CRO Wisdom Episode 11: Renee Forney, Senior Director – Azure Hardware & Security, Microsoft

Atul Vashistha:

Hi, everyone. Welcome to the next episode of CRO Wisdom. I’m delighted to have today with me, a dear friend and a cybersecurity and overall security expert, Renee Forney from Microsoft Azure. She’s a Senior Director, Microsoft Azure Hardware and Security. Renee, welcome to this episode.

Renee Forney:

Oh, great. Thank you so much, Atul, for having me. Always a pleasure to chat with you.

Atul Vashistha:

Thank you, Renee. So Renee, one of the questions I always ask the risk leaders that are on this episode, because their backgrounds are so different, how did your career start in risk management?

Renee Forney:

Well, a lot of people probably don’t know this, but I actually started my career coding. I designed software initially. And so I think in one way or another, I’ve always been in risk management, because as a part of coding, you’re doing secure coding. So you’re either trying to minimize or mitigate the risk at that point, so that’s just something that came natural to me.

Atul Vashistha:

Wonderful. A little bit more, so how did that progress from coding into actually into risk management?

Renee Forney:

Wow. I’ve been doing this a long time, so to go way back in the day, I was in network management, network administration. And so as a part of that, I began to figure out how am I going to secure the network? So securing the network was a primary focus. And so of course, you have to be risk-minded when you’re thinking about how are you going to secure it? What mitigations are you going to put in place? So as a by-product of being a security professional, I just easily transitioned into risk management.

Atul Vashistha:

That’s wonderful. So Renee, let’s move to the risk environment that we have around us today, and how enterprise is dealing with it. What should be or are priorities of risk leaders today?

Renee Forney:

I think risk leaders today should focus on making sure they have a good understanding of the threat landscape for whatever environment they’re in. Doesn’t matter which sector you’re in, but make sure that you understand the operations of that sector, so that you can clearly get a level of some type of visibility on the threat landscape, in relationship to your environment. And then that will help you identify, what are the things that I need to put in place to be able to manage our risk?

Atul Vashistha:

Renee, I just remembered something. When I first met you, you were at DHS. How is the risk landscape different today that you find, compared to when you were in the federal government?

Renee Forney:

Oh, wow. It’s moved very quickly. It is never changing. The adversary has gotten more skilled, but we too, where we are, having some challenges in keeping up. We too have more tools at our disposal as well. And so when I think about over that period of time, it’s been great because there’s a heightened awareness now. I think at some point, only the tech people cared about what was going on. And now, the risks are affecting the day-to-day operations of an individual, which makes it more relatable to folks.

Atul Vashistha:

Right. So Renee, that brings me to COVID and the impact. And one of the things we’re seeing very clearly is that customers are moving from point-in-time assessment to continuous monitoring. Talk to us a little bit about how do you see that transition, and what would be the things companies should do, enterprises should do to make sure that this transition goes well?

Renee Forney:

Well, I think one of the things that people have to come to grips with is the fact that they’re going to have to get away from, or understand the true value of what I call the three ring binder point-in-time assessment. No longer can we just rely on those. We’ve passed that point now. We are where we are. So I look at it from more of a multi-layered approach, multiset of defenses or mitigations that we can possibly put in place, to help get a better understanding of what our risk posture is.

Using continuous monitoring is one avenue for us to get there. Now, I know when I talk to folks, they have issues around, “Oh, there’s so many false positives,” or things like that. But to me, I am a belts-and-suspenders lady. And I believe in if there is a challenge, let’s find a way to be able to deal with that challenge.

So, one of the ways that I did that was I set up an environment where I use multi sources, multi open-source intelligence sources. But to mitigate the false positives, where you’re just relying solely on the tool and the configuration of the tools that support the feed that you’re getting. I’ve set up a workforce of individuals who came from, and I’ll say this, a veterans workforce. Because when I thought about it, again, at my years at DHS, I thought about all of the people who worked in our watch floors and security operation centers around the world. And I was like, okay, how can we use that talent to bring that outside of a government or military perspective, and bring that into the private sector, to help build that skill, build that muscle in that area?

So, I pulled in, I was lucky enough to be able to pull in some key professionals, both inside the US and also in Europe. Once we brought them in, and these are people who are already skilled in triaging content, understanding how to look at the false positives, understanding how to look at information in such a way, to figure out what’s important in there. And what is this information really telling me? Look beyond the ones and zeros of what they’re receiving.

So, once I established that workforce, brought them into the environment and then made sure that they were married up with individuals who had domain knowledge that you wouldn’t believe, about the area by which we were operating, and brought those two together, that there provided us such a great and clear picture of the information that was being provided by the open-source intelligence. That’s where the rubber met the road and made that information, coming from the OSINT, credible. It put it in such a way that it allowed us to then go to business and have actionable items that we could address.

And so, I don’t want folks to think that some of the things that they hear about it are reasons to just turn away from it. We have to be able to bring them into our environment, and figure out a way to make it work for us. It’s really one of the closest things that we have, in order to give us that real time visibility, or any type of indication that there are some things that possibly need additional attention, where at that point, we might need to go in and do a point-in-time assessment.

So again, I think a variation of a point-in-time assessment incorporated with the open-source technology that’s available to us now, the intelligence has gotten better. And I will say that. So when you talk about the length of time that I’ve been in this field, I have seen it grow and I have seen it get better. And so I really do think that it’s a positive thing for organizations to implement, but understanding you have to have the right resources in your organization to make it effective.

Atul Vashistha:

Yeah. No, absolutely. Renee, you’ve talked about this picture, open sources. I think one of the things that we notice very often is that when companies are looking at that picture, they’re often limiting themselves to looking at the financial risk and the cyber risk of their third parties. But very clearly, we recognize the risk aperture should be much wider. Can you talk to us about what else should they be looking at?

Renee Forney:

Oh, absolutely. The one thing that I can say, as you said, the last couple of years, I’ve had the pleasure of working across multiple sectors. So I’ve done energy, law enforcement, national security, the financial sector, and now in hardware manufacturing. And so each one of those has their distinct differences. But there is one thing that ties them all together, and that’s the IT infrastructure that supports those individual environments.

So, understanding what is happening within those environments, understanding having a very, very strong cyber insight as to how it’s affecting your organization, I think is very key. But that’s not where it stops. Looking at things like ESG and our social responsibility area, is another key area of risk that’s important to us now.

And I think there’s one other area of risk that people don’t think of often. And that’s ethics. Ethics in our workforce. I don’t know if you knew this about me. I’m actually an adjunct professor at Morehouse College. And so I have the pleasure of teaching software engineers about ethics, and how it relates to the environment that they are going into. And the power that they have, given the technology that’s there, and the effects of that. And how that can be affected in a negative way, if we have unethical members of our technology workforce. And so I just think that’s a risk that we need to begin to look at.

Atul Vashistha:

So Renee, I have not forgotten our planned collaboration on the ethics of AI. Remember that?

Renee Forney:

Yes, I do. Yes, I do.

Atul Vashistha:

So Renee, talk to us a little bit about what impact automation is having on risk management. And then what are positive/negatives that we should be aware of, as we think about automation and AI in risk management?

Renee Forney:

Well, the advancements that we’ve seen in our open-source intelligence have really been spun by the advances in AI and machine learning. It’s now placed us in a position where we ourselves, as humans, can be alerted to anomalies faster. But it’s now moved into the space where the machine itself can assist us in responding, which puts us all in an overall better position.

So, I think utilizing the technology, where it might’ve been designed for one thing, understanding that the impacts of it put us in such a better place when it comes to detection and response.

Atul Vashistha:

Right. No, I think that’s well put. I forgot to ask you a question. So Renee, when we were talking about these different risk domains, you said ESG, financial, cyber, compliance, operations, location, end parties. Too often, companies have a solution that’s very specific to that domain. They have a compliance, and a finance, and a cyber, and they’re all silos.

Renee Forney:

Yep.

Atul Vashistha:

Any thoughts on how to overcome those challenges of these silos? Because you’re not getting a singular view of all the risks related to your third parties, right?

Renee Forney:

Absolutely. Absolutely. What I am seeing now in industry, there is a big push to get a handle on operational risk. And so without having that comprehensive view, it puts you in a position where you just don’t have visibility into your operational risk, because where the risk lies is so stovepipe. And because it’s stovepipe, you put yourself in a position where there are decisions being made in a silo, that could actually affect the overall operations of the organization. So I do think that that’s an important thing that’s being addressed now. And folks are realizing that, hey, we need to do something in this space.

Atul Vashistha:

So Renee, let’s switch to you instead of the industry. So Bloomberg recently declared chief risk officer, risk manager to be a hard job. What are your thoughts on that?

Renee Forney:

I think it is, but it goes directly to our previous question. So without having that chief risk officer who can be the person that provides that comprehensive view, so we’re not saying that those individual areas where the risk is being addressed, and managed, and massaged, and brought to the top does not need to happen. But it all needs to come together at some point, where someone has purview over all of them, in order to help us better understand our operational risk.

Atul Vashistha:

Right. Right. The position is definitely elevated, and the benefit and the contribution is definitely elevated.

Renee Forney:

Absolutely. Absolutely.

Atul Vashistha:

So Renee, what resources do you rely on to make yourself a better risk leader?

Renee Forney:

I spend a lot of time interacting with industry groups and my industry peers. So I believe in having a network of people who are operating in the same space that you are, to rely on their best practices. Sometimes it takes a minute to get things written and published, and things like that. But when you’re a part of an industry group that is focused on risk management at different levels within an organization, and different areas, whether it be technology, finance, wherever the risk may lie, and you can come together and have open conversation and share best practices, that’s truly where I have found my best information.

Atul Vashistha:

Yeah. No, I’ve seen you on these calls as part of the risk board, so I absolutely know your contribution to that.

Renee Forney:

Thank you.

Atul Vashistha:

So Renee, my final question. What advice would you have for future risk leaders, as they think about their careers?

Renee Forney:

Wow. So I think that anyone coming into the risk management field at this point in time, should hold dear to their hearts something that I’ve always done as a technologist. It doesn’t matter what domain you go in, but do everything that you can to learn that domain. Learn it, learn how it operates. Learn where it has opportunities, where it has challenges. Learn how it communicates with the rest of the world. Learn what are the key areas that will help propel that organization to the next level. And what are the key items that are mission-critical to keeping that organization functioning?

When you can understand the organization as a whole, it makes it so much easier as a risk management professional to then bring in and help others who are on that probably business side, understand the type of risk that you and I would be bringing forth to them. And so if you don’t put yourself in a position where you understand how they think, see it through their eyes, it just makes it so much more difficult to have that risk management conversation. Meet them where they are.

Atul Vashistha:

Renee, what great advice. Learn deeply, and make sure you’re paying attention to the connective tissue, all that’s around it.

Renee Forney:

Yes, absolutely.

Atul Vashistha:

Renee, thank you so much for making time today, and sharing your wisdom with our audience. Thank you.

Renee Forney:

Oh, thank you, Atul. As always, it is a pleasure to chat with you. So thanks a lot.

Speakers

Renee Forney


Senior Director - Azure Hardware & Security

Microsoft

Renee Forney is a C-suite Executive, strategist and trusted advisor to senior government officials and Fortune 500 business leaders known for turning critical inflection points into opportunities. She encourages a robust approach to digital transformation, multi-cloud strategy, AI, Cybersecurity, and strategic IT investment to achieve corporate goals. With trust and transparency, she interfaces with government leaders, senior industry executives, corporate boards and international stakeholders.

Atul Vashistha


Chairman and CEO

Supply Wisdom

Atul Vashistha is recognized globally as a leading expert on globalization, governance, and risk. He has authored three best-selling books: The Offshore Nation, Globalization Wisdom and Outsourcing Wisdom. Atul pioneered the global sourcing advisory space in 1999 when he founded Neo Group and is also the founder and Chairman of Supply Wisdom. Founded in 2012 as an early warning service for business disruption risk, today, Supply Wisdom® is the market leading patented real-time and continuous risk intelligence and monitoring solution. Atul serves on the boards of the US Department of Defense Business Board (Vice Chair), IAOP, Shared Assessments, and Zemoga.
