Digital Business

Secure transformation requires cultural change: Lessons from Microsoft’s journey

Sep 30, 2022
Secure transformation requires cultural change: Lessons from Microsoft’s journey

What does it take for an established software leader to gain the momentum to transform itself into a world-class security provider? As Microsoft has proven, in an era when digital transformation is imperative, an organizational culture imbued with trust and collaboration is just as essential as innovative technology.

At the CXO Silicon Valley Summit on September 15th, Kavitha Mariappan, EVP, customer experience and transformation at Zscaler, hosted Vasu Jakkal, chief vice president (CVP), security, compliance, identity, and privacy at Microsoft, for a conversation discussing strategies for driving secure digital transformation in a cloud- and mobile-first world. 

Jakkal’s experience leading Microsoft’s security business—from the ground up to $15 billion in a short period—speaks to her well-honed leadership skills and the power of team collaboration. She pointed out that cross-collaboration is truly at the heart of Microsoft’s transformation, allowing buy-in on transformation initiatives that help Microsoft protect more than 785,000 customers.

Mariappan opened by asking what the audience could learn from that journey. "What can you share with our CXOs here today about Microsoft's own transformation journey as all of them here aspire to transform their own organizations from legacy IT to cloud and mobile-first?"

Shame and blame have got to go. Trust and collaboration are the keys to success

It used to be that, when a cyberattack hit a company, people would start pointing fingers. Historically, there was a cultural aspect to the security industry that involved shaming and blaming. Jakkal says this is an outdated, counterproductive model. “This points to a terrible culture,” she says. “The CISO role cannot be set up to fail. That would be a failure on the entire team because the CISO role is so critical for success.” 

For security to succeed, she says, “You have to drive cultural transformation as a company.” As she points out, the entire management team and the board of directors need to be on board, not just the CISOs and the CIOs. Barriers need to be broken down so that everyone can work together. “Internally, positions in IT and security have to be elevated to have a seat at the table,” she remarks. The goal is to be able to have a brutally honest conversation that answers the quintessential boardroom question: “How secure are we?” 

Use incidents and statistics to generate awareness and support for security

Jakkal shares that, in early 2020, the SolarWinds cyberattack was a “moment of reckoning” that helped drive security awareness across the entire enterprise—from employees at all levels to the board. In 2020, hackers breached IT company SolarWinds, injecting malicious code into the company’s software, which is used by more than 33,000 organizations. This large-scale attack left private companies and government agencies vulnerable for months. SolarWinds was a turning point that led to a fundamental change in how organizations operate, with a heightened focus on transparency and honesty.

“We were one of the first software companies to say, ‘This attack is happening. Here’s what this means. We don’t have all the answers, but we are going to work together and find them.’ That was a huge cultural transformation that we went through,” she recalls. 

Jakkal shares some sobering statistics that further highlight how critical security is to businesses and why it needs to be supported across the entire organization.

Jakkal recommends using statistics like these to drive awareness and cross-functional support for security across the enterprise. “A security team can never protect you against all of these attacks,” she asserts, “We have to make this about the entire company and the organization. That’s why it’s really important to embrace the team sport culture.”

Security awareness training, she says, is a critical element in driving a security-oriented culture, and the way it is presented—as well as how often—is just as vital as the actual content. “We’re finding that it’s important to make training interesting, fun, and engaging. Training is not just ‘one and done’. We refresh our training so it’s not boring,” she says.

Embrace security as a driver of innovation and a business enabler

Jakkal explains that—in addition to collaboration—empathy and understanding for what customers are going through in their own transformation journeys were key to Microsoft’s success. “It’s not that easy to just ‘move to the cloud’, especially if you have an on-premises and hybrid architecture and you don’t have the resources to support it,” she relates.

"Organizational change becomes a critical mandate in order to truly transform your business operations," added Mariappan. "I mean, we know digital transformation today is a technology journey, but it really is also a business enabler."

It was Microsoft’s culture of empathy that helped the organization see the opportunity and the need to offer security products in the first place. “We became a security company not because we set out to be a security company, but because we were protecting Microsoft and our products,” she points out. “Our CISO plays a big role in product strategy and innovation,” she remarks. 

Exemplify a culture of curiosity, open-mindedness, and learning

Following the SolarWinds attack and the cultural transformation it initiated, Microsoft began working with outside partners, including Zscaler, who brought unique core skills and competencies to the table. Jakkal noted there are now more than 300 companies participating in the Microsoft Intelligent Security Association (MISA) ecosystem. But it wouldn’t have happened without that cultural shift toward collaboration. “We learned that it’s going to take all of us,” she says. 

We have a culture where we want learners around the table, not knowers. Our leadership team meetings start with that growth mindset, that curiosity of ‘what am I learning?’ That’s how we run Microsoft,” shares Jakkal. “Our CEO is such a great role model for that growth mindset. He reminds us every day to be learners.”

Jakkal points out that open dialogue stems from a healthy culture: “If we can work together and say, ‘Here’s what matters. Here are the threats that are happening in the world. Here are the threats that are relevant to me in my world. Here’s what my posture looks like for those threats, and here are the gaps.’ Then we can have a conversation.”

Process is great, but don’t underestimate the importance of trust

Jakkal describes Microsoft as a “very disciplined” operator and shares the company’s well-defined process for working together: “There’s a very clear accountability model, and it’s matrixed. We have solution-area leads. Each solution area has two strategy days per year when we sit with our CEO and his direct reports on how we think of the strategy, our key priorities, and what success looks like for those key priorities. Once we have that in place, we are in execution mode. And we are continuously reiterating. We have monthly product and business reviews. We have weekly team meetings. We use Objectives and Key Results (OKR) models to make sure that we have cross-collaboration success.”

OKR is a collaborative goal-setting methodology used by teams and individuals to set challenging, ambitious goals with clearly articulated results. OKRs help track progress, create alignment and encourage engagement around measurable goals. Even with this solid process in place, Jakkal emphasizes it was really Microsoft’s culture that moves the needle.

“Most important is the trust that we have. I use a model by Patrick Lencioni from his book Five Disfunctions of a Team to understand conflict and harmony within our teams. We are big on adaptive leadership,” she explains. “We've learned that transformation, as much as it's about technology, it’s also about culture and people. And it's about bringing humans along. When you have trust with someone, magic happens.”

What to read next:

Adopting a zero trust mindset: best practices from leading IT executives

Change agents needed: How top IT executives ensure their organization’s security, resilience, and succes