Brad Zelnick:Good morning, everybody. I'm Brad Zelnick with the Deutsche Bank software team. Welcome to the DB Tech Conference. Once again delighted to have everybody, both here in the room and online that's listening in. For this session, I am truly delighted to welcome none other than Microsoft's EVP of Security, Mr. Charlie Bell. Charlie, thank you so much for being here with us.

Charlie Bell:Oh, it's great to be here. What a nice setting.

Brad Zelnick: I learned that you're from sunny Irvine, California.

Charlie Bell:I grew up down here, so I know the whole area, and it's kind of nice to get back out of the smoke and into the sunshine.

Brad Zelnick: Well, we're all glad to be here with you. Thank you so much, and really looking to learn a lot about Microsoft and its strategy in security. Thank you so much for joining us. If you don't mind, maybe. If that's important, you may want to take that. I always take a call from my mom, even if she calls while I'm up here.

Charlie Bell:;Not my mom, but I would take that call.

Brad Zelnick:;So maybe if you don't mind, for those that don't know you, could you just take a minute to explain your role at Microsoft and what your mandate actually is?

Charlie Bell::Sure. Well, maybe the best way to do that is wind the clock back to when I first started thinking about doing something new. I was at Amazon for 23 years, for those of you who don't know. And in January of '21, Jeff Bezos said he was going to step away. And I thought about it, and I thought, "Wow, this is going to be a different world. I could keep doing what I'm doing. I'm having a good time. We're building a cloud." But I thought about it and thought, "You know, if I'm going to do something new, this is the moment because of my age," I thought. I get into things deeply. I can't do the 2 years and out thing. So I thought, "Well, if I'm going to do something new, I should really analyze it, think about it, and either stick with what I'm doing or do something else."

And the thing that got me right away is something I'd seen over the years with customers in cloud computing, the growth in the problem in security. And it really bothered me because I didn't see an end in sight. It was actually getting far worse. There was this whole shared responsibility model. It was very difficult for customers. And I thought about it a lot, and the more I thought about it, the more it grew on me.

And it was funny, because I was talking to my wife and she's, by the way, a brilliant woman. You could look her up someday. But she said, "You know, you should talk to Satya Nadella." I said, "What?" "No, you should talk to Satya. Microsoft is doing a lot in security, and it's a great company." And at the moment I said, "Okay, fine." So within a week or two--she knew Satya, by the way. There's an old story there. Back in the early 2000s before Satya was Satya, she had tried to recruit him to Amazon and, of course, he was trying to recruit her to--I met her at Amazon. She was one of the senior leaders there.

So she called up over there at Redmond, and on a Saturday I was talking to Satya. And the thing that impressed me is first of all--I didn't know it--he already had formed what Microsoft calls a Customer Solutions Area around security, because he saw what a problem this was. And the more I talked to him--by the way, he didn't try to sell me at all. I wasn't recruited, he wasn't trying to push, "Hey, Charlie, you ought to join Microsoft." He was just listening and asking questions and then answering my questions. And I was mostly interested in how was he thinking about security.

But the result of that conversation, I talked to the two major engineering leaders he has there--Rajesh Jha, who runs the productivity and user side of the business, and Scott Guthrie, who runs the Azure cloud side of the business. And it was really a great conversation. I realized a lot of things. I realized, one, it was an engineering company. Microsoft was really inventing a lot, but also very thoughtful about how you do that at scale.

And of course, the security problem, the more I thought about the security problem, I realized that, one, if the company was really going to solve this issue, it was going to be a provider. Because you see so many things as a provider. And this I knew from running a cloud. You just see how customers are both currently using things, where their problems are, you see where they're going, what they're doing, what their issues are. I was very much attracted to the fact that Microsoft had, really, I'd say the three pillars of--in addition to the security business--had the three pillars of services in the cloud that if we're going to read on this problem.

One is providing an infrastructure cloud. That's really important. The other is the end user productivity world because bad actors start with people. That's one of the weak link in this. And then, of course, the identity business that Microsoft had, because when you move to a world of zero trust, you have to know what you're talking to--who or what you're talking to. And Microsoft had far and away the largest capability in all those areas.

And so yes, I talked to Satya, came over about 2 years ago. He had formed the CSA, but what he hadn't done is taken the products, the engineering products, from Scott and Rajesh and united them in one organization. And so I brought those things together. And so my mandate is all things security.

By the way, he also has Bret Arsenault of the CISO report to me. And so I own protecting Microsoft. I own the internal security of Microsoft as well. And there's a lot of first party equals third party, and there's a lot of learning that goes on there. Microsoft is ground zero for attackers, and so we learn a lot from that. But yes, that's my mandate.

Brad Zelnick:;Excellent. Thank you very much for that. And you touched on a bit of my next question, but I'll still ask. The momentum, just in recent years in security, has been nothing short of impressive. At a high level, can you start by giving us a sense for the overarching strategy and the couple of key things that you think really differentiates Microsoft in the security context in what is a highly, highly competitive, even noisy, market?

Charlie Bell: Yes. Well, like I said, one of the things I thought about carefully was the breadth and scale of the problem. One of the things we have to realize is this problem is not getting smaller; it's getting larger. The estimates of the take, the negative drain on the world's economy that bad actors represent, have gone from $6 trillion, I think it's estimated now to be $10 trillion in 2025. And it's growing faster than the Indian economy, which is, I think, in the top 20 GDPs, it's the fastest-growing economy.

So the problem is getting more difficult, and you need to solve it with an end-to-end offering. You've got to cover the full spectrum, because attackers work--they start with end users. They'll phish somebody, compromise an account, they'll use whatever privilege that person has to lever up to somebody with real privilege or that person and use that to move laterally through the environment. And they'll use all of the pieces. They'll use the network, the identity, email, productivity applications, main applications, infrastructure. They use all of it.

So end-to-end is really our thinking about what is going to solve this problem. And we focus on all those areas. I think the world is moving that direction. I've seen some CISO surveys where there's a pretty radical shift in their thinking. I think going back like 10 years, generally they piece together solutions by getting, quote, "best of breed," but literally hundreds of different solutions to read on the security problem. And now they're going after consolidation. They're trying to figure out how to get end-to-end. And attackers find the seams between things. That's part of what's driving this.

Brad Zelnick: It makes sense. Charlie, I think it was in December that Microsoft had disclosed that security is a $20 billion-plus business at the time, growing north of 30% year over year versus the broader security market which, I think, is growing somewhere in the teens. Obviously, the backdrop has become a bit more challenging since then. Can you talk about what you've seen in terms of customer demand and your ability to take share in this environment? Because clearly, you have a consolidation play that's quite unique.

Charlie Bell: Yes. I think we're one of the major beneficiaries of the consolidation move. We see healthy growth. We're now a million organizations protected, and that number grew by 26% last year. Really interesting is that the number of customers who are using more than four workloads, that number has gone up by 33%. So there's an increase in intensity, I think, that's going on.

I think there was a lot of optimization that people were doing, but typically you see that happen over a short period of time. Over the long period of time, the way I think about it, it's what I said. We're going to a $10 trillion drag on GDPs, and that's going to grow. I've seen some estimates that say it could pass the US economy's GDP by the 2030s if we don't get ahead of this. So that, to me, is the signal of demand. And so I think there's going to be a lot of need for security products going forward.

Brad Zelnick: A strong signal, and it doesn't seem to be abating. It's been the same story for years. Maybe with that, I think it was in 2021, Satya announced plans to invest $20 billion in security through 2026. Obviously, there's very few, if any, other players out there that can credibly make that kind of statement and have the wherewithal. Can you talk about your R&D prioritization and the criteria that you use, how generative AI might impact the composition and perhaps even the level of overall investment going forward?

Charlie Bell: Yes. Well, that was one of the reasons I came to Microsoft. I looked at the assets that Microsoft had and the leadership, Satya's propensities to bring those to bear on security. The first thing that if we're going to turn the corner on all this, the first component is data. We talk about the asymmetry of the attacker, that the attacker can come at you from any point, and you have to defend the entire perimeter that you own.

But we have an asymmetry in our favor. It's data. We get to see the entire environment. And one of the beauties of being a cloud provider is you don't just get to see one environment, you get to see lots of environments. And so there's a data asymmetry that works to our advantage. We do 65 trillion signals a day processed within our products, and the fact that we have all that data, I think, is a huge advantage. So bringing that to bear with the investments that we're making is super important. We brought together--the industry likes to take all the products and break them into these cute four-letter acronyms. Everything's CASI, XDR, SIEMS, or--yes, we like to break it all up. And by the way, if you think about the fragmented world we've been in, it's certainly natural to want to have names for all the fragments that you talk about.

We basically blurred the lines between things like SIEM and XDR and SOAR, all the things that you have to do--really, if you're going to be end-to-end, you've got to blur those lines, and it starts with data. And so there's a lot of investment in that. And by the way, that's a prerequisite for probably the biggest change that we're going to see in security, the one that's going to finally, I think, turn the corner. The big part of--you can have all the data in the world, but if you can't see it and act on it and use it, it doesn't matter. And we haven't been able to do that so far.

One of the challenges in the security industry is the siloing of expertise. You think about there are companies that know how to do network security, there are companies that know how to do email security and maybe do something in identity or endpoint. Each of these companies has an expertise, and they all want to branch out from their expertise. But fundamentally, you've got to be able to get across all of it, and to do that, it's AI. You've got to be able to take all of this data, all of the signal, and understand it. And because no expert in your SOC or in your development organization building proactive defense, nobody can really understand all of it.

The AI can. The AI can, both on the--we call it "shift right" on the--just be very good at responding to attacks. The AI can move very fast and see across a whole bunch of variables and take action. And then in the proactive sense, the AI can look at a very broad environment, lots of different technologies, and understand across all of it what needs to be done.

And so that was, by the way, some of my thinking when I came over. One of the things I saw that just astounded me in my old job was get a Copilot. It was just amazing because we were thinking, obviously, about the same kind of thing. It was amazing how good it was. And as I really dug into it, what I realized is the partnership that Microsoft had with OpenAI, it goes way back. It's an R&D partnership. The understanding that Microsoft has of that LLM technology and what it could do, it was pretty clear that there was a lot to do there in security.

And so that's really opened the door. I think it's even gone faster than I thought. When I saw what GPT-4 could do as a core of building AI capability, that is the other thing that I think gets us around the corner, and we can finally have it be an asymmetry of the defender.

Brad Zelnick: They're using AI as well, right?

Charlie Bell: Ah, but the beauty is they don't have the data that we do. We get to see the whole environment. They get to go, they still have to go after their thing, but we get to see all‑‑by the way, we get to aggregate everything that all of them are doing, too. And so I think we now finally have an advantage with AI.

Brad Zelnick: That maybe leads to my next question, which is back on a theme that we've touched on, which is consolidation, which I feel like has been a promise of the industry. Any newcomer who stumbles upon the problem and the domain naturally would say, "Okay, the customer just wants to make it stop." And they're swimming in all these point products. But cybersecurity has always been this arms race, consolidation long the promise. Why do you think consolidation is finally happening now? What gives you the confidence that the history of fragmentation for which we've seen pockets of consolidation, next-gen firewall with some of the endpoint players have done, but there's still more vendors on that RSA show floor every year than we can easily count. But what is it that helps to buck that certainty that it's always been for quite some time?

Charlie Bell: It's like many other things. You have ideas about something that should happen, and you look at the technology, and it's just not mature enough to do it. And then you finally reach a point where you get technological maturity. It's why I came to a provider, because you look at the--the capability you have at Microsoft is data, just being able to process huge amounts of data. When I'm talking about 65 trillion signals a day, you talk about massive inputs of data that come from customers as they're building their unique environments. You've got to be able to process huge amounts of data. You've got to be able to do it in real time. And we finally have that ability. We can handle huge, huge volumes, petabyte-scale logs coming in, the ability to issue queries across all of that, being able to do it in real time and respond all the messaging systems. A lot of the cloud technology has really begun to enable this.

I think the other one is the AI side, I think the fact that you can now bring AI to bear and look across some of these signal silos, if you will. We've always had the seeds to it. We've talked for a long time about zero trust. Well, the aggregator of zero trust has been Microsoft's conditional access. I saw that from the other side. You have an identity system. It basically went through a whole kind of maturation of that. We protected ourselves with passwords, and we figured out that we needed MFA. We needed multifactor authentication. We needed something else that we had that said, "Yep, I'm Charlie. You can trust me." And then those things started to get intercepted, so now you need an AI that can look across the infrastructure and say, "Well, I'm looking at your end user variables, I'm looking at your system variables, I'm looking at your IP address, the system you're on, identifiers. I think you're Charlie. Um, you're not Charlie. You're not going in."

So there's been a lot of capabilities that have been built over the years, and that's kind of how technology works. You kind of layer things up. But I think we finally have enough technology to do it. And I also think--I go back to Satya, his understanding of this being fundamental to the human progress on technology.

One of the reasons I wanted to do it, and shares this view, is that if you're a technology company, you win if people can confidently move forward. They can adopt new technologies, like what's going on with AI right now, Gen AI. I've got people that just use it. They can do tremendous things with it if I feel I can do it safely. But if I'm afraid because I'm seeing bad things happen out there, I don't want to use it. I won't buy it. And so security, and that goes all the way back to Bill, all like around 2001 or 2002, when he did the trusty computing memo. Microsoft figured out that it really doesn't have a business if people don't feel confident moving forward.

And so I think we're in a spot where it's in everybody's interest. It's in Microsoft's interest and we're going to continue to invest in it and make it easy for people--move it into the background, security by default. Eventually, if we really get over the hump, you guys won't even be talking about it.

Brad Zelnick: One day. And it's all about trust, and that resonates with me quite a bit. If I go back to March, several months ago, the response that Microsoft proclaimed to the world, to all the things that we're talking about--the trillions in loss to our economy, the shortage of talent that really understands cyber, the fragmentation that customers are forced to deal with--the answer, or one was Security Copilot, which I believe combines the capabilities of GPT-4 with proprietary Microsoft security models. Can you remind us what the product is, maybe some of the feedback that you're getting in preview, even potential monetization structure, and what milestones should we be looking to as investors going forward on the progress of Security Copilot?

Charlie Bell: Well, first, this isn't just ChatGPT looking at a vulnerability and kind of telling you about it. In order to do the security side--hopefully, maybe you guys have played with Microsoft 365's ability to summarize an email or something. But to do the security side, you get down into a lot of very technical analysis of signals, looking at logs coming off a machine. If we think about it, this is kind of a little different application of generative AI. And it's--we often say security is a team sport. Well, within the AI world, building a Copilot is a team sport. It's not just the LLM, it's specially trained models.

For example, one thing that the LLM has to be able to do is query data. How is it going to do that? Well, you have to have separate capabilities that know how to do that. And so it's a systems problem. And what was exciting to me is I came to Microsoft in--well, it was 2 years ago. It was end of August '21. And we were just getting started on LLMs in security. And now when we look at all the things that we can do across the board to stitch this together, you've got to be able to go after not just the data that we have, the signals that we have, you've got to be able to let the customer bring signals. And it has to be done safely. One of the challenges, I think, in the AI space when you start systemizing large language models is, "Oh, my gosh, this thing's going to be looking at a lot of data. How do I protect the data that I'm accessing? How do I make sure that this customer can take their stuff and not have Customers B able to see it or do something or it gets into the model in some way?" That all has to be guaranteed through separation.

And then the other thing is you've got to make sure these models cannot be manipulated. One of the challenges is that large language models operate off of prompts, and people can manipulate what the answer is going to be by doing things with them. So it's a lot of‑‑we do a lot of red teaming, understanding both the base model and all of the separate models and the combination of the system, how it's going to behave. And so that's actually taken quite a lot. That's been a long journey for us. And it's something where I think being part of the R&D for development of GPT-4 has given us a lot of understanding of the problems and how to solve them, and also this work with OpenAI and what kind of things have to be done at their level, but also our own capabilities.

So the way I'd say it is it's a journey. We've got private preview with a few customers. We're working with them. I think the first reaction a customer has to this, they're astounded. Like the fact that they were able to have this thing tell them not only, "Here's the problem that you have," but, "Here's what you should do to stop it right now." And I think it's the same reaction I had the first time I saw the capabilities that we were producing. I just--it will change security forever.

But so it's a fundamentally new way of doing things. It's also pretty, I'll call it R&D and resource intensive. As I said, it's not just taking ChatGPT and saying, "Summarize an email." It's really a whole bunch of things that you've got to go do at a systems level to make things work. And it's back and forth between us and the core teams that own the models at Microsoft and OpenAI. And so we're on a long journey. It's going to be--we're going to begin introducing things to customers, I think a little more broadly later this year, and we'll roll it from there. I think as far as monetization, the only thing I can say, it's a lot of investment on our part. It's a lot of GPUs to go spin.

By the way, the other thing about these security models is you guys go to the Web and you start playing with ChatGPT or Bing and you start going back and forth. Well, each time you do it, you're doing an inference. With security models, you're doing a lot of inferences. Like in order to do the systems-level job we do, it's resource intensive. So this is going to have to be a separate, important business for Microsoft.

Brad Zelnick: How do you maybe, on the topic about monetization, balance the interest of direct monetization versus indirect monetization and creating trust and therefore just better sell-through of the rest of the security portfolio and Azure and Office and other Copilots in everything else? That being Microsoft, and I know Amy is not going to let you spend money on spinning all these GPUs without a return. But there's a big picture here, right?

Charlie Bell: We do. We do that. Again, one of the reasons I was excited about working at a provider is that there's a flywheel between a paid security business and a free security business. So the provider is going to provide security by default embedded in--we just did a bunch of stuff. We continually launch all kinds of new things with Windows, for example. We've done a tremendous number of things with our identity offering, Entra. And it just comes in. Customers get it. And that part of the business gives customers the confidence to move forward with products, so there is indirect monetization. It's in the interest of the provider to make sure that people are safe from the get-go.

But there's a flywheel, because you learn, you get to build on top, you get to find the unique needs of customers who say--banks, for example, have some very severe regulatory requirements for segmentation of duties. And so okay, they're going to need very special functionality to be able to do that. The analogy I use is you've got a car. Everybody buys a car. Some of you buy snow tires for your car. So you're going to buy extra stuff that you need. So there's always going to be monetization here, and this is an incredibly important area, I think. But there will be things we provide as part of the products themselves as well.

Brad Zelnick: That's helpful context. I want to be respectful of the time, and there's so much to talk about, Charlie, such a broad topic. But maybe pivoting to another acronym, I think it was big news just a couple, few months ago, Microsoft announced its entry into the SASE market with Microsoft Entra. Why is this an area where you feel you can really win, and how should we think about Microsoft's value prop as you get further away from securing Windows or Microsoft 365 apps and Azure services?

Charlie Bell: So first of all, I want to say one of the parts of the conversation with Satya that got me to Microsoft was I was probing him to understand, "Is this about protecting Microsoft products or how do we think about securing things?" Because in the back of my head, my thought was one of the things I've observed is you can't say, "It's my cloud or no cloud." It's going to be a multi-cloud world. People are going to use many things.

Historically, you look at technology, everybody's always used a polyglot of technologies. If nothing else, they get them through acquisition or they've been using them for a long time, but they'll adopt new ones. And the thing that resonated with me is he was all over protecting everything. And that, ding-ding-ding, that's end-to-end. That's how you become end-to-end. You say, "Look, I don't care whether it's"--and we do. We launched the security world that we have at Microsoft. We protect AWS, we protect GCP, we protect other people's technologies, and we're very committed to the whole end-to-end idea.

And so when you think about SASE, maybe it's best to kind of wind back a little bit and really think about what does zero trust really mean? Zero trust is about, "I don't trust anything." Like I have a system. Yet the moment the system starts to default trust something and say, "Yeah, yeah, you're okay," without checking, well, that's an entry point. It doesn't have to be the network. Like we've often talked about zero trust like it was a kind of networking thing. Well, zero trust is a very broad concept. We've been doing the core of that for a while, so conditional access in Entra, so the ability, as I said, to take a whole bunch of variables--some of them are network variables; a lot of them aren't--and say from an AI perspective, "You should have access," "No, you shouldn't have access." That ability, a natural extension of that, is to do the things that we just announced with Entra.

But I think the idea's if we're going to be end-to-end, we've got to be able to do all of those things for customers. And they tell us. This isn't us just saying, "Hey, what do we think we ought to go do?" This is customers saying, "Hey, you guys really need to be giving us this capability."

Brad Zelnick: Got it. Makes sense. If we look back in 5 years, what metrics should we think about to know if you've been successful, and what security-related objectives and measures are all of Microsoft's business units held accountable to? I remember many years ago before you had arrived that I had heard of--actually, related to Azure AD--where there was a metric by which many of the businesses were measured. It was one of the many criteria or objectives of how many identities did you bring into Azure AD. Over a multiyear horizon, how do we know that you really crushed it and you achieved your goal, and how do we think about measuring that?

Charlie Bell I do think revenue's a good one because it means customers see value in what you're doing. That's sort of an obvious one.

Brad Zelnick: Sure.

Charlie Bell: And we're really proud of crossing the $20 billion mark, so that was kind of a big milestone. But actually, one of the things that would make me super happy is if we stopped talking about that GDP loss being bigger than the US economy in the 2030s. Like if suddenly the whole trajectory's changing and we look at '25 and we say, "Hey, maybe that $10 trillion loss didn't come true." That would be--or to see some tilt in that trajectory. That would be a really big milestone, I think, for us.

But yes, we'll continue to the number of organizations protected. We track all kinds of very detailed metrics on protected users and everything else. But yes, I would say the big one is that we've changed the trajectory on that growth in what's happening out there.

Brad Zelnick: Cool. Charlie, we are just about out of time. Is there anything we didn't get to that you wished I had asked that you want to impress upon folks? The work that you're doing is obviously incredibly important to Microsoft's success, but it's important to the world. Any final thoughts?

Charlie Bell: Well, just sometimes we talk about this kind of loss, and you guys see headlines all the time. I want everybody to be optimistic about this. One of the things that got me here was I really love the idea that human progress is all about technology. You apply technology to new problems, you get to solve new problems, and I think we're going to be able to do that. I think the key is the asymmetry I talked about, the fact that we're going to be able to aggregate across a large volume of data using AI. We're going to be able to turn the corner on this thing. Look. You look at what nation states are doing, what Russia's doing to attack and China's doing to attack and North Korea and Iran. We have a whole unit that spends a lot of time in those areas, understanding those adversaries. And it can be kind of depressing sometimes. But I think--look, I don't think human nature is going to change. I think there's going to be some bad people out there and they'll continue to do things. So I think this industry going to be pretty healthy, but I wouldn't want anybody to think, "Oh, my gosh, I've got to run for the hills and hide." I think we're making some real progress on this, and I'm excited to do it.

Brad Zelnick: Cool. Well, we're all counting on you. Charlie, thank you so much for being here at the Deutsche Bank Tech Conference. This was really, really great.

Charlie Bell: Thanks for having me.