“I’m essentially a cloud therapist.”

This series aims to demystify careers, challenge stereotypes, and inspire connections. Today we talk with Sarah Young, an Azure Cloud Security and Compliance Specialist at Microsoft.

Stephanie Lio
Microsoft Cybersecurity
Apr 9, 2019


Sarah Young is an IT security and technology expert based in Melbourne. With a background in network and infrastructure engineering, she combines deep technical knowledge with her operational IT experience to help Microsoft’s customers pragmatically balance security with business needs. In addition to her work as an Azure Cloud Security and Compliance Specialist, Sarah frequently presents on a range of topics at industry events across the world. She is also a co-organizer of Melbourne’s All Sec security meetup. Sarah was recently hosted on the InfoSec Life podcast (also on SoundCloud and iTunes).

Sarah Young (Source: DevOps Talks Auckland)

Sarah, what do you do?

I am the go-to person in the Asia region for helping people understand security for Microsoft Azure. Most of the time that means I’m explaining either Microsoft’s approach to security or educating on cloud security.

For a techie, I spend a LOT of time talking about people’s feelings. I’m essentially a cloud therapist.

Explaining the technology is relatively simple. If someone asks, “Is your firewall good enough,” I can explain that easily. But getting past prejudices and fears about the cloud requires me to speak to someone’s psychology. Many of us in security have a hard time relinquishing control, and yet the cloud forces people to really trust their cloud provider.

Are there myths about the cloud that can make your conversations about digital transformation difficult?

It’s not a myth so much as a misunderstanding or lack of understanding about shared responsibility in the cloud. This manifests in two extremes: some CISOs might fundamentally reject the idea of the cloud because they don’t trust it or the cloud provider, while others believe that moving to the cloud means they’re absolved of any responsibility and that they don’t need to worry about security of their own applications. The former requires a lot of help with adoption, but the latter is also dangerous. [Read more on the 5 common myths about the cloud & adoption challenges]

The idea that the cloud is magic is possibly more dangerous to the customer.

Recently, I was approached by a student at Microsoft Ignite in Sydney who claimed that he had found a “security vulnerability” in Azure. He showed me how he was able to upload a shell to his own application hosted on Azure. This is a common but fundamental misunderstanding of who takes responsibility for which part of the cloud: I spent time explaining that the security vulnerability was at the app level — i.e. his responsibility. The layers Microsoft is responsible for are more secure, but putting a bad application with a lot of vulnerabilities in Azure does not automatically make the application less bad!

What drew you to cloud security?

We often discuss the security skills shortage and need for diverse talent, and there is specifically a cloud security skills shortage as well. There are corporate boards and C-level executives who feel the pressure to drive down costs and be agile by moving to the cloud, but many organizations do not have the resources to support the transformation.

About two or three years ago, I worked for a business that was adopting the cloud, and that experience gave me a great amount of empathy for my customers. They are told by their leaders to migrate to the cloud while still having to maintain longstanding internal security standards — we have to remain empathetic to CISOs and security professionals in those situations.

Sometimes, they need their own lightbulb moment. I facilitated a workshop recently where I asked the participants to think like a hacker. If you were a hacker, what operating system would you choose to attack? Probably Windows, because of its user base, right? That means Microsoft has been defending Windows for decades, and has incredible security and threat intelligence as a result. We’ve been doing incident response for customers since 1999!

When people reflect on those facts, they find it obvious that Microsoft is a security company they can trust.

We need more empathy in the security industry. (Source: Getty Images)

What are three qualities someone would need to succeed in your role?

  1. Enthusiasm. I am a techie and will always tell it like it is. When I believe in something, I promote it enthusiastically.
  2. Learning Mindset. You have to stay up to date with what’s happening in the industry and be excited to drive your own learning.
  3. Empathy. Many of us in the security field like to talk in black and white terms, but in reality transformation is challenging and there are people with a variety of motivations, backgrounds, and experiences that are all on the journey together.

Sarah, you travel a lot. How do you stay calm on the road?

I may not be the best person to ask! While I was in Nepal on holiday, a bat got into my room while I was asleep. When I turned on the light, the bat flew at my face and long story short, I’ve had to get multiple rabies shots for the past few weeks.

When I travel, I try to choose airlines known for good service and reliability. I actually try to not work when I’m on the plane. In this region, fewer airlines offer WiFi, and I enjoy the opportunity to have some quiet time and binge watch programs on Netflix. Lately I’ve been obsessed with a show called “Border Security” — I’ve seen the New Zealand version, the American version, and the Australian version!

Who doesn’t binge watch? (Source: Giphy)

Is a hotdog a sandwich?

No. It’s just a hotdog. A sandwich needs to have two distinct bits of bread. So a sausage between two slices of bread would be odd, but I would call that a sandwich and not a hotdog.

For more, follow Sarah Young on Twitter and LinkedIn, or join All Sec Melbourne to meet like-minded people in the InfoSec community. Listen to her recent guest feature on the InfoSec Life podcast (also on SoundCloud and iTunes).

Stephanie Lio
Microsoft Cybersecurity

Product Marketing Manager at Microsoft. Creative, curious, & customer obsessed.