Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity

Microsoft launched its Cybersecurity Governance Council in 2024, and with it, named a group of deputy chief information security officers that ensure comprehensive oversight of the company’s cybersecurity risk, defense, and compliance. These leaders work in tandem with product and engineering leaders across the company to create accountability and advance cybersecurity protection for Microsoft, our customers, and the industry.

In this series, we will introduce these leaders and share more about their background, their role, and their priorities. 

Q: Tell us about your current role and responsibilities.

Igor Sakhnov: “As Microsoft’s Corporate Vice President of Engineering for Identity, I lead data and platform engineering along with business-facing initiatives. Since April 2024, I’ve also served as Deputy Chief Information Security Officer (CISO) focusing on identity-related security risks.”

Mark Russinovich: “In my role, I work with a large team to identify and resolve the security risks that come up and evolve under the Microsoft Azure umbrella, the core operating system itself, and the groups that make up the core engineering systems that the entire company depends on. In all these cases, we want the risk mitigations to be durable so once they’re done, the system stays secure and doesn’t have to be revisited every year.”

Yonatan Zunger: “My job is to try and think about all the different ways in which things involving AI can go wrong, make sure that we have good, thoughtful plans for each of those things, and develop the right tools so we can design and run the right incident response for AI issues.”

Q: How did you get your start in cybersecurity?

Igor Sakhnov: “It didn’t really start in cybersecurity. My journey began with a deep interest in understanding how systems work and how they interact and perform at scale. Inevitably, the hard question of security surfaces and the interesting aspects of detection and prevention become top of mind.”

Mark Russinovich: “I’ve always been interested in the way computers and operating systems work. In junior high I started working with computers and figuring out the internals, then went to college and graduate school in it. There was a natural intersection with cybersecurity and operating systems design since both involve understanding complex systems, and I started doing more with cybersecurity.”

Yonatan Zunger: “I started my career as a theoretical physicist. I joined Google, spent years building search and infrastructure, and in 2011 I became the Chief Technology Officer of social. This was a few months before the launch of Google Plus, and I discovered that the hard parts of the job had nothing to do with technology. Instead, all the hard parts were security and privacy, and those were interesting problems to me. It quickly became clear that using these technologies in the right or wrong way can have a huge impact on people’s lives. That stuck with me, and it caused me to genuinely fall in love with the field.”

Q: What does your team do, and how do you work with others across the company?

Igor Sakhnov: “My team is responsible for the work and innovation in the Identity space, building a large-scale enterprise identity system. Over the past year, the point about larger systems being identity-driven has really come to fruition, with the new efforts that leverage identity in the network flows.”

Mark Russinovich: “My team focuses on technical strategy, architecture, and security risk management for the Azure platform, engineering systems, and core operating systems. We work closely with teams across Microsoft to implement durable security measures. I collaborate with emerging technology teams to understand customer requirements and guide Azure’s development while ensuring security remains a priority in all decisions and implementations.”

Yonatan Zunger: “We’re a very horizontal team and our work has six core pillars: AI research, infrastructure, empowerment, evaluation and review, incident response, and policy and engagement. Within those pillars are a lot of people working on a lot of things, from doing safety and teaching it to people, to thoroughly testing and vetting every piece of generative AI software that goes out the door at Microsoft, to bringing AI expertise into incident responses, to engaging with all sorts of stakeholders across the world, and talking and sharing with them but also listening and learning.”

Q: How do you balance the need for security with the need for innovation in your team?

Igor Sakhnov: “Balancing is important and hard. We strive to integrate security into the development process from the outset, shifting left and avoiding interruptions. No matter how innovative the product is, it will not get adapted if it is not secure or not reliable.”

Mark Russinovich: “I don’t think it’s an either or, but it is a balance. The second something may turn into a widget or service that people will depend on, you need security, but if you create such a hardened system that no one can use it, you’ve wasted time. We have a commitment to our customers that security is always in the driver’s seat, but innovation is holding the road map, and we’re delivering on that.”

Yonatan Zunger: “Engineering is the art of building systems to solve problems. If you’re building a system that isn’t safe and secure, you aren’t solving the customer’s problem, you’re building a system that will give them more problems.”

Q: What are some of the biggest cybersecurity misconceptions that you encounter?

Igor Sakhnov: “The desire to make the perfect solution. This is why ‘assume breach’ is the mindset I cultivated with my team. Yes, we must focus on the protection at all costs, and we should expect that any protection will be circumvented. How we detect, reduce the impact, and mitigate in the shortest time is top of mind.”

Mark Russinovich: “The assumption that unless you can prove to me something is not secure, it’s secure. You of course must invest in prevention, but Microsoft has said for close to a decade now that you have to assume any system can and will be breached, so you have to minimize the impact and increase how you detect and mitigate those breaches.”

Yonatan Zunger: “The idea that security, privacy, and safety are three distinct things. They’re not. If you’ve ever seen a security team, say, ‘That sounds like a privacy problem,’ and a privacy team say, ‘That sounds like a security problem,’ and nobody fixes it, you know where this story ends. Artificial boundaries like these are a factory of nasty incidents.”

Q: What’s one piece of advice you would give to your younger self?

Igor Sakhnov: “Shift focus from the local improvements and invest heavily into the influence to shift larger organization for all to move in the needed direction. Microsoft’s Secure Future Initiative is a notable example where a central push supersedes all the local innovation we have done over the years.”

Mark Russinovich: “I don’t look back and think about things that I’ve done wrong, but for those that are just starting out in a career or in life, I’d say this: When you find an area that you’re passionate about, learn that area and the areas around it, and learn one level deeper than you think necessary to be effective. My father gave me that advice and it’s what inspired me to pursue computers.”

Yonatan Zunger: “If you ever find yourself in a relationship where you can’t fully be yourself…leave.”

Leadership as the ultimate control layer

Across identity, cloud ecosystems, and privacy, these leaders have independently arrived at similar conclusions: security enables rather than restricts, perfect protection is impossible, but resilience is achievable, and everyone—from engineers to customers—plays a role in defense.

Microsoft’s security transformation isn’t just about technology. It’s about people like Igor Sakhnov, Mark Russinovich, and Yonatan Zunger who demonstrate the diverse leadership needed to strengthen Microsoft’s security posture for our customers and the industry.

Watch for more profiles in this series as we highlight additional deputy chief information security officers, including leaders overseeing cloud infrastructure, customer security, threat intelligence, and more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity appeared first on Microsoft Security Blog.

Source: Microsoft Security