Securing the Digital Frontier: Global Regulatory Readiness with Microsoft
Erica Toelle: [Background Music] Hello, and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview team. And now let's get into this week's episode.
Manny Sahota: Hello, everyone. My name's Manny Sahota. I'm the director of Global Cloud Privacy Regulatory Risks and Clients. And today we are talking about securing the digital frontier, global regulatory readiness with Microsoft. I want to give a quick thank you to our main host, Erica Toelle, for having us here. And I'm substituting for her. I hope I do a good job. And we're really glad to be here. With that in mind, I have Beau and Dmitry. Can each of you introduce yourself please?
Beau Faull: Sure, I'll go first. So I'm Beau Faull. I'm a technology specialist at Microsoft based out of Perth, western Australia. So I primarily focus on data security and data governance, and that's where I play in.
Dmitry Butko: And my name is Dmitry. I'm the Asia strategy sales lead for small and medium corporate segment. I'm fairly new in the role. I used to be a technical specialist manager, so I used to manage a bunch of technical specialists for small-medium corporate segment. So lots of stories from the field. And I'm quite excited to be here today.
Manny Sahota: Perfect. So we have several things actually to touch upon, but the focus will be helping customers navigate the regulatory, right. There's several challenges that we see. There's several new regulations across the world. We have NIST in EU. We have EU AI Act on a lot of the AI solutions that we have. And, you know, we give customers confidence on how Copilot products align with these AI solutions as well. In the banking and financial services sector, we have Digital Operations Resilience Act. That regulation's becoming law soon. India's DPDP. Essential 8, though not a regulation, this strategy actually helps customers understand what position they should take, companies should take, to improve their cybersecurity posture, right. So really this is a guide to support the world in the direction they should take. So this is a challenging place to be, right, if you are a CISO, a chief privacy officer, a chief legal officer, general counsel. You know, the future really is helping customers align with regulations. And those companies that best align with these regulations are the ones that are going to thrive, right? I believe, and I'd love to get your thoughts Beau and Dmitry, I think companies that help their customers thrive through the regulatory terrain are the ones that will be successful, right? I think slowly are gone the days where product pitches or the solution itself is enough, right? Customers need confidence that not only can they use a solution, but this will help protect their digital assets, right? So any comments that you two have there?
Beau Faull: I guess in terms of Australian regulations, now we're looking at approaching those, we're obviously still expected to make the same industry standards as anyone else, right? So if we've got GDPR regulation, if we've got PCI requirements, we do still have to meet those sorts of controls. So we work with customers every day in I guess helping push that across for them so they can get a good deep understanding of how we can help them sort those issues out. We've also got things like the Australian Privacy Principles and things like that that beholden specifically to private information, whether that's your customers, whether that's health information, any of that sort of stuff. But we fairly recently have had a few major breaches into some really large organizations. And for some of those cases, the information on the customer that had been breached had been for multiple years, even after the customers had left the organization. So when we start speaking about that data hoarding issue, even though it is less prevalent now that some of that stuff surfacing, not all organizations are actually clearing out that information. And like you said before, Manny, a model that's been picking up steam a lot, particularly in Australia but I've seen it starting to be looked at at a global level as well, is that Essential 8. So if we think of that, it's essentially a maturity model designed to protect an organization. Like it says in the name, it focuses primarily on eight controls. So that's patching applications, patching operating systems, multifactor authentication, restricting admin privileges, application control restricting macros, application hardening and regular backups. So they're kind of the basics that we're looking to make sure an organization has in place even before moving to more complex workloads. But each of those different controls has a maturity level associated with them, and those levels have a different degree of control needed to meet that level. We've got a lot of white papers, a lot of regulatory I guess suggestions on how to put some of those controls in place in an environment. So we could put some of that in the Show Notes here as well. But the funny thing is, I'm starting to see that this framework is being used more at a global level. It might not always be culled, essentially, and different organizations and different vendors have their own spin on them, but they're always back to those eight essential controls.
Manny Sahota: I really like one of the controls, it says enable macro settings or something. So it's kind of nice that we partner really well with our regulators and customers to really ensure that we are supporting them the best that we can, right? Dmitry, any comments there to add?
Dmitry Butko: Manny, I really appreciate the question. I'm quite excited about the regulatory compliance coming into play right now, because cybersecurity was a really wild west before. So customers didn't really know what to do. They didn't know about the risks. They didn't know about what they have to do. Right now, governments are on the ball to setting frameworks. And some of the machine frameworks, which are controlled by, assembled machine frameworks, which are risk-based. So they are telling organizations around the world to learn what the risks are. And it's good to see the maturity of customers picking up and understanding that security is not just about installing antivirus and forgetting about it for next three years; it's all about continuously assessing the risks and addressing those risks through technology, process, or user training. So I think it's quite exciting times. I think maturity of the customers is going to pick up. And I'm just looking forward more and more countries setting up these frameworks to be essentially more secure.
Manny Sahota: And that's a great point. So we're going to dive into a few segment areas and we're going to quickly touch upon them. The first would be around global cybersecurity trends. We'll touch on regulation compliance and cross cloud services. That's been actually a very important conversation and focus area for our customers. Then culture and awareness, right? Like what's top of mind for our customers? Where are the gaps? What do they need to think about? And I think the most important thing is, what do they need to think about when they come into the organization? If I'm a chief privacy officer coming into an organization at these times with the environment that's unstructured data, like that's not a safe place to be, right? So what's top of mind for them? And then finally, the overall cybersecurity vision. What direction is Microsoft taking? What direction are companies and competitors thinking about? And, you know, any guidance and feedback that we can provide. Before we jump into this, just on this topic, what are some high-level concerns that you see from customers? Dmitry, you see the overall Asia vision lens and especially with the regulations like DPDP. Though, you know, you being the technical specialist working with customers day to day, really understanding how solutions align to the regulatory requirements, like that is golden advice. Any high-level comments, challenges that you see from customers?
Beau Faull: I think at least from my perspective, it's more when we start speaking about regulatory compliance, getting the right people in the room to address those concerns. So a lot of the time that's fallen to privacy officers or risk officers in order to, I guess, meet that requirement. But realistically, it needs to be part of the organization to meet these needs. People need to be trained. Whoever's doing the technical implementation needs to know why we're placing some of these controls in. Too often, with at least the people that I speak to, we start speaking about regulations but not why we're actually putting these things in place. It shouldn't just be a box-ticking exercise. It's to actually make sure that the information that you're holding is secure. This might be a baseline that they're starting on and then have to develop controls further on down the track to bolster that experience. But I think the key part that a lot of people are missing even now is the education and training into why we're putting some of these controls in place.
Manny Sahota: That's a great comment, actually. Dmitry, do you have anything to add?
Dmitry Butko: Look, security is becoming a board level conversation right now. Everyone understanding it's not just about the technology and some things cannot be fixed with the technology. So user awareness is becoming critical. And to be honest, for me, you can tackle the phishing and malware with the technology, but I think the most efficient thing is to actually train users not to click on phishing links. So it's a simple example but I think this is what's happening when security is getting elevated in the company levels.
Manny Sahota: Yeah, that's interesting. And maybe that's something we can touch upon on this, the culture and awareness piece as well. One thing that I see fairly often is customers want the confidence, right. They want the closest thing to a guarantee, right. I think slowly will die the days where companies are paying hundreds of million dollars for best effort. But what Microsoft does is really communicate and share responsibility model, right. We partner with our internal legal teams to understand how we will comply with our solutions, what changes we need to make, our partnerships with engineering, but then also our level of commitment for the customer. And why I think this is phenomenal is, our customers have advisors to support them on the shared responsibility model. Like if I was lead counsel chief privacy officer, I would like to connect with Microsoft before I work with my outside counsel, right. I think that's a great strategy to reduce your outside legal costs. And this is definitely a top of mind concern for our general counsel. So you also see the general counsel have more of a heavy hand in the decision-making for the technology solution products as well. Because tomorrow, if solution A is better than solution B but solution B can better align with regulations, that's where the general counsel comes in and says, hey, I'm not risking the entire business for maybe -- this is not for a Microsoft statement but for our other competitors that are potentially maybe even best-of-breed, where sometimes a solution may be phenomenal, but if it doesn't comply with the regulation, you know, hands are up, we may have to look at other vendors, right? So that's a big focus area that I see. So let's dive in. First is global cybersecurity trends. I'm going to target Beau first, since you work in Australia customers every day. What are some of the trends, especially from the thought leader of cybersecurity regulations, right, being Australia and the Essential 8? Anything additional to add?
Beau Faull: I guess, in terms of global trends and the things that I'm seeing -- and I do speak to customers at a global level -- is there's a lot of discussion on AI. How do I secure AI? What products do you have? What capabilities do you offer that can help me secure some of those AI workloads? And that's becoming more prevalent every day. The Australian government has released guidelines around some of the AI usage that people should be tuning into and having a look. And that's not just based in Australia; every government across the world is looking at implementing some sort of guidance into organizations and the responsible use of using that AI in their environments. So I think that's a big trend that's going to be continuing on for the next couple of years until we've actually mapped it out properly and discovered how we want to make sure we're securing those workloads. The other big thing and it's been a trend for a while is the concept of data hoarding in organizations. So even as soon as a couple of years ago, an organization would hold all of its information that it's ever received kind of until the end of time because they didn't know how long they should be holding some of that information for. Think of health information, think of driver's license, other personal information. That I think that has become very front of mind for a lot of organizations. The more information that they are holding on customers or that they don't need anymore, the more risks that they're actually applying to their organization on if there is a breach, if something does get compromised. The less data you're actually hoarding from a business perspective, if you no longer need it, the better position you're in as an organization. So we've been having a lot of discussions with both customers and I speak a lot in the industry in general in how to kind of remove that information if you no longer need it. So there's going to be processes in place and some sensitive disposal, there's automation you can put in place for that sort of thing. But the more that you can remove the information you no longer need, especially if we speak about there's been a lot of instances -- let's say that a driver's license has been captured by the business, they've taken a photo, that's expired five years ago. Probably don't need to be holding that information anymore. It's about print process, clear, defined process in place to remove that information out of the organization. And that's coming up more and more in the conversations that I'm having.
Manny Sahota: Yeah, that's great. And I think one thing to add to that, empowering employees to make smart decisions, to mitigate data hoarding, right. Because sometimes you can create duplicate information where there may be even sensitive information like PII, and then the employee creates multiple documents of this type of information. So instead of having this centralized, and, you know, having a small team of X amount of people resolve this overall issue, empowering organizations to do that. So not diving into solutions too much, but, you know, with previne, I know you can push the onus to the individual to make the decision to remove, delete, save. And you can even provide controls where like after X days, if that information is not removed, if it does contain PII, we can create sensitivity labels. Your legal counsel, your legal team will have the access keys if this hasn't been resolved in X days, right?
Beau Faull: And I think just on that as well that that's the key part that I think a lot of organizations are missing is they don't actually know where the data they're holding exists the majority of the time. It could be they've had that data for 12 years and it's sitting on an on-premise service somewhere they've got no visibility on. A really important thing for those organizations to do before they even look at applying some of these controls is simply find where their information is and then map that back to a protection.
Manny Sahota: Perfect, okay. Let's talk about Copilots and actually maybe even cross cloud services. Dmitry, with your role of just on Asia strategy, with different regions adopting diverse regulatory frameworks, how does Microsoft Copilot maintain compliance across borders? Any insights or thoughts there?
Dmitry Butko: Yeah. The frameworks keep emerging in different regions. The short answer, we have a dedicated team of legal professionals and technical professionals who make sure that every time the new regulation comes in, we ensure compliance to a security framework or to a regulatory framework. So that's very important. On top of that, we keep educating our customers that any cloud service is shared with sensitivity model. So it's not just about us being compliant to a particular security framework, but also telling our customers that they need to be compliant with the local frameworks. On top of that, I think our responsible AI standard is really best-in-class. I haven't seen anything like that anywhere else on the market. And it's basically beyond what the regulations are right now in terms of AI. So I really suggest that if there's any takeaway from this podcast, just to have a look at Microsoft responsible AI standard and maybe get some idea what you want to implement in your organization.
Beau Faull: I think on that as well, there's a lot of talk out in the industry at the moment about AI kind of introducing these risks into organizations. The more that I speak to people about it, it's more about these controls that haven't been put in place correctly in the first place. Let's look at governance of information, for example, or access to that information. Those issues are being surfaced because AI is now in place. AI isn't introducing these issues in a lot of the time, it's just surfacing information that already existed within an organization that hasn't been secured the right way in the first place. So I do want to make sure that when we do have this message and we do speak to people about it, normally it's not the actual LLM or the AI model that's surfacing the information and causing the issue in an organization, it's that there's been poor governance and security controls and practices in place that allows it to do that.
Manny Sahota: That's a great comment. Let's touch on cybersecurity culture and awareness. This has definitely been a great topic, especially for companies that aren't in the cloud that actually want to move into the cloud. Are they slightly not behind the race, especially when they're adopting AI solutions, right? I think you have to be at a certain level of posture for your security compliance and privacy that you can adopt some of these tools within an organization. So let's say beyond technology, cybersecurity is about cultivating the right mindset. Beau, do you have any comments on how Microsoft's empowering its users to foster a culture of cybersecurity?
Beau Faull: Yeah. I'll speak I guess globally as well. So I think the culture globally -- and this isn't just at Microsoft, I think it's the industry as a whole -- has come a long way over the last few years. We want to make sure we're doing a very good balance between productivity and security so an organization can do the best work in a security and compliant way. So in some cases -- and I've seen this a lot -- security can be viewed as a blocker in an organization. But we should be making sure that that enablement is still there. So I've had experiences where someone's put in a business request and that's been declined with a like a flat no from the security team. There's no reasons why. There's no controls put in place. And there's not even like any sort of recommended path forward to get something approved. I think we as a discipline of security and compliance professionals, we've come a long way from that mentality of just declining things. It is still in some organizations, but I think it's changed a lot. You can see how that culture that we've developed over time connects us into the business at a much deeper level than it did previously. And it's made really big impact to the security of the organizations that do this really, really well, instead of doing it as a blocker. That said, if I focus specifically on what Microsoft does, we do a lot of in-depth training programs both internally and externally for both customers and the general public in forms of things like webinars or documentation, things like that. Whether that is technical controls or educational material, we want to make sure that this culture is embedded and is second nature to everyone and it's not something that's considered an afterthought. So even if we look at things like the software development lifecycle. The earlier that we bake security and that culture into when we're developing these products, the better outcome it is for the end product and the less expensive it is to fix the issue after that has come to light. So I think that's the culture being cultivated. It's much better than even five years ago when we used to have these conversations.
Manny Sahota: That's a great comment. And to add to that as well, I think what is wonderful is the growth of our legal department. We've significantly hired more in the area of privacy and regulatory affairs. There's much more support we provide customers on the front line as well. And most importantly, the guidance documentation around aligning product to regulations to optimize your cybersecurity posture, right? So I think the education piece for customers is important, right? Because this is a very challenging concept, right? Like customers need to understand how to secure their data against a regulation that may evolve, right? So I think Microsoft is doing a phenomenal job being extremely transparent with their position and how they support customers with the shared responsibility and the education and guidance documents as well.
Dmitry Butko: I'll probably add to that, I see in developed areas like Australia, European Union, but there's also developing markets where customers still haven't moved to the cloud. So our role right now is to educate that security in the cloud environment is very different to cybersecurity in the on-premise cloud. So we spend a lot of time explaining it. When you move to the cloud, it's all about identity. It's all about multifactor authentication. It's all about protecting your cloud apps. It's actually thinking about data security, labeling. It's not just about the antivirus. So it takes a lot of time to explain it to the customers, but we think we are on a good path.
Manny Sahota: Phenomenal. And back to you, Dmitry, with the next question as well. This is more on the overall vision. What does Microsoft's strategic vision look like when it comes to tackling global regulatory challenges in cybersecurity?
Dmitry Butko: That's a very loaded question, but I'll try to be very concise. Look, it comes down to the shared responsibility model. So, of course, we are building our cloud, which is resilient. It's secure. It's compliant with local frameworks and global frameworks. But at the same time, our security products and even our productivity products are helping our customers to comply with those frameworks as well. I think the focus is to help in multiple areas. It's not just looking at end point, it's not just looking at email security, we're looking at multiple assets of security. And that's quite exciting because it's always changing.
Manny Sahota: I think especially for global companies, it's fairly challenging, right? Because these frameworks are like webs that overlap each other, right? Like NIST 2, the regulation has to align with the Essential 8 in Australia, EU regulation align with GDPR, with EU-AI Act. And if you're a bank, there's also Digital Operations Resiliency Act in EU as well, right? So it's a challenging time for people, which is why it seems like companies are leaning more towards the suite of products versus a best-of-breed approach. Because the integrated approach of having a platform which is built in and not built on -- so security and compliance and privacy can be utilized in collaboration activities as well within the whole entire environment. With regulations, it seems like regulations are slowly keeping up to technologies. However, the world is reacting to the ability to respond to these regulations. If we were to give any advice to customers, what could we do proactively?
Beau Faull: I think from my side the way I view regulations the majority of the time is, once they're in place, consider them as a baseline for your security posture. Don't just finish regulation, let's say the Essential 8, consider yourself done and then not look at any proactive controls. These organizations still need to look into the industry to see what's happening. They need to make sure they're across the cybersecurity landscape. A lot of these regulations -- let's say a new threat comes up -- they don't automatically start adopting a control against that new threat. So if we're looking at purely regulations, don't consider them a tick-box exercise, get them done, get them in place, and then expand on them. The more mature that your cyber organization gets, the more secure you're going to be in the long term.
Manny Sahota: Well said.
Dmitry Butko: And, look, it's a continuous process. The biggest advice I have for anyone is just constantly, continuously assess your risk. And any regulation framework which is risk-based will tell you that you probably have to do it on a quarterly basis. And once you look at your risks, and once you have maybe external consultant helping assess your risks, you eye is opening. So you will start understanding, hey, I actually need to do this or that. And also, talk to your peers, talk to the vendors. It's a constant conversation, if there's anything better. So I think there's a lot of peer sharing in the industry. And industry groups are becoming a lot more active.
Manny Sahota: Perfect, well said. I think we have one final question here. Listeners are very curious about the role AI has in our overall strategy, right? I know with some of our solutions, AI actually provides a lot of automation features. That's actually the benefit of going closer the E5. How does Microsoft integrate AI to improve threat detection response? That being a very great focus area for customers. Dmitry, any comments there?
Dmitry Butko: I'll make a comment and hopefully Beau can chip in. But I think detection response is going to be hugely benefited by AI. So I think there's a lot of manual labor right now. Ultimately, detection response is just combing through the data. It's correlating multiple data sources. And AI is really good to work with the data. So I think the product solutions out there are going to make a lot of difference. And with our Copilot for security is going to be released soon. It's going to be quite exciting to see what it can do.
Manny Sahota: Perfect.
Beau Faull: And I think -- and this not just goes to AI models, right? Any LLM that you're looking at -- which is a large language model, in case anyone's wondering what the acronym is. We use them a lot. The benefit of that is that we can feed it huge amounts of information and get a response back on a query to that information really quickly. So if we're looking at, we've got terabytes worth of logs, right? The ability to build quickly correlate that information and get a response out is where the benefits of an AI model are. If we can make sure that we're baking that into a business process and make sure that AI is factored into those, you'll quickly see those organizations and those early adopters be able to take that next step into how quick their response times will be. It also goes back to not only detect and respond, but when we're looking at safeguarding that information, we can use AI to do things like encrypt information that should be encrypted. We can use it to start scaling out a lot of these controls that we wouldn't be able to do otherwise. You'll see it in every vendor product that's coming out in the market now. Every single person says, we've AI to automate X. The benefit of AI is that it can automate these basic things that otherwise we'd have to be spending engineering hours and time to develop and deploy. The more AI that you have, as long as it's controlled obviously and we don't just roll it out to everything, the quicker response times are going to be.
Manny Sahota: I completely agree with that. And this ties in with the thought that the big challenge with AI that we're seeing -- and love to get to know your thoughts as well -- is there's an explosion of data, this is moving fast, regulations are slowly catching up to technology, but this year has been a big drastic change from the last few, right? What's one piece of advice you would give to our customers? If you're a legal counsel and working on regulations alone, that's a lot of work, even a legal team. But understanding the products that help accelerate efficiency within the organization, is there any guidance that you can give any specific audience on this topic? Beau, let's start with you.
Beau Faull: I think if you're a legal or regulatory is, make sure that you are reaching out into those industry groups, if you're having these thoughts about what regulations might be coming up, all of your peers probably are as well. So reach out, try to get an understanding of what you think that landscape might be, and then you can start speaking to the business about how to potentially put some of those controls in. If you're a CIO, a CISO, someone deploying the technology, I think the biggest thing you need to consider is getting visibility into what these models are doing in an environment. If we're using LLMs to craw huge amounts of information, we probably want to know what queries are being run into that LLM. We probably want to know who has access to run those queries now that information has surfaced. So if you're looking at deploying these, my number one thing to be searching for would be making sure that you as an auditor or as a regulator or as someone that manages this technology, that you have visibility into what it's doing and the information being fed into it.
Manny Sahota: I will take the second one, and Dmitry, I'll leave you with the last thoughts. I think my comment would be, I would give a call to action to legal audience, legal customers, chief privacy compliance leaders to dive deep into the products. I think now is the time, you know, with the security products, the CISO has a heavy hand, but now the future is aligning with regulations. Companies can't use products if they don't align with regulations full stop, right? Before it was kind of a slap on the hand. Now companies get exposed. Sure the 2 to 4 to 6% fines, sure, it's painful for some, it's nothing for others, but the exposure, that is a reputational risk I think is the greatest impact an organization in the future. So my final thoughts would be, legal audience, legal stakeholders need to really understand these solutions. And you have your account executives, ATS, you have your advisors that are there to support you. Also, with the regulations, right? Like we have a shared responsibility model. I encourage you to connect with our, you know, front-line experts to collect this information as you move forward to improve your privacy posture in your organization. Dmitry, any comments there?
Dmitry Butko: Look, Beau mentioned it but I'll repeat. So with AI and LLMs, they're starting to crawl your data, and they basically allow you to have easy access to, in principle, the same as, for example, for enterprise have access to a shared point. AI just makes it a lot easier to surface that information for a user. So really what you have to do is create a data strategy in the organization. You need to understand where your data lies. You need to start labeling. You need to look at how long you keep the data. So that is really, really important for any organization right now.
Beau Faull: And I think with that as well -- we had spoken a lot about technology and problems and all of these things, AI models, all of this sort of thing. But if you're not getting the business process down first and how it should be used effectively in your organization, most of these controls are irrelevant. We can use the controls to meet some of those business process and requirements that come out, but let's make sure that we've got those processes baked into the business before we even look at any of these technology stacks.
Manny Sahota: Well said. Thank you so much. Some final comments, final thoughts. We just want to wrap up the episode by just sharing any words that we live by, our personal mottos. Beau, Dmitry, any mottos that you want to share?
Beau Faull: At least from my perspective, and I say it all the time, is do the basics right and then look at other things. A lot of organizations I work with are trying to run before they can actually walk. So get your basics. Get your multifactor in. Check your access permissions. Get all of this stuff in place first, then look at the more complex things.
Manny Sahota: Dmitry?
Dmitry Butko: Look, my thoughts are slightly different to Beau's. Cybersecurity is a team sport, so make sure you make everyone else around you successful and enable them, don't hard the information. If there's something comes up, just share it. It's a constantly sharing and communication process. It probably applies anywhere in life, not just security.
Manny Sahota: Perfect. I will tie actually two mottos together. The first I'm going to say is embrace the dirty. And the second I'm going to say, slow down to speed up, right? It is very challenging to understand new products, it is. But if you just embrace the dirty and try to really learn these tools and solutions, they will help you rapidly accelerate your workplace efficiency. And I would argue at least by 50%, right? So it is always challenging learning new tools and learning new solutions, but AI is the future, we need to embrace AI so we can move forward faster. With that, I'll wrap up and say, hey, thank you so much for joining, and hopefully we'll be here again.
Beau Faull: Thank you for having us.
Manny Sahota: Awesome, thank you.
Erica Toelle: We had a great time uncovering hidden risks with you today. Keep an eye out for our next episode. And don't forget to tweet us, @msftsecurity, or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to "Uncovering Hidden Risks" on your favorite podcast platform. And you can catch up on past episodes on our website, uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus.
