Uncovering Hidden Risks 9.7.22
Ep 3 | 9.7.22

Go beyond Compliance with Microsoft Purview


Erica Toelle: Hello, and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview team. And now let's get into this week's episode.

Erica Toelle: And we're live. Thank you for joining Episode 3 of the "Uncovering Hidden Risks" podcast. I'm here alongside this week's guest host, Rudy Mitra, who's the corporate vice president of Microsoft 365 security, compliance and privacy. Rudy, it's a beautiful day here in Tucson. How are things for you in Seattle? 

Rudy Mitra: Hey, Erica. Great to be talking to you. It's another amazing day here in Seattle, where we have a little bit of sun and a little bit of rain, which gives us all the weather all at once. 

Erica Toelle: Perfect. I sure do miss that Seattle drizzle. Rudy, we all know you well here at Microsoft, but for the folks who are listening and maybe haven't met you, could you share a little bit more about your background? 

Rudy Mitra: Yeah, Erica. Happy to. I've been at Microsoft 23 years, the last 13 of which I've focused on working on security, compliance, privacy and risk. My journey has taken me through different disciplines such as engineering, most recently product management. And I love this area. It lets me talk to so many customers, talk to them about what's top of mind. I am so excited to be building solutions in this area with them and for them. 

Erica Toelle: This is why we're so thrilled to have you on today, Rudy, because as some of our listeners know, we just launched the "Uncovering Hidden Risks" podcast with the intention of helping people better understand how and why they should be taking a more holistic approach to data protection. In fact, we just recently spoke with Bret Arsenault, who is Microsoft's chief information security officer. In that episode, we not only focused on the significance of evolving your data protection strategy across all people, processes, places and products, but we also explored how to implement a comprehensive approach to data protection across an entire organization. Considering the recent launch of Microsoft Purview, how do you think about your core security and compliance principles? 

Rudy Mitra: Great question, Erica. So as the security landscape continues to evolve, organizations face a variety of risks that extend well beyond the traditional cybersecurity landscape. That's why we believe in a comprehensive approach to security and data management. And we view data protection, governance and compliance all as integral parts of an effective data strategy. Now, with Microsoft Purview, for folks who are just learning about our recent launch, it's a portfolio of solutions for information protection, data governance, risk management and compliance. And it enables organizations to effectively manage their data. It provides enhanced visibility that organizations can leverage across their environment and helps close the gaps that can lead to data exposure, simplify tasks through automation, and stay up to date with regulatory requirements and keep their most important asset - their data - secure.

Erica Toelle: That's a perfect transition to introduce our other guest, Igor Tsyganskiy, president and CTO of Bridgewater Associates, who has been on this data governance journey since the beginning. He is here to talk to us about some of the pillars of data protection, including understanding the data across your entire estate, protecting and overseeing data and managing risk posture. Igor, can you take a second to please introduce yourself and share a little bit about your journey in data governance and data security? Maybe you can also touch on some of the challenges that you see today. 

Igor Tsyganskiy: So my name is Igor Tsyganskiy. I run technology here at Bridgewater. I am responsible for pretty much all of the end-to-end technology, including our core investment systems, our data centers, all of our cloud environments, our IT, our corporate governance, security architecture - cybersecurity architecture - as well as data governance and identity governance. So pretty much anything that is digital at Bridgewater, infrastructure-wise or investment-system-wise, I am responsible for. Data governance is extremely important to us. Understanding the world and having the types of the customers that we have, making sure that the right data and right information gets to the right person at the right time is critical for our business. So I am glad to be here today talking to you about all the wonderful products that you guys have. 

Rudy Mitra: Great. Thanks for taking the time, Igor. So what are some of the biggest challenges that you see as president and CTO around data governance? 

Igor Tsyganskiy: In the simplest way, it's knowing where our information is - right? - at any given point in time, what information and what data is being handled by whom and where. It's pretty simple in that sense. It's pretty simple and pretty complex. 

Erica Toelle: That's very interesting, and thank you for sharing. Could you tell us a little more about insider threats? 

Igor Tsyganskiy: Sure. We like to call this insider responsibility more than insider threats. We expect all of our employees and associates to work in a certain way when handling data for Bridgewater, as well as the data on behalf of our customers. Understanding the behavior and the - setting the standard of behavior for all of our associates is extremely important. The product that we use and the sort of products that we use to help do that is very, very important. 

Rudy Mitra: Yeah, that does sound like a daunting task. And I think it's your shift in cybersecurity culture as the tools and technology also support your team's success. Now, if you wouldn't mind, can you tell me a little bit about Bridgewater's journey thus far? Data governance and data security, of course, isn't something that happens overnight - a lot of planning, a lot of execution, a lot of thought leadership. How do you navigate some of these corporate requirements? 

Igor Tsyganskiy: It's a great question. A couple of years ago, we have decided to partner with Microsoft, share all of our requirements with Microsoft in a way that benefits us, as well as the community and as well as everyone else who may be using the products from Microsoft. The differentiating advantage and why we decided to do it is mostly the breadth of the stack that Microsoft has, all the way from an operating system to document management to information sharing that allows us to cover the broader set of requirements. So over the last three years, I would say that we've been heavily participating in helping you guys build the product, which we're grateful for. And we're at the point where most of our needs are met by a suite of products and services that Microsoft provides that allows us to basically manage information governance, make sure that our insiders are acting in a way that we think that they should be acting in our internal agreement of how we want to be with each other, as well as our partners - right? - and that we're responsible in the way we communicate to our customers and act responsibly on behalf of our customers. And that, you know, the suite of those products. I'm so glad that you've decided to take a suite of those - all the different functionalities that you've created and put it all together into one suite of products that we're talking about today. So the journey, in many ways, has been very rewarding because we can see always on where our information is, who is accessing it, who maybe have been taking it out from the area - so not just who has the information, how they're using it, but where geographically the information is dispersed - and be able to control all the aspects of interacting with information, both in the office, at home, as well as all around the globe. 

Rudy Mitra: Yeah, thanks, Igor. And just to kind of reciprocate, it's been an awesome, awesome partnership. And you've pushed the products hard, and the products have gotten better. And I'm truly thankful for the relationship we have across the companies here. I'm assuming, as you talked about the suite of products and you talked about the multiple, you know, sort of groups that work with these products. It requires, of course, collaboration. It requires workflows. Is that a good assumption? And how do you handle that? 

Igor Tsyganskiy: Yeah, that's a great assumption. Well, the way we handle it is internally, we have a set of product managers that work with business owners determining what the needs of the business owners are. And then we both continuously adjust the configuration of the product to the needs of our business, enable our businesses to collaborate because for us, all the different businesses - let's say we may be talking about security versus legal and compliance versus some other business. At the end of the day, all the things need to converge - right? - so, you know, you might be writing an email, and we want to make sure that when you're writing an email, you're doing it in a certain format that is appropriate for the relationship. But at the same time, it needs to be done - let's say you're only allowed to write a certain amount of email from work - right? - and not allowed to write a certain amount of email from home. And by - amount is probably the wrong word. I mean the certain type of an email - right? - from work, and then you're not allowed to work on certain types of things from home if the topic that is - maybe very, very sensitive. So in that example, an email needs to be composed at work, and the email needs to be professional. You know, you shouldn't be using certain words, or you should keep a certain way of interacting with each other at a certain level. Well, at Bridgewater, different departments handle those two different things, but it all rotates around the one same object called email. And so from one standpoint of view, understanding the needs of different departments is very important. But then converging that into the same set of requirements for the same product is extremely important. And some of that is done by our colleagues - meaning folks that are working for me - and some of that is done by Microsoft. So when we see certain gaps, that's how we work back and forth together. We communicate with the development teams. We give you folks feedback. And you're very prompt and helpful in making the product better and the suite of products better.

Rudy Mitra: Yeah. This idea that you talked about, which is that, you know, success with managing data, managing threats and risks - it really is a team sport and requires, you know, more than one person, an entire team of folks, to be working through. It's such an important idea. It must span across the entire organization, I think, as you're saying. 

Igor Tsyganskiy: It touches every part of our organization. And in many ways, that's why it's frequently on the top of my mind and the top of other executives here at Bridgewater. 

Erica Toelle: That's great, Igor. It's been an awesome ride and journey over the past few years. Any final thoughts and insights regarding data governance and data security? 

Igor Tsyganskiy: Yeah. Well, first of all, keep going. I think that you are building a great product. And again, I'm thankful for the work that you've done. Second is for many organizations, I would strongly suggest for folks to consider not just features and functionalities but the cross-integrated nature of how these features and functionalities need to come together. We haven't been able to find anything close to what Microsoft has from the breadth of integrations and coverage across the board and the set of partnerships that you folks have with other firms. So my advice - consider the full scope. Don't focus on features and functionalities. Consider the full requirements across the board. 

Erica Toelle: Excellent. Thank you so much, Igor. This has been a really valuable and insightful conversation. For folks who would like to do a double-click into Microsoft Purview Solution, you can visit aka.ms/microsoftpurview to learn more about the data management and risk management portfolio that Igor was referring to. And, Rudy, we also want to thank you for being our guest host for today. As a final closing, we would love to ask you, are there any words that you live by or advice that you want to give our listeners? 

Rudy Mitra: Thanks for having me on today, Erica. Appreciate it. It's always about the customers first. And so we put the customer at the center of everything we build and all the discussions we have and designs we work through. Customer is always at the center of it - and making it simple. You know, across our solution area, we always think about how to make things simple, easy to use, easy to deploy. You know, that's it. Every day, we start with that. 

Erica Toelle: Excellent. Thank you, Rudy. And thank you to everyone for listening today. We look forward to our next episode, where we'll be chatting with Stephen Portillo, information security engineer principal, and James Craddock, lead security engineer, both from BP. We'll be talking about the four main challenges to protecting sensitive data, so you'll definitely want to tune in. Thank you again, everyone. We look forward to next time. 

Erica Toelle: We had a great time uncovering hidden risks with you today. Keep an eye out for our next episode. And don't forget to tweet us @msftsecurity or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to "Uncovering Hidden Risks" on your favorite podcast platform. And you can catch up on past episodes on our website, uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus.