‘We need to get rid of passwords’: Meet the woman pushing cyber security to ‘grow up’

Microsoft’s Ann Johnson on her ‘accidental’ career and avoiding smart speakers

"Cyber security, in my opinion, needs to grow up a bit." Ann Johnson, senior vice-president with Microsoft and lead for the company's enterprise cyber security, is trying to change things from within. "I'm trying to use this platform to change the industry, not just to bring tech to market but to try to change it and make it grow up."

Part of the problem with cyber security, she says, is the language. “We’re militaristic, and we’ve got sand boxes and detonation chambers and blacklists,” she explains.

Johnson recognises that cyber security, like much of the tech sector, has a diversity problem. Although steps are being taken to address it, there are many issues to overcome.

“What we find still is that girls in STEM – in the US at least – there’s about 70 per cent drop off from 12 to 17. It’s all the social messages you have to counteract, and we just continually keep educating.”


It’s somewhat of an uphill battle. Johnson is determined to win that particular fight though, and leads by example on building a diverse team.

“I have a lot of women on my team. And we personally call other women we know in cyber security and say: ‘Hey, we have a great team. It’s open, it’s inclusive, we have this job open, are you interested?’” she says. “We’re still not perfect, but we’ve done a pretty good job of getting women in the door. And we take risks on people. We say, okay, this person may not have a qualification I need but they’ve got a great attitude . . . they want the job, I’m going to take a risk.”

That’s a key point for her.

“Diversity goes beyond just male, female, race; it goes beyond socioeconomic backgrounds, different educational backgrounds,” she says.

“I always say our teams have to be just as diverse as the problems we’re trying to solve. I also mean [diverse in] how they think and their backgrounds and our education. You don’t want all STEM graduates, by the way, because you’ll never train a machine learning engine properly if you have all STEM graduates. So you also have to think outside the box and look at your job descriptions.”

‘Accidental career’

Her background gives her a unique perspective on this issue. She doesn't have a college education in STEM. Although she may be in one of Microsoft's most senior cybersecurity roles, she didn't set out to forge a career in technology. She describes it as "an accidental career", given her qualifications in political science, communications and world history. Things could have gone very differently if Johnson had stuck to her original plan to go to law school on a scholarship she had won, a goal she had had in mind since childhood. However, weighing up the financial options, she moved to Los Angeles and began working in an Apple education reseller.

“I walked into a computer store, I said I know I can talk to people, I know something about computers, and they hired me,” she recalls. “I was always a bit of a geek. I played Dungeons and Dragons. I was on a speech and debates scholarship. I played chess. But when I grew up, I didn’t see my first computer until late in high school.”

While working for the computer company she signed up for every training course she could find that her employer would pay for.

“The thing that fascinated me about computers was that it changed all the time. And that’s what kind of was driving law school too, that I knew I wasn’t going to be a person . . . [sitting] at my desk nine to five every day. It just wasn’t how I was going to be wired,” she says. “I was a writer on the side. And there’s a lot of stuff I did, but none of it was geared towards, you know, being that person that went in every day in the same job. It wasn’t me. So I stayed in computer technology because it was fascinating.”

Johnson says she planned to go back to law school when she was more financially secure; she hasn’t got around to that yet but doesn’t rule it out in the future, just to say she achieved her childhood goal.

Her career in the tech industry has now spanned 20 years, and she has been working at Microsoft for more than three years.

Security threats

In her career, she has seen a lot of security threats come and go. The summer of WannaCry and Petya she was working with cybersecurity firm RSA and it was, she says, “probably the least fun summer I’ve had”.

“I was talking to every bank around the world about the fact that their tokens had been breached,” she says. “I’d have to put on a really thick coat every day and say, okay, they’re not yelling at me personally.”

Not every security threat is as devastating as WannaCry and its ilk. Ransomware is still around, but is often a distraction for another attack, Johnson says.

She doesn’t seem overly concerned about many of the security threats that capture the public’s attention. She doesn’t cover her laptop’s webcam as a matter of course, though she says she doesn’t have a smart speaker in her home. “And I won’t. We all have a limit of what is acceptable,” she says.

“I have minimal IoT devices in my home too. There was a joke somebody came out with about technologists, that we have the least amount of tech in our home, and that if we have something it’s a printer, and we’re frustrated with it all the time. That’s about my house.”

However, there are some things that concern her.

“We’re seeing a huge increase in sophistication of cyber criminals, not nation state, but the cybercrime gangs that are purely robbing money from any avenue they can get it from,” she says. “That worries me because nation states can be fairly predictable. We know where they are. We know we generally know what tools [they] are going to use. We know their motives. We know how they operate. We don’t always know when they’re going to attack, but they’re fairly predictable.

“The cyber criminals aren’t, they’re pretty sophisticated . . . They’re very patient, they do a lot of reconnaissance, and they know how to get in and out really quickly. And so it’s a good return on investment for them.”

Another concern is the monetisation of nation state tool kits, older versions, but still powerful in the hands of an average hacker.

Phishing concerns

Phishing still accounts for 76 per cent of all breaches. “Phishing is still your primary vector. So that’s why we’re trying to get passwords out of the ecosystem; we want everyone to go password-less. If we get passwords out, the cost of attack goes up. Right. And that’s what you want to do, we want to keep raising the cost of attack.”

She advocates for using multi-factor authentication for everyone – not just for consumer applications, but also employees. That will mean using some sort of biometrics, a prospect that concerns some consumers. “At the end of the day, passwords are much less trustworthy than a biometric,” she says.

There is one weapon that could give cyber security the edge: artificial intelligence. “It’s getting to be very important,” Johnson says. “I would say we still have to use it properly.”

Microsoft has deployed some AI elements in its own cyberdefence centre, using them to detect previously unknown malware in milliseconds thanks to patterns in behaviour.

“There’s no silver bullet, but I do think AI is probably a step change, we just have to do it right.

“Things are just getting properly started with machine learning and artificial intelligence, so there is some way to go. But in the meantime there’s still that goal of getting cyber security to grow up.

“We will know cyber security is a mature industry almost when it doesn’t exist anymore, when cyber security is part of everyone’s job in an organisation every day, and your cyber organisation really becomes almost your policy organisation,” she says.

“The person that writes every piece of code, they’re concerned about cyber; the person that configured the computer that goes out the door, they’re concerned about cyber; the person who installs your network, whatever it is, writes an application in the cloud. When it becomes a part of everyone else’s job, and there is no massive cybersecurity orientation, to me that’s maturity.”

She pauses. “That’s a long time away, by the way.”