Uncovering Hidden Risks 7.27.22
Ep 1 | 7.27.22

Transitioning to a Holistic Approach to Data Protection


Erica Toelle: Hello, and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview team. And now let's get into this week's episode.

Erica Toelle: Hi, everyone, and welcome to the first episode of the newly relaunched "Uncovering Hidden Risks" podcast. My name is Erica Toelle, and I'm your host. And I'd like to introduce our guest host today, Talhah. 

Talhah Mir: Yeah, so great to be here, Erica. I really, really appreciate you inviting me on this podcast as a host. As you know, I had a chance to do the last version of "Uncovering Hidden Risks" with Roman. Great to see this thing continue through - really, really excited to be here. I'm a PM on the insider risk management team and actually was part of Bret's organization for a couple of years, had a bunch of things in his organization until he finally got sick of me and booted me out. So we'll get a chance to talk to him - really excited about that, so thank you, Erica. 

Erica Toelle: Yeah, I'm so excited you could be our guest host for today because, you know, like you mentioned, you were the host of the v.1 version of this podcast. And now that we're rebooting it, it's just so perfect and fitting to have you join us for the first episode. Maybe with that, we could go through the podcast concept a little bit and then explain the guest host. 

Talhah Mir: Yeah, let's do it. 

Erica Toelle: "Uncovering Hidden Risks" is a podcast to elevate the conversation beyond just compliance and classifications. We'll examine the end-to-end data protection story across an organization, including people, places, processes and products. The risk landscape for organizations has changed significantly in the past few years. Traditional ways of identifying and mitigating risks simply don't work. While traditionally organizations have focused on external threats, risks from within the organization are just as prevalent and harmful. These risks could include unprotected and ungoverned data, insiders doing or saying things that they shouldn't, as well as ever-changing regulations. 

Erica Toelle: With more than 300 million people working remotely, data is being created, accessed, shared and stored outside of the traditional boundaries of business. Enterprises need to move quickly to a holistic approach to data protection and reduce their overall risk. This means extending data protection across all aspects of a business, including people, places, processes and products. Risk and security practitioners will benefit from an end-to-end data governance solution to help protect data, manage risks and satisfy regulatory requirements. This podcast explores how to introduce a comprehensive approach to data protection within your organization, and each episode will feature a different guest to help us examine these themes. 

Talhah Mir: Yeah, and I love this idea of a guest host, by the way, Erica. I think this whole idea of bringing not just different guests that can provide a different set of perspectives on what we're looking to do and get into, but also having different guest hosts can provide diverse perspectives on where to dig in to, what kind of questions to ask and how to frame things up and whatnot. So I'm really, really excited about this, Erica. I couldn't be more excited about getting this thing going, and appreciate you having me on for the first one, Erica. 

Erica Toelle: Perfect. Thank you. So with that, let's go ahead and introduce our guest host for today, Bret Arsenault. So the first step towards digital transformation isn't solely about technology. It's getting people to embrace the right mindset. Bret Arsenault has a career-long reputation for turning technical knowledge and insight into action. His future-forward, global perspective makes him a sought-after advisor for hundreds of companies every year. He has worked with numerous boards over the course of his career in the fields of finance, oil and gas, health care and technology, including 50 of the Global 500. Bret, thank you so much for joining us today on the podcast.

Bret Arsenault: Thanks, Erica. I'm super excited to be here. Obviously, it's an important topic, and I'm honored that you and Talhah would both consider me a person worthy of doing this podcast. So thank you. 

Erica Toelle: It's great to have you kick off the first episode. With that, let's go ahead and dive into the first question. I'm curious. So much has changed in the past few years. How do you view the data protection landscape these days, and what risks do you see for other CISOs? 

Bret Arsenault: Yeah, I think, you know, in my role as CISO at Microsoft, I obviously have accountability for protecting the assets of the company, and I also have crisis response and resilience. So it's a pretty fascinating time for the role. It's an interesting time for the industry. And certainly to your comment, I mean, I think if we look at trends, this proliferation of data at a time when you want people to be both protected and productive is really, really important. And I think, you know, depending on which, you know, statistic you look at, whether it's 180 or 190 or 163 zettabytes, all I know is that's a lot of data. And so how do you protect the data but still ensure people are productive is one of the most important things we need to answer. And it's exacerbated by the current situation, which is the remote workforce, 'cause we've seen about 60% of organizations will say that they've had an issue because of a gap in their security posture because of the remote workforce, which is - you know, as we know in a post-pandemic world, we've seen a really large increase in that kind of workforce. And if people haven't adopted a zero-trust strategy, they tend to have more risk in a remote workforce than the companies that have. So we need to make sure we plan and account for both of those scenarios. 

Talhah Mir: So digging into that a little bit more, Bret, what trends do you see specifically to data protection or around data protection specifically? 

Bret Arsenault: So I think if you take the scenario I was mentioning where you have larger data set, more desire to be profitable and certainly with the economic times and doing it in a way that is economically viable, one of the trends that I think we see is an increasing scenario where we see insider threat. And that is becoming harder and harder to - for many companies to detect because of the remote scenario that we generally think of. And so I think if I was to look at it and when we look at the analysis for how we do things, about 25% of the breaches that we see today have some involvement with an insider. So you really need to make sure you're focusing on the insider threat side of the problem, which I think is huge. And then there's this funny tension between risks, like insider risks, protection, and then lastly, compliance, because there's so much in our requirement to do compliance. And in some ways, they create an unhealthy tension; in some cases they create a healthy tension. There are about at least 100 new regulations coming up. We see on a daily basis about 250 updates from the existing regulations. 

Bret Arsenault: So how do you keep up and make sure you can measure and assert your compliance with those regulations in a way that isn't impacting the ability for people to be productive, or taking on more operational expenses you need to go do? It's a large data set to go deal with. So when I think about the protection side of the problem, the risk side of the problem, the compliance side of the problem - those three create a pretty interesting tension to continue to work through. And it has to be done at scale. Like, if you just think of the numbers I just provided - whether it's regulatory changes, insider threat issues or just data proliferation - if you can't do it at scale, it's not - there's no economically viable way to do it, unless you can do this at scale. 

Erica Toelle: Bret, you just listed a lot of great data protection issues that are top of mind for you. What advice would you give to your peers that are starting to think about how to tackle these issues? 

Bret Arsenault: Yeah, I think, as I said at the beginning, there's both a healthy and an unhealthy tension in this. And the most important thing is to take a holistic approach, not just think of it as a set of separate pieces or processes you have to go do. So when you create a program that does data identification and data protection, it evaluates that against the risks you're trying to mitigate against and, more importantly, what's the business value you're really trying to go drive. And I think a lot of people just think of it as a set of controls as opposed to a business value statement. That's one thing I think that's important to say.

Bret Arsenault: The other thing I'd say is you have to think about it within the bounds of the context of the culture of the company you're in. And so what is the culture, the ethos, you're trying to build in your company - which is protecting the assets of your organization, but perhaps more importantly, the assets and the protection of the customers and the stakeholders you have that you work with every day. And so at that point, again, it becomes a business enabler. In many cases, it can actually become a differentiator for you relative to other people that are working in the business. So what's the value? What's the differentiation of doing this versus what's the penalty for doing those kinds of things? - I think is a pretty important thing to think about as we look about that, as we look at that space. 

Bret Arsenault: The other thing is I do think there are parts of it - like, it can be overwhelming to look at the whole problem, like, as I mentioned on the regulation piece or the data size. And putting data protection on all data is an interesting scenario. Like, you really need to think about the tiering of what's, you know, highly sensitive, sensitive, etc. - whatever parlance you use. But putting a set of controls on data that's deemed to be public - which is probably more than 80% of most customers' data - doesn't really make a lot of sense. You're putting a lot of controls and a lot of overhead on it. So don't do that. Really tier the data and think about which ones you have to act on that are the highest risk first. And that makes it a much more consumable problem when you go through that space. So I think ensuring you're thinking about that is important.

Bret Arsenault: And secondarily, probably a thing that I've probably invested more in and learned from in the last seven years is how to do it through automation. If I have to count on the user to do the right thing, then I'm not going to - I won't have a scalable solution. I need technology. I need to use the learning algorithms - and whether it's artificial intelligence or machine learning or any other capability. Those have to actually be the thing that helps you with your identification and classification and labeling because otherwise you're just counting on a nonscalable (ph) entity, which is human touch. And so I'd rather have humans override and provide the virtuous cycle that makes the automation work better but not be focused on the fact that I just need every person to go do some specific task or action. 

Talhah Mir: So, Bret, I love that. That makes a lot of sense. That's what we hear from customers as well around automation and being able to scale up that problem. 

Bret Arsenault: Yeah. 

Talhah Mir: I'd love to kind of dig in a little bit and get your perspective on how much automation, right? Is it - you want 100% of your business processes automated or your detections automated? Is it 80%? Is it 60%? How do you think about the right balance to achieve, so you can make the kind of scale investments that you need to make? 

Bret Arsenault: That's a really good question, Talhah. I mean, honestly, I think there's this view that these things are binary, like, 100% automated or 100% manual. And the reality is it's a sliding scale. And you sort of alluded to it, but it's important - some things you can automate 100%, like the idea of labeling. Is labeling 100%? No, but it should be, certainly at this point with the corpuses of data we have and cloud capabilities. You should be able to get to 80 - you - just live the 80-20 rule. Can you get to 80% automation? And then what things can't be automated? So much like in a SOC, it's the same thing when we think about investigations or insider risk. You have both your legal department and your HR department involved. And at some point, you want to be able to get to - they need to go look in and understand, is this a real risk or is this, you know, a benign positive or whatever it might be? But the more automation you do to hand that package over in a way that they can actually go run at scale is great. And then you want to measure it and say, OK, great. I took out this much manual part by doing these pieces. Now, what's the next thing you can go do? 

Bret Arsenault: As an example, in many of the operations things we do, the auto casing, or the left side of the problem, is the easiest thing to automate. The take action - what's the closure on that limited side? - is where you have more people hours involved in that. But then over time, you should even see how you can compress that. Are there patterns that do that? So start with this idea of 80-20 rule. And then look at it in each phase - whether it's in inventory, whether it's in protection, whether it's in investigation, whether it's in, you know, the outcome that you want to go drive. But I do think having a thoughtful mind and a process about where you want to do automation to where you get the most return on your investment is important. 

Talhah Mir: I love that. I think the pragmatism of that advice is just superb in terms of just not trying to bite off more than you can chew. Start where you can. Start to automate, and then go towards a reasonable goal. Eighty-twenty's a - I think a fantastic rule set to kind of have. 

Bret Arsenault: Well, I think it's a - but it's also part of the culture here about the growth mindset, which is if you - like, if you start with something and you say we're going to do it all manually, then you just shouldn't start. You can't start there. So you have to have an idea of what the balance is. But for every person who's working on it from the manual side, they should be thinking about - what things can we automate out of the system? What things can we get through, either learned experience or through machine learning, that will help us in that process? And it turns out there's more you can do than most people understand. But until you start and look at the problem, you just - you may not move off of it. And we did a lot, a lot, a lot of manual work in our original data classification stuff, which I finally stopped and said, we - this is not going to work. It's just - one, it doesn't scale. Two, it's not even effective. So how do I use automation to do a better job and have humans instead do the verification than the heavy lifting, right? 

Erica Toelle: For teams and companies that want to implement an effective data protection strategy, what steps should they take? I mean, it's really hard to know how to get started, how to frame this up. It's a big landscape, like you said before. 

Bret Arsenault: Yeah, it's interesting. I'm not the rocket scientist in this call, so I'll just - I'll go with the simple lessons of threes. That's kind of my model. And so the first thing you have to do is you have to understand your data estate. Like, you can't protect what you don't understand. So you've got to get an understanding of the assets of your entire data estate. And so using tools that will help you go inventory the data you have is really, really the first step, and it's the most important step you need to go to. And I think the key, honestly, is identifying the crown jewels of your entity - of the corporation you're working. That is probably most important. That's the question, like, every board asks. It's not about every piece of data that you protect, but what are the crown jewels of the company you're working in or the organization that you may have? Like, for colleges, it's different than it is for churches is different than it is for enterprises is different than it is for small-medium business. Same is true - it's different for oil and gas than it is for retail as it is for technology companies. But each one of them have a data element or data elements that are the most critical things that they're trying to protect relative to their business. 

Bret Arsenault: And so knowing what those are and understanding your data estate is really, really important. Identify and know what they are. And the next following question is, OK, since you know what the crown jewels of your organization are, what are you doing to protect and oversee the data of those first? Like, get that taken care of 'cause that's the hard problem to go solve. And then lastly, how do you manage the risk and compliance posture against those? Make sure from an end-to-end perspective you're managing it. But more importantly, in my mind, compliance relative to existing regulation is a way to manage point in time looking backwards. You really need to think about what the regulatory landscape looks like going forward so you can see around the corner, mostly to make sure that you have operational efficiencies in the things that are coming 'cause it just - in general, if they created a new rule in another industry or another geography, it rarely has much that's different from any of the other rules. So why are you just going in and recreating the same thing over again and running a bunch of cold control objectives as opposed to mapping against a unified control framework that you already have? The nice part is you already have the answer. All you want to do is map the answer to the - it's like that old game when you had here's a question, here's an answer. If it's the same answer in a different question, awesome. Just map it across it and don't do all that work all over again. And that's how you get operational efficiency. So my three, again, is understand the estate, protect the crown jewels, and then manage the risk in compliance. That would be my simplified three-piece answer to that question, Erica. 

Talhah Mir: So I'd love to dig into this a bit more, Bret. We constantly hear about this from our customers around understanding your data estate. It's foundational, and at the same time, it's not exactly trivial. So I'm sure there's been a lot of learnings that you've had, a lot of challenges you've had to face when you try to tackle this problem of understanding your data estate at Microsoft. So what are some of the things that you can share with our customers on how to go about doing this? 

Bret Arsenault: Well, I think there's a lot of tools, whether from us or other companies, that allow you to automate the inventory of the data that you have, and then really working - and I - you know, again, as I said at the beginning, I have resilience in business continuity and crisis management in my remit. So we have identified the most critical process for the company. We've identified critical applications in business, and we map across those. And we map dependencies. And I think that mapping of dependencies - here's critical data, but it turns out, this data services 17 applications and 13 processes. And knowing that dependency map is really, I think, important because it's not just about the data. What is it really driving in the business outcome you're trying to go do? So, you know, I would leverage most organizations have some continuity resilience planning that has that kind of data associated with it, which really I think is important for - and you can go bottoms up from data up the process tree, or you can go from process to application down the - but you can go either way. I encourage people to do both 'cause you tend to find if you follow the path one way, you may miss something. So that would be one of the big things I would actually do in that space. And then it's really - it's super helpful. And then you may also identify some processes that were more critical that you didn't realize at the time. 

Talhah Mir: Awesome. So process and technology to help you kind of tackle that problem. 

Bret Arsenault: Yeah. I think, you know, in terms of - well, honestly, it's process, people, application, data, right? That's how I sort of think about the problem. 

Talhah Mir: Love it. So once you've got your data estate identified, let's kind of go through the second point that you called out - right? - data protection. So how do you think about balancing your investment across all the different data estate that you have and to apply data protection strategies? How do you kind of balance that across the board? How do you prioritize? 

Bret Arsenault: Well, as I said, I sort of look at a tiering of what the data is that we're trying to go protect. And so whatever the crown jewels are, or the things we're protecting first, working with the businesses to understand - how do we do that in a way that doesn't try to impact the productivity of the users using the data? There are times where it will, though, right? You'll find out we may be oversharing data. And I think that's one of the first questions you have to ask. Is the data overshared? 'Cause that's probably the most common thing that we'll see happen. And it's also - becomes very difficult when you move to the risk management or insider risk management, which is if you didn't have the correct controls in there in the first place and so user didn't know how they were supposed to or not supposed to use the data, that was really broken. So you have to make sure that it's self-evident to them. 

Bret Arsenault: It's also really important that it - the rules that you apply, apply to the data itself - right? - because the data has to be able to move from one system to another. It has to be able to go from, as I said before, applications and processes. And so if the data and the rules associated with protecting it are not integrated with the data itself, then you really can't get the kind of scale you want, particularly when you start working with vendors, customers and partners - right? - because you can't have to keep applying different sets of rules all the time. The data should have a set of things that are what it can do and what it can't do and be self-defining and self-evident to both the user and the systems that consume the data. 

Talhah Mir: So the three elements that you talked about in your strategy - let's dig into the third element, which is managing risk. 

Bret Arsenault: Yeah. 

Talhah Mir: How do you think about reframing that, especially in the context of internal risks now, which is something you talked about? We certainly hear about that a lot from customers, something that's very near and dear to me. So how do you think about reframing managing risk all up in the context of internal threats or internal risks? 

Bret Arsenault: Yeah, it's interesting. I probably - I'm not sure I got the best answer for you here, Talhah. I think, you know, for - like, we just look at basically - what are the assets and the risks to the company, both from a reputational and financial impact perspective across all the classes? And for a while, we had insider risk for years as a risk item because we were concerned about the path we saw, but we were also concerned about the lack of controls and effectiveness of controls that existed in the space, say, 10 years ago. When we continue to make progress using some of the things we talked about, the - you know, we have a set of risks, and then we have a set of compensating controls. So it forced us to continue to have the conversation. It also then forced us to say, which of these things is just part of another existing service or another risk, and it's not specific to insider? Like, unauthorized access, whether it's insider or outsider, it's still unauthorized access, right? 

Bret Arsenault: Now, I still want to have the lens that shows me when it's insider versus outside. But at the end of the day, most people - I mean, from a risk perspective, it's not going to - that's not going to be the most critical thing that you have to go do. So if you don't have enough focus on inside - I see a lot of conversations about debating insider versus outside risk. I - honestly, you need to differentiate the scenario from the controls to make sure is there really something different you do for controls perspective versus it's the same things you do all up. It's just a different pane of glass that you want to make sure a set of people do. The repercussions are very different. Like, what you can do from insider perspective is very different than what you can do with outside partner, outside adversary, everything else. So there are differences. I don't want to say they're exactly the same, but they're not two completely separate programs. There's overlap in the controls between a lot of the different things you want to go do. And so I certainly wouldn't create a program that was 100% independent, that didn't leverage the existing controls and capabilities we would go put in other places for insider risk. But I do think it warrants its own view all the time, particularly as we've learned with recent global events about, you know, geographies and other geographies where you have different workforces that you need to think about differently. 

Talhah Mir: So let's actually unpack that a little bit, right? So how do you consider considerations of, let's say, different countries that have different laws, different regulations as you think about protecting your data, as you think about managing a risk? Do things really change for you? Microsoft's a global company. You're responsible for the whole company across the world. So do you think of different controls in different countries? 

Bret Arsenault: Yeah, we obviously think of different controls in different countries. And there's a continued pressure for this data sovereignty where people are trying to keep data inside their borders for lots of reasons - protecting constituents of their countries, for economic reasons as well. And so, of course, we want to operate within the regulatory requirements of any country that we're operating in. But we do always want to - if we're going to be selling, building, driving, running businesses in countries, we want to be respectful of the laws that are there. And so we are obviously looking at the regulations and how we're going to do that. I think it's an - like, the - but for me, from a pure economics perspective, the more we can get regulations that scale and span boundaries, the better off we are. So, like, as an example, when GDPR came out for privacy, it was not a global regulation, but we made this decision that all data would meet GDPR requirements regardless of where it was because it met a bar that we thought was good. And so we made that decision as a company to go down that path. 

Talhah Mir: So, Bret, you talked about your strategy being identify your data estate, protect your data, and then finally manage your risk. What advice do you have for customers that are trying to start in that journey? Where do they start? How do they start? What should they look at and how should they prioritize across those three elements? 

Bret Arsenault: Well, I think, as I said, you've got to start with your - you know, your identification of what you have. I do think, though, there's a little bit of a misnomer that you kind of - you have to do all three at the same time; you need to run them in parallel. You can't do anything until you've identified your data, though. I'll probably step back a little from that. You got to do the identification of the data before you can do all the other pieces. But that doesn't mean you can't start working on your risk management program and what your protection strategy should be. But to action them and apply them, you want to make sure you're doing it in the most judicious fashion possible. 

Bret Arsenault: So I would just say, you know, start with the inventory but still be building the other two legs of that stool as you're going down that path. And then all the time, every time, think about where you're going to do automation and - what are the biggest use cases you're looking for first? Like, it depends on your company. Impossible travel's a classic insider use case - right? - where, you know, one day you're logging in from Vegas, and an hour later you're logging in from Redmond, and another hour later you're logging in from Germany as an example. So impossible travel is one. It also is fraught with false - with a lot of false positives depending on the system you've built. So that's a super good one to have. 

Bret Arsenault: But I also think the idea of knowing what the behaviors you - are first, even if they may not be the one that you - like, start with the known bad behavior you want to find and detect, whether that's impossible travel or whether that is - like, there's lots of sophisticated things you can do, like start correlating between physical data and nonphysical data, right? So the badge-in system is a classic example where, based on, again, global situations, we would look at badge-in with an innate geographic region versus a login within a region because it turns out that they may not be in a building, but they may still be in a geography that, you know, we want to make sure we're protecting people. So how do you then correlate between the two systems to make sure that they're working really well? 

Bret Arsenault: Or start with the thing that makes the most sense - looking at protection of sensitive documents is something we worked really hard on. Documents are autonomous unit. They're very reasonable to deal with. I mean, there are a lot of them, but they're reasonable. Applying that to something like source code is the next thing you need to go do. If you're - you know, if everyone's in digital transformation, how do you do that, and then make that problem even more interesting and apply it to the source code that's all open source that you don't own? And how do you go think about that? And so, you know, we continue to look at the next step, the next step, the next step. But start with what you know because training your teams and training your systems is the first thing. And then you eventually get to use ML models that will actually go and look at things that you didn't think about but will show anomalous activity that are based purely on math, not because of something you thought about. And that's when you realize you're really exploiting the capability of technology to help you in those scenarios. And I think that's really a really important thing to do. 

Bret Arsenault: The other one, and it sounds pedantic - or maybe not pedantic, but it's certainly a pedestrian part of the job - but anomaly detection is an amazingly powerful tool. There can be anomalies based on assumptions or suppositions that are true or not true. But one thing that's for sure, particularly when it comes to insider risk, is baselines are really important. Even systems - baselines of systems are really important, and I think people don't really understand or spend their resource on baselining a system. And so baselining activity and, of course, respecting privacy but, like, even systems that we baseline - same thing. When we looked at badge-in data as an example during two years of the pandemic and we'd see a baseline that was consistent and then in one geography I'd get this flashy light, and it kept those people badging in that shouldn't have been. We told them not to. They were. They shouldn't have been - in our mind, they shouldn't have been because it was an anomaly from the baseline. So that doesn't mean it's wrong. Now that this is a case where automation has done everything it can, I need to make a phone call to the team that lives in that part of the world and say, hey, what's going on? We're not supposed to be doing this. And then they came back and said, yeah, there's a part of the business that does physical hardware work that can only be done in a clean room setting. And so they have to go in, and here's the precautionary stuff we've done to go do it. 

Bret Arsenault: So without a baseline, though, it would have never shown up as an anomaly. And then with the anomaly, there were certain things we couldn't do just purely with automation. So that's when - but again, all that worked. It just took, like, literally one phone call and one check to find out what was going on. And then we can strike it from the system and say, OK, in that particular area, that's OK. We allow it, and we make the exception 'cause that's what you do with risk management. You mitigate the risk, eliminate the risk, or you manage and accept the risk. In that case, we accept it because the business need required that people go in that building at the time. Even given the pandemic situation, it was the right decision to make. 

Erica Toelle: Bret, you have, like, a fascinating perspective. You get to talk to CISOs from all sorts of different companies. I'm sure there's some, you know, technologies we don't even know about that you get to help plan or have insights into. Do you have any, like, predictions for the future you could share with us or any insights into the future? 

Bret Arsenault: No. I'm not sure I'm smart enough to have those kind of views. I would just say, you know, there's some simple axioms that we think about. One is, you know, how do you get twice as much productivity from half the people? And that's where you start using, you know, algorithmic work to go find, like, detections and other things. And I think there's - I mentioned there's other data sources and there's convergence and correlation across disparate systems, but I think we'll continue to see more and more of that, again, without violating people's rights to privacy or, you know, systems. But I think that you'll see us continue to be able to do more and more in those spaces, even by taking things that are personally identifiable, anonymizing and doing them in a way that's legally capable because it's the behavior I'm interested in, not the individual. 

Bret Arsenault: And so do I see behaviors in regions or other extraneous situations that are causing behavior, like I mentioned around the one situation we had with needing to be in a building even during the pandemic? I think that you'll continue to see that use of massive compute to help us go detect these kinds of things that we weren't doing, which is correlating systems that may not seem like they're correlatable, but it turns out they really are. There's a lot of norms that happen in those things that will help us with that. And so I think you'll see us - these three things we talk around about identification of data, protection of data and regulation. Imagine if I tied a system together that actually became causal between the three and as opposed to being three things you do at the same time. You can actually use regulation to help affect the impact or outcome of one of the other components. And I think eventually we'll get there. But it's going to take a little bit of time and a lot of compute. 

Erica Toelle: Well, thank you so much, Bret. This has been an absolutely fascinating conversation, but unfortunately, that's about all the time we have for today. But before we leave, I'm just curious - do you have any words that you live by or a personal motto of some kind? 

Bret Arsenault: You know - motto I live by, I don't know. First and foremost, make sure that my wife and daughter are happy. That's probably an important one to live by. I think - as a kid I grew up with root hog or die, but no one will know what that means. And so we probably should just cut that right from the record. But I do think, you know, the role that I have at Microsoft and the role that many other people who work in the space that I do around security and protection, it can be daunting relative to the bad things that happen in the world, relative to the good things you're trying to go do. And I would say from an empathetic perspective, I do think it's important that we - you know, we honor the past. I think people would get upset about systems or other things, but the decisions and the things that were built at the time made sense. That doesn't mean that they make sense in the current environment. So this idea of honoring the past and being honest about where we are presently but then having hope for the future based on the capabilities is important. So this idea of honor the past, be honest about the present and have hope for the future is probably the best answer I have for that question. It's also what lets me sleep at night. 

Erica Toelle: Perfect. Thank you so much. And thank you so much, Talhah, for being our co-host today. And have a great rest of the day. 

Talhah Mir: Thank you, Erica. Thank you, Bret. 

Bret Arsenault: I appreciate it, Erica. Thank you, Talhah. It's been an awesome, awesome time to work and meet with both of you today. 

Erica Toelle: We had a great time uncovering hidden risks with you today. Keep an eye out for our next episode. And don't forget to tweet us @msftsecurity or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to Uncovering Hidden Risks on your favorite podcast platform. And you can catch up on past episodes on our website uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus.