Hemma Prafullchandra is Chief Technology Officer of Microsoft 365 Security and Compliance at Microsoft.

After starting out as a networking software engineer based in Palo Alto, CA thirty years ago, Hemma moved into the security sector and grew from a software engineer into engineering and product management. 

After roles at three further start-ups and three public companies developing security-related solutions, Hemma teamed up with Microsoft as their CTO for Microsoft 365 Security and Compliance. 

Today Hemma’s role sees her inform the vision and product plans, and work closely with customers, partners, analysts and industry bodies to deeply understand their needs and build mindshare of Microsoft’s cybersecurity strategy and solutions. 

The position also marries Hemma’s love for working and innovating in the security space, building mindshare, and helping everyone scale through use of technology, best practices, and standards.

GRC World Forums caught up with Hemma to discuss trends on the tech horizon, and the business challenges these trends present as data protection, security and privacy requirements tighten worldwide.

Hemma: The main trends that are dramatically changing the modern business landscape begin with the pace of technological innovation, which will continue to accelerate – it is anticipated that in the next decade we will experience more technological advancements than in the past 100 years. The technology vendor ecosystem continues to multiply at a significant rate even in categories where there are clear market leaders.

Many organizations now leverage a diverse set of technologies (such as BYOD, IoT, systems, networks, SaaS/IaaS, multi-cloud, to many security, compliance and privacy solutions) from numerous vendors. This leads many organizations, for example, to almost become a de facto “technology provider” themselves.

Digital transformation and AI adoption are also key trends, both driving greater use of cloud and edge computing, IoT and robotic process automation. Hyper-automation, per Gartner, is “a business-driven, disciplined approach that organizations use to rapidly identify, vet, and automate as many businesses and IT processes as possible”. As revealed in Gartner’s ‘The Executive Guide to Hyperautomation’, “by 2023, the number of active citizen developers at large enterprises will be at least four times the number of professional developers.”

I also see a massive generation of telemetry/signals, use of data across silos, and use of data analytics to decipher customers’ needs and behaviors, which in turn will fuel improved user experiences and faster business decision making and growth.

The hybrid workplace constitutes a further key trend. Accelerated by the pandemic, hybrid demands reinventing communication and collaboration to enable productivity, transparency, and individualization, as organizations race to recruit and retain talent. According to World Economic Forum (WEF) 2022 agenda, talent scarcity is one of the primary lenses through which we will see the entire world of work.

Regulation will take a leading role in defining the corporate landscape. We are under a constantly evolving, global regulatory tsunami, and almost every nation is working on cybersecurity and privacy related laws and policymaking. There is some collaboration across nations, but with sufficient differences to create ongoing complexities in managing regulatory compliance, and also unintended negative consequences, e.g. data privacy regulations restricting the flow of data, including data that’s critical to security operations. The WEF identified this as the second highest challenge of 2021. Cooperation is key as we move forward.

And lastly, cyber threats continue to present an ongoing and escalating challenge for both the public and private sectors around the globe. As identified in Microsoft’s Digital Defense Report by Microsoft Security, it’s no longer effective to view these threats solely through the lens of a specific criminal or type of crime. Rather, cyber threats are perpetrated by a large, diverse, and complex economy, often available to commit a variety of attacks, such as disruption, fraud, theft, and spying. It could be financially motivated, or nation state supported, or both. 

Hemma: Accountability for digital transformation outcomes definitely constitutes one of these challenges. Similarly, adoption of more cloud-based technologies has expanded beyond traditional IT, and more business functions/leaders are now involved.

According to LinkedIn research, IT only retains its status as the most influential voice in a third (39%) of technology buying decisions, down from a staggering 75% in 2014. This means that privacy and data security governance programs must span an entire organization, which they always have from a compliance perspective, but now in order for the programs to succeed, specific accountability and user education must be spread across the organization. 

The organizational culture must also reflect the growing business dependency on data, and the obligations to protect it must be met by all involved. Scaling the data governance and privacy programs becomes even more complex as they must also consider all the cloud-based infrastructures and providers where data may be housed, processed, and accessed from. Nearly all organizations are now multi-cloud dependent across their SaaS and IaaS usage, which makes monitoring and adequately managing these third parties super difficult and requires automated approaches to scale.

The massive collection of data, data exploration and analytics, generation of contextual insights, and the need for speed to use the new learnings mean that privacy professionals are constantly learning themselves and are required to quickly ‘bless’ specific uses with no established norms or precedents, or to suggest changes to adequately safeguard and comply. So, it becomes a double whammy – evolving regulations and increasingly ambitious business usage of data and insights. The “data supply chain” from lineage to usage is often not understood by all involved well enough to determine the best technological protections to implement. Most privacy professionals are not equipped with the knowledge and experience to tackle these tasks at the speed required.

Further challenges will lie in data hygiene across hybrid work environments. Sensitive data is likely to be littered across too many systems, including some unmanaged systems (for example, personal/home equipment) that may not meet the necessary security requirements, as individuals often favor productivity over “temporary violations of corporate policies”.

Disruption may also surface due to citizen developers automating business workflows and logic in potentially new and unanticipated ways. This could create new data security and privacy exposures that are unknown to the governance processes and technologies deployed.

Finally, given the proliferation of the market, user challenges with integration, and the increasing capabilities and intelligence required, including for those using certain technologies like cloud-based services, many are looking to managed cybersecurity services/solutions. There is a marked variation in the ability of these providers to help measure compliance and to alert users to issues/incidents, so as to help manage the increasing attacks and complexity of the environments.

What can organizations do to start addressing these issues more effectively, and how can Microsoft help?

Hemma: Organizational culture and mindset should build on distributed empowerment and accountability. Revamped and required privacy training for every employee on a regular cadence is an absolute must – once a year is no longer good enough. 

Senior leaders should also ensure that technology providers are vetted, have strong privacy and data protection policies in-place and most importantly are transparent. We, at Microsoft, take this obligation very seriously and believe that privacy is a fundamental human right that requires a commitment to provide robust data protection for every individual and organization. You can read more about our policy and approach on this issue here.

For citizen developers, training is essential for safe and optimal use of no code/low code technologies such as Microsoft PowerApps, Microsoft Power Automate and Power Platform. These, together with Microsoft Azure Active Directory Conditional Access, Microsoft Endpoint Manager policies, and Microsoft Defender for Endpoint, will support greater business transformation while remaining secure and compliant. 

Next, all data should be discovered, classified, protected and governed per policy, with its lineage identified, to meet compliance and data protection requirements, using Microsoft Information Protection, Microsoft 365 Data Loss Prevention, and Microsoft Purview.

Finally, it is advisable to proactively identify and help protect against privacy risks, empower employees to make smart data handling decisions, and automate and manage data subject requests at scale with the Microsoft Priva Privacy Management solution.

Is there enough collaboration between governments and industry to tackle data security challenges in the US and beyond?

Hemma: There are many ongoing discussions between the private sector/industry and the government in each nation. Beyond global fragmentation, even within individual countries or regions, there is often further fragmentation, either due to state-level or other jurisdictional efforts and policies or to inconsistencies across sectors. 

As an organization, keeping abreast of these and making sure you are compliant is daunting for most and often unattainable for small businesses. Microsoft security, compliance and privacy solutions help organizations of any size to understand and meet their obligations.

In Europe, we announced a new commitment for our public sector and commercial customers in the EU and EFTA: a promise to enable them to process and store all their data in the EU by the end of 2022, with the exception of data for which there’s a need to maintain flows outside of the EU, in particular to enable security operations. 

Our services continue to operate in compliance with European laws and regulations. But with this ambitious plan we are going above and beyond our prior commitments and regulatory requirements to meet our customers’ preferences and expectations for increased data residency and control and to help Europe realize its digital ambitions.