Microsoft launched its Cybersecurity Governance Council in 2024, and with it, named a group of deputy chief information security officers that ensure comprehensive oversight of the company’s cybersecurity risk, defense, and compliance. These leaders work in tandem with product and engineering leaders across the company to create accountability and advance cybersecurity protection for Microsoft, our customers, and the industry.
This third installment in our Deputy Chief Information Security Officer (CISO) series highlights Kumar Srinivasamurthy, Geoff Belknap, and Ann Johnson. These three leaders’ collective insights reveal how cybersecurity resilience hinges on human sustainability, cultural adaptability, and intentional leadership.
You can read Part 1 and Part 2 of this series to learn about more Microsoft Deputy CISOs.
Introducing the leaders
- Kumar Srinivasamurthy, Vice President, Bing Fundamentals and Deputy Chief Information Security Officer, Consumer.
- Geoff Belknap, Corporate Vice President and Deputy Chief Information Security Officer, Core and Mergers & Acquisitions.
- Ann Johnson, Corporate Vice President and Deputy Chief Information Security Officer, Customer Security Management Office.
Q: How did you get your start in cybersecurity?
Kumar Srinivasamurthy: “I have always loved breaking things, even as a kid. Cybersecurity came naturally to me. My first job was doing penetration testing where I was deliberately trying to break Office and Exchange, and now, I help prevent people from doing such things.”
Geoff Belknap: “When I was a kid, I wanted to be a cop, or a firefighter, or a pilot. I wanted to help people. And it turned out, I was good at technology. As I built a career in tech, I got introduced to security. To me, that was a great way to combine what I was good at and what I liked, because if you’re good at technology and you really care about helping people and beating the bad guys, cybersecurity is a good field to be in.”
Ann Johnson: “I was working for a company that was carrying an RSA Security hardware token for VPN access. I started researching RSA Security, and I became fascinated by the technology. I learned everything I could about it, applied for a job there, and was lucky that they hired me.”
Q: How did you come to Microsoft, and what keeps you here?
Kumar Srinivasamurthy: “I joined as part of university recruiting. I figured I would join for a year, and that became five years, and now I’ve been here since before the new hires were born. What keeps me here is that I love solving difficult problems and making a difference, and I get to do that with some of the brightest minds in the world.”
Geoff Belknap: “I joined Microsoft in the spring of 2024, and prior to that I spent some time at LinkedIn leading security there. I’m always looking for roles that create an impact, and I don’t know where you can have a bigger impact than Microsoft. What keeps me here is I have yet to have a boring day…although I wouldn’t mind having a boring day, just once.”
Ann Johnson: “Microsoft recruited me. They had made some acquisitions and saw there was an urgency from customers to secure their data on the Office systems and the Microsoft Azure platforms. They did not know how to talk to customers about it, though, and I did. So, I came on to help talk to customers and incubate the security business. That was in 2015, and I have been here since.”
Q: Tell us about your current role and responsibilities.
Kumar Srinivasamurthy: “I am a Deputy CISO where I focus on security and compliance across the organization, including Microsoft Edge, Bing, MSN, Ads, Copilot Consumer Division, and more. We strive to provide world-class services, so that users can be confident that their data is secure and have peace of mind.
My second job is running the Fundamentals team that builds and runs high quality services that improve end-to-end performance, bot detection, traffic routing, and more. When you go to Bing, for example, is it fast? How fast is it? Is it getting slower compared to others? How can we give users a better experience? My team helps with all of that.”
Geoff Belknap: “I’m responsible for Microsoft’s core infrastructure, and I work with teams across the company to ensure our own internal systems and networks are secure. For mergers and acquisitions, I oversee how we merge with, acquire, or divest parts of the business from a security standpoint.”
Ann Johnson: “I lead our Customer Security Management Office (CSMO), which has two important roles. The first is to talk directly to our customers about how Microsoft secures Microsoft, and how we handle the same security challenges and opportunities they face. The second is to oversee all external engagement for our Office of the Chief Information Security Officer (OCISO) so the people who secure the company and our customers every day can focus on doing that. We believe security is an ecosystem where everyone needs to participate, and my team is the front door to making sure that collaboration happens.”
Q: Security is a team sport at Microsoft—how do you emphasize awareness and accountability within your organization?
Kumar Srinivasamurthy: “We use incidents and breaches from across the industry and Microsoft to raise awareness. This helps folks be aware of what could happen to our products and helps us ensure that something like that doesn’t happen to us.
A few years ago, one of our managers started a program called ‘Share your fail.’ Team members would take turns sharing a recent failure. This approach humanized everyone who participated. This is important, because accountability and growth start from knowing it’s ok to make mistakes. We just learn from them and try not to make the same mistake twice.”
Geoff Belknap: “Trust is the foundation of all relationships, so awareness and accountability don’t happen if there isn’t trust. Second to that is making sure that everybody’s aligned with the intent and the goal. I think lack of accountability doesn’t stem from people who don’t want to do well, but rather, they don’t see a connection to what the outcome is, and I think as a leader, it’s your job to help them make that connection. They need to clearly see how their work aligns with the broader business goals.”
Ann Johnson: “We do a tremendous amount of training within my team. We have a regular internal learning series where we bring in other teams to learn about their role. We also tap into the education and awareness team for Microsoft Security (who also sit on my team) and the training they create for all employees. Regarding accountability, my team works with customers every day, and our actions and commitments directly contribute to their ability to protect their own organization. We have a tremendous responsibility to help them and take that very seriously.”
Q: How do you balance the need for security with the need for innovation in your team?
Kumar Srinivasamurthy: “We need to allow teams to innovate and move fast. This means building tools and processes that enable security by default and by design. We want to make the path of least resistance to be secure and efficient.”
Geoff Belknap: “The value of security comes from creating, not stopping or preventing. If you are enabling your business to take risks that its competitors can’t, and you’re doing that securely every day, then you’re enabling innovation.”
Ann Johnson: “Great innovation will have security built into it. You cannot bring new products to market or go into new regions of the world without thinking about the security implications. We are past the point where security is bolted on after the fact, and those who want to innovate no longer view security as a blocker.”
Q: What’s one piece of advice you would give to your younger self?
Kumar Srinivasamurthy: “Many obstacles may seem challenging at first. If you take a methodical approach and have a growth mindset, you will overcome it. All problems are opportunities to learn and get better.”
Geoff Belknap: “Remind yourself that when you choose to have a hard career, it’s really important to take care of yourself. It’s also really hard to take care of other people if you’re burned out, too. Build some good stress management and self-care habits early before you decide to take on the burdens that come with being a security professional.”
Ann Johnson: “I can be ridiculously hard on myself so I would say, give yourself a break. Tiny little mistakes used to get under my skin, and giving myself a little more grace would have made me better in a lot of ways.”
How our leaders help to build resilient security cultures
The insights shared by Geoff, Ann, and Kumar underscore an essential truth: cybersecurity isn’t just about technology or processes—it’s about people. These leaders demonstrate that resilience starts with fostering cultures where trust, accountability, and continuous learning are prioritized.
This principle reflects a broader leadership philosophy where security transcends traditional boundaries. By cultivating environments that encourage learning from failures, establishing clear boundaries, forward-thinking leaders like our deputy CISOs are redefining security’s role. Rather than viewing it merely as a control layer or operational backbone, they’re establishing security as the fundamental foundation of organizational trust.
To learn more about Microsoft’s Office of the CISO, read our previous posts here.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
