Microsoft CISO Agenda: More than Consumerization of IT

Bret Arsenault
This is a guest post by Bret Arsenault, chief information security officer, Microsoft IT.
Over the past 90 days, I’ve met with fellow chief information security officers (CISOs) and IT executives from various industries and customer organizations across the U.S. and Asia. These meetings gave me the opportunity to share what I call my CISO agenda – basically, the priorities and details of where we’re concentrating our efforts in the Information Security & Risk Management organization at Microsoft IT.
Often our discussions would start with a question like, “as Microsoft’s CISO, what are you doing about these technology priorities?” followed by, “what are you doing about bring-your-own-device and Consumerization of IT?” At Microsoft IT, in addition to having the CISO role for the organization, I am also the executive sponsor for Consumerization of IT and set the overall strategy and direction for consumerization.
To provide you with some context of our IT environment, below are some data points that speak to the diversity and state of the Microsoft environment:
  • 1.2 million devices access our corporate network, including thousands of non-Windows devices;
  • 5 million Lync calls per month;
  • 200,000 Sharepoint sites;
  • 90,000 mobile devices synchronized to corporate email;
  • 60,000 employees using our Yammer network;
  • 50,000 mailboxes running on Office365.
With this environment as a backdrop, let me share my CISO agenda, and then provide you with some thoughts on how we’re approaching Consumerization of IT for Microsoft employees.
CISO Agenda
There are four elements to my CISO agenda, and they reflect a balance and maturation of the role that I believe is required in the industry. First, there’s the well-established and more traditional domains of Risk Management and Technical Architecture, followed by the less-established domains of Business Enablement and Operational Excellence. I’ll explain each domain by giving examples of our work.
  • Risk management includes IP protection, preventing insider threats, creating solutions for data leakage and portability, and Consumerization of IT.
  • Technical architecture incorporates cloud computing, data loss prevention, disaster recovery and emerging technologies.
We do well in these two domains, which are table stakes for today’s CISO. But we need to master the following domains to advance the role within the industry. The reality is we’re in a business environment where businesses need to be agile and quickly respond to changes and opportunities arising from new technologies. Adding to this, the pace of change is accelerating and what we’re now seeing is that businesses are accepting more risks from technology usage to address the business risks they face due to the lack of ability to embrace or take advantage of change.
To strengthen our ability to respond and react quickly, and therefore support IT to be agile, we are focused on the following two domains:
  • Business enablement includes a focus on new revenue streams, building business resiliency plans, and support for rapidly changing business models, which will require improved business intelligence.
  • Operational excellence focuses on vendor management, asset and configuration management, business reporting and metrics, company awareness and training, and reviews of application, infrastructure and code.
There’s interplay between these domains on purpose to help reinforce balance and continuity for the teams executing on the agenda.
Consumerization of IT
You’ll see my team’s approach to Consumerization of IT hasn’t changed since last year’s blog post. Over the past year, we’ve increased the focus on the four primary categories of consumer technology we actively manage. They are:
  • Social computing and social media
  • Consumer services and applications
  • Consumer identity providers
  • Personal devices
We’ve found Microsoft’s diverse user base – with its multiple operating systems, devices, generations and different levels of tech savvy – demand solutions across these four categories. Look no further than the high adoption rate and use of our Yammer network by Microsoft employees [see this blog]. I also expect within two years that 66% of the devices accessing our corporate network will be personally-owned devices. My expectation is partially informed by this Sept 2012 announcement at our Company Meeting, and by an IDC study showing nearly 48% of devices used to access business apps today are personally owned.
User Education and Awareness:
The pace of user demands within these four categories of consumer technology means we need to be increasingly dynamic in our solutions – so we’ll continue to develop and mature them along with a user education/ lifecycle concept I’ve incorporated into my agenda.
I’ve increased my budget in the area of user education and awareness. Why? I’d say there are two reasons. First, industry studies show 40% of data breach cases are the result of preventable people mistakes. Second, as the perimeter between public and private networks dissolves, and we balance user enablement with IT controls, I see more responsibility is shifting to the end user. This means Microsoft employees and users on our network need to understand how to handle, protect and access our data.
We sponsor a number of internal campaigns to help Microsoft employees understand how to handle data. For example, a recent campaign highlighted the use of SkyDrive Pro versus SkyDrive. We teach employees to store corporate data on the former, and personal data on the latter.
This education and awareness program is just one part of a lifecycle approach to enabling users while protecting data within Microsoft (see diagram). The three other elements that form a closed-loop cycle are: policy and guidelines; configurable controls; and measurement and reporting. The complexity is that each are four discrete functions that haven’t been historically tied together. Here’s an illustration of this model:
diagram_enabling
Most important, the cycle empowers the end user while establishing a configurable corporate-controlled environment in the back end. This ties together a company’s need to help users be more accountable and responsible with the ability to measure and report cooperation with policies.
This lifecycle must be built into products and daily activities, as we’re currently doing with Exchange in Outlook. Exchange Mail Tips give users real-time feedback and suggestions to prompt them to follow good security practices. The new features allow an administrator to configure email rules. These can range from report-only monitoring all the way up to e-mail blocking. As we continue to move toward this model, I’ll be back to share more.