Securing the Enterprise

Why Microsoft's Vasu Jakkal sees cybersecurity as a 'symbol of hope'

The Microsoft security executive told Protocol that she’s driven by the potential to help people feel safe in their digital lives.

When it comes to cybersecurity, it's easy to focus on the negative. The bad news feels so unrelenting, and the threats — along with the complexity of those threats — seem like they're getting worse all the time.

Microsoft's Vasu Jakkal, however, wants to keep the positive front and center.

At its core, cybersecurity is about helping people feel safe, according to Jakkal, corporate vice president for security, compliance, identity, management, and privacy at Microsoft. And bringing a focus on that “mission” is a much better foundation to start from when thinking about cybersecurity, she said.

While you shouldn’t ignore the bad news, fundamentally, "security is not this dark thing, this bad thing," Jakkal told Protocol. Rather, "it needs to be a symbol of hope, and positivity, and innovation, and creativity."

The potential to help people feel safe in their digital lives, Jakkal said, is why she "fell in love" with security and what she feels has given the most purpose to her career.

At Microsoft, Jakkal heads strategy for the company's security software and services business, which grew its revenue by almost 45% to reach $15 billion in 2021. Prior to joining Microsoft in mid-2020, she was chief marketing officer and executive vice president at cybersecurity vendor FireEye. She began her career at Intel, where she started out in engineering and ended up, more than a decade later, as a product marketing leader for the chipmaker.

Jakkal spoke to Protocol about why she went into the cybersecurity industry, how the role of identity has changed in security, the promise of passwordless authentication, and what businesses need to do to adopt a "zero trust" security strategy.

This interview has been edited and condensed for clarity.

What drew you into cybersecurity?

It actually has roots in my childhood. I grew up in India, and it was a very different life, very different circumstances. Very humble beginnings. My father was an engineer, and my mom stayed at home and took care of the house. I'm the first woman in my family to actually have a job outside the house.

But technology was a foreign thing. It was just not there. There was no internet. I fell in love with technology through watching "Star Trek." I think I was 9 years old, and I saw "Star Trek" — and I was like, "I want to be in that ship."

I did a bachelor's and a master's in electrical engineering. I just love learning. I landed in silicon engineering, and Intel was my first job. That's when I started realizing that security is so fundamental to how we design technology, and first understood the value of [building in] security at the very beginning. Along the journey, I fell in love with security.

When you look at Maslow's hierarchy, after food, water, shelter, the next [major need] is safety. And safety used to be just physical safety. But today it’s also digital safety, and when that gets compromised, then we lose trust in the technology. That's why I joined security — I felt like my purpose in life is to create an environment where everyone can do their best work and live their whole lives. But how do you do that if you don't feel fundamentally safe?

With the growth of attacks using credentials, what has stood out for you when it comes to identity security in recent years?

The first is that before the pandemic, there was a different world. The network was the perimeter in many ways — you went inside the network and that was the first level of defense. Now we live in a different world. Since the pandemic, identity has become that first level of defense. And that's a massive shift. We now live in a boundary-less world.

And so more and more, identity is that perimeter and that boundary that protects us. This is a world in which identity has now become the fabric of all security. You’ve got to get that right. The conversation starts there.

Secondly, the number of password attacks [has] increased so vastly. Just last year, it was 579 attacks per second. But now it's 921 attacks per second. Most attacks are very common attacks — there's password spraying, there's credential theft, there's phishing. So the learning there is, it doesn't need to be very sophisticated, actually, [when it comes to] identity attacks.

Another learning is that the rate and pace has increased. And by that I mean, along with the number of attacks, the time it takes for an attacker today to get into your system is alarmingly short. It takes less than two hours [from] when someone clicks a phishing link to the attacker getting full access to your inbox. That's crazy.

The last learning is we really need foundational hygiene, which we still don't always have [with] identity. Multifactor authentication is one of my favorite topics. And I love passwordless. I think there's so much elegance to that solution — great experience and great security.

What do you think needs to happen to accelerate MFA adoption among businesses?

I think there [needs to be more] awareness on how critical protecting your identity is, and how critical MFA is — and about how it can be really easy to do [MFA]. It can be very frictionless. So that's awareness training that we need to do.

The second thing is, there is this hypothesis that security is a security team's job, not everyone's job. That's absolutely incorrect. So there's a cultural dynamic. [Businesses need] a security-first culture.

And we have to make [MFA] frictionless. This is why passwordless being a key component of MFA matters so much. I think that a frictionless experience is going to help the adoption of MFA.

How important do you think the latest industry standards from the FIDO Alliance will be in terms of expanding passwordless more broadly?

Security is a giant team sport, and everybody needs to participate. It can't be any one company.

So last year, when we announced passwordless, we were one of the first to work with the FIDO organization. This year, we announced a collaboration between many vendors and FIDO. That's important because we all use multiple devices. I have a laptop from a different vendor, and I have a phone from a different vendor. I may have a television from a different vendor. And I'm using my technology and my applications seamlessly across those [devices]. So if there isn't collaboration [between vendors], then you might say, "Well, my phone's really secure, and I have passwordless on it. But I can't carry that on another device." That collaboration is what FIDO enables.

YubiKey has been a great partner for us. I'm excited about the promise that I'm seeing there for passwordless. And with passkeys, Apple is doing some really interesting things. That standardization is going to be so important. So that's what the promise is for collaboration and standards bodies — of open standards. It's really putting the user at the center of it.

Besides MFA and protections for identity, what else do you see as the biggest security priorities for most businesses right now?

As a defender, it's really important to secure [using] defense in depth. If I step back and look at zero-trust architecture, I would say that's what we need to do. We need to verify identities explicitly [and then] manage access. There was a day when you'd enter an organization and you'd get blanket access to everything. That's very risky. And so you need to make sure that you're giving the right permissions. Our announcement around cloud permissions management that we did in June at RSA is a big example. It's shocking how many people have access to things they shouldn't.

And then there’s advanced security, and also compliance and data security tool sets. So you're thinking outside-in — you're thinking about threat protection, cloud security. But you're also thinking about insider risk, information protection, data security, device management.

But it starts with identity security at the core, and verifying explicitly by checking credentials, and using an engine called conditional access. That is saying, I'm going to give you access conditionally — based on who you are, what you used to log in, where you’re logging in from, what you’re trying to log into.

So bottom line, with everything that needs to be done in cybersecurity, you're still glad you got into this field?

I love it. It feels like I am in an "Avengers" superheroes movie. It is mission-driven. It is highly innovative. So I feel I was very lucky to just collide into security. And I'm excited about the promise of it. I'm excited about what we can do to create a safe world, and build trust — in each other and in our technologies.
