Microsoft’s Siân John: ‘Cybersecurity needs diversity’

18 Jan 2019

Siân John. Image: Microsoft

Security professionals of the future will need to come from diverse backgrounds to better understand more diverse forms of attack, says Microsoft’s Siân John.

Siân John is chief security adviser for the UK and Nordics in the enterprise cybersecurity group at Microsoft.

She has been in the IT industry for more than 25 years, both as a security architect and as an independent security consultant, working on projects to map customers’ business requirements to security solutions.

‘If we all come from the same background and did the same training, then we are not really as well equipped as we could be to protect against the very different ways of thinking and attacking’
– SIÂN JOHN

John works with Microsoft’s customers to help them develop their cybersecurity strategy, and to understand how Microsoft’s technology and services can help support digital transformation and cloud services.

She was awarded an MBE in the Queen’s New Year’s Honours List for 2018 for services to cybersecurity.

Tell me about your own role and your responsibilities in driving tech strategy?

I am not part of Microsoft’s internal security organisation; I am effectively in an outside-facing role, so I spend my time going around talking to the CISOs of organisations about their strategies, what they are trying to achieve, how they manage that, and where Microsoft may or may not be able to help.

How would you describe the current threat landscape and state of infosec?

There’s a big change. 20 years ago, technology had a very discrete function and it was a very discrete world. We are really now at the point of ubiquitous computing where there’s almost no part of life that you can name where technology doesn’t feature or function. The other side of that is that when threats are out there, they are much more able to make an impact beyond the IT or technology department into people’s homes, factories, every aspect of life – and that is something that is only going to continue.

If you look at the threat landscape and history of threats, as we get new technology, the new technology goes out and then, effectively, the bad guys work out how to manipulate or use that for their own benefit. Any new technology we get, we can expect some new attempt to exploit it, whether for good or bad purposes – and after that we need to bring in security to protect it.

The challenge is to anticipate where the bad guys might attack. The fact is that we can do so much technically, and there is so much money and finance involved in it that it means the criminal elements have become more commercialised as well, and they are making money out of it. For hackers it used to be about fame; now it’s about how to actually make money out of threats.

What road brought you to your current role as chief security adviser of Microsoft UK?

I’ve been in IT for 25 years or a bit longer and I actually got into security when I worked at the UK Houses of Parliament. Effectively, I was there as the IT manager for the sergeant-at-arms. We found an issue in the system and fixed that, and then I got very interested in the idea that we shouldn’t just be building technology, we need to look at how we can build that in a secure way and protect it against people who might want to exploit it, but also against accidental abuse as well.

I then ended up working in an independent security consultancy/managed services provider for six years, and then from there I went to Symantec for 12 years.

We talk about baking in and building security in from the ground up with what Microsoft is doing. It is very interesting to come and continue that journey with Microsoft, to try and help and build security by design and build from the ground up.

A decade or two down the line, do you think we could have a whole generation of born-on-the-web people who are natural experts in cybersecurity?

I think so. If you look at most of the governments across the world, they are trying to see how they can encourage people into careers in technology but also cybersecurity. I studied economics and computing at college, and classical studies is my hobby. If you look at when I went to university to study economics and computing, there was no such thing as IT security or security degrees at that point.

I think we are going to get a lot more people who will come up trained, but I also think that, in order to be successful in cybersecurity, we need a diversity that is not just about gender or ethnic diversity, but it is about diversity of outlooks and backgrounds and thinking.

People with different types of degrees, people that don’t have a degree, people that did apprenticeships, people who left school at 16 – we need all of those different types of approaches because if we all come from the same background and did the same training, then we are not really as well equipped as we could be to be able to protect against the very different ways of thinking and attacking that might happen. I am hopeful that we will be able to get a lot of trained security experts but I am also hopeful that we will continue to get people with lots of different backgrounds working in the career as well.

Every organisation is becoming a tech organisation. But how do we engender the right security posture in all kinds of organisations and businesses?

I think we are at a tipping point where that change is happening. There are regulations promoting good privacy, and at Microsoft we really champion this idea of an organisation having a responsible attitude to the security of any data we hold for customers and the privacy of that data.

We co-founded the Tech Accord, led by our president and chief legal officer Brad Smith, and effectively it is an accord that we are trying to get organisations to sign up to, that talks about the ethical and correct way to treat data and make sure that, as organisations … we are behaving in the right way when we collect people’s data and not just because a regulation tells us to.

I also think that a lot of the headlines we are seeing reflect that we are in that cultural change and people need to think about privacy. These are two different things, security and privacy. You can have security without privacy but you can’t have privacy without security. You have to think about securing the data but also ensure that I am protecting the privacy of anyone’s data I’ve collected.

There are a lot of headlines, but we are in a better, more mature place where, as an industry, we are thinking about how we use data in a responsible fashion. This is also something Microsoft wants to lead on when we get into AI and machine learning as well. Not just are you building good AI and ML controls and systems, but are you doing it in an ethical and responsible way; and making sure that, from the ground up, as we go to the next level of technology, we are building these with privacy in mind – not just can we but should we – and making sure there is an ethical framework that reflects that.

Technology has matured to a point that it is core to our life, and the fact is that we need to deal with it in a responsible fashion.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
