when we think about collective defense and security problems really being an ecosystem solved for the industry?

Charlie Bell: Well, by the way, it's one of the reasons I did -- I thought again, thinking about the problem and how customers -- I was talking to a lot of customers about this. The first thing is they -- it's too hard. I mean, when you think about the complexity of the modern technology world, it's too hard to get it right. And so I think one of the big problems they have is getting set up correctly. The analogy I've used is, you know, imagine a football field. And by the way, I'll use the European and rest of the world definition of football, not the American version where you touch the ball with your hands. I don't know how they call it football. But imagine you have this pitch and you can make it 20 miles long and you make the goal two feet wide. It gets a lot harder and would be a very low-scoring game. And so that's what customers want. They want to have everything set up correctly and -- and not have to worry about the problem because they know that they're set from the start. And being a provider, you get to understand, like, the latest. You get to understand, for example, what is happening in containers or what's happening in AI right now. And you understand how it's evolving and how people are using it, and that helps you protect it better. And so that was one reason I came to Microsoft. And also, by the way, the whole end user world, I mean, attackers go after people because we're -- sadly, we're the weak link in the chain. And so having -- being a provider of productivity technology, of email and documents and analytics and things like that, I think helps understand the problem better. But that's what I hear from customers, is just being better protected. And then the other problem they have is as they try to build the way that they protect themselves, and of course they have to be -- the problem is attackers are moving ever faster. They're automating, they're moving with the speed of machines now. I think the average -- I think we said an hour and 17 minutes, I think was the average time to goal for an attacker getting in now. That's the average. And so they're moving incredibly fast. And so defending requires a very unified look at everything going on and the ability to move with machine speed. And the problem that customers have today is most of the tools they -- they can put on the problem, they're very fragmented. Many of the customers I've talked to, they might have 100 security tools that they're applying to the problem. So, you know, we talk a lot about end to end, but it's basically getting one way of looking at, you know, you take away some of the advantage the attacker has, the attacker comes from any point, but if you can see the entire field, if you can see everything, then you get to employ everything in the defense. And so, and so I think that's the other thing I hear from customers, is getting rid of the seams in their defense and in their posture and the way they're set up and really getting to one view of it.

Ann Johnson: Yeah, look, I think that makes sense. And to the point, we talked a lot about end to end and we talked a lot about, you know, having a cohesive platform and visibility and the big problems we're trying to solve. Because with too many disparate tools, you have seams, right? And you have surface area you can't see that's open for the bad actors, and I know you -- I know you know this. And as you look to solve that, I listened in on, you know, and participate in a lot of the calls you have with your leadership team. And one of the things that always struck me and that I think is really poignant to security is this leadership philosophy you have around rapid problem solving. Can you tell us a little bit more about that and explain why you think speed and acceleration of problem solving is so relevant, particularly in the security space?

Charlie Bell: Yeah. Well, a couple of things. One is, as I said, it's the mother of all problems. And so if you want to think of it, is you've got to be faster than the fastest innovation. So take the absolute tip of the spear in what's happening, and you've got to move that fast if you want to protect. And so that's one driver of speed. You know, we're seeing it play out in generative AI right now. Microsoft's the first mover in this space, but we've got to move really, really fast in the security world just to make sure that -- that customers can confidently move forward with it. But also you've got to remember what I said before, that the attackers are constantly innovating. Again, you have humans out there actively innovating all the time. And so the speed that you move, you've just got to move faster than they do, and so speed is everything. The other thing I'll say is -- the nice thing about speed is you accumulate it. And so the faster you innovate, the more quickly you get to the next thing and the more you can build upon what you already did. And the -- it's the way to think of it is like the first derivative of the rate that you're traveling. So the speed of innovation is incredibly important, and recognize that it's kind of a - it's a community thing. There's no genius that's going to figure everything out here. It's going to be a crowd-sourced kind of view of all the ideas that come in and then make sure that you can quickly harness those ideas and get them in the hands of the people who need them.

Ann Johnson: Yeah, there's no doubt. And doing that rapidly, staying one step ahead of the bad actors who are innovating and innovating with investment, right? It's incredibly important. Let's switch a little and talk innovation, right? Microsoft has been in the news and internally hyper focused on AI, which I've long believed is going to be a step change for the cybersecurity industry. So what do you think about the overall promise of AI and what global issues, you know, not -- even outside security, do you think are going to be addressed with AI?

Charlie Bell: Well, the first thing I'll say is, you know, we talk about the asymmetry of the attack or the fact that, you know, they come at us from any point. It's like first move in a chess game, they get to move first. But we actually have an asymmetry, too. The asymmetry on our side is data. We get to see everything. You know, Microsoft -- we talk about the 65 trillion signals a day, but we have a tremendous amount of data. And as you see what's going on, you can take what you see in one spot and you can defend everything with it. So the data asymmetry is a -- think of it as a big half of the solution to tilting things in our favor. But the other half of it is to harness everything that you have. And, you know, one of the challenges in security, it's been a very bespoke kind of industry. You know, you have your experts in the network and experts in endpoint and experts in email and each of the areas that you operate in, identity and access and privilege and everything else. And so you get experts, and the problem is to be great at security, you've got to be over the whole thing. It's, again, it goes back to what we said it's end to end. And so it's very hard for us to get -- humans that can think, that system thinkers that can get across all that. And think about the whole thing. And so we end up siloing and passing things, and it slows everything down for us. The nice thing about AI is it's all discipline. It doesn't care about a particular discipline. It thinks about across all of it, and thinks about it with lightning speed. It knows -- it can say, Oh, I need to go look at the access logs for X, and pull a query, and grab it, and use that information to provide context for the next action that it's going to take. And it does all that at machine speed. If there ever is going to be anything that totally changes that asymmetry, it is AI. Because you're -- the fact that you can harness everything you have and do it with machine speed now, that makes it very difficult for attackers. Because remember, they do have a data disadvantage. They only get to see the surface and they only get to see what -- the area that they've been able to get to. But remember, we see the whole thing. We just haven't been able to harness it all. And that's -- that's what AI is going to let us do.

Ann Johnson: I think that's a great way of looking at it. And look, I think the possibilities are endless. And I've - I've said this so often, but there's also -- you know, we want to cut through hype. We want to cut through noise. So to bring it down to today, you know, what security use cases are short term? What's real? And then maybe what's your future thinking?

Charlie Bell: Well, oh, and you asked me before about other things that we might apply the AI to. And that would take a - that would take a long, long day, I think, to go through. This is what's happening in Gen AI. You've seen it from Microsoft, all the things that we're doing. But in security, I'd say we can use it for so many things, and it will -- it's advancing very quickly. I think that one of the initial problems that we have to go to work on right away is what I said, that you don't have the experts. I think the number is 3-1/2 million jobs go wanting in security just because we don't have the people to do them. And so I think the very first thing we go after is the defenders, the people who protect, and make them incredibly productive so that we have only a few thousand jobs that go wanting. We'll feel much safer and much better. And so it's just making defenders much more productive, being able to handle an incident and be able to move across everything with machine speed, be able to go to the next step, go to the next step, look at the next thing, and do it faster than the attackers could ever do it. I think, you know, those would be some of the first early use cases. I think posture is another one. I think looking at the way things are set and configuration and just processing. By the way, the priorities, because one of the things I love about the AI is you can ask it, Which things should I work on first? But just getting to that side of it. I think another place we're going to see right away, these are all right away things that we can go after. I think we're going to see it in how we build code. If you go look at GitHub Copilot, I like to say it's a security tool. It's a developer tool that's a great security tool because it can write vulnerability-free code, and it can look at existing code and tell you. Those are some of the early use cases. It's going to get broader. I think we'll get -- we'll get deeper into helping the business understand how to solve problems in brand new ways. Protecting AI is going to be a big, important part of it. I think for those that haven't followed what happens with Gen AI, you basically converse with the AI in natural language. It's not an API. You don't say, here's, you know, get me this, put me this. You give a natural language question and it processes it. And of course that means that it's -- if somebody were able to get into that stream, they can manipulate the AI. And you can imagine if you have agents, AI agents out there, and bad actors are able to manipulate those agents, that's a whole new - whole new world. And so I think we'll use AI to defend AI. You know, one of the cleverest things I've seen is some of the applications of AI to basically spot when somebody is trying to manipulate and protect. And so -- and if using AI and other ways to understand where, maybe where bad actors are attempting to use technology in a new way and pervert it to do something wrong. So, and certainly it's going to permeate everything we do to - to get set up correctly. And it'll be in our -- one thing I've said often is that security and management are really two sides of the same coin. Security and availability. A lot of the things you do to make sure that bad actors can't deliberately do something, you also do to make sure that your people can't accidentally do. And so there's an awful lot of things that we're -- we're going to be able to do in that space as well.

Ann Johnson: That's fantastic. And, you know, I spent a lot of time thinking about the ecosystem, and you and I have talked about security management identity as all things that are important to us, but also the belief that it's a team sport, right? And that public-private partnership is important. And us developing an ecosystem with startups, the enterprise security community is also important. How do you think about that? How do you think of all of this coming together for collect defense?

Charlie Bell: Well, you nailed it, Ann. It's -- again, it was what made me excited to come to Microsoft. And I go back when I did my startup back in the mid-90s, I knew that I would need to work -- I mean, you know, we're a startup, we're going to work on some technology platform. We're not going to try to rewrite operating systems and all that. And thought about a few companies. And then I started talking to Microsoft, but we were a Microsoft partner. Everything we built, we went from Oracle, we were all Oracle experts, we built everything on Microsoft technology. Why? Because Microsoft by its nature was open to working closely with startups and other companies, and it's been that way ever. And so in security, it's so important because the space is so vast. As I said, it's the biggest problem. And, in fact, I think we talk sometimes about the economic loss that happens in the security space. It's like $6 trillion a year, which if it were a GDP, it would be, like, the third largest GDP. It would be actually bigger than Japan and growing faster than India, which is the fastest growing GDP in the top 20. And so when you think about the landscape, how big this is and how much help needs to be brought to the problem, it's not going to happen from one company. You know, Microsoft isn't going to be the answer. It needs leaders and it needs some ability to bring people together because of the fragmentation problem we were talking about. It doesn't mean that you need one provider. It is going to take a team. By the way, partnership with government, incredibly important. I think the work we do worldwide with different government entities and also the laws and how we -- how we make sure that bad actors don't persist out there I think are really important. But it's a partnership of government, of organizations, large companies, you know, we work closely with the financial services because they're a really important part of the infrastructure, power infrastructure, and all of the ecosystem of ISPs and systems integrators and service providers. It takes the community to really -- and it is our advantage, by the way. There's more of us than there are of the bad actors, if we actually work together and we don't let them pick us off one by one.

Ann Johnson: Yeah, I think that's right and I think only together, right, are we going to solve this problem. No one can -- as you said, it's a huge landscape and no one can do it alone. Well, Charlie, I want to thank you for chatting with me. I know how busy you are. And despite the rise in cybercrime, I'm always an optimistic, right? I believe cyber defenders are more often than not multiple steps ahead of the bad guys. I try to be incredibly optimistic, and that's why I get out of bed every day and do what I do. And I know you are, too. So, as we wrap, I would love to hear why you're a security optimist and what is your perspective on how we continue to come together and defend our digital world?

Charlie Bell: Well, I am. And that's why I got into it. If I thought it was a lost cause, I'd probably spend my time on something else. But I think partly because of this change, we're seeing a lot of capability from cloud and huge changes in what we can do with AI. And that's been apparent for a while. And so I think that, like I said, I think the asymmetry is changing. I think that -- that we do have the data advantage and we certainly have the AI advantage because of that. And so I think inevitably we'll get ahead of it. The question is how fast can we get to this better world? I mean, you think about it, like, I saw some estimates that said by 2030, if we don't turn the tide on this, you'll see the take being bigger than the US economy. And the world just has too many problems, you know, to go solve to be wasting our resource this way. I mean, imagine what $6 trillion dollars a year would do for climate change, for sequestering carbon or something like that. So we've just got a lot better things to spend our time and effort on. And I feel good. The defenders as a community, as an ecosystem, that we're going to turn this around and it's eventually -- it's going to be something most people just -- most of the bad actors just don't want to waste their time doing it. They'll do something a little more useful.

Ann Johnson: Completely and totally agree. And it's one of the reasons AI is so important because we do need to close that staffing gap. And one of the ways we can close it is by automating everything so that by 2030 we're not in that position. Charlie, thank you so much again for taking the time to join me today.

Charlie Bell: Thanks for having me. I really appreciate it.

Ann Johnson: And many thanks to our audience for listening. Join us next time on Afternoon Cyber Tea. It was an easy decision to invite Charlie Bell to be on Afternoon Cyber Tea. Charlie is leading the entirety of the Microsoft security division. He's responsible for everything, and his vision and the way he works and his optimism and his philosophy, he's just this incredibly talented executive who always brings the right attitude and perspective to the work, and it was an engaging conversation. I know the audience will love it.

[ Bright piano playing ]