During a recent visit to Australia, Microsoft corporate vice-president of security Vasu Jakkal spoke about the current cyber threat landscape, her approach to director duties and why she is determined to see more women involved in STEM.
As corporate vice-president of security at Microsoft, Vasu Jakkal provides regular briefings to Microsoft’s board of directors on the company’s security strategy. Since taking on the role in mid-2020, she has been responsible for the company’s security, compliance, identity, device management and privacy business, along with the marketing strategy for each product portfolio.
During the past year, Microsoft’s cybersecurity business has grown to US$20b, double what it was before Jakkal joined the company. This is a reflection both of the threat landscape facing Microsoft’s 860,000 customers, and its strategy under Jakkal. Microsoft has positioned itself as one of only a handful of security companies that can provide an end-to-end security platform for enterprise customers.
Microsoft previously limited protection services to Microsoft Azure and Windows, but it recently expanded to cover all major platforms and clouds — including Google Cloud, AWS, Android, iOS, and Mac OS. It has a suite of six product lines to protect devices, identity, data, apps and the cloud.
“The growth comes from our portfolio expansion,” says Jakkal. “Our approach now is to look at every door, window and roof for a vulnerability. Our customers tend to start out with one solution and adopt more.”
When Jakkal briefs the board on the cyber risk landscape facing Microsoft itself, she focuses on how the spend on cybersecurity translates into tangible outcomes. She highlights security improvements that have occurred across a variety of areas, including the protection of devices, data and privacy more broadly. “Our board of directors is very involved in cybersecurity,” she says. “However, security tends to be highly technical and the board of directors operates at a high altitude. I am in the weeds, so my challenge is to translate cybersecurity risks into potential economic impacts and how that relates to fiduciary duties.”
Jakkal develops a data strategy plan that includes the return on investment for each category of spend — but keeps the details at a high level. “To tell the board that we have doubled our spend [on cybersecurity] doesn’t mean a lot if you don’t know how the solutions are working for you,” she says. “An assessment of the spend is critical.”
Data under attack
Jakkal notes that the most common concerns customers raised with her were around data security. She says that the threat landscape continues to evolve, with attacks both more frequent and sophisticated in nature.
“When I joined Microsoft in 2020, there were around 579 password attacks per second,” she says. “We ended 2022 with 1287 password attacks per second. At the same time, defenders have a shorter window in which to respond. It used to take attackers a long time to access critical data once they were inside an organisation. Now it is an average of just 72 minutes from the time that a user clicks on a phishing link.”
Added to this is the global shortage of IT security professionals, the rise of ransomware in the gig economy and a ready availability of cybersecurity attack tools.
“The barriers to entry for attackers are really low right now, which is why every industry around the world is being targeted,” says Jakkal. “It’s not just healthcare, financial services and education as it used to be — and it’s no longer just large enterprise. The situation is going to remain challenging for the foreseeable future.”
In her element
In March 2021, Jakkal took on her first non- executive director role when she joined the board of Element, based in California’s Silicon Valley. Element helps industrial enterprises digitise and extract value from the data generated through operations. “Element looks at operational technology and IoT [Internet of Things], and how to use the power of data to provide a better return on investment,” she says.
The role appealed because it was a chance to expand her horizons and Jakkal relished the idea of helping a smaller organisation to grow. “Operational technology in manufacturing is not my sweet spot,” she says. “I come from the IT security side of things. I wanted to learn about a different space and I have found it to be a different world. I fell in love with the company’s mission and people. They are great human beings doing all the right things and striving to scale. I wanted to add value and I felt that culturally, I would be a good fit there.”
Jakkal was recruited to the board for her expertise in cybersecurity, but her contribution as a board member is very different from her role at Microsoft. “I need to be thoughtful because there’s a difference between a governance role and a management role,” she says. “I am not in an operations role at Element and I don’t want to dictate what they need to do. I ask a lot of questions, instead.”
She has helped Element’s security team create a template when preparing their board presentations. “The template can be used as a benchmark to explain how they got from point A to point B, and where they are headed next. They are strategic about the way they use data to illustrate business developments.”
Diversity on the agenda
Jakkal enjoys the intellectual challenge of being on a board, and strives to make such positions more accessible to women in tech. “I love being in a position of curiosity and asking lots of questions,” she says. “I also enjoy putting on a different hat, asking the tough questions and holding the leadership team accountable.”
A number of women at Element have approached her because they want to take on senior leadership roles. After carving out her own career path, Jakkal is only too happy to help. “It feeds my soul,” she says.
Jakkal believes that diversity in the tech sector and in cybersecurity specifically is an imperative, because more diverse teams are more creative and make better decisions. This is backed by a number of studies, although change remains slow to materialise.
“I often say, security is for all, and security requires all,” she says. “Security teams are under immense strain due to the rapid pace of change and complexity in threat actors, but also due to a shortage of talent. Women, and people from more diverse backgrounds, are desperately needed to help address this talent gap.”
While working for Intel between 1999 and 2012, Jakkal founded the Women at Intel network and served as its co-chair. She sought to increase the number of leadership opportunities for women across the global conglomerate.
In 2020, she and other female tech leaders in Silicon Valley co-founded FirstBoard.io, which aims to help women obtain their first board positions by providing networking opportunities, matchmaking services, education and development programs. “A few years back, we looked around and there were not a lot of women on boards, so this was a very intentional effort to help women to get that first seat on a board,” says Jakkal. “It was, in fact, how I was able to get my first board position.”
Entry is open to all women, with potential candidates vetted by an advisory committee to determine who is most board-ready. After someone obtains their first position, they are encouraged to give back to the community in a mentoring or teaching capacity. Its leadership team is rotated out every few years so that a variety of women get the chance to be involved. “We are very active in Silicon Valley, although we would like to have global reach,” she says.
Jakkal’s career journey was filled with challenges. Born in Pune, India, now known for its vibrant business and tech sector, she says being a female focusing on scientific endeavour was practically unheard of. “I’m the first woman in my family to hold a job outside the house.”
Jakkal studied electrical engineering and won a scholarship to study in the US. “I was a student in the early 1990s and there were not many women in STEM,” she says. “I didn’t have any role models and I remember just not having a voice. Often, I was the only woman in the room. At some point, I had the realisation that I needed to speak up and be bold.”
Jakkal believes that the STEM sector is far more diverse than it used to be, while still having some way to go. “We still have a lot of work to do, both as cybersecurity specialists and as women — and definitely as boards of directors, too,” she says.
The US has unveiled its new national cybercrime strategy, which puts private-public partnerships at the heart of bolstered security measures.
The Biden-Harris administration released a National Cybersecurity Strategy in March. The plan will be overseen by the National Security Council. Microsoft CVP of security, compliance, identity and privacy Vasu Jakkal notes that protecting customers from ever-evolving threats involves forging partnerships with the global security community and government agencies. “Implementation of the National Cybersecurity Strategy will raise the security bar for technology providers and strengthen the global supply chain,” she says.
Below is a summary of the strategy’s proposed pillars.
Five Point Plan
- Defend critical infrastructure by expanding the use of minimum cybersecurity requirements in critical sectors. It will facilitate faster and broader public- private collaboration to better defend critical infrastructure and essential services. It will also update federal networks and the incident response policy.
- Government agencies will set up efforts to prevent malicious cyber actors from threatening national security or public safety. It will achieve this by collaborating with the private sector and international partners with a special focus on tackling ransomware.
- Responsibility for managing the consequences of poor cybersecurity will no longer rest with the most vulnerable end users, but instead shift to software vendors and service providers. The government will promote the security of personal data and ensure federal grant programs promote investments in secure and resilient infrastructure projects.
- The US will develop next- generation technologies and infrastructure by reducing systemic technical vulnerabilities in the internet and across the digital ecosystem. It will prioritise cybersecurity research and development for next-generation technologies, including post- quantum encryption, digital identity solutions, and clean energy infrastructure — and grow its national cyber workforce.
- The US will leverage international partnerships to counter cyber threats. It will undertake joint preparedness, response, and cost-imposition activities — and work to create more secure global supply chains for information and communications technology
This article first appeared under the headline 'Defending the Castle' in the June 2023 issue of Company Director magazine.
Already a member?
Login to view this content