Podcasts
Security Unlocked: CISO Series with Bret Arsenault
Ep 3
Security Unlocked: CISO Series with Bret Arsenault 6.9.21
Ep 3 | 6.9.21

The Human Side of Hybrid Work with Amy Coleman

Show Notes
Transcript

Announcer: You're listening to the Cyberwire network.

Bret Arsenault: Hi. I'm Bret Arsenault, chief information security officer at a little company called Microsoft. Recently I was approached by some customers who were really struggling with the complexities of the security threat landscape. In particular just looking for practical advice. With the increase in threats, with the changing landscape in digital transformation that's going on, people are really trying to understand from experts what could they do practically that would actually help them in this new threat landscape we're living in today.

I realize how fortunate I am to have met with some of the sharpest minds on this topic, whether it's competitors, vendors, internal Microsoft people, government people, who all share a vision for a mission on how to better protect ourselves. This created an opportunity to take some of those learnings and share them in this podcast series. Hopefully you'll find this interesting, I know I'll learn a lot from it.

Bret Arsenault: Welcome to the podcast, Amy Coleman.

Amy Coleman: Thanks Bret, I'm thrilled to be here.

Bret Arsenault: I can't think of a more interesting topic, obviously with everything going on with Covid and people in many parts of the world returning to work, and we always think about this and people processing technology. In my role, a lot of times, I'm cast as just a technologist but, obviously, being part of the Covid team we think about our people, in particular, as one of the most critical assets we have in any company, but certainly here at Microsoft.

And so, as we think about both when Covid first happened, and we were sending people home and the return to work place, how do we keep people productive, secure and healthy? It's such a key part for us. And I couldn't think of a better person to talk to than you, Amy, from HR, and how we think about our people and make sure we do all those things and all the lessons we've learned and, I mean, you've been amazing in leading this effort and as part of the Covid response team. So, just was really excited to talk to you about it.

Amy Coleman: Thanks Brad I'm happy to be here and happy to know that people are on top of your mind over less than security and other things. But yes, thrilled to be here and it's been great to be working with you and your team through the Covid response.

Bret Arsenault: Yes, exactly, exactly. When I took the role from the product team to this side of the business we did say crisis management should report into the function. Because, how you respond to a crisis for a security event or a natural disaster or even pandemic was part of the planning, there's a set of consistent things you have to go do, a set of of principles we guide ourselves to. 

So, I think that's been super-helpful. I think about your role, and when you go back to January, 2020 even December when you first started seeing some of these things, maybe just play back, from your perspective a little bit, on what were the initial conversations like and what you were thinking about representing all the people for the company?

Amy Coleman: Yes, it's a good question. It's like many other things that this company, how did, how did I find myself in the middle of this response team and what was it like back then now that we're, I don't know, 15 months, 14 months from there. And, I remember the day, as we were starting to, if I think back to the, the time frame as we were starting to think through sending all of our employees home, which you know what the scale,140,000. I don't know exactly the number. We were out across a hundred plus countries sending everybody home or sheltering in place. Sending them from the office is probably more, a more accurate description. 

And, I remember getting a call from one of my favorite attorneys saying, "Hey, we have this team that's come together that I think you need to be a part of. There's various people in HR including our public health expert, but there's nobody sort of pulling together. What is the HR response going to be and all the issues we're going to have with all the movement of people and could you join this team."

Amy Coleman: Little did I know, it would become a bit of a full time job, but if I get myself back to that place I think about the scale in which we were trying to do this. So that's how we, we sort of formed this team that came from across functional parts of the company, from real estate and security, from HR, from our legal partners, and, obviously, a lot of people brought on your team. 

We started to come together to deal with not only sending everybody outside the office or home from the office, but then what and now what? How do we keep our employees safe and healthy? So it was a, it was a big undertaking if I really kind of look back, which I haven't, quite honestly, done a lot of reflection just yet, since we are still in a pandemic state, literally, across the globe.

Bret Arsenault: You know we had people move to working remotely in the 48 hour window and I remember our CFO said, "Hey, how do we make sure people are being productive?" That turned out to be a lot easier than people returning to the work place, because it's like everybody in mass essentially for us in 48 hours to varying locations, countries, styles, etc., for how people are returning to work place is very, very much more fragmented.

So, how did we make the decision? What is our current policy, as in bringing people back? Because you hear about this flex work time and flex location and so maybe a little bit of the thought process, because you guys really drove the new model we're working towards.

Amy Coleman: It sounds kind of crazy, but we really relied on maintaining our culture through this. Who do we want to be? Who are we now? Who do we want to be in the future? Where do we want to be on the flexibility scale? Some of the things that you know well, Bret, we relied a lot on the work place stages so we could clearly communicate when people could start coming back. 

I think that was the initial question is, is when can people start coming back and why can they? And so, all of the data, the health data and the metrics and then the regulations and the policies that they need to go. So our stages gave us a way to communicate that out to employees and leaders. And then, we could dial back and dial forward, and so, that gave us clarity, and then, we needed to find the stages in that.

Amy Coleman: And now, we're at that place where we're really looking, we're facing, in the next couple of months, where most employees may come back in some way shape or form. So how are we thinking through what really is hybrid? I think the way that I look at it is really and you talked about it, that people, we have a physical spaces, places and people and processes, is some of the ways that we're really looking at it. And, on the people side, we're starting with policies and, and we're starting with principles about how do we look at flexibility? How do we look at remote work? What are our beliefs about where employees are most engaged?

Amy Coleman: The interesting thing about this pandemic is it really cracked the world open to say, "Hey, our employees can be more productive or be as productive if they're most engaged, and if you live and work where you're most engaged, we will get more discretionary effort, we will get more engaged employees.

We started with some of those principles and, maybe, those are more beliefs, and then, we started to build what our policies on the ground and, and, as you know Bret, that's when it gets super-complicated, because of the breadth of our businesses, because of the breadth of our reach of the globe. And now, we're starting to really work on how is it going to work? Literally. What are the practices.

Amy Coleman: We spend a lot of time on the tactics to say, okay, when somebody comes in what do we think about shared offices? What do we think about open space? What are our employees saying? How are we listening and responding? So, I think there's a, there's a lot of things in our...we've just started to share our hybrid play book as many companies have. Because I think, this hybrid along with the pandemic really transcends competition, so we're all trying to share with one another how we're going to crack this hybrid paradox and really get it right. 

We have an amazing workforce who are amazingly happy in a, in a perfect world.

Bret Arsenault: Yes, no, it's, totally get it. I'm curious because you mentioned the work place stages. Can you just share, for people who don't know what that is, what those stages are?

Amy Coleman: The principles behind it is, since employees have unique ability to continue working form home like you said, Brett, because we are privileged here on tech on that, on that front, and I'm, I'm generalizing with most employees. We know we have a lot that are essential workers that needed, and have never left the office.

But, the plan was really to slowly ease back into the workplace, to ensure that our essential on-site workers are kept safe, while we're also supporting the communities in which we work to recover quickly. So, we have six stages on the dial and, to really support this hybrid approach, we rolled those out so employees and leaders could understand that.

Amy Coleman: So, stage one if closed, so really only securities on-site. Stage two is mandatory work from home unless you're an essential employee. Stage three was working from home and strongly encouraged. Stage four soft opening. Stage five is open with restrictions, and stage six is open.

We've modified that as we've learned more about Covid, how it actually reproduces the different variants. So, again, that public health team, the data scientists, have really helped us think through keeping employee health and safety top of mind in all these different stages.

Bret Arsenault: Yes, it's super-helpful. I think that, obviously, we've talked a number of companies, like you said, because the pandemic sure transcends competitive nature and sharing how we can...the rising tide lifts all boats in these scenarios. Speaking of the global nature and the variations both in regulation but also in health status of different locations.

Now, I think a good example I think [SPECIALIST TERMINOLOGY] in the, in the stuff we were doing, our CEO mentioned that, in China for example, 81% of our employees are going back to the work site three plus days per week compared to pre-pandemic time, and I get to look at these numbers every week, and then, in Australia, in personal attendance is just 19% of what it was pre-pandemic.

Bret Arsenault: And so, were you have similar stages but very different culture, different views on how to go do that work force. Little bit, if we could, just how you think about that relative to, obviously, one size doesn't fit al,l but I'd love to hear your thoughts on where the cultural attributes are and, and how we support that?

Amy Coleman: I mean, you said it well. Flexibility, this is, in my simple brain, I look a little bit at as, the same as the, I don't know, maybe, Bret, a decade ago, we started to try to define what work-life balance meant, and then, we realized quite quickly it means something different to everybody depending on all of the parts of your identity and all of the parts of your life, and so, I think flexibility is in, kind of, that same category where it's really hard to define what it means. It could mean something, for me, it could mean that I have the flexibility to go do something but I'm willing to work whatever hours it takes to do my job. For somebody else it might mean that I stop work at a certain time.

Amy Coleman: For somebody else it might mean that I live near the community that I most identify with. So, I think we're finding that it's really hard to define, so listening to our employees is our best bet in helping us to find, at least, the, the groups of flexibility that we're starting to think through. So, I think about those is, that the dimensions you probably saw on the hyper play book which is about work hours, work places, and work types.

And so, again it's not a one size fits all approach, but we can categorize some of these things to really harness what can we do about it? And, also, we've learned a lot, Bret. You know this, we've learned a lot about, okay what do we lose if everybody scatters across the world and works wherever they want to? [SPECIALIST TERMINOLOGY] has talked a lot about burning social capital. So we've also done a lot of work with the future of work team to try to understand.

Amy Coleman: But, when is it most important to be together and when is it okay to all in different places, but we're all on teams together? And so, we're, we're learning a lot about what flexibility really mean, both at the individual level, at the team level, the business level, and on the company level. 

And, I think we'll continue to learn more. The one thing that I tell all of my HR peers is how do you listen to your listening systems? I mean, we are so lucky to have so many people analytics arms. And, Bret, you know that we're, we're always trying to figure out where all of the information is so we can bring it together. But, how do you hear from your employers, how do you mind the data that your employers leave in the system and in an appropriate way?

Amy Coleman: And then, how do you get insights from all of those, so we can actually make policies and practices and places and processes that work for our employees. 

It's, it's going to be a continuing challenge about what flexibility is. But, I think we're in a buyer's market here. The talent is going to decide its terms. Our current talent and our future candidates, so we've got to get flexibility to a place where people see their ability to work in whatever way they can in the business and the roll that they're in that works best for them.

Bret Arsenault: Yes, it's interesting. I love the way you phrase that around the, you always refer to the digital empathy or the listening systems we've built, that are, one , built inherently into the tools, the systems we have. But then, secondarily, I know we did a lot of different survey things as well. And I, I think there's a couple good examples. As a good example of the things that we do in technology is we look at pull requests or code check ins as a, as a unit of work of productivity.

And we would see during the shelter and place period that number kept going up. And so, we actually saw people doing more check-ins and then we got worried about, well this is not right, people should be taking more time. We're worried about them taking time off, and then, when you actually went past the data which showed pull request, You would see things like, no, it's my way of coping. It keeps me from either watching the news, or whatever it might be.

Bret Arsenault: But, for some people, it was their escape mechanism. I think it's really, has really challenged what inclusive thinking really is. And, really trying to understand what people are doing. 

That would be a really good segway on this digital list thing, since there's two things. There's some of the things we've done in product like workplace analytics. But, you obviously run a massive survey system on a global level to try to understanding keep your finger on the pulse of what's happening, how are people feeling? Any insights from the share with listeners on when to survey and when to use analytics built-in detect?

Amy Coleman: Yes, it's a great question and I'm lucky enough to work alongside a bunch of super-smart data scientists and analytics that have folks that, along with some of the workplace analytics that you mentioned, that can get sentiment. 

So, there's a couple of ways that we've been thinking about it, which is, do we see a trend? Maybe, using your example of workplace analytics. Do we see a trend on something about how many quiet days or how many non-meeting days do you have? And then, can we use that trend and get employees sentiment around burnout if we have a hypothesis about burnout?

Amy Coleman: Which I know everybody's talking about in the last year now is how, how digitally exhausted people are. Video exhaustion, the term, sort of, living at work has, it used to be like, "Oh you slept on the couch if you had a big deliverable the next day." Now work is everywhere.

And so, I, I think we've found a lot of power in having hypothesis and then getting employees sentiment. And, and Brett you know this, that the challenges, what's your end size? Who's responding? What's the signal amongst the noise? And so, I think in HR, we spend a lot of time on that ladder one. What's the signal amongst the noise? And how do we not over-survey?

Amy Coleman: As you know, we have many surveys that, by culture, by region, they want to know something more. But we're really trying to get it to a place where we can have it the company level and, and not get survey exhaustion as well. But, that's been one of the most powerful parts of being able to address different communities, acute needs. And, like people with kids at home. That's how we figured out really quickly that that was an acute need in our community. How could we help?

And, wellbeing has become something that's super top of mind and now a lot of that came from our listening system and trying to figure out that signal.

Bret Arsenault: Yes, actually. [LAUGHS]. Now you're hearkening back. I remember when I first started the company I think that's when the earth cooled but it's-- I remember, I remember them giving me, my boss said, "Hey, the cool part is, we're going to let you expense the sleeping mat from REI." And, I thought that was so cool. Then someone said, "That's cool. Like, how is that cool that they expect you to sleep in the office?" 

That was 30 years ago, we're not that company now, but it's like I thought that was the coolest thing. I was going to get to expense my sleeping mat.

Amy Coleman: Right, the more things change the more they stay the same, I guess.

Bret Arsenault: Yes, yes, it's just pretty amazing. But, I think that listening system that you said, the one thing is that we learned a lot of things. So, I think this has been a...this day's been amazing and we had telemetry on things like how many meetings people are having, and were they shorter or longer? How many hours a day? Two party calls which is, that's a person using teams to just call one other person, which is a replacement for the hallway conversations that used to happen when we were on premise.

How did you see that play out, relative to, for example, individual contributors versus managers?

Amy Coleman: I think managers, in general, was a really interesting community that you and I could talk for hours about and the impact of, of Covid, the pandemic, what we rely on managers and, and the company for. I think we saw and, and Bret you have the data, we saw a definite additional pressure on managers and additional increase of responsibility and time. And then, therefore, an additional burnout that the managers were having. 

And, I think that it came from a lot of different things, some of which is you've talked about meetings, that's a big one. Without the ability to do drop by, pick up the phone. Everything had to be schedules, everything had to be meetings. We also were asking our managers, really early on, and it's something that I don't think we would change because they're such an important community.

Amy Coleman: But, as I mentioned at the very beginning, we asked, we had leaders that were coming out and communicating for clarity, to reduce uncertainty, to increase trust. But, but you know, at the company as big as we are, when we still try to do personal leadership at skill we really, your day to day work is most impacted by your manager.

So, we were also, at the same time, asking managers to really lean in to their employees. And, we used that, the model coach and care as our principles around management. But, we really put that huge emphasis on care. So, we saw managers having a lot more work because they were doing check-ins with their employees. They were seeing how they were doing, they were, they were just leaning in much harder than they ever have. Not only for, for the work and the deliverables, but, "Are you doing okay, is there anything I can do for you?"

Amy Coleman: Checking in on your mental health, on your wellbeing, on, "Is your family okay?" So, we saw an additional burden really early on in the managers. Like you said, with, with the data and some of the analytics we saw, but we also then quickly put in some support for managers to try to get them resources really quickly. Things like check-ins and team agreements, really simple things to help managers.

Okay, maybe I don't, maybe it's not really clear to me how I go check in with my organization. So we're, so we were giving him some resources to help do that. But managers were our key community in the, the every day sort of wellness and wellbeing of our employees.

Bret Arsenault: How does that transition though now, if we're going to have this remote work for us, more remote, more flexible than, than we were in the past. I think to your point around flexible and time flexible in location, flexible in role. I think that's going to be another thing that managers in other skill sets so how are we thinking about training managers for that?

Amy Coleman: It's a great question about, okay, so what is the manager role look like in hybrid? And, I think...our hypothesis is it's, it's even more important than it was prior to the pandemic, that managers are the most important relationship to help foster a feeling of connectedness. And, as you know, Bret, connectedness then gives you a whole bunch of other benefits as both as an employee and, and from the company perspective.

So, for managers we're, we're trying to help give them, not just training but learning, and, sort of, this bite size learning around how do you think about hybrid meetings? How do you think about inclusion and hybrid? How do you make agreements? Because it can't be all alone on the employee to say, "Okay, this is what I, this is what flexibility means to me." They're part of a team, they're part of an organization, they have a role.

Amy Coleman: So, the manager does have an ability to say, "Let's make some agreements about what it's going to mean to be flexible in this team." And, and things like, let's say we're all local. I don't even know if there's any teams like that any more. But, maybe, we say that we all come together on Mondays. And so, that's part of our team agreement. And, maybe, some of our other team agreements are, we always have somebody in the meeting with us to, that's the inclusion ambassador or the facilitator to make sure everybody's got their voice heard.

Maybe, another agreement could be, we don't start talking about our weekends until we start teams in the room. So, that, that building social capital that, Bret you and I walk into the meeting room together, the folks that don't actually sit in the building that we sit in, or may, they may have chosen to work from home, they get the benefit of, "Hey, how was your weekend? What did you do?" And so, that building those relationships.

Amy Coleman: So there's lot of ways that we're going to start working with managers. We also have to be, I think as a company, really supportive of how difficult the role of the manager is. I think, I think we've changed our narrative a bit so, how can we continue to help support them and give them resources they need? And, give them a place to call when they're not exactly sure that to do.

Things have gotten really, conversations have gotten complex, the world has gotten, I mean, let alone the pandemic that, if you think about what happened around the world in the last 15 months, it's gotten to be a very complicated place. Because everything that happens out there is also happening inside the company. And so, our managers have big workloads, we're trying our best to help support them.

Bret Arsenault: Yes, I think you're, frankly, just some of the social injustice on top of the pandemic was really a taxing issue for managers, for sure, just in terms of knowing how to respond and what to do and their own personal dealings with all those things are, are pretty significant.

Now this is a part in the podcast where I get to have a lot of fun.

Amy Coleman: Oh boy!

Bret Arsenault: Yes, exactly. So, number one, this is just more, this is simple. What is the current book you're reading and any that you would recommend from reading recently?

Amy Coleman: I don't know if you know this about me, Brett, but I'm always reading multiple books. I don't know if it's something about, I don't know if people do that. I should ask people. But I usually--

Bret Arsenault: Actually, a lot of people do it's, it's a-- yes, you have the perspicacity to pull it off. I could, I could barely focus on that. So, good for you.

Amy Coleman: Well let me tell you, it'll be death by multi-tasking, is going to be my demise some day. But, I usually try to read something that, that aligns to my profession, at the same time that I read something that's, that are fiction or an auto biography. So, right now, I'm reading Adam Grant's book called Think Again. Which, ironically, is about unlearning change and re-framing. I talk to employees about that, like that, how do you re-frame your dream?

And, It's so interesting, during the pandemic, because we're all kind of re-framing what life is, what is work? So, there's some irony there. And then, I just started a fiction book called Land Slide, which is a novel about a family on the brink. I think of those two together and I thought, they're kind of a sad combination. [LAUGHS].

Amy Coleman: But, they're sort of, they, sort of, match the pandemic. So, unlearning change and people on the brink. So, anyway, that's what I've got in my books. I don't know, what are you reading, Bret?

Bret Arsenault: Oh, you don't get to ask me questions. That's the best part of this.

Yes, as far as the book I'm currently reading, which I will say reading slowly, is Michael Singer who wrote the Surrender Experiment, which is a really great book given to me by one of my favorite people at Microsoft and it really is regarding about letting go and just running with the energy that's happening at the time. And so, as a security practitioner, we have this idea of create energy. This is one that there's both types of energy. And so, this is one that's just helping think about how to make that thing go forward.

Bret Arsenault: So, this is the thing that, from a practitioner perspective, and, again, your unique perspective on this from the people in HR and even the process side, I think, is fascinating.

So, if you were talking to a fellow HR friend, or, or another business and they were saying, "Well we're putting together a hybrid plan." What would be the three things you would, practically, tell them to go start on?

Amy Coleman: Good question. Number one, may not be super, when it comes to practiced, practically in tactics, but I would say having, you could either say, growth mind-set, Bret, like you said, or having a learning mindset or learner mindset, is absolutely foundation for forward momentum on this stuff.

I've had to challenge a whole bunch of things that I've thought that I felt. I've had to challenge a whole bunch of things that the company has. It's really interesting to think about now, as people are starting to return, to think about a plan for returning to the work site, and our muscle memory is super-strong, right?

Amy Coleman: All of a sudden you, you're, you can even visualize, things are going to look the way they used to look. And, there's no going back, and so, let's take this as an incredible opportunity to be part of one of those companies that, not only, is successful hybrid, but can define what the future work looks like. 

So, it's going to be constantly, I would say, constantly check your biases, check your mind set, check how you feel about people working from different places. Check about hiring. There's a lot of things about really having a growth mindset to, to push forward.

Amy Coleman: The second one, I would say, is listen with empathy, and you know this, Bret. You've been talking about as a leader, and what they used to term as soft skills, which I don't think is actually, I think they're much harder [LAUGHS] than the the technical skills of leadership. But, but really listening with empathy. How do you, how do you hear? How to put yourself in someone else's shoes? How do you understand? I think that's, that's super-key. 

And then, the third one is really about the power of modeling. Someone like you, Bret, your shadow casts long at the company, so everything you do everyone's watching, which is a bit of a blessing and a curse. So, how do you really model inclusion and things like that.

Bret Arsenault: So that's great, Amy. I think what I heard you say, just in summary, is that, one, make sure the leadership team has a principled view on growth mindset, and what the future can look like, not just what do we come back to, but what does the future look like for the company, and be aligned on that.

Number two, make sure that people have built in and designed a system that has the empathy required to continue to learn and drive those kinds of things and we refer to it as digital empathy. And then, number three, the importance of modeling and how critical that's going to be for leaders, managers and IC's, that they continue to model the behaviors that go back to point number one.

Amy Coleman: Since you've gotten all the opportunity to ask me questions, I'd love to, I mean, there's a big security element. I talk about process and people a lot, but I'd love to hear from you. What's on your mind after hearing from the people angle, from the security angle?

Bret Arsenault: But, you didn't really get these roles or responsibilities. I know that's big in HR. I'm the interviewer, I get to ask the questions. [LAUGHS]. But I think it's a great question. No actually, seriously it's a, it's a really good question. I think for us and security practitioners yes, having people work not in the buildings in that scenario did create a certain set of risks and profiles that we had to manage to ensure we could, again, keep people productive, but also secure and healthy. And, I think we've covered a lot on the idea about productive and, and healthy. 

On the secure side, we did a podcast with Mark Kosanovich and also with Emma Smith from Vodafone on just the concept of zero trust. And, luckily, in our scenario, five years ago we had started that model where we just assumed you were in on a corporate network anyway. And, we assumed breach, so we largely, for us, even, despite the going to over 97% remote work force, we only had to make a one percent budget change in our VPN capacity, because we'd already design for a system like that.

Bret Arsenault: But, I think it's totally fair. I think there's some physical security aspects that we, in the hybrid workplace guide, we walk through what the security aspects are. So, yes, I think we were fortunate we'd been working on it, and there's some best practices there that people can call into the other podcasts or they can take a look at that paper, and I think that will be great.

I would also say, it's super-important for the security team to stay closely and tightly interlocked with the HR team. And so, I think that's been a super-good thing for us to go do. So while [LAUGHS] I appreciate the ongoing partnership that we've had and thank you for everything you've done both for Microsoft and the security team.

Amy Coleman: Likewise, my friend. It's been a pleasure.

Bret Arsenault: Thank you so much.

Bret Arsenault: Thanks for listening. I look forward to our next episode. Remember, stay safe, and stay secure.

Female voice: Security Unlocked. CISO series with Bret Arsenault is produced by Microsoft and distributed as a part of the CyberWire Network.

Security Unlocked: CISO Series with Bret Arsenault
Podcast Info
HOST(S):
Bret Arsenault
As Microsoft's Chief Information Security Officer, Bret Arsenault keeps Microsoft's data secure from cyber-threats, while ensuring compliance with evolving regulations. Bret leads crisis management, business continuity and resilience for Microsoft, including its Covid-19 response program. He is Chairman of Microsoft's Information Risk Management Council, advises Fortune 100 leaders and boards and is a founding member of Security 50 and the Executive Security Action Forum (ESAF).
Schedule: Wednesdays (biweekly)
Credits: Executive Producer is Bruce Bracken, Co-Executive Producers are Kathleen Kearney and Nic Fillingham, Producer is Rob Petrillo, Production Manager is Max Solomon, and our Audio Engineer (and magician) is none other than The Great Rich Cerbini.
Creator: Microsoft