The room got a little bit quiet. I think this is live. Good morning, everybody. I'm Brad Zelnick with the Deutsche Bank Software team. Welcome to the DB Tech Conference. Once again, delighted to have everybody, both here in the room and online that's listening in. For this session, I am truly delighted to welcome none other than Microsoft's EVP of Security, Mr. Charlie Bell. Charlie, thank you so much for being here with us.
Oh, it's great to be here. What a nice setting!
I learned that you're from sunny Irvine, California.
Yeah, I grew up down here, so I know the whole area, and it's kinda nice to get back out of the smoke and into the sunshine.
Well, well, we're all glad to be here with you. Thank you so much, and really looking to learn a lot about Microsoft and its strategy and security. Thank you so, so much for joining us. If you don't mind, maybe—
Silence. That's important.
Yeah, that would be-
You may wanna take that.
I always take a call from my mom, even if she calls while I'm out here.
Not my mom.
Okay, so we're-
But I would take that call.
So maybe if you don't mind, for those that don't know you, could you just take a minute to explain your role at Microsoft and what your mandate actually is?
Sure. Well, maybe the best way to do that is to wind the clock back to when I first started thinking about doing something new when I was at Amazon. I was at Amazon for 23 years, for those of you who don't know. In January of 2021, Jeff Bezos said he was gonna step away, and I thought about it, and I thought, "Wow, this is gonna be a different world." I could keep doing what I'm doing. I'm having a good time. We're building a cloud. But I thought about it and thought, "You know, if I'm gonna do something new, this is the moment." Because of my age, I thought, I get into things deeply. I can't, I can't do the few years and out thing.
So I thought, "Well, if I'm gonna do something new, I should really analyze it, think about it, and either stick with what I'm doing or do something else." The thing that got me right away is something I'd seen over the years with customers in cloud computing, the growth and the problem in security. It really bothered me because I didn't see an end in sight. It was actually getting far worse. There was this whole shared responsibility model. It was very difficult for customers. I thought about it a lot, and the more I thought about it, the more it grew on me. It was funny because I was talking to my wife, and she's, by the way, a brilliant woman. You could look her up someday.
But she said: "You know, you should talk to Satya Nadella." I said, "What?" She said: "No, you should talk to Satya. Microsoft is doing a lot in security, and it's a great company." And at the moment, I said, "Okay, fine." So within a week or two. She knew Satya, by the way. There's an old story there. Back in the early 2000s, before Satya was Satya, she had tried to recruit him to Amazon, and of course, he was trying to recruit her to- I met her at Amazon. She was one of the senior leaders there. And so she called up over there at Redmond, and on a Saturday, I was talking to Satya, and the thing that impressed me is, first of all, he'd I didn't know it.
He'd already formed what Microsoft calls a Customer Solutions Area around security because he saw what a problem this was. As the more I talked to him... By the way, he didn't try to sell me at all. I wasn't recruited. He wasn't trying to push: "Hey, Charlie, you ought to join Microsoft." He was just listening and asking questions and then answering my questions, and I was mostly interested in how was he thinking about security? But the result of that conversation, I talked to the two major engineering leaders he has there, Rajesh Jha, who runs the productivity end-user side of the business, and Scott Guthrie, who runs the Azure cloud side of the business. It was a really great conversation. What I...
I realized a lot of things. I realized, one, it was an engineering company. Microsoft was really inventing a lot, but also very thoughtful about how you, how you do that at scale. And so, and of course, the security problem, the more I thought about the security problem, the more I realized that, one, the company that was really gonna solve this issue, was gonna be a provider, because you see so many things as a provider, and this I knew from running a cloud. You just see how customers are both, currently using things, where their problems are. You see where they're going, what they're doing, what their issues are. I was very much attracted to the fact that Microsoft had really, I'd say, the three pillars of...
In addition to the security business, had the three pillars of services in the cloud that we're gonna read on this problem. One is providing an infrastructure cloud. That's really important. The other is the end user and productivity world, because bad actors start with people. That, that's one of the, we're the weak link in this. And then, of course, the identity business that Microsoft had, because when you move to a world of zero trust, you have to know what you're talking to, who or what you're talking to, and Microsoft had far and away the largest capability in all those areas. And so, so yeah, I talked to Satya, came over about two years ago.
He'd formed the CSA, but what he hadn't done is taking the products, the engineering products, from Scott and Rajesh and united them in one organization. And so I brought those things together, so my mandate is all things security. By the way, he also has Bret Arsenault, the CISO, report to me, and so I own protecting Microsoft. I own the-
Interesting
...internal security of Microsoft as well. And there's a lot of first party equals third party, and there's a lot of learning that goes on there. Microsoft is ground zero for attackers, and so we learn a lot, a lot from that. But yeah-
Excellent.
That's my mandate.
Thank you very much for that. And you've touched on a bit of my next question, but I'll still ask. I mean, the momentum just in recent years in security has been nothing short of impressive. At a high level, can you start by giving us a sense for the overarching strategy and the couple of key things that you think really differentiates Microsoft in a security context, in what is a highly competitive, even noisy market?
Yeah. Well, like I said, one of the things I thought about carefully was the breadth and scale of the problem. I mean, one of the things we have to realize is, this problem is not getting smaller, it's getting larger. The estimates of the take, the negative drain on the world's economy that bad actors represent, have gone from $6 trillion. I think it's estimated now to be $10 trillion in 2025. And it's growing faster than the Indian economy, which is the, I think, the top in the top 20 GDPs, it's the fastest-growing economy. So the problem is getting more difficult, and you need to solve it with an end-to-end offering. You've got to cover the full spectrum because attackers work...
They start with end users. They'll phish somebody, compromise an account. They'll use whatever privilege that person has to lever up to somebody with real privilege or that person, and use that to move laterally through the environment. And they'll use all of the pieces. They'll use the network, the identity, email, productivity applications, main applications, infrastructure. They use all of it. So end-to-end is really the, you know, our thinking about what is gonna solve this problem. And you know, we focus on all those areas. I think you know, I think the world is moving that direction. If you-- You know, I've seen some CISO surveys where there's a pretty radical shift in their thinking.
I think, going back, like, 10 years, generally they pieced together solutions by getting, quote, "best of breed," but literally hundreds of different solutions, to read on the security problem, and now they're going after, consolidation. They're trying to figure out how to get, get end-to-end, so. And attackers find the seams between things. That's, that's part of what's driving this.
Makes sense. Charlie, I think it was in December that Microsoft had disclosed that security is, is a $20 billion-plus business at the time, growing north of 30% year-over-year, versus the broader security market, which I think is growing somewhere in the teens. Obviously, the backdrop has become a, a bit more challenging since then. Can you talk about what you've seen in terms of customer demand and your ability to take share in this environment? 'Cause, I mean, clearly you have a consolidation play that's quite unique.
Yeah. Well, I think we're one of the major beneficiaries of the consolidation move. You know, we see healthy growth. You know, we're now 1 million organizations protected, and that number grew by 26% last year. Really interesting is that the number of customers who are using more than four workloads, that number has gone up by 33%. So it's an increase in intensity, I think, that's going on. I think there was a lot of optimization that people were doing, but typically you see that happen over a short period of time.
Over the long period of time, the way I think about it is, it's what I said, like, we're going to a $10 trillion drag on GDPs, and that's gonna grow. I've seen some estimates that say it could pass the U.S. economy's GDP by the 2030s, if we don't get ahead of this. So, it's-- That to me is the signal of demand. And so I think there's gonna be a lot of need for security products going forward.
It's a strong signal, and it doesn't seem to be abating. It's been the same story for years. Maybe, you know, with that, I think it was in 2021, Satya announced plans to invest $20 billion in security through 2026. Obviously, there's very few, if any, other players out there that can credibly make that kind of statement and have the wherewithal. Can you talk about your R&D prioritization and the criteria that you use, how generative AI might impact the composition and perhaps even the level of overall investment going forward?
Yeah. Well, that, you know, that was one of the reasons I came to Microsoft. I looked at the assets that Microsoft had and the leadership, Satya's propensity to bring those to bear on security. You know, the first thing that you know if we're going to turn the corner on all this, the first component is data. Like you know we talk about the asymmetry of the attacker, that the attacker can come at you from any point, and you have to defend the entire perimeter that you own. But we have an asymmetry in our favor. It's data. We get to see the entire environment, and one of the beauties of being a cloud provider is you don't just get to see one environment, you get to see lots of environments.
There's a data asymmetry that works to our advantage. You know, we do 65 trillion signals a day processed within our products, and the fact that we have all that data, I think is a huge advantage. Bringing that to bear with the investments that we're making is super important. We brought together, you know. The industry likes to take all the products and break them into these cute four-letter acronyms. You know, everything from SASE, XDR.
SIEM, SOAR.
SIEM, SOAR. Yeah, we like to break it all up, and that's-- By the way, you know, you think about the fragmented world we've been in, it's certainly natural to wanna talk, have names for all the fragments that you talk about. But we've basically blurred the lines between things like SIEM and XDR and SOAR, and all the things that you have to do, really. If you're gonna be end-to-end, you've gotta blur those lines, and it starts with data. And so there's a lot of investment in that. And by the way, that's a prerequisite for probably the biggest change that we're gonna see in security, the one that's gonna finally, I think, turn the corner. You know, the big part of-
You can have all the data in the world, but if you can't see it and act on it and use it, it, it doesn't matter, and we haven't been able to do that so far. It's one of the challenges in the security industry is the siloing of expertise. You know, you think about, there are companies that know how to do network security, there are companies that know how to do email security and maybe do something in identity or endpoint. Each of these companies has an expertise, and they all wanna branch out from their expertise. But fundamentally, you gotta be able to get across all of it, and to do that, it's AI. You've gotta be able to take all of this data, all of the signal, and understand it.
And because no expert in your SOC or in your development organization building a proactive defense, nobody really can understand all of it. The AI can. The AI can both on the, we call it shift right, on the- just be very good at responding to attacks. The AI can move very fast and see across a whole bunch of variables and take action. And then in the proactive sense, the AI can look at a very broad environment with lots of different technologies and understand across all of it, what needs to be done. And so, that was, by the way, some of my thinking when I came over. You know, one of the things I saw was, that just astounded me in my old job, was GitHub Copilot.
It was just amazing, because, you know, we were thinking obviously about the same kind of thing. It was amazing how good it was. And as I, you know, really dug into it, what I realized is, the partnership that Microsoft had with OpenAI, it goes way back. That-- It's an R&D partnership, the understanding that Microsoft has of that LLM technology and what it could do, it was pretty clear that there was a lot to do there, in security, and so that's really opened the door. I think, you know, it's even, it's even gone faster than I thought. When I saw what GPT-4 could do, as a core of building AI capability, that is the other thing that I think gets us around the corner, and we can finally have it be an asymmetry of the defender.
I mean, they're using AI. They're using AI as well, right?
Ah, but the beauty is, they don't have the data that we do. We get to see the whole environment. They still have to go after their thing, but we get to see all-- By the way, we get to aggregate everything that all of them are doing, too. And so, so I think we have a, we now finally have an advantage with, with AI.
That maybe leads to my next question, which is back on a theme that we've touched on, which is consolidation, which I feel like, you know, has been a promise of the industry. Any newcomer who stumbles upon the problem and the domain naturally would say, "Okay, just..." You know, the customer just wants to make it stop, and they're swimming in all these point products. But, you know, it's always cybersecurity has always been this arms race, consolidation long the promise.
Why do you think consolidation is finally happening now? What gives you the confidence that the history of fragmentation, for which, you know, we've seen pockets of consolidation, next-gen firewall, what some of the endpoint players have done b ut there's still more vendors on that RSA show floor every year than, you know, we can easily count. But what is it that helps to buck that certainty that's always been for quite some time?
Well, you know, it's like many other things. You have ideas about something that should happen, and you look at the technology, and it's just not mature enough to do it. And then you finally reach a point where you get technological maturity. It's why I came to a provider, because it's-- You look at the capability you have at Microsoft in data, like, just being able to process huge amounts of data. When I'm talking about 65 trillion signals a day-
Sure
... you talk about massive inputs of data that come from customers as they're building their unique environments. You know, you've gotta be able to process huge amounts of data. You've gotta be able to do it in real time. And we finally have that ability. You know, we can handle huge, huge volumes, you know, petabyte-scale logs coming in. You know, the ability to issue queries across all of that, being able to do it in real time and respond, all the messaging systems. A lot of, a lot of the cloud technology has really begun to enable this. I think the other one is the AI side.
I think the fact that you can now bring AI to bear and look across some of these signal silos, if you will. I mean, we've always had the seeds to it. You know, we've talked for a long time about zero trust. Well, the aggregator of zero trust has been Microsoft's Conditional Access. I saw that from the other side. You know, you have identity system that basically went through a whole kind of maturation of that. We protected ourselves with passwords, and we figured out that we needed MFA. We needed multi-factor authentication. We needed something else that we had that said, "Yeah, I'm Charlie. You can trust me." And then those things started to get intercepted, so now you need-...
An AI that can look across the infrastructure and say: "Well, I'm looking at your end user variables, I'm looking at your system variables, I'm looking at your IP address, the system you're on, identifiers. Hmm, I think you're Charlie. You're not Charlie. You're not going in." So, there's been a lot of capabilities that have been built over the years, and that's kind of how technology works. You continue to layer things up, but I think we finally have enough technology to do it. And, I also think, you know, I go back to Satya, his understanding of this being kind of fundamental to the human progress on technology.
You know, one of the reasons I wanted to do it, and he shares this view, is that, if you're a technology company, you win if people can confidently move forward. They can adopt new technologies. Like what's going on with AI right now, GenAI. You know, I got to be able to just use it. I can do tremendous things with it if I feel I can do it safely. But if I'm afraid because I'm seeing bad things happen out there, I don't want to use it.
I won't buy it. And, so security, that goes all the way back to Bill, all, like, around 2001 or 2002, when he did the trusted computing memo. Microsoft figured out that it really doesn't have a business if people don't feel confident moving forward. So I think we're in, you know, we're in a spot where it's in everybody's interest, it's Microsoft's interest. We're going to continue to invest in it and make it easy for people. Move it into the background, security by default. Eventually, if we really get over the hump, you guys won't even be talking about it.
One day.
One day.
And it's all about trust. That resonates with me quite a bit. If I go back to March, just several months ago, the response that Microsoft proclaimed to the world, to all the things that we're talking about, the $trillions in loss to our economy, the shortage of talent that really understands cyber, the fragmentation that customers are forced to deal with. The answer, or one of the, was Security Copilot, which I believe combines the capabilities of GPT-4 with proprietary Microsoft security models. Can you remind us what the product is, maybe some of the feedback that you're getting in preview, even potential monetization structure, and what milestones should we be looking to as investors going forward on the progress of Security Copilot?
Well, at first, this isn't just, you know, ChatGPT looking at a vulnerability and kind of telling you about it. Like, this is-- In order to do the security side, hopefully, maybe you guys have played with Microsoft 365's ability to summarize an email or something. But to do the security side, you've got to- you get down into a lot of very technical analysis of signals, you know, looking at logs coming off a machine. If we think about it, this is kind of a little different application of generative AI. And it's-- You know, we often say security is a team sport.
Well, within the AI world, building a Copilot is a team sport. It's not just the LLM, it's specially trained models. For example, one thing that the LLM has to be able to do is query data. Well, how is it gonna do that? Well, you, you have to have separate capabilities that know how to do that. And so it's a systems problem. And what was exciting to me is, you know, I, I came to Microsoft, well, it was two years ago. It was end of August 2021, and we were just getting started on LLMs and security.
And now, when we look at all the things that we can do across the board to stitch this together, you've got to be able to go after not just the data that we have, the signals that we have, you've got to be able to let the customer bring signals, and it has to be done safely. You know, one of the challenges, I think, in the AI space, when you start systematizing large language models, is that, oh my gosh, this thing is going to be looking at a lot of data. How do I protect the data that I'm accessing? How do I make sure that this customer can take their stuff and not have customers be able to see it or do something, or it gets into the model in some way?
You know, that all has to be guaranteed through separation. And then the other thing is, you got to make sure these models cannot be manipulated. One of the challenges is, you know, that large language models operate off of prompts, and people can manipulate what the answer is gonna be by doing things with them. So we do a lot of red teaming, understanding both the base model and all of the separate models and the combination of the system, how it's gonna behave. And so that's actually taken quite a while. That's been a long journey for us.
It's something where I think being part of the R&D for development of ChatGPT, GPT-4 has given us a lot of understanding of the problems and how to go solve them, and also let us work with, you know, OpenAI and what kind of things have to be done at their level, but also our own capabilities. So, the way I'd say it is, it's a journey. You know, we've got private preview with a few customers. We're working with them. I think the first reaction a customer has to this, they're astounded.
Like, the fact that they were able to have this thing tell them not only, you know, "Here's the problem that you have, but here's what you should do to stop it right now." You know, I think it's the same reaction I had the first time I saw the capabilities that we were producing. I just-- It will change security forever. But it's-- So it's a fundamentally new way of doing things. It's also pretty, I'll call it R&D and resource intensive. You know, as I said, it's not just taking ChatGPT and saying, "Summarize an email." It's really a whole bunch of things that you've got to go do at a systems level to make things work.
You know, it's back and forth between us and the core teams that own the models at Microsoft and OpenAI. So we're on a long journey. It's gonna be-- You know, we're gonna begin introducing things to customers, I think a little more broadly later this year, and we'll roll it from there. I think, you know, as far as monetization, the only thing I can say, it's gonna be a lot of investment on our part. It's a lot of GPUs to go spend.
By the way, the other thing about these security models is, you know, you guys go to the web, and you start playing with ChatGPT or Bing, and you start going back and forth. Well, each time you do it, you're doing an inference. When you do security models, you're doing a lot of inferences. Like, in order to do the systems-level job we do, it's resource-intensive. So this is gonna be a, it's gonna have to be a separate important business for Microsoft.
How do you maybe, on the topic of monetization, balance the interests of direct monetization versus indirect monetization and creating trust, and therefore, you know, just better sell-through of the rest of the security portfolio and Azure and Office and other Copilots and everything else? I mean, it's-
Well, we do that.
Big Microsoft, and I know Amy's not gonna let you spend money on spending all these GPUs without a return, but there's a-
But we do.
There's a big picture here, right?
We do that. We. You know, again, one of the reasons I was excited about working at a provider is that there's a flywheel between a paid security business and a free security business. So the provider is gonna provide security by default, embedded in the Windows. We just did a bunch of stuff with Windows.
We continually launch all kinds of new things with Windows, for example. We've done a tremendous number of things with our identity offering, Entra, and it just comes in. It just. It's. Customers get it. And that part of the business gives customers the confidence to move forward with products. So there is indirect monetization. It's in the interest of the provider to make sure that people are safe from the get-go. But there's a flywheel, because you learn, you get to build on top.
You get to find the unique needs of customers who say, you know, banks, for example, have some very severe regulatory requirements for segmentation of duties. And so, okay, they're gonna need very special functionality to be able to do that. You know, the analogy I use is, you know, you got a car, everybody buys a car, some of you buy snow tires for your car, so you're gonna buy extra stuff that you need. So there's always gonna be monetization here. And this is an incredibly important area, I think. But there will be things we provide as part of the products themselves as well.
That's helpful, helpful context. I wanna be respectful of the time, and there's so much to talk about, Charlie. Such a broad topic, but maybe pivoting to another acronym. I think it was big news just a couple few months ago. Microsoft announced its entry into the SASE market with Microsoft Entra. Why is this an area where you feel you can really win, and how should we think about Microsoft's value prop as you get further away from securing Windows core, Microsoft 365 apps and Azure services?
Well, so first of all, I wanna say, one of the key parts of the conversation with Satya that got me at Microsoft was I was probing him to understand, is this about protecting Microsoft products or how do we think about securing things? Because back of my head, my thought was, one of the things I've observed is you can't say it's my cloud or no cloud. It's gonna be a multi-cloud world. People are gonna use many things.
That's, historically, you go look at technology, everybody's always used a polyglot of technologies. If nothing else, they get them through acquisition, or they've been using them for a long time, but, but they'll adopt new ones. And the thing that resonated with me is he was all over protecting everything, and that ding, ding, ding, that's end-to-end. That's how you become end-to-end.
You say, "Look, I don't care whether it's..." And we do. We launch the security world that we have at Microsoft. We protect AWS, we protect GCP, we protect other people's technologies. And we're very committed to the whole end-to-end idea. And so when you think about SASE, maybe it's best to kind of wind back a little bit and really think about what does zero trust really mean? Zero trust is about, I don't trust anything. Like I have a system. If the moment the system starts to default, trust something and say, "Yeah, yeah, you're okay," without checking, well, that's an entry point. It doesn't have to be the network. Like, we've often talked about zero trust, like it was some kind of networking thing.
Well, zero trust is a very broad concept, but we've been doing the core of that for a while. So Conditional Access in Entra. So the ability, as I said, to take a whole bunch of variables, some are network variables, a lot of them aren't, and say, from an AI perspective, "You should have access. No, you shouldn't have access." That ability, a natural extension of that, is to do the things that we just announced with Entra. But I think the idea is if we're gonna be end-to-end, we've got to be able to do all of those things for customers. And they tell us that, you know, we don't-- This isn't us just saying, "Hey, what do we think we ought to go do?" This is customers saying, "Hey, you guys really need to be giving us this capability.
Got it. Makes sense. If we look back in five years, what metrics should we think about to know if you've been successful? And what security-related objectives and measures are all of Microsoft's business units held accountable to? I mean, I remember many years ago, before you had arrived, that I had heard of, actually related to, to Azure AD, where there was a metric by which many of the businesses were measured. It was one of the many criteria or objective of how many, how many identities did you bring into Azure AD? What's, you know, over a multi-year horizon, how do we know that you really crushed it and?
Oh, wow.
You achieved your goal, and how do we think about measuring that?
Well, I mean, I do think revenue is a good one because it means customers see value in what you're doing.
Sure.
That's sort of an obvious one. And, you know, we're really proud of crossing the $20 billion mark, so that, that was kind of a big milestone. But, you know, actually I-- One of the things that would make me super happy is if we stopped talking about that GDP loss being bigger than the U.S. economy in the 2030s.
Like, if suddenly the whole trajectory is changing, and we look at 2025 and we say, "Hey, maybe that $10 trillion loss didn't come true," you know, that would be-- Or to see some tilt in that trajectory, that would be a really big milestone, I think, for us. But yeah, I mean, we'll continue to the number of organizations protected. We track all kinds of very detailed metrics on protected users and everything else. But, yeah, I would say the big one is that we've made changes trajectory on that on that growth in what's happening out there.
Cool. Charlie, we are just about out of time. Is there anything we didn't get to that you wished I had asked, that you wanna impress upon folks? I mean, the work that you're doing is obviously incredibly important to Microsoft's success, but it's important to the world. Any final thoughts?
Well, just, you know, sometimes we talk about this kind of loss, and you guys see headlines all the time, and, I, I'd want everybody to, to be optimistic about this. You know, one of the things that got me here was I, I really love the idea that human progress is all about technology. You know, you apply technology to new problems, you get to solve new problems. And I think we're gonna be able to do that. I think, you know, the key is the asymmetry I talked about. The fact that we're gonna be able to aggregate across a large volume of data, using AI. We're going to be able to turn the corner on this thing.
And so, yeah, I mean, look, you look at what nation states are doing with, you know, what Russia's doing to attack and what China's doing to attack, and North Korea and Iran. You know, we have a whole unit that spends a lot of time, in those, in those areas, understanding those, those adversaries. And it can be kind of, kind of depressing sometimes.
But, but I, but I think-- Look, I, I don't think human nature is gonna change. I think there's gonna be some bad people out there, and they continue to do things. So I think this industry is gonna be pretty healthy, but I wouldn't want anybody to think, "Oh, my gosh, I gotta run for the hills and hide." I think we're making some real progress on this, and I'm, you know, excited to do it.
Cool. Well, we're all counting on you. Charlie, thank you so much for being here at the Deutsche Bank Tech Conference. This was really, really great.