This post is a little late to write but finally I have some downtime and can get it done. In December, I moved into the Cyber Security team of Microsoft Enterprise Services.
Most people who follow my blog or know me from the communities will know me as a PowerShell or Cloud and Datacenter Management MVP. At Microsoft over the last 4.5 years I have been working primarily on Cloud and Automation projects. So, Cyber Security sounds like it could be a big change, and I wanted to share a bit of the thinking and motivation behind my move: basically to journal my own career a bit, and in case it helps anyone out there to reframe a dilemma that they might be having themselves.
It’s actually a long overdue move. I was first in discussions with managers in the Cyber Security team over a year ago but, in Microsoft, things take time and people in roles change. This move did finally go through.
So, why Cyber Security? Why does someone go from a heavy Cloud and Automation focus to cyber security or, as some might term it, “selling insurance” (no one wants security until they are breached!)?
In short; “cos DevOps”.
Over the last 2-3 years I have been fairly heavily involved in DevOps and “as-code” communities, as well as working on these kinds of projects through Microsoft. In this time I saw a consistent theme; DevOps initiatives at the grassroots or mid-levels would stall as soon as they hit their ITIL and Security hurdles of large enterprise organisations.
This was consistent when speaking to my Modern Apps colleagues at Microsoft who get Developers up and running with DevOps projects. The pattern in large enterprises generally goes like this:
- Developers start DevOps initiatives and think it will allow them to bypass Ops. Once they realise they cannot bypass Ops to get their new app or service Live, the project stalls, till they work out some integration with Ops to include all the relevant platform standards
- Ops are (usually) actually quite willing to get involved in DevOps initiatives (once Ops get onboard with Devs and everyone sorts out their politics then things move quite well) and sometimes even start “as-code” initiatives themselves. However, Ops sometimes forget about ITIL and Security, or, they spend an immense amount of time figuring out how to get a DevOps/as-code initiative running while still satisfying ITIL and Security team constraints
- This is the major sticking point, which is usually down to the way both ITIL and Security teams in an organisation have established themselves and grown. What usually needs to happen next is many conversations to help the security teams (who in many cases have alienated Ops and Devs over the years) to understand how IT is changing and what their new reality needs to be. This goes along with identifying what Security risks are identified in the organisation, what controls are necessary and how these become part of DevOps Pipelines. How do compliance-as-code and modern reporting work? How does accountability for security shift away from the security team and to product owners? And a whole plethora of other topics.
This was a problem to which I felt I would like to be a part of the solution. My prior automation and DevOps knowledge, along with my background in Identity and dealing with Security teams, set me up fairly well for this.
As well as that side of it, there was an opportunity to help internal Microsoft colleagues with a DevOps approach to solutions we sell from Microsoft Services. Microsoft Services delivers a lot of standard solutions to customers (which are obviously customised where necessary for the target customer’s environment) which use a lot of PowerShell and Automation to give our solutions a consistent delivery state globally. In the Cyber Security team, there was an opportunity to start bringing more of a DevOps “wrapper” around how these solutions are managed and maintained. So I started to become involved in this area too.
Lastly, Cyber Security is an area I have a real passion for. It’s perhaps one of the most important issues of our time, and a daily challenge which too many people in IT struggle with. They get it wrong. It costs jobs. It costs bonuses. It costs customers of companies who have been breached, or everyday people who are not even customers of the companies who were breached because they didn’t even know this company had their data! It’s so easy to make fatal and career-ending mistakes with technology, and as more and more digital transformation happens and more services and processes become digital and automated, the risks are ever increasing.
I really felt like Cyber Security in Microsoft Services was where I could bring together my prior Identity experiences, my most recent Cloud, Automation and DevOps experience and bridge two worlds both for colleagues internally and with Microsoft customers. The right managers and senior colleagues agreed, so it happened 🙂
With every role change comes a change in manager, and my previous manager (Denise) was the best I have come across. It made me apprehensive to move to a different team, but as great managers tell you when you have an opportunity to advance your career and increase your impact “Go! Why are you still here?!”. Despite her reluctance to lose me she absolutely helped my transition to happen.
When you have a great manager, recognise and appreciate them.
So, what can you expect from me in the communities and if this blog does get resurrected successfully? Definitely more of the same (PowerShell, Release Pipelines, Azure DevOps, DSC, etc.) along with the addition of previous skills which I am re-sharpening (AD/ADFS/PKI), and of course things like Credential Theft Mitigation, MIM, Compliance-as-Code, Azure Policies, Azure Automation, Azure Firewall, Azure AD, Azure AD Connect … basically everything Microsoft! Because the great thing about Security is that you need to understand how so many things work to not only identify and quantify the risks, but also to be able to use the technologies to your advantage.
For the foreseeable future, my job will be to help Security minded customers and colleagues understand and embrace a DevOps/as-code future, and I look forward to sharing what I learn. Microsoft has incredible security capabilities and I look forward to helping our customers understand them, deploy them and maximise the value they get from them.
As for the ITIL side. Well. I can’t fix everything!