Chapter 4
Edna Conway: Protecting the Modern Workplace from Cyber Threats and Compliance Risks
Edna Conway, VP, chief security and risk officer for Azure, Microsoft
Source: Edna Conway
Edna Conway forecasts the future of business and creates clear strategies to deliver new and secure operating models for a digital economy. She is a sought-after industry influencer, bringing rich perspective forged from more than 30 years of broad and deep leadership success creating new organizations and delivering cybersecurity, compliance, and risk management across a $143 billion technology company. Conway is a builder of new capabilities that achieve lasting and pervasive operational improvement.
Alexander: You are Azure's VP, chief security and risk officer at Microsoft. What is your mission?
Edna: It is an interesting mission because it is a role that didn't previously exist. As a result, I had the great privilege to craft its scope and mission to deliver optimum impact. My team's focus is ensuring that Azure is the most trusted cloud platform on the planet. This mission drives every aspect of what we do.
The core of this mission is ensuring customer trust — trust in the Azure platform itself and trust in us as a partner in their success. Earning that trust requires two digital capabilities: security and resilience.
A comprehensive approach to security fully addresses these concerns:
- Physical security
- Logical and operational security
- Behavioral security
- Information security
- Intellectual property protection
- Privacy
An approach to risk management and resilience must focus on continuing operations in a world-class manner. For my mission that includes the following:
- Business continuity and disaster recovery
- Anti-bribery and anti-corruption protocols
- Human rights and labor rights
- Health and safety
- Environmental sustainability
- Trade and export controls
Alexander: How should business models evolve to survive and thrive in an increasingly digital world?
Edna: The global pandemic has accelerated the pace of the digital transformation journey that so many governments and enterprises were already on. In fact, that transformation became an immediate necessity. It also has uncovered the opportunity we have before us to rethink the efficiency and productivity of our business models.
As we evolve our business models to thrive in the increasingly digital economy, we must consider two fundamentals. First, understand what can and should be automated. Second, undertake a core versus context analysis. Digitize using internal core competencies with your own capabilities and talent. Leverage third-party services and solutions (for example, XaaS1) to optimize the implementation of your digital strategy and drive efficiency.
Working through these fundamentals will allow you to begin to free your internal talent to address strategy, transformation, and the roadmap for the next generation of your business. To thrive in the digital world, we must optimize to leverage human talent to meet the needs of customers. After all, digital capacity has a single purpose: to serve people, not the other way around.
Alexander: How can technology shift the roles and responsibilities of the workforce?
Edna: We need to remind ourselves that technology can often give us insight into performance, trends, and anomalies. That insight can empower us to make changes before the full negative impact of an anomaly takes place. Conversely, such insight can provide us with a view to a positive change that we may not have otherwise been able to appreciate without the “help” of technology.
Imagine, for example, a sensor on a manufacturing line that provides real-time feedback. A digitally connected sensor can offer data that can be analyzed in a cloud-based IoT service, affording the manufacturer an opportunity to take action to adjust anomalies or capitalize upon an otherwise undetectable process improvement. Absent that assist from technology, our operational effectiveness may not be as swiftly optimized.
This digital insight allows enterprises to achieve and maintain their critical commitment to customers — trust.
Alexander: Which technology or digital capabilities are essential for a digital strategy?
Edna: To answer that we must first appreciate that we have entered a platform economy. In fact, platforms are pervasive in industry and our personal lives, from connected factories leveraging a single platform for visibility to operations to our own individual use of on-demand personal transportation platforms.
Given that reality, we must apply a layered approach to our digital strategies. There are two technologies that form the foundational layer of any digital strategy: cloud and mobile. These two are must-haves.
Of course, no conversation about digital strategy would be complete without addressing the use of artificial intelligence and machine learning. These capabilities can only be deployed on a foundation of mobile data capture, data storage, and data sharing within a cloud platform.
As a start, I suggest applying your digital strategy to your data storage needs. Then you can move on to address the variety of compute capacity needs for your business.
Alexander: What ingredients are required to establish a digital culture?
Edna: As I list those ingredients, let me first note that I believe culture is about people, not technology, so my answers are offered with that perspective.
The first ingredient is fostering open minds that are comfortable with technology.
The second ingredient is appreciating the criticality of including those who may not be comfortable with technology. After all, if you have a group of citizens or a group of co-workers who are not digitally savvy, you are not optimizing the use of their skills and also risking reducing the resilience of your enterprise.
The third ingredient is relentless curiosity: continuously exploring how operations currently work, what can make them more efficient, and how value can be added. This rigorous approach will create a culture that builds digital thinking into strategy and operations.
Alexander: What approaches will managers need to take to advance an enterprise's digital culture?
Edna: Similar to what I shared about the ingredients for establishing a digital culture, managers must focus on people.
First, managers should ensure that those whom they have the privilege of leading have a strong digital foundation. That foundation must include methods to assess and further develop digital skills and techniques to evaluate where and how a digital solution could enhance the business.
Second, managers must embrace regular reevaluation of their operational plans. That reevaluation should include asking yourself and your team these questions:
- Is there already an existing tool that we could leverage to free time for critical thinking rather than task implementation?
- Does another team already have a digitized process that can be applied to this team's work and goals?
- Can we, and how would we automate operational tasks?
- What are the platforms and tools we are using or could use to collaborate digitally and serve as the repository(ies) of our work product?
Applying this approach to managing routine operations and new initiatives allows a manager to make digital thinking part of the team's DNA.
Alexander: What are the most important digital capabilities for protecting users' identities and data?
Edna: I would focus on the following four digital capabilities to protect identity and data:
- Role-based access control
- Digital identity management
- Encryption
- Network and function segmentation
And, as always, educate users on how to identify and evade efforts to gain credentials and information.
Alexander: A recent study found that unmanaged devices are 71 percent more likely to have malware.2 What's the most effective way to combat this?
Edna: Today's reality is that the workforces of both private enterprises and the public sector use their own devices. No one entity can manage all the devices in the modern economy. You can, however, manage the way those devices
- access your core infrastructure;
- access, duplicate, edit, or extract your information; or
- implement workflow tasks.
Deploying identity management (for example, multifactor authentication) and monitoring who is creating, accessing, changing, and operating from what device will serve you well.
Alexander: Threats are changing. How do we have to adapt?
Edna: There are three key points that we need to consider when we want to adapt to new threats:
- Slow down: You are at risk of making a mistake when you are in a rush.
- Be vigilant: Stay aware of the changing threat landscape and attack vectors and leverage a revisit of your security practices as you learn.
- Conduct pre-deployment testing: Running in sandboxes prior to full operational deployment supports a diligence process based on staged implementation. Only when verification is achieved should a full deployment proceed.
Alexander: What will happen to companies that don't level up in digital maturity and organizational readiness?
Edna: They won't be in business. Leveling up in digital maturity and organizational readiness is not optional — it is an intrinsic necessity in today's digital age.
Alexander: Do you see a chance in low-code environments for employees to design business processes without software development skills?
Edna: I think that employees can design business processes at any point in time without software development skills. However, processes need to be implemented. Doing so in a digital age may not require software development skills if the implementation plan was designed with developers at the table who could ensure that process users can implement digitally. At some point someone who knows how to code needs to have been part of the team — period!
Alexander: Ten years from now, how do you think our workplace will look?
Edna: People will be wherever they want to be. Ten years from now, there will still be meetings at headquarters because people are creatures who require being with one another and developing rapport. We will never stop shaking hands, hugging, and understanding the feedback we get from being physically with one another.
I also believe that efficiencies will be added by the use of digitally controlled machinery and vehicles. These are adding more to our human capabilities every day.
Alexander: Thank you, Edna. What quick-win advice would you give that is easy for many companies to apply within their digital strategies?
Edna:
- Deploy a flexible enterprise resource planning (ERP) system.
- Lock down identity management deployed in conjunction with a role-based access plan.
- As for your data: segment, segment, and segment.
Alexander: Do you have a smart productivity hack or work-related shortcut?
Edna: Pick up the phone and talk to someone.
Alexander: What is the best advice you have ever received?
Edna: The best advice I ever received was from my mother: never judge a book by its cover. This advice is even more relevant in today's digital world.
Key Takeaways
- Going digital demands that you assess what should be automated, not just what can be automated.
- To build and retain trust, focus on two key digital capabilities: security and resilience.
- In 10 years, people will be wherever they want to be, but we will never stop shaking hands, hugging, and seeking the feedback we can only gain from being physically together.
Endnotes
- 1 XaaS (X as a Service) refers to something being presented to a customer as a service, typically in the context of cloud computing. XaaS provides endpoints for customers that are usually API driven but can also be controlled via a web browser or within applications. Typical examples are software as a service (SaaS) such as Office 365, infrastructure as a service (IaaS) such as Hyper-V, and platform as a service (PaaS) such as Azure.
- 2 “2020 Global IoT/ICS Risk Report,” CyberX, https://cyberx-labs.com/resources/risk-report-2020.