
CISO Conversations: Are Microsoft’s Deputy CISOs a Signpost to the Future?

SecurityWeek talks to Microsoft Deputy CISOs Ann Johnson and Mark Russinovich.

During 2024, Microsoft unveiled a new Deputy CISO (dCISO) strategy as part of its broader Secure Future Initiative (SFI). To understand the reasons for, and the potential of, this evolution of the CISO role, we spoke to Ann Johnson (Corporate Vice President and Deputy CISO) and Mark Russinovich (CTO, Deputy CISO and Technical Fellow, Azure).

Microsoft’s deputy CISO strategy

When Igor Tsyganskiy became corporate CISO at the end of 2023, he decided he needed specialist assistance in specific domains. Microsoft is a massive and massively complex organization, and every aspect of the CISO role grows correspondingly in scale and scope.

The result, introduced through 2024, is a total of 14 dCISOs handling risk across the different functions within Microsoft. Each one reports to Tsyganskiy and, where relevant, the head of the product or service concerned.

“I am responsible for the customer security management office – the CSMO,” explains Johnson. “We are responsible for all external engagement for the office of the CISO.” Other dCISOs are aligned to the core Microsoft products, but the company also gets inbound requests from customers and partners. How does Microsoft secure itself? Can we benchmark against Microsoft? How do you do threat hunting? What products do you use?

“All those questions come up regularly,” she continues, “So my function is responsible for being the front door to help our customers with their relationship with Microsoft’s Office of the CISO – to make sure we’re sharing and benchmarking and doing industry best practices and doing threat intelligence sharing. My job is to keep the product-aligned dCISOs doing their day jobs but bring them into the conversations as needed.”

Ann Johnson, Corporate Vice President and Deputy CISO at Microsoft.

Russinovich is one of these product-aligned dCISOs. “Igor decided he needed dCISOs as part of a body that were experts in their local domains and affiliated with the product groups or the horizontal services that they would be serving,” he explains. The result may seem complex, but the purpose is to route the right information to the right people.

Apart from coming under the remit of the global CISO (Tsyganskiy), the product-aligned dCISOs also report to the senior business leader for their own product. Russinovich is dCISO for Azure. “So, I report to Scott Guthrie, who’s the executive vice president that leads the cloud and AI division at Microsoft,” he adds. Guthrie reports to Satya Nadella.

Azure may be a central product, but there are also horizontal aspects of Azure that span multiple product groups, so the dCISO concept of one expert per well-defined area can look less tidy in practice. “I’m also the dCISO for core operating systems, given my background with Windows and Linux. And in a third area, I am responsible for engineering systems – which spans multiple groups, and on which the whole company depends.”

These latter responsibilities are an example of the horizontal element of the dCISO program. While it may all appear incredibly complex, it is nevertheless designed to provide clarity. The purpose is to ensure that individual product business leaders get focused, expert information about their own responsibilities, while the company as a whole – right up to Nadella – gets a complete and integrated picture of the security posture of both the company and its products.

Are Deputy CISOs the future for the CISO role?

Are Microsoft’s dCISOs signposting the future for the CISO function? The answer seems to be yes, in principle at least, if not necessarily at the scale of Microsoft’s program.

“Igor is having CEO level conversations,” comments Johnson. “He is meeting with senior executives in governments and organizations globally, as well as running Microsoft’s core security program. He is involved in governance; he is involved in risk; he is involved in compliance. All CISOs have a very expansive scope.”

But, she adds, “If you combine that scope with the scale and complexity of Microsoft as an organization, with all the different platforms we have, and all the different communities we serve globally, and all the different products we bring to market… the job is too complex.”

Russinovich says much the same. “Microsoft is a massive company in terms of employees, products and services. It’s impossible for one person to be an expert in all of this, whether it’s security or anything else. Some of the risk decisions require familiarity and deep expertise, as well as the bandwidth ability to have deep conversations with the different engineering leaders they’re working with.”

Mark Russinovich, CTO, Deputy CISO and Technical Fellow, Azure at Microsoft.

This, he says, is something that a single CISO cannot do. “It’s just not humanly possible. So, Igor is distributing the responsibilities in a way that will let us scale and still have the big governance and accountability covering the whole company. You can think of the dCISOs as the CISO for the domains assigned to them.”

Johnson agrees. “I posit that most of our dCISOs are functional CISOs. And in other words, they would be called the CISO, because of the scope and scale of their responsibilities.”

Microsoft may be unique in its size and complexity. But the difficulties faced by its CISO, Igor Tsyganskiy, are the same as those faced by all CISOs – just writ much larger. The expansion of the CISO role from governance (security) to include compliance (legal), internal application and external product development (engineering), integration with business leaders (business knowledge and communication skills), artificial intelligence (data science) and more, implies that the solution adopted by Tsyganskiy should be considered by all CISOs.

The basic concept isn’t entirely new. In recent years, there has been a growth in Business Information Security Officers (BISOs). “Large, global banks have long had the concept of the BISO,” says Johnson. “They would have a BISO for retail banking, or a BISO for high net worth. I do see more organizations structuring themselves in this way as the world gets more complex and as organizations grow.”

The need for intermediary domain experts exists. In smaller companies these intermediaries may not be called dCISOs (or BISOs), but for larger and more complex companies, Microsoft’s dCISO program maps an attractive way forward.

What does it take to be a Deputy CISO at Microsoft?

Johnson believes her start in cyber was a bit accidental. Although she had an interest in technology, her academic background was in political science. After college, she worked for a few tech companies (“I needed a job,” she says), but not in cyber.

But it wasn’t fulfilling. “I decided I wanted to do something different, and at the time, I had a company RSA Security hardware token for VPN access. I’m a technologist at heart. I find I’m passionate about technology and learning new things. So, I went and learned everything I could about this RSA Security hardware token and how it worked. I applied for a job at RSA Security, and I was lucky – they hired me in 2000.”

She was now in cyber, and her career took off. After 13 years, she was VP, global IPV & global accounts at RSA. She moved to Qualys as president and COO, and then Boundless Spatial as CEO. From there, she moved to Microsoft as general manager of the enterprise cybersecurity group in 2015 and continued up the ladder until she became corporate VP and deputy CISO in 2024.

Russinovich’s entry into cyber was built on a succession of academic qualifications in computers and engineering. The passion had started earlier, when he got his hands on an Apple II. That set him off, and he decided he wanted to learn as much as he could about the internal workings of computers. “I went to Carnegie Mellon and got a degree in Electrical and Computer Engineering. I got a master’s degree at Rensselaer Polytechnic Institute (RPI) and then went back to CMU for a PhD in electrical and computer engineering.”

After an academic career that spanned almost a decade, he ventured into industry to understand commercial computers. “That’s when I started to develop my understanding and knowledge of the internals of Windows 3.1, 95, NT, and Windows 2000.” In 1996 he co-founded Winternals and was its chief security architect.

Winternals understood the inner workings of Windows and developed tools that let admins get deep into the OS and do things that would otherwise be difficult or impossible. Its freeware sibling, Sysinternals, was a collection of such utilities. During this time, he developed strong connections with Microsoft, so when Microsoft acquired Winternals in 2006, it got Russinovich as well – initially as an architect in the Windows division working on the kernel and on bringing Windows to ARM processors.

At the same time, he became increasingly interested in the cloud and a new small Azure group within the company. “I saw that the cloud represented a huge opportunity to create, effectively, the world’s operating system. Azure launched in February 2010. By July 2010 I had joined Azure.”

By 2014, he had become CTO for Azure, and by 2024 he was CTO, deputy CISO, and technical fellow at Microsoft Azure.

Despite their different paths and different careers, both Johnson and Russinovich have reached senior positions in security leadership within Microsoft. It is worth considering what each believes are the primary qualities that enable such achievement.

“Agility, flexibility and resilience,” says Johnson. “This job isn’t always fun, and the threats change and evolve every day. You need a strong sense of who you are. You need to be willing to go with the flow and you must be really resilient. People who last long term are all of these.”

Russinovich believes it is the ability to communicate and collaborate. “You have to work across many stakeholders, so the ability to communicate and collaborate is essential,” he says. “If you alienate people, which I’ve seen happening… if you alienate your stakeholders, you become ineffective.”

It is encouraging that both of these senior Microsoft dCISOs believe such career success can be achieved by anyone with the right attitude. “Personally, I like to understand technology to a deep level. But it isn’t absolutely essential,” explains Russinovich.

“You can delegate things, just like Igor is delegating his need for deep understanding of everything to a pool of dCISOs. Some level of technical understanding will always be crucial, because otherwise you’re just completely disconnected. But I think you can be an effective CISO without being as technically deep as I personally like to be.”

Johnson agrees that you can have a successful career in cyber without prior cyber qualifications. “You need to have the aptitude. You need to be willing to learn every day. You need to be willing to accept what you don’t know, and you need to network,” she says.

“Go to Black Hat, go to RSAC, take some SANS courses, take some LinkedIn Learning courses… whatever you need to understand the industry fundamentals. Then you decide your best fit. Cyber isn’t just forensics or reverse engineering. There are cybersecurity marketers, cybersecurity lawyers, cybersecurity HR, cybersecurity executives, cybersecurity PR and more. Think about where you can fit to get started; but don’t be so narrow that you think, ‘Oh, I’m not a deep cyber technical person, so I can’t work in cybersecurity’. Cybersecurity is an entire industry with every domain, so think about where your skills fit, and invest in learning.”

Advice

Good advice is a useful career tool, especially when good advice is heeded. We asked these two dCISOs to explain the best career advice they had received, and what advice they would give to emerging and potential future leaders.

Russinovich believes the best advice he ever received came from his father: ‘when you find something you’re interested in, learn as much about it as possible.’

“That,” he adds, “is what inspired me to go get a PhD in computers.” Confirmation that this is, indeed, good career advice comes from Johnson’s progression. Her cyber career kicked off when she became interested in a hardware token (‘I went and learned everything I could about this RSA Security hardware token and how it worked’).

Johnson herself believes the best advice she received came from a leader when she was new to management: ‘People don’t understand the impact of what they say.’

“I didn’t understand what he meant at first, but then I realized I needed to modify my standard direct form of communication. I had to remember that communication is all about the receiver, and I had to learn to adapt my communication style so that the receiver understood what I was saying, as opposed to treating everyone the same way and running people over. So, learning how to communicate effectively is one of the most important things anyone can learn in their career.”

For advice he would give to someone with ambition for leadership in cybersecurity, Russinovich continues his emphasis on learning. “Right now, I would say go learn about artificial intelligence: its current state, its strengths, and its limitations. Understand how it is applied, because it’s part of every single job. AI is front and center right now – that is what I would highly recommend.”

Johnson’s first advice is to understand that you don’t know what you don’t know. Only then can you accept what you don’t know, correct it, and keep advancing. “We have people that get a little full of themselves because they’ve had some success, but then they stumble because they stopped investing in learning and growth.”

Her second advice is “Don’t let people tell you ‘No’. Don’t let people look at your background, your experience or your education, and say ‘you can’t be in this field’. Sometimes you must just keep going and prove you can be the person you want to be. But I say again, the only way you can do this is to be willing to continue learning every day.” 

Future threats

Apart from advice – which helps us understand how current leaders reached their positions (advice received) and what they have learned (advice given) – it is informative to know what cybersecurity threats they see coming. Although there is always a bias toward their current position, this doesn’t lessen the value.

Russinovich sees two major areas. “The primary threats are nation state actors and artificial intelligence,” he suggests. “We see nation state actors boldly attacking corporations, such as Microsoft, to get at their customers. I don’t see that trend ending anytime soon.”

His second concern is artificial intelligence. “AI is becoming more and more part of anything that you do with cybersecurity, whether it’s attack or defense. Attackers will be leveraging AI to probe systems, and to attack systems in an automated manner that wasn’t possible before.”

Johnson doesn’t disagree with this micro view of threats, but suggests the macro picture will remain largely the same as today. “I don’t think the threat landscape evolves all that much,” she says. “It continues to be financial attacks such as ransomware and BEC. It continues to be nation states, largely for either espionage or intelligence gathering.”

Her view is that the motive, intent and targets of the different cyber adversaries don’t change – only the details of how attacks are engineered. Adversarial AI is an example. It could help find vulnerabilities, craft new malware, improve social engineering and automate attacks. It may make attacks faster, better and larger in scale, but financially motivated and nation state adversaries already use vulnerabilities, malware and social engineering.
