Interview: Steve Dispensa, VP Of Product Management, Microsoft

Steve Dispensa is the Vice President of Product Management at Microsoft, responsible for the development of Microsoft’s endpoint management suite, including Microsoft Intune and Configuration Manager. Steve joined Microsoft in 2012, following the acquisition of PhoneFactor, a multi-factor authentication company he founded in 2001, which is now part of Azure AD’s MFA component.

In an exclusive interview with Expert Insights, Steve discusses Microsoft’s changes over the last decade, the challenges facing IT departments and security teams in today’s cyber-security landscape, and the importance of breaking down silos and promoting effective communication between IT and security teams to secure the organization while enabling user productivity. This interview has been edited for clarity and length.

You can listen to our full conversation with Steve on the Expert Insights Podcast.

Steve, thank you very much for chatting to us today. To start, it would be great if you could just give a bit of an introduction to yourself, your background, how you got started with Microsoft and your current role?

Absolutely. I’m the VP of Product for the Management division, where we make Intune and Config Manager and the new Intune suite, which we’ll talk more about, I hope. I’ve been at Microsoft now, amazingly, for 10 years. It feels like a blink of an eye to me. I joined through the acquisition of a company I co-founded called PhoneFactor, which turned into the MFA service that’s part of Azure AD now. In my time at Microsoft, I’ve run both Dev and PM organizations in identity and security, and now management. So, I’ve had a long and enjoyable trip through this technology space here.

How have things changed at Microsoft over the last 10 years?

It’s been amazing, almost a revolution really in the company. I joined at the very end of the [Steve] Ballmer era, there was a conversation going on about the ‘lost decade’, and the culture was just completely different than it is today. Satya [Nadella] took over and made what I think was the biggest impact I’ve ever seen a CEO make on the culture of a company. Microsoft is now this incredibly innovative, front-line organization.

Just look at the last months’ worth of announcements that we’ve had. We’re really back on the front edge of the coolest technology in the world, and internally the culture has reflected that. We have some of the most talented people I’ve ever gotten a chance to work with here in the company and the corporate culture has been amazing. So, it’s really quite a change.

We’re really keen to talk more about the Intune platform, so it would be great if you could give a bit of an overview of the platform itself, the benefits it provides, and what sets it apart from some of the other endpoint management solutions that are out there on the market.

Sure. So, Intune has been around for, I think, about 11 years now since we originally launched, and it has turned into the largest endpoint management solution in the market. Intune, together with Configuration Manager, which is a component of Intune, addresses hundreds of millions of users, hundreds of millions of devices around the world, across platforms, across industries. And it’s founded on a pretty fundamental premise, that you can’t have zero trust security if you don’t have a strongly managed endpoint. 

And so, our technology over the years has really gone in that direction. The ability to really strongly manage PCs, mobile devices, Macs, and Linux devices, and impose security policies and compliance policies. And, ultimately, be able to assert that device is well managed and policy compliant before granting access to resources.

We’re seeing a pretty tumultuous time at the moment in the cyber-security space. What are the themes and challenges that you’re seeing across the userbase at the moment?

Yeah, it’s certainly something we’re seeing as well. There’s a couple of trends that are showing up here. One of them is that IT departments are overwhelmed. The number of attacks continues to rise. I’ve been saying this, for years. But just to pick one statistic out that I recently ran across, password attacks are up 222% in slightly over the last year. And that’s just one of many examples. 

There is an increasing persistence and severity of attacks that organizations having to deal with, and yet their IT departments are more stretched than ever before, both in terms of you know, personnel and finding qualified folks to fill roles, but also in terms of budget, which has been a big issue over the last year. And so just the fact that IT is stretched very thin, and security teams are stretched thin, is number one. 

The other wrinkle that I think has created a lot of a lot of intensity is evolving work habits. Basically, as people have changed the way they work. Working more remotely, changing working times and even countries in some cases, has really put additional pressure on SOCs and on IT teams to be responsive to a whole new set of needs. 

Obviously, the corporate perimeter has been dead for years. But this takes it to the next level, when literally everybody in the organization is working remotely or even worse, working at combination of remotely and in the office. So, you have the best of both worlds from a from the scenario mix perspective.

And then the other thing I’ve been hearing about from customers a lot lately is needing to break down the silos between IT teams and security teams. They came from different places traditionally, but the modern reality is that these two organizations have got to communicate in lockstep in order to effectively secure the organization, while still letting users be productive. Those are the themes that we’ve seen popping up more and more lately.

That’s really interesting, particularly on the economic side, seeing budgets being cut in the cyber security space. Is that something that recently has got a lot worse?

Yeah, absolutely. We been talking with customers a lot about how to do more with less, because that’s been the refrain that we’ve heard from our customers. Everybody is under pressure and yet the world isn’t getting any simpler. On the contrary, the attacks are becoming more and more sophisticated. We have seen it, and of course, the whole world has seen it very vividly over the last year with Ukraine and the significant cyber component of that. We blogged about that a couple of days ago on the anniversary of the attack. The economic challenge associated with dealing with the increasingly severe security landscape is certainly something that’s on the mind of CISOs today.

One of the big challenges that we see – to your point on the importance of Zero Trust – is phishing and account compromise. Microsoft’s Digital Defense report states that phishing is generally unsuccessful with good identity management, phishing control, and endpoint management practices in place. How does Intune connect those dots to help teams prevent phishing attacks?

Absolutely, phishing continues to be one of the most important considerations for CISOs. There are strong defenses against phishing: first of all, enabling MFA universally in the organization is step one. And this is a topic near and dear to my heart, I’ve been in the MFA business, in one form or another, for going on a couple decades now. And it really is a proven way to cut out over 99% of identity-based attacks. So, that’s our first message. And then over the last couple of years we have made significant investments in the identity stack around phish-proofing with things like the number matching flow that’s built into Authenticator now using push notifications. That starts to work on that last, less than 1% of attacks that are left over after the basic MFA implementation is done. 

But as you said, it’s not only about verifying the identity, because a verified identity coming from a compromised device is still an attack. And attackers can essentially remotely control a device or steal the authentication credentials of a user if the device itself is not secure. And that’s really where endpoint management and Intune come into play. Within Intune, as a part of the authentication process, we are making sure that security policies are actually applied and actually enforced.

On the endpoint, it’s making sure that Microsoft Defender For Endpoint is on the device, running, and up to date. It’s making sure firewall policies, local drive encryption, secure boot and so many other security policies are actually enforced on the device before we call that device compliant. And until we mark that device as compliant, the identity system is simply not going to let that device in. So, there’s a connection between Azure AD on the identity side and Intune on the device side, which makes sure that both identity and device health are secure before giving the user access to sensitive resources.

How helpful is having those management solutions in place as a way to boost adoption of security policies like multi-factor authentication?

We see it in the statistics that the more widely rolled out endpoint management is, the more widely rolled out MFA is. And even in the case of a user who doesn’t have MFA switched on, device management still adds a huge amount of value. A number of phishing attacks and credential theft attacks are done directly from the endpoint itself. 

And so, ensuring that you actually have a secure and compliant endpoint, before you let the user complete authentication, before you let that user get the authentication token from the directory, still cuts out a percentage of attacks. Obviously, we encourage everybody to deploy MFA as quickly as possible and we made it as easy as we possibly can, but certainly endpoint management, standing on its own, adds a ton of value.

Circling back to your earlier point about how this is integral to Zero Trust, we see a lot of interest in Zero Trust, there has been a big push from the [Biden] administration on adopting Zero Trust. Could you talk a little more to that point around why these solutions are integral for implementing Zero Trust, and rolling it out across the organization?

Zero Trust has really seen an amazing adoption in the last five years and it’s really the result of the disappearing network perimeter that has been in the process for the last 10 years. But really to deploy zero trust, you need a whole set of secure entities along the chain. In my world, I think about endpoints mostly in the terms that “no endpoint is inherently trusted”. 

There’s no such thing as an endpoint that you trust just because of what it is, or where it is. Just because it’s on the corporate network (Corpnet), doesn’t mean you should just trust it. Just because it’s on the Corpnet, doesn’t mean you should give it free access to sensitive resources without any additional security checks. In that world, you need an endpoint management solution in order to both deploy policies, deploy access and so on, but also to actually enforce that those policies are implemented. 

It does no good to just send out configuration for say, anti-malware, if the user is able just to disable the anti-malware software and nobody checks, right? It does no good to want there to be BitLocker encryption turned on, if nobody is enforcing Bitlocker at the point of authentication. And so, the way Zero Trust works at Microsoft is that every single endpoint is treated the same, no matter where they are, on Corpnet or off, no matter who they are in the organization. 

We piece together the trusted endpoint together with the trusted identity and the trusted application. All of those pieces have to come together before the user is given those tokens that give them access to the resources that they’re after. And the Zero Trust part of it means, like I said, it doesn’t matter where you are, who you are, what device you’re running, what operating system you’re running, etcetera, you’re going to be treated the same way, you’re going to have to prove yourself to the system every time.

From my experience, larger organizations are really interested in Zero Trust. And smaller organizations maybe find it a bit more difficult to understand how to implement it or what the benefits are to them. From what you’ve described, it’s about making it much easier to roll it out for organizations of any size. Would you agree with that?

I would. In fact, the larger organizations tend to have more mature programs around Zero Trust, but for smaller organizations, they tend to be more cloud native than the large organizations. They tend to have started life in Azure AD and Intune instead of in Config Manager, and in Office 365 instead of on-premises versions of Exchange and SharePoint. And with that being the case, it really is quite straightforward to deploy Zero Trust. It’s all done from the cloud, it’s fairly automatic.

In one sense, the barriers for the smaller organizations are lower. We’ve done a lot of work over the last few years to make the defaults really easy and really obvious. We have had great luck in really nudging people to deploy MFA from the very beginning for a cloud-native organization. So, I definitely think it’s appropriate for all organizations, and in some sense it’s easier for smaller organizations to deploy, because many of them were born in the cloud, where this is just as easy as it can be.

On the other side of the coin, as someone managing a product that’s being used by hundreds of millions of users, what are the challenges that you have in terms of developing and managing the platform for such a diverse group of users use cases and security challenges?

It’s a great question. It’s one of the reasons that on a personal level I’ve enjoyed my job so much over the last 10 years. Microsoft has an unmatched capability in really high scale enterprise management of the kind we’re talking about. In the management space, I think we’re larger than our next closest competitor by a factor of about three. And dealing with nine figure numbers is great. Over the years, we’ve built up a pretty robust system that’s spread around the globe, spread across public and sovereign clouds, and so on. And as we’ve built our processes and methodologies for development over the years, we’ve had to take into account the fact that any little change we make is going affect, you know, a nine-figure number of users and devices in the world. And we’ve gotten pretty good at that. 

And one of the other, what I call a side benefit, but it’s increasingly becoming a central benefit, of our scale is that the amount of enterprise data and signal that we get is unmatched in the world, in terms of the enterprise space. All of that data and signal gives us new opportunities to make things even better, even faster for organizations and that’s a ton of fun too. I think we’ve been making really good progress on that over the last five years. But if you just look at the last month or two, with the breakthroughs in AI, you can just see how much further we have to go and what the possibilities really are there. That’s an exciting part of the scale that we operate at.

How do you prioritize development, how do you prioritize listening to those different groups and knowing where to go from here?

Yeah, it’s really the magic of product management. It’s a hard question that you ask me. We literally had a conversation internally about this yesterday at the executive level, like, how are we doing this? Because the reality is we get a steady stream of input from customers, large and small around the world. And there are certainly patterns that emerge. Customers want us to continue to make things easier to deploy, more automatic, to use their data in a way that allows more automation and predictability and so on. Those are all totally standard and reasonable.

But then we have different kinds of requests per industry, per worker type, frontline workers versus information workers, etcetera. Education is a huge business for us. That’s distinct in terms of their requirements. And there are small businesses versus enterprise, which have different requirements. Born in the cloud versus on-prem and migrating are different, and so on.

The way we prioritize is obviously customer driven, we have no shortage of customer signal. We all talk to customers daily in the product team, in order to make sure we have a good signal.

We try to do things that benefit the most customers at once, the most users at once. 

Some of those things are user facing, like some of the new things we’ve done in the Intune suite. Some of those things are more platform based, in terms of our ability to scale and grow faster or provide a more reliable service. And we take all of those together and build a plan, once a quarter, for what we’re going to add and what we’re going to go do. And the good news is the world changes pretty fast, and so every quarter we build a new plan and we’re able to take the latest feedback into account. But it’s certainly a big challenge.

With that said, what are the new innovations and new features on the horizon for the Intune platform? How will you continue to improve security, but also make life easier for security teams?

Well, we’re really excited to announce the Intune suite. It goes live on March 1^st, and it’s something literally I’ve been working on since I joined Intune Division three years ago.

I could not be more excited to finally have this see the light of day.

You were talking about how we prioritize. One of the things that came up as a steady stream in our customer conversations over the last three years is that customers that are using Intune for core device management and doing a great job of it. But that they have to add two or three additional solutions to their mix from other vendors in order to do things that, frankly, they had hoped would be part of Intune itself. 

Obviously, our first priority has been producing a world class core management solution and, according to the numbers, a lot of customers are voting that we’ve done that. And so that gave us permission to take a step into some adjacent solution areas. So, for a couple of examples, we’re launching a new solution around endpoint privilege management, which I am really excited about. 

As a user of Windows, since Windows 3.0, I can tell you that one of the most frustrating parts of Windows for decades has been that you have to run, or at least many organizations have to run, as local admin. If you’re going to run as a standard user, it takes a ton of it prep and frankly, it requires users to accept limitations that are not always palatable, not always possible. And so, one of the solutions that we’ll be delivering is an enterprise privilege management solution that allows IT departments to define the conditions that users can elevate under, so that they can run as standard, and then elevate to admin privileges, only when necessary, only for jobs that require it and under full audit and control of the IT department. We think this is going to really trigger a pretty massive change in users going from local admin to standard.

All of these solutions, we picked because we have this ability, at Microsoft, to bring our own unique point of view. In the case of privilege management, we’ve been able to build this directly into Windows itself to utilize some of the machinery that started to appear even in the Windows Vista time frame, but without requiring bolts on pieces of code that don’t always interact well with the base operating system. We can provide this incredibly integrated end-to-end story with Intune, Azure AD, and Windows on the device to really solve that problem. That’s one that we’re super excited about.

On maybe the other end of the spectrum, there’s less flashy problems, but still big problems. There’s been a large increase in the last few years around bring-your-own-device (BYOD) utilization in the enterprise. And organizations have increasingly secured those devices using mobile application management (MAM) instead of mobile device management (MDM).

The MAM mode of Intune is a little lighter weight touch on the device, which is appropriate for your BYOD. But for all this time there’s been this gap around BYOD devices unable to reach into Corpnet to legacy line of business applications. And so, we’re excited to announce Tunnel for MAM-managed devices, which basically allows a micro-VPN from the managed app into Corpnet and directly to the line of business applications the user is trying to access. That’s actually going to unblock a huge number of seats and organizations that are waiting to be able to deploy this to their users. And there’s more in between! But those are a couple of examples of new capabilities in the suite. 

Finally, do you envision the future of endpoint management more generally in the rapidly evolving technology and threat landscape, how do you see trends going in the future?

We believe the trend around doing more with less is going to hold. We believe the trend on hybrid work is going to hold and we believe the trend on security getting ever more complex is going to hold. In the face of those threats, we feel like the future is going to be more and more about seamlessness, integration, and automation. We do believe strongly in the view that the more seamless you can build a solution set, the more integrated a solution set can be, the easier and the lower cost it will be. And so that’s definitely one trend. 

And then in terms of automation, we really do believe that, as I said earlier, the data and signal that we have is going to unblock some pretty amazing opportunities to automate and to bring more predictability into the system for IT pros, so that they can move from being reactive to more proactive with their end-user estate. 

I don’t think that AI takes over everything, and there is no more IT. That’s not a thing that I think will happen. But I do think that the notion of bringing in AI tooling to help users and to help IT pros automate tasks and to give them more tools to be able to respond proactively – I definitely think that is in our future.

Listen to our full conversation with Steve on the Expert Insights Podcast:

Listen on Spotify:

Listen on Apple Podcasts:

About Expert Insights

Expert Insights is a B2B review and research site, trusted by over 80,000 monthly users. Learn more and join our community at expertinsights.com