“The future is a boardroom with more security-aware business decisionmakers”

This series aims to demystify careers, challenge stereotypes, and inspire connections. Today we talk with Diana Kelley, Cybersecurity Field CTO at Microsoft.

Stephanie Lio
Apr 25, 2019 · 7 min read
Being a radio DJ taught Diana Kelley about being comfortable with public speaking. (Source: Getty Images)

Diana Kelley wears a lots of hats. As Microsoft’s Cybersecurity Field CTO, Diana brings over twenty-five years of cyber-risk and security experience to provide advice and guidance to CSOs, CIOs and CISOs at some of the world’s largest companies. In addition to her work at Microsoft, she serves on the ACM Ethics & Plagiarism Committee, is an Industry Mentor at CyberSecurity Factory, and guest lectures at Boston College’s Master of Science in Cybersecurity program. Diana is also the CTO and a Director of the non-profit Sightline Security, a member of the RSA US Program Committee for 2018–2020, an IEEE “Rock Star of Risk” in 2016, a frequent keynote speaker at major conferences, and is co-author of the book Cryptographic Libraries for Developers.

Diana Kelley wears many hats, including being the Cybersecurity Field CTO at Microsoft. (Source: Microsoft)

Diana, how would you summarize what you do?

I bring a 360 degree view of cybersecurity to help Microsoft’s customers secure their data and businesses. With almost thirty years of experience in the industry, I’ve seen and done a lot; from managing and building systems, to creating secure architectures for customers at systems integrators, to being a research analyst, to working with product vendors, and more. When I started I was just helping tech businesses, but now everyone is online and people need to know how to be safe digital citizens. As a tech leader and public speaker, I focus on how the cyber world is changing and how we can be ready for that transformation.

If someone wanted to have your job one day, what qualities would they need to be successful?

1. Be comfortable with public speaking. One thing that helped me become comfortable with public speaking was being a radio DJ. It was a dream of mine come true when I got to be a DJ for WZBC 90.3 FM in Boston, I did the modern rock show on Thursday afternoons.

This is ZeeBee, WZBC’s resident cat that Diana eventually took home. (Source: Diana Kelley)

After my very first monologue, one of the station guys comes into the sound booth to tell me that it sucked because he could tell I was nervous.

That might be considered bad advice, according to media trainers, but it actually helped me! I also remember being nervous about my first keynote. And my first Microsoft talk was also scary, but nerves are often a sign of taking things seriously and I always want to do the best for the audience.

“If you’re not nervous, it might suck, but it also might be good.” (Source: Giphy)

2. Be adaptable in different environments and with diverse audiences. This year, so far, I’ve traveled to Israel, Taiwan, RSA in San Francisco, and Saudi Arabia, and have spoken to top CIOs and CISOs in manufacturing, financial services, retail, and more. I am constantly moving between very different environments and have to adapt to my audience, wherever I am.

3. Be willing to learn, constantly. You can’t be in cybersecurity and not want to keep learning. We talk about how attackers are always changing their strategies, and that is an important reason to keep learning and growing, but the technology itself is always advancing too.

Knowing how to write a firewall or SIEM (security information and event management) rule is important, but what really matters is understanding the intent of the rule. Product rules are written a certain way, not because it is a law of physics, but because a person wrote it that way with a certain perspective and logic.

What are you excited be learning right now?

I am continuously educating myself about machine learning and artificial intelligence, because they are critical to the future of cybersecurity and our digital lives. You can never stop reading and learning!

Identity is becoming the new control plane. (Source: Microsoft)

What seismic shifts and trends are on your mind lately?

The biggest change is not new, but a reality we’re living out every day: it’s the move toward the cloud. The cloud allows us to orbit around our data. Wherever we are, whatever device we’re on, we can have the same experience. There was a time when we were really tethered to specific devices. Now, the experience of moving between devices and platforms is mobile and seamless.

Another trend is Internet of Things (IoT). Years ago, the Weekly World News published a joke piece on the cover about a computer getting a virus from a toaster. I remember laughing at the idea at the time, but it is now a real possibility! IoT is drawing everyone into the digital world. Consumers and companies have to carefully consider what devices they use and how they are secured.

How can security professionals better partner with their business counterparts to enable innovation, in a secure way?

We have to remember that business managers are focused on how to balance risk in making decisions. The more security professionals can see their job not as achieving absolute security but as business partners who help educate the business on cyber risks, the better conversations we have.

Don’t just say no, explain how security risks impact the business. (Source: Giphy)

In a board setting, translating security in this way helps decisionmakers to see cybersecurity as part of the business risks they have to manage for the company. If decisionmakers know the risks and make the decision to proceed anyway, that’s up to them. Others may want to limit their risk as a result.

Making a collective decision evolves the ownership of security from being just the CISO’s job to being everyone’s responsibility. It’s like being a doctor — if a lung patient wanted to smoke and the doctor just says, “you can’t do that”, they are automatically at odds. In contrast, showing the patient the health impact through visuals or studies helps the patient come to their own decision. In security we have to accept that we cannot control everything — but we can help educate those around us be more security-minded and make better decisions.

That does not mean filling the C-Suite with only IT people, but making sure those with MBAs and expertise in marketing, finance, and operations also have an understanding of how cybersecurity affects the business.

“I always want to give audiences my very best.” (Source: NBC News)

Your role requires significant travel. What travel tips or rules do you follow to make life easier for yourself?

First, travel as light as possible. If you travel as often as I do, you’ll have to switch planes, chase flights, and potentially miss connections — you cannot check a bag in that mess. A smart partner at KPMG once told me that shirts and underwear don’t take up a lot of space. If you can get away with the same jacket, go ahead and maximize that core outfit. Don’t pack multiple shoes. I have special running shoes that pack flat, so they take up no room in my case.

Once I’m on the flight, I typically read and watch television. My advice is to feel very comfortable doing your nonsense reading on the plane; this is your time and it’s okay to relax. My other tip is to bring a backup battery, in case you can’t charge your devices on the plane.

Going back to your DJ roots, if you had your own podcast or radio show, what would you cover?

I currently produce My Cyber Why on Medium, because I’m fascinated by people in this industry and the passion that motivates them.

If I were to do a show about non-cybersecurity topics, I’d probably do one about my dogs. What are they thinking about all the time? Look at those faces!

Diana’s dream podcast may be about her dogs. (Source: Diana Kelley)
She loves her doggos. (Source: Diana Kelley)

Lastly, please settle a debate: Is a pop tart a ravioli?

Pastry ain’t pasta! So, no.

For more of Diana Kelley’s insights, follow her on LinkedIn, Twitter, and her writings on the Microsoft blog and on Medium. She is a contributor to the Microsoft Security Intelligence Report (now available in its 24th edition as both a downloadable report and interactive site).

Microsoft Cybersecurity

Stories from the frontlines of security, compliance, and digital transformation

Stephanie Lio

Written by

Product Marketing Manager at Microsoft. Creative, curious, & customer obsessed.

Microsoft Cybersecurity

Stories from the frontlines of security, compliance, and digital transformation

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade