Interview: Sarah Armstrong-Smith - Chief Security Advisor for Microsoft
The 21st century has experienced rapid digitisation, with the Covid-19 pandemic only accelerating the online expansion. Though there are several benefits to virtual businesses, there is also a key risk that can bring a company to its knees with a simple click.
We sat down with Sarah Armstrong-Smith, Microsoft’s Chief Security Advisor, to learn why hacking and other online threats should be taken seriously by organisations. In our interview, she revealed what it was like working on the Millennium Bug in 2000 and why we should encourage gender-equal representation in STEM.
Q: You have been the Chief Security Advisor at Microsoft Europe since 2020. What has been your proudest achievement in this role?
“For me, I actually joined Microsoft one week after the UK went into lockdown. So I've actually spent my entire Microsoft career to date from this very office! It's been quite interesting for me to be literally in the middle of a global pandemic, joining a new company, but also seeing the inner workings of Microsoft.
“Throughout everything going on, we had to keep Microsoft up as an entity - Microsoft has over 160,000 people worldwide. But they also had to make sure the current customers were supported, and that’s all of the global Cloud and the data centres and all of those types of things. Because of the pandemic, we've seen a massive acceleration to the Cloud as well, particularly collaboration sites like Teams.
“We almost got a triple whammy, if you like, of all of these things coming together; the capacity that was required, the help and support with all of these things that have been going on. To see that from the inside and see how Microsoft rose to the occasion and how they help customers has been phenomenal.
“For me, it doesn't really matter how bad things get. We've talked about some of these big, big crisis moments that we've had over the years - I always focus on the opportunities. So, ‘what can we learn from this?’, ‘what can we do better?’ And that's where I get really excited. I'm really proud to be able to work for such an amazing company.”
Q: Having worked on the Millennium Bug, what did you learn from the potential threat?
“I think having a background in business continuity has really enabled me to think about the big picture, those worst-case scenarios – ‘what’s the worst thing that could happen?’.
“We need to think wider, we need to think about incidents that are not just relevant to our own company, but issues that go cross-sector and even across the world. That scope and scale are really important, and some of these major events have also triggered global changes, as well.
“So I think back, and I would say 9/11 was a really good example of a major incident, at massive scale, that we'd probably never seen before, how that was televised and the shock that came with it. It really brought home the impact of terrorism, and again, how important business continuity is at that scale.
“I bring that forward to what’s going on now, the global pandemic and this crisis, it's really brought home just how much we're all connected and how dependent we are.
“That’s from small businesses up to those large enterprises as well. So, ultimately, when we're thinking about these threats - it's not just about business continuity but cyber security attacks as well - it's really about thinking holistically, thinking much, much, much wider.
“It's really about having resilience to all of these types of attacks and types of threats.”
Q: As a cybersecurity expert, what is the biggest threat businesses face and what advice do you have for them?
“It's very interesting. We think about cybercriminals and the type of attackers, and they're inherently opportunistic - they absolutely love a crisis. And what a crisis we've seen over the last 12 to 18 months! So, they're really taking advantage of this.
“We've seen a massive increase with regard to phishing attacks, or really preying on people's fears and emotions. So, they pretend to be your bank, they might pretend to be just offering support. They might pretend to be a charity and those types of things.
“It's really trying to fool you into a false sense of security, to try to get you to give up credentials or click on links. We've also seen a massive increase with regards to ransomware, specifically targeting healthcare or other critical infrastructure. I think what's been interesting to us is there's almost no company that is out of bounds - they're small, large enterprises, these frontline services.
“And even to us, it was quite shocking. You’d think, ‘surely in the middle of a pandemic, you wouldn't attack a hospital, you wouldn't attack the emergency services’. But they did, particularly when we're talking about ransomware because they feel that they're more likely to pay if they're being backed into a corner.
“I think there's a real psychology behind the way that cybercriminals act and the way that they take advantage of the situation. It’s important that we're mindful with regards to what's going on and how these changing tactics and techniques are going to continue to evolve.
“It really comes back to that kind of business continuity, which means constantly asking questions: ‘what if somebody could get access to our systems? What if somebody could disrupt our services? What if someone could get access to our data? If that data is leaked, what's the impact of that? And therefore, where do I put my priorities?’
“So, we're no longer just talking about cyber security in. We have to think again and have more of a holistic response, where we're thinking about ‘if we have these types of incidents, what's the business doing?’ It's very much about thinking much wider.”
Q: Considering the pace of digital transformation, how can businesses keep up with such rapid transformation?
“I think it’s important to reflect on the fact that security is intrinsic to almost every business, particularly when we're talking about digital. So, we really need to think much wider, much broader.
“As we've talked about, really with a global pandemic, many companies are really evaluating their business models, their working practices. They’re asking, ‘what happens next?’ Do we all go back to the office? Do we continue to work remotely? The reality is we're going to work in this hybrid environment, where people have more choices about where they work from, what type of devices they use.
“And that ability to embrace the Cloud is really important because it enables them to try new designs, spin up projects very, very quickly, which they might not have been able to do previously because of the time it takes to procure servers and storage and spin up projects and all of these types of things.
“So it really comes down to speed and scale, and that's really one of the benefits of the Cloud. It's really about taking advantage of all of these different things that are available and just really explore.
“I think that's the bit I love, really. We're talking a lot about being agile, which is the ‘fail fast, fail often’ philosophy, which is if you want to try something new, if you want to have these innovative projects, try it out, get some insight, run some analytics, and it doesn't work? Close it down.
“I think that's where the agility and the flexibility of this kind of digital transformation is, it enables companies and even individuals to experiment a lot more.”
Q: With a passion for women in business, what more needs to be done to improve gender inclusion in the workplace?
“I think it sometimes sounds like a bit of a cliche, but we really need people who can think outside of the box, who can think and act differently. And that is why diversity is so important, but it's about diversity of backgrounds and experiences and culture.
“It's not about being a woman, per se, it's about being able to celebrate all of our differences and how we can utilise all of those differences to be our best advantage. I think one of the things that we've been reflecting on is the need to have different perspectives and viewpoints, because if we all have thought the same thing we would come out with the same answer, in essence, and that is not what's going to help us to innovate.
“I also think it's important that we remove these kinds of false barriers and misconceptions that [technology] is principally a career for men, or that you have to be deeply technical to work in cyber security because that's not the case at all.
“It's about encouraging people to remove these false barriers – ‘this is a career for men, this is a career for women’ - I think that's really key when we're talking about inclusion.”
Q: What led you to cybersecurity, data protection and digital transformation?
“I've been working in the technology environment for over 20 years now, and I chase this back to sort of 1999 – all those many years ago! I was actually working for a water utility company on the Millennium Bug or Year 2000 programme, and many companies were on really large transformation programmes to recode a lot of their computers and servers.
“The theory was, at the stroke of midnight, a number of computers and servers would melt down, because of the way that the year ‘2000’ was actually coded into a number of different systems.
“And really, for me, from a young age I've always been driven to keep asking ‘why’ and ask abundant questions: ‘what if the systems go down?’, ‘what if we can't get people to work?’, ‘what if, what if’ - all of these types of things. And I didn't really understand at the time that what I was looking at was business continuity.
“For me, it just felt like common sense to keep asking these ‘what if’ questions. I always look at that as the point, as where I started my career. From business continuity, it pivoted over the next 20 years or so, into disaster recovery, cyber security, fraud, crisis management - all of that comes under the banner of resilience. And that is how my career has evolved.”
Q: How has gender inclusion in the workplace evolved since the start of your professional journey?
“When I was at Fujitsu - I worked at Fujitsu for 12 years before Microsoft - I was actually coaching with the Women's Business Network for three years. We set ourselves a mission to have more women in tech and senior roles, as opposed to just more women in general.
“So to put that into perspective, Fujitsu is the biggest Japanese employer in the UK. They have 12,000 people, of which about 3,000 are women. And then one of the objectives we set was to be a Times Top 50 Employer for Women.
“The entry criteria for that is really tough, really hard. And we said, ‘we’re going to be bold, ambitious, and we want to do all of these things - we want to make sure we're doing the right thing’. What was interesting to us, as well, was that when you compare men to women in these types of environments, the statistics on women and the ratio to men is always going to be a lot lower.
“As I said, Fujitsu has always been around 25-26% women, but they had the objective to get that to 30% and then over X number of years to bring that up to 50%. That sounds very, very positive if you're a woman, not so great if you're a man. If I was to increase the number of women to 50%, I’d have to potentially remove 3,000 men from the organisation. And that's not really what we're saying, but that is how some of these messages are perceived.
“So we really have to be careful when we're talking about this so that what might sound good for one group, doesn't then sound like a disadvantage for another, and that we don't fall into the trap of positive discrimination, where we have any kind of quotas and people feel like they're just a number as opposed to an individual.”