Influence Without Authority: Mike Howard’s Playbook for Modern Security Leaders

0:00

Fred:

Hi, I’m Fred Burton here today with Mike Howard. Mike is the former Chief Security Officer at Microsoft, where he led global security operations for 16 years. Prior to Microsoft, he spent 22 years as an Operations Officer at the CIA and began his career in law enforcement with the Oakland Police Department. A recognized security leader and author of The Art of Rodan Leadership, Mike now advises and mentors security executives, emphasizing lifelong learning, innovation, and service-driven leadership. Mike, welcome to the Ontic Connected Intelligence Podcast.

Mike:

Thank you, Fred. Really appreciate it. I really appreciate the opportunity, so thank you so much.

1:10

Fred:

It’s our pleasure. Mike, you spent more than two decades at the CIA before stepping into corporate role at Microsoft. What motivated that transition and what was the biggest adjustment you had to make early on?

Mike:

In terms of going from police to CIA or CIA to Microsoft?

Fred:

From CIA to Microsoft, just transitioning to the private sector. I know it was, I had no idea what I was getting myself into.

Mike:

Yeah. Yeah, interesting question. So I had, I had no desires of leaving after 22 years. I actually had a position as the Chief of Station, but it was domestic, I took a domestic tour, I was always in counterterrorism center for many, many years. going after terrorists and took the domestic assignment in Pittsburgh, which had five states underneath me at the time. And we were there during 9/11. So one of the planes unfortunately went down in Saintsville, Pennsylvania. It was, you know, it was tragic, but the tour itself was very good. And I had fully intended on going on to some other assignments. But then politics kind of reared its ugly head and an assignment that I had been given was taken away at the last minute. And my then wife, who unfortunately passed away a few years ago, she was also with the agency. She had retired already and kind of talked it through, didn’t want to go back to DC, had no idea of the private sector at all. But I did know a person that had successfully made that transition from the old NIS, now NCIS. And we worked with each other in the Philippines back in the day. And so I reached out to him and through, it was a kind of convoluted process, but I ended up getting connected with HR at Microsoft who were looking for a Director of Executive Protection, EP. And I had done a fair amount of that early on in my career at the agency. And that’s how I ended up at Microsoft. But as you well know, because you’ve made the transition, I always knew I could find my way in any enterprise. I would eventually figure it out. But man, holy smokes, the culture change was completely different, completely different.

3:37

Fred:

I hear you, my friend. I literally look back on how I transitioned, and I’m not so sure how I made it. Mike, as you look back, which skills or mindsets from your intelligence career proved most valuable once you entered the private sector?

Mike:

Number one, being able to deal with less than clear-cut, you know, more nebulous situations. One of the things I learned right on the bat, you know, you come from the U.S. Government, USG, and it’s this top-down, more authoritarian kind of infrastructure. If I’m station chief and I say, jump, you jump, right? I’m a security officer at Microsoft, and I tell a business unit owner or some VP, hey, I need you to do X, Y, and Z, they can say, just go pound sand, right? It’s, you have to have influence, sometimes without authority. But one of the other things I learned about, we learned how to, as you know, how to assess people very well, how to assess people for doing our work, but also goes to assessing talent. And I thought using the skills I learned in the agency to assess top talent, The people we needed to drive what was then a pretty broken program at Microsoft in terms of global security. To keep up with where Microsoft was going and where I knew we needed to get eventually, I needed the right people. So being able to assess and develop the right talent and to weed out the naysayers and the malcontents and others, that was definitely a skill. I think also the ability to “recruit”, right? When you get back to that influence without authority, being able to target various vice presidents and presidents of different divisions, letting them get to know you as a person, not as the security person and understanding what, you know, try to explain to them what the value add for their business is by you know, working with us on our security protocols and our program, just recruiting them. And that was invaluable. Instead of trying to pound heads, just having a coalition of the willing at Microsoft, of heavy hitters that were willing to support me and my then nascent program. And then later on, as we became more mature, to really buy off on some of the big bet items that we were going for, like the GSOC and all that stuff. Later on, that paid dividends. So that definitely harked back to the agency days and the things I learned there as an intelligence officer.

6:33

Fred:

Yeah, that’s fascinating. And as you know, intelligence work requires balancing uncertainty, risk, and imperfect information. How can security leaders apply that mindset in today’s complex threat environment?

Mike:

I think it’s even more complex than when maybe I was in the game when we were in the game, right? I mean, things just move faster. And what I think the security leaders need to do is first position themselves in a way so that they have the right frame of mind, knowing that you don’t want anything bad to happen, but something bad is going to happen, right? That’s just the nature of your business. But you also have to make sure that you are really staying abreast of whatever the latest threats are to your particular enterprise. And for every enterprise, there are some similarities, and as you know, some differences. So you really have to be cognizant of what are those threats that are here now. But you also have to really look down range. I think a lot of people don’t do that as much as they should. Really look towards “What are the emerging threats?” And we’ve heard that for years, that term emerging threats, but what are the emerging threats? Like for Microsoft, with the AI revolution and building more data centers and all these other kinds of things, what are the threats to your critical infrastructure for Microsoft, for your new AI sort of investments. I also think you also, in order to really keep on top of this stuff, think about talent, right? Think about, and we did this, tried to do this back in the day. I didn’t want everybody from Microsoft and global security to be from the CIA, right? You find a lot of shops where, CSO is a bureau person, damn near everybody’s a bureau person, right? I don’t want groupthink. You want people from a whole lot of different disciplines that are smarter than me and smarter than those of us in the USG, which I thought we were pretty smart, but I mean, there are a lot smarter people. with a lot of different skill sets that you can bring into the global security sort of ecosystem that are talent in science and engineering and all things that will help you manage those emerging threats in the future.

9:05

Fred:

You know, that’s very well said. I know over the course of my career, I’ve always tried to hire folks based on their quality of mind and then look at some of their experience and so forth. And when you look at a company like Microsoft, which operates at such a massive global scale, Mike, How did you think about designing a security program that was both consistent worldwide and adaptable to your local risk?

Mike:

Great question. The first thing that I had to think about, and I think all leaders need to think about in their own enterprises, is stop thinking of yourself as the security person. I used to tell my troops, we’re business people. Our business happens to be security. So you start off with that mindset. The other thing is you don’t work in a vacuum, right? So I needed to know what the strategy of the C-suite was, you know, in terms of back when I got there, we had very little footprint in China and in India, for instance, but we were starting to, and we could see that that’s where we were headed, right? But global security had very, we had limited bandwidth internationally. So part of it, a big part of it is making sure you’re hooking on to the strategy of the company writ large, right? Where’s the company going? Where are their investments? Who are the people you need to talk to? The global leaders in Microsoft, the regional leaders, the regional VPs and all that stuff, get to understand their programs, where they’re going, what the threats are in those regions. And then again, going back to that talent, hiring the right people. Back in the day, we used to, when we did investigations, when we first started, you know, something happened in France, we’d fly people out of Redmond, Washington. They didn’t speak the language. They didn’t know the culture—made no sense, right? From back when you and I worked, you know, in boots on the ground were people that spoke the language, understood the culture. So a big part of that is to just to make sure you’re aligned with the business if you’re aligned with the business and they understand what you’re all about and how you can help them be more successful then you get not only do you get the buy-in for the program but I found out that you also get the buy-in for more personnel, right? If you’ve got a regional VP in India or France or the UK telling my boss back at headquarters, hey, Mike says he needs a couple more investigators or crisis management people, we support that in the regions. man, that’s golden, right? And in terms of then the local threat, that’s more, obviously with the local authorities, local police, local intel, you know, FBI, the Joint Terrorist Task Force, all those things that work together with your own intel analysts to kind of triage the threats. You know, in our case, we’re on the Seattle Redmond area where Gates and Ballmer and all the different heavy hitters lived. And also making sure that you’re staying tight with all the other companies and their Intel organizations, right? So it wasn’t just Microsoft, it was Dave Komendat at Boeing, right? Weyerhaeuser, Amazon, all these folks that we could bring together to share Intel information on threats, not just to our principals, but to other folks as well, right? And that, if you can marry that Intel piece, analysis piece, with the really good solid context with other private sector organizations, public sector, and then of course, internationally staying aligned with the business, that will go a long way to helping you scale when you need to scale and to stay on top of growth, which, like Microsoft, had unprecedented growth during the time I was a CSO. It was a fun time to be there, exciting time, but you had to make sure you stayed on top of it.

13:52

Fred:

Mike, from your perspective, looking back, what advice would you give to professionals transitioning from the government, either one of the alphabet soup agencies or intelligence roles, into corporate security positions?

Mike:

Number one, be proud of the fact that you have a skill set that the private enterprise needs, right? Don’t ever let anybody tell you that, oh, you’re just a government person, that doesn’t work, that transitions, it can transition very well. But the most important thing is to understand that, how businesses run, right? That was the biggest hurdle, like for me anyway, you know, like I didn’t know anything about business. I couldn’t, I didn’t know what P&L was, right? P&L, what does that mean? You know, and, but you have to really like, it could be as basic as watching CNBC before you make the transition over a period of time to understand how enterprises work. One of the other things, and it’s something that we learned on the job, but there’s a document that publicly traded corporations have to file once a year with the SEC called the 10-K, and we roll up on the finance department. And my boss at the time was a Chief Accounting Officer. And so that was his job, his team’s job to put the 10K, which is basically nuts and bolts to SEC about what your business is all about and where your strategy is going. But also, there’s a big section in there on risk. And that risk is not just physical security risk, it’s logical security risk. it’s enterprise risk. And so that’s something that if you’re coming out of the USG and you’re going into the private sector, that’s a golden nugget that other people don’t have. If you were to study that before you went to work for another corporation or you’re contemplating working for several corporations and you’re interviewing, for instance, having that 10K, that’s golden. But you really have to understand what that company is all about, where they’re going, what their strategy is, understand the numbers. You don’t have to be an accountant, but you have to have a pretty good understanding of how companies work. And I think that’s one of the biggest problems is with people coming in from the public sector is you really don’t know. At least I didn’t. And I learned fairly quickly, and it was good. It was a great education. But if I could take my heart back to the time when I left, and if I had those kinds of tools that I knew about, those kinds of tools would have helped me a lot better in transitioning over to Microsoft.

17:01

Fred:

Yeah, that’s very sage advice. You emphasize that leaders are never finished developing. What practices have helped you continue growing as a leader, even after decades at the highest levels, Mike?

Mike:

Yeah, I love that question. I think, number one, it starts with an attitude that you don’t know everything. You and I have both run into so-called leaders in our careers, both public and private, that think they know everything and they can’t learn anything. That’s when you start regressing as a leader. So a big deal of that has to do with mindset. So yes, while I’ve been lucky enough to have some great leadership positions, both in public and private sector, I stay, I keep reading. I keep reading and rereading biographies, you know, leadership books. I’ve written a few, obviously, but I still read and I still look at Colin Powell’s 13 rules, even to this day. I have mentors that I continue to, once in a while, call upon, right, if I have questions. And I just think that, especially in today’s world, leadership can take many different forms because the workplace has changed so much where, you know, there’s a lot more remote work. So what does that mean? There’s a shift to try to get people back, which I have no problem with. I think that’s a good thing from the team building perspective, but there’s still a lot of remote virtual work being done. How do you translate leadership skills when you’re not necessarily face-to-face with everybody all the time, right? And so I just think that making sure that you just don’t think that you know everything about leadership, because leadership has changed over the years. We grew up in a really top-down kind of structure. You and I have both learned in the private sector how that doesn’t necessarily work. And so we have in our careers, respective careers have had to adjust and adjust successfully. And I dare say leaders of today are gonna continue to have to adjust in a more connected world in some sense. But a more disconnected world in terms of I’m not seeing my troops every day or they’re scattered around the world and we don’t have the chance to just meet in a conference room once a week or whatever. So to me, that means that you have to be even more agile and in order to do that, you have to keep studying. For me, it was biographies of people, because one of the things you learn from biographies is that, whether it’s Churchill or Ronald Reagan or whoever, they all had their failures, but they overcame them. And that gave me a lot of support during times that were really tough. And I think biographies is one of the best ways to keep honing your leadership skills.

20:33

Fred:

Yeah, that’s great advice. Now, Mike, we ask every guest this question, so I’m not putting you on the hot seat, but I figure you can take it anyway. What does the phrase Connected Intelligence mean to you?

Mike:

So when I hear Connected Intelligence, there’s the obvious low-hanging fruit of kind of what we talked about earlier, right? You have intelligence entities, intelligence analysis entities, and you’re connected to each other, right? So you’re sharing information. That’s kind of the low-hanging, we’re sharing information. But Connected Intelligence to me also has, you know, sort of this other connotation that you’re connected in terms of looking at what are the global problems that we all are facing in today’s world, right? And a lot of that has to do with threats, whether it’s physical threats or threats to the environment, threats to whatever. To me, Connected Intelligence means that you’re looking more on a macro level from an intelligence perspective at all kinds of threats and seeing where there’s a nexus right to any of these threats. So we tend to be very siloed in my opinion. So there’s the terrorist threat and there is the threat against networks and then there’s environmental threats and then there’s whatever right but when you peel back the layers um what’s to say that this terrorist threat may not be looking at the ecosystem, the ecology, the natural resources threat to try to get something that they need. Obviously going out to the network is one thing, but these things are interrelated and connected, but they’re not often looked at that way. And I think that having a Connected Intelligence means to me that you’re looking really broadly at a whole host of threats not just myopically, which you have to do, obviously, to have specialists on Hezbollah or have specialists on protecting your data centers or networks, but I think you also should have those types of analysis where you’re looking broadly and seeing, yeah, where are the touch points? Is there something that’s happening in this world that could affect this world that we might be able to get it in front of if we thought about it this way, right? And so when I think of Connected Intelligence, that’s kind of what I think about.

Fred:

Well, Mike, I want to thank you for everything that you’ve done in your career, the way you’re giving back, the way you’ve mentored folks and I really want to thank you for taking the time to be on the Ontic Connected Intelligence Podcast today.

Mike:

Yeah, well, thank you so much, Fred, and thank you so much for the opportunity and letting an old warhorse out to talk every so often. I appreciate that.

Fred:

I think you still have a lot to say, so thank you. 

Mike:

All right, brother. Thanks.