“The future is a boardroom with more security-aware business decisionmakers”
This series aims to demystify careers, challenge stereotypes, and inspire connections. Today we talk with Diana Kelley, Cybersecurity Field CTO at Microsoft.
Diana Kelley wears a lot of hats. As Microsoft’s Cybersecurity Field CTO, Diana brings over twenty-five years of cyber-risk and security experience to provide advice and guidance to CSOs, CIOs and CISOs at some of the world’s largest companies. In addition to her work at Microsoft, she serves on the ACM Ethics & Plagiarism Committee, is an Industry Mentor at CyberSecurity Factory, and guest lectures at Boston College’s Master of Science in Cybersecurity program. Diana is also the CTO and a Director of the non-profit Sightline Security, a member of the RSA US Program Committee for 2018–2020, an IEEE “Rock Star of Risk” in 2016, a frequent keynote speaker at major conferences, and co-author of the book Cryptographic Libraries for Developers.
Diana, how would you summarize what you do?
I bring a 360 degree view of cybersecurity to help Microsoft’s customers secure their data and businesses. With almost thirty years of experience in the industry, I’ve seen and done a lot: from managing and building systems, to creating secure architectures for customers at systems integrators, to being a research analyst, to working with product vendors, and more. When I started I was just helping tech businesses, but now everyone is online and people need to know how to be safe digital citizens. As a tech leader and public speaker, I focus on how the cyber world is changing and how we can be ready for that transformation.
If someone wanted to have your job one day, what qualities would they need to be successful?
1. Be comfortable with public speaking. One thing that helped me become comfortable with public speaking was being a radio DJ. It was a dream of mine come true when I got to be a DJ for WZBC 90.3 FM in Boston; I did the modern rock show on Thursday afternoons.
After my very first monologue, one of the station guys comes into the sound booth to tell me that it sucked because he could tell I was nervous.
He told me, “If you do your next monologue and you’re nervous, it will suck. If you’re not nervous, it might suck, but it also might be good.”
That might be considered bad advice, according to media trainers, but it actually helped me! I also remember being nervous about my first keynote. And my first Microsoft talk was also scary, but nerves are often a sign of taking things seriously and I always want to do the best for the audience.
2. Be adaptable in different environments and with diverse audiences. This year, so far, I’ve traveled to Israel, Taiwan, RSA in San Francisco, and Saudi Arabia, and have spoken to top CIOs and CISOs in manufacturing, financial services, retail, and more. I am constantly moving between very different environments and have to adapt to my audience, wherever I am.
3. Be willing to learn, constantly. You can’t be in cybersecurity and not want to keep learning. We talk about how attackers are always changing their strategies, and that is an important reason to keep learning and growing, but the technology itself is always advancing too.
We must emphasize the mindset of learning more than anything else in this industry.
Knowing how to write a firewall or SIEM (security information and event management) rule is important, but what really matters is understanding the intent of the rule. Product rules are written a certain way, not because that is a law of physics, but because a person wrote them that way with a certain perspective and logic.
What are you excited to be learning right now?
I am continuously educating myself about machine learning and artificial intelligence, because they are critical to the future of cybersecurity and our digital lives. You can never stop reading and learning!
What seismic shifts and trends are on your mind lately?
The biggest change is not new, but a reality we’re living out every day: it’s the move toward the cloud. The cloud allows us to orbit around our data. Wherever we are, whatever device we’re on, we can have the same experience. There was a time when we were really tethered to specific devices. Now, the experience of moving between devices and platforms is mobile and seamless.
We have great capacity to access all the data wherever and whenever we want, in our work and personal lives, but this transformation also means that platform providers have to make sure there’s security built into the experience. We need to innovate on identity-centric protection, as identity becomes the new control plane.
Another trend is Internet of Things (IoT). Years ago, the Weekly World News published a joke piece on the cover about a computer getting a virus from a toaster. I remember laughing at the idea at the time, but it is now a real possibility! IoT is drawing everyone into the digital world. Consumers and companies have to carefully consider what devices they use and how they are secured.
How can security professionals better partner with their business counterparts to enable innovation, in a secure way?
We have to remember that business managers are focused on how to balance risk in making decisions. The more security professionals can see their job not as achieving absolute security but as business partners who help educate the business on cyber risks, the better conversations we have.
Instead of just saying “no, we can’t do it”, explain “we could lose business and here’s why.”
In a board setting, translating security in this way helps decisionmakers to see cybersecurity as part of the business risks they have to manage for the company. If decisionmakers know the risks and make the decision to proceed anyway, that’s up to them. Others may want to limit their risk as a result.
Making a collective decision evolves the ownership of security from being just the CISO’s job to being everyone’s responsibility. It’s like being a doctor — if a lung patient wanted to smoke and the doctor just says, “you can’t do that”, they are automatically at odds. In contrast, showing the patient the health impact through visuals or studies helps the patient come to their own decision. In security we have to accept that we cannot control everything — but we can help educate those around us to be more security-minded and make better decisions.
The future is a boardroom with more security-aware business decisionmakers.
That does not mean filling the C-Suite with only IT people, but making sure those with MBAs and expertise in marketing, finance, and operations also have an understanding of how cybersecurity affects the business.
Your role requires significant travel. What travel tips or rules do you follow to make life easier for yourself?
First, travel as light as possible. If you travel as often as I do, you’ll have to switch planes, chase flights, and potentially miss connections — you cannot check a bag in that mess. A smart partner at KPMG once told me that shirts and underwear don’t take up a lot of space. If you can get away with the same jacket, go ahead and maximize that core outfit. Don’t pack multiple shoes. I have special running shoes that pack flat, so they take up no room in my case.
Once I’m on the flight, I typically read and watch television. My advice is to feel very comfortable doing your nonsense reading on the plane; this is your time and it’s okay to relax. My other tip is to bring a backup battery, in case you can’t charge your devices on the plane.
Going back to your DJ roots, if you had your own podcast or radio show, what would you cover?
I currently produce My Cyber Why on Medium, because I’m fascinated by people in this industry and the passion that motivates them.
If I were to do a show about non-cybersecurity topics, I’d probably do one about my dogs. What are they thinking about all the time? Look at those faces!
Lastly, please settle a debate: Is a pop tart a ravioli?
Pastry ain’t pasta! So, no.