We are proud to welcome Mike Howard, former Chief Security Officer of Microsoft Corporation, to our Security Advisory Council. His experience and trail-blazing accomplishments in security will be a great asset to our company.
During Mike’s career he brought Microsoft to new heights of security, earned his place in their C-suite. He’s been a tireless advocate and inspiration for elevating the role of CSO in all companies. We recently talked to Mike to find out how he accomplished that and what he sees in the future for the CSO role. You can read Incident Response 3.0, A Model for Optimal Incident Preparedness in the Digital Age, for the latest industry-leading insights shaped by the Security Advisory Council.
GDL: You’ve been called a “trailblazer” CSO because you have been a long-time advocate of getting the security function into the C-suite. And you were very successful achieving that status at Microsoft. How do you advise a CSO to sell this idea to a C-suite that may not be listening?
Mike Howard (MH): Unfortunately, that ‘not listening’ you referred to tends to be the case a lot of the time.
I think the first thing is that CSOs have to learn to change their mindsets. We used to say within my group, “We’re business people first, but our business happens to be security.” The idea is that you have to show that you enable business success in order to get C-suite buy-in and gain your seat at their table.
Each industry is of course different, but for my industry we were able to position our operation as a way to directly help the company make money. What we did was approach our sales and marketing team over 10 years ago and said, “We’ve got three state-of-the-art security operation centers that have the best Microsoft technologies along with true redundancies of operations. If one of them goes down, we have continuity of operations. We know that you bring Enterprise clients to Microsoft and want to sell them enterprise software, or you want them to re-sign up after their contract expires. Let us in security meet with them; we’re part of the business.” So, we bring those customers to our operations centers, do a dog and pony show demonstrating how well the Microsoft-enabled security system functions.
Then, if we helped our marketing and sales team seal the deal, we arranged it so they would give us some credit. That way, we in security became instrumental in bringing in customers. In fact, that program was so successful we spun off that function into its own vertical. We were eventually credited with bringing in millions of dollars in revenue. Security, a former “cost center,” was now seen as improving the bottom line.
But that’s just our example. CSOs everywhere should take a look at their particular enterprise and figure out how to show the business that it can help bring in revenue.
GDL: Sounds like you had to understand the business’s overall mission in addition to its security aspects.
MH: That’s right. We had to understand the strategy of the business.
One thing that I would advise any CSO to do who’s interested in being part of the C-suite, at least those who are in a publicly traded corporation, is to take a long, hard look at your company’s 10-K.
Years ago, when you asked security pros, “Have you ever read the 10-K?” The security guys and gals would ask, “What’s a 10-K?” And we would explain that it’s a document that has to be filed with the SEC that outlines the company’s strategy, what the company is all about, etc. And there are also sections in there on risks to the company, whether it’s IT risks, risks of competition, etc., and there are also sections on physical security, cyber security, business continuity, and so on. The idea is that CSOs should ask themselves, what part of your security operations can you tie into the 10-K?
My point is that we were aligning security with the business strategy, and that’s the mindset I would advocate for every CSO to have. To put it succinctly, security professionals are business professionals first and foremost, and that business has to be secured.
GDL: It seems like that model you’re presenting could even apply to other kinds of department heads who might feel left out of the C-suite loop because they’re construed as cost centers not driving sales.
MH: That’s 100 percent right. Anybody who’s in a cost center, HR, legal, finance, or what have you, and the company is looking to make cuts, say, to improve their quarterly earnings, you’ll want to show how your operation helps the bottom line. If you can do that, you’ll have a stronger argument for not being cut.
You’re not always going to find a receptive audience. There are bean-counter types out there who are only concerned about counting beans and are not looking strategically at what you as a cost center have to offer.
So, this can get tricky. In corporate security, we have the responsibility for duty of care. If people are travelling overseas and we don’t have a travel program, or if we know there’s a gap, say, in camera coverage, then we have the obligation to point that out and ask for the appropriate funding to get those gaps rectified. You may not be comfortable increasing overhead in a cost-cutting atmosphere, but everyone has to consider the liabilities. If something bad were to happen, and we knew we had a security gap and did nothing about it because it cost more, that wouldn’t be helpful to our cause.
GDL: Can you talk about the current and future states of the physical security industry? What trends are you seeing?
MH: Let me provide some context. Back when 9/11 happened, physical security became the focus. Everyone was worried about another terrorist attack, attacks on their facilities and personnel. So, there was a lot of funding and emphasis on the physical security. Obviously today we’re in a new world where cyber is the big concern. Today there’s more emphasis and funding for the CISOs than there is for the physical security officers.
GDL: But are those two functions being integrated appropriately?
MH: I don’t necessarily see the kind of integration there should be. Ten years ago, there was a movement to have this uber-CSO. And the uber-CSO would manage both the cyber and the physical side. But in most enterprises today you see a physical security group and a separate IT security group. And most of them don’t integrate well.
They’ve got to be able to talk to each other when bad things happen, when the balloon goes up, so to speak, and they have to come together. But we’re seeing a gap in, what should be, holistic security for the enterprise.
I think that a lot of the physical security leaders are struggling with the fact that they don’t see as much funding coming their way as they did in the past. So, they’re struggling with how to bridge the gap.
When I advocate for integrating these two functions, I like to use the word governance. There's got to be models of governance within the enterprise in which the various verticals, cyber, physical security, IT, business continuity, risk, etc. form a coalition where they’re not following each other but are sharing information with each other and are finding out if there are gaps. You’ll also see if you’re perhaps both working on the same issues when you shouldn’t be. This form of coalition governance to me is the best formula for moving the physical security world forward to integrate better with the cyber world along with other enterprise functions.
Part of the problem could be human relations issues too -- when the two players just don't like each other or don't want to work with each other. The two sides may not be interested in what the other is doing. But you’ll find that there is a hunger for physical security professionals to learn more and more about the cyber security realm. Yet they still wrestle with questions about how best to integrate.
Years ago, at Microsoft, we got together and started a governance structure that enabled each group to be transparent about its strategy and gaps we might have in our own program, and we tried to see where we could help each other out.
Most important, if you’re talking any aspect of security to the C-suite you have to do it with one voice.
GDL: Sounds like way too many companies are not even close to the ideal. Is that the case?
MH: Yes, but I think it will change. We're seeing a demographic shift now. You’re going to see people who are CSOs who come from business backgrounds. They understand P&L and can run a business unit. And when you start getting more and more of these folks that are younger with a lot of finance savvy and business savvy, you’re going to see less and less siloes. It’s not going to be about only physical and cyber, it’s just going to be about enterprise risk.
So, I do see progress on the horizon as you get new people in there, new thinking, really true business people. That doesn’t mean that people with my background can’t adapt to that, they just have to have the right mindset and are willing to do it. In a lot of cases they haven’t been able to do that or have been unwilling to do that, and that’s also the case on the cyber side. So, I think there are opportunities for improvement on both sides. I actually hate to say “sides,” because it’s all one security and needs to be approached that way.
GDL: You’re speaking a lot about the human relations component. But what about the technology side itself? What are some of the ways that the technology you use to fulfill a mission in physical security joins, or maybe doesn’t join, with the tools that the cybersecurity people are using? After all, cyberattacks often can cause great physical damage.
MH: People often think of cyberattacks as only being attacks from afar, from a foreign country say. But they also could be the result of someone physically plugging in a malevolent USB into a system, which crosses over into physical security.
As an example, we have operation centers with card access systems that record when and where people badge in. So, if someone’s supposed to be in Washington but they badge into UK, that’s not something that the cyber folks would probably have a handle on. But they may need to know about it because whoever is badging into UK could be involved in a cyberattack. So, it’s important to bridge that gap by being able to leverage the physical security technology so it can be put into an integrated data link to cyber security, providing end-to-end capability.
In addition to the technology piece, there’s also the fact that when it’s ransomware or other kind of cyberattack, the people on the physical security side often have very good expertise in investigating. The cyber side generally will not have that investigative expertise. Nor in many cases do they have a global footprint the way a lot of physical security groups have. So, we can help the cyber side because we have boots on the ground in different places and relations with local governments, local security services, along with our investigative expertise. We can help the cyber side not only with the technology pieces that we can leverage, but also with our investigative capabilities.
GDL: How do you evaluate technology?
MH: Evaluating technology is a big task, because you have to have the strategy before you have the technology. Today people go to trade shows, and they look at these widgets, as I call them, bright shiny objects. But they haven’t thought to ask what are the strategic imperatives for that piece of technology? Is your company going to expand globally? Do you expect more of your people to be travelling internationally? Are there terrorist threats in a particular country? Natural disaster concerns?
Whatever the situation, you need to do a risk analysis and then determine where you are going strategically. What technology do you need to map to your company’s business strategy? Where do you need to be three-to-five years down the road while making sure you’re staying cutting edge as well as looking at the longer-term future? Only after answering these kinds of questions can you start making some reasoned decisions on what kind of technology you need to employ to get you strategically to where you need to be.
But that’s hard work. Some people say first, for example, I need more cameras. But that’s wrong. You’ll end up with something that’s not integrated, something that’s not scalable. You’ll have technologies that don’t talk to each other. And you’ll have to eventually tear that whole thing apart and start all over again. I repeat: strategy first; then the technology.
GDL: How does an organization build a pervasive culture of security awareness that goes down to individual employees and contract workers?
MH: We call that culture a force multiplier. You can have cameras, guard force personnel and so on, but still your best asset are the employees and their security awareness. So how do you create that culture?
In security, we developed a communications group. We had an issue with so-called tailgating, when one person, say, badges into an area, and 10-15 people go right in behind that person without swiping. But we’ve seen a shift now where people are badging in even when the doors are already open. How did we get there? We kept hammering over years – one person; one badge; one entrance.
We would put out communications on the Internet; we had signage on elevators, on doors. And we would reward people for good behaviors. We came up with the idea of giving Starbucks cards as rewards if we saw someone swipe and the person after them swipes again, and we’d thank them for doing security right.
We’re also affected by unfortunate incidents like school shootings that made people understand the importance of security. But at the same time, in the tech industry, we’re not like a military contractor with lots of armed security, very locked down. We don’t want an oppressive atmosphere. We want our people to be comfortable in an atmosphere where they can be creative and innovative, so, again, we have to be sensitive to the strategic, business needs of the company, while being secure.
So, the idea is to say that, in order to keep everyone safe, your employees need to be the first line of defense. And over time, it was amazing to watch how people would badge into a room, one after the other, even when the doors were open – a radical shift.
What you have to do is pick your targets, get a good communications group and do the traditional things like signage, but also use social media. We had multiple communications from me where we would talk about all the different things global security was doing, managing things like kidnappings or terrorism events, because a lot of employees may only see a small slice of what we do. They don’t realize that physical security is doing much more all over the world. So, over a period of time they came to understand that they can be, and should be, part of the front line of defense. But it takes a good communications strategy, a good communications group, with people who understand how to use social media to get the word out. It takes time as well. But you have to keep hammering them over and over. They may get sick of hearing it, but they’ll never forget.
GDL: Did you bring in a separate communications group or people from Corporate Communications to help you in that campaign?
MH: We did it within our security group but, relating to my earlier point about integrated governance, we were tied in with corporate communications with an umbilical cord. If we were messaging out to the Microsoft population, we would vet that messaging with corporate communications first so that they made sure we were jiving with their strategies, including the required tone and the tenor. We were all in sync.
The other piece of that is we would also need to work closely with corporate communications when doing crisis management. By working with them on the communications campaign to improve security awareness among employees, we were able to establish relationships vital to crisis management where communications play such an important role. So, when an incident actually happens, we already know each other and each other’s concerns and can work in lockstep.
Like every other company, we had to prepare for an active shooter situation. It’s a difficult thing to talk about with employees to be sure. We worked closely with PR folks in corporate communication, and we came up with this holistic strategy for how we could present this vital material to the Microsoft population without being alarmist; how we could direct them to our security intranet sites for information on what to do if an active shooter incident were to occur. We did that a few years ago, and it met with very good response, the result of a real partnership between security and corporate communications.
GDL: Well Mike I want to thank you for your time and for your interview. Congratulations on your retirement from Microsoft, and welcome to the Groupdolists Security Advisory Council.
MH: Thank you, and I look forward to being able to contribute to Groupdolists.