Why Copilot Fails Without Data Security
Asne Holtklimpen
Microsoft MVP

FULL SHOW NOTES
https://www.microsoftinnovationpodcast.com/692

When organizations rush to adopt AI tools like Microsoft Copilot, they often overlook a critical prerequisite: a secure, well-structured data environment. In this episode, Åsne Holtklimpen—Cloud Solution Architect at Crayon and Microsoft MVP—shares how her journey from SharePoint veteran to Copilot expert revealed a hard truth: without strong information governance, AI can do more harm than good. Åsne walks us through real-world challenges, practical frameworks, and the mindset shift needed to make AI adoption safe, scalable, and truly transformative.

KEY TAKEAWAYS
Security Before AI: Successful Copilot implementation starts with robust information security—classification, labeling, and governance must come first.
Start Small, Scale Smart: Åsne recommends a phased approach using Microsoft Purview, beginning with basic data classification before layering on policies and automation.
Expose the Risks: Demonstrating real data exposure—like personal identity numbers or health info—helps organizations understand the urgency of securing their environments.
AI Readiness ≠ Cloud Presence: Many companies assume they’re ready for AI because they use Teams or SharePoint, but Åsne stresses the need for deeper structural alignment.
Public Sector Pressure: Norway’s public sector faces a mandate to adopt AI by 2030, but Åsne warns that without guidance and foundational readiness, this push could backfire.

RESOURCES MENTIONED
👉 Microsoft Purview – https://www.microsoft.com/en-us/security/business/information-protection/microsoft-purview
👉 Microsoft Copilot – https://www.microsoft.com/en-us/microsoft-365/copilot
👉 Microsoft Entra – https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra
👉 Microsoft Intune – https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/microsoft-intune

Thanks for listening 🚀 - Mark Smith

00:32 - Welcome to the MVP Show

01:36 - Åsne's Journey in Tech

05:28 - Security Challenges with Copilot

09:21 - Finding Exposed Sensitive Information

13:33 - Implementing Purview and Security Solutions

18:18 - The Copilot Implementation Challenge

22:30 - Closing Thoughts and Thanks

Mark Smith:
 
 Danish people are the ones who actually get it the most. Not the Norwegians, but the Danish, wow, wow. So does it originate from there?


Åsne Holtklimpen:
 No, it is Norwegian, it's just my family who has it, so it's from an old farm, so I'm a farm girl originally.


Mark Smith:
 Nice, nice, very cool. I always start with food, family and fun. What do they mean to you? What are you into when you're not doing work?


Åsne Holtklimpen:
 Well, I was asked the same question the other day because somebody asked me where I got the energy to do all the webinars and all the things I do. And I'm like I don't have. I live for what I do. So I'm like, what do I actually do for fun? Well, I try to exercise, um, I try to. I try to go out with friends sometimes, uh in, and if somebody can feed me sushi while going out with friends, I'm happy. But uh, but it's uh. No, I love, I love what I do, uh, and I I think I use all my energy towards doing what I do. So when the workday and all the things like when I've done my blogs or whatever, when I'm done with that, I'm just flat out. So I try to recharge with a little bit of exercise and a little bit of sushi, and then I'm happy to go. I like it.


Mark Smith:
 So what do you do? Tell us about your job and what you do in the tech space with Microsoft.


Åsne Holtklimpen:
 Well, originally I'm from the old SharePoint farms, so I've been working with SharePoint for about 20 odd years and of course Teams came along and that was a sort of a natural adoption to start with Teams. And then we had a little pandemic amidst all this after Teams arrived. So I've been sort of thrown into getting Teams up and running for everyone and with Teams the focus on information security came very clear to me. So I started with that. I started with trying to get people to sort out the information security how teams were set up, what to use when and try to I wouldn't say dumb it down, but try to get people to understand it, because IT was talking over people's heads and nobody was saying how we should use it and how we should facilitate setting up the teams and orchestrate our information structure and all that. So basically I started just speaking a lot about that and try to get people to understand.


Åsne Holtklimpen:
 Doing webinars, doing videos when the pandemic hit too hard, we couldn't go anywhere. So obviously YouTube was a great medium. And then Copilot arrived and that was sort of put on top of everything I was already talking about and then suddenly I was a Copilot MVP basically. So it's been a ride.


Mark Smith:
 It's interesting that you're a Copilot MVP with that security background, because I feel to implement Copilot correctly with an organization, you need to take a security posture you know to really one, not expose PII data and risk data leakage. Even if that risk is only an internal risk. It's still a risk all the same and I like Microsoft's move to a zero trust model with tools like Purview and what you get with Entra ID and the various security tools. When you talk to organizations about implementing Copilot, what are the type of discussions you're having?


Åsne Holtklimpen:
 Well, it's a start with the basics. As you said, we've been struggling with this for a long time. We've been talking about information security for a long, long time and nobody's been listening. Everybody's like, no, we don't have that much value, we don't have that much data. No, we're quite secure. And everybody did the lift and shift from file servers when the pandemic hit because they had to get access to data. So everybody did either a lift and shift to SharePoint or a team and no control whatsoever.


Åsne Holtklimpen:
 And I feel that when Copilot arrived and I keep telling people that we need to go back to the foundation, we need to go back and see what we need to do to get everything secure, and some are listening and some are still like, no, everything's fine, we don't have anything that's that bad. And if I'm lucky and I get access and can do an analysis and see how things are, I usually find a lot and they start listening a little bit. But it's like we've been standing yelling and yelling and yelling get this ordered, get this ordered and people are still having a hard time trying to listen to it. And security has never been sexy, right? So IT people have talked about security both in network, in Entra, in devices.


Åsne Holtklimpen:
 We've been talking about security for such a long time and we still have customers who can't see the point of having MFA. And now we're like, yeah, you need to secure information as well. So it's sort of, oh no, no, another thing. So we still struggle to get through it. But usually I say that if you start with classification, if you start, just start with the small things you can easily add on later on, but just start with a classification and try to get that going, and then at least you have started, and then you can take your time and add more security on top of that, as long as you get something rolling. But we still struggle. It's weird.


Mark Smith:
 The situation that you explained then, which was, if I get access, when people are saying, no, we're all secure, we're fine, there's nothing really important on our network. This is something I've heard another MVP talk about. And as soon as they give him that access and then he does a range of queries and he shows them what he can find with, you know, using search and whatnot and I've used this talk track for a while now security by obscurity, right? Is that? Because people can't see it. They're like, well, nobody can see it and they don't understand that AI looks for patterns and can uncover that, and somebody that doesn't necessarily as strong at search they don't need to be because a prompt is enough to get them off to the races.


Mark Smith:
 When you do that with an organization and you're wanting to get those quick wins and those oh my gosh, I didn't realize moments from them and oh, okay, we do need to do something. What are you typically searching for? Is it kind of like exposed credit card numbers? Is it passwords? Is it perhaps dodgy conversations? What are you looking for that will really light them up to go? You know what. We do need to do something serious.

 

Åsne Holtklimpen: Usually I do like the Norwegian personal identity numbers because that's part of the sensitive information that we are required by law to make sure that we don't find credit card numbers. We have a little bit of that but we're not. I don't think that Norway is, we don't, we don't share that as much like default. So it's more. It's more the personal identity numbers. And then I have health, like different diseases and stuff like that health you know. So I go in and usually use a keyword search list with all the different health criteria I have, and then, of course, the 90-day number.


Åsne Holtklimpen:
 And we've had a lot of cases in Norway where we had public institutions going and oh, we found this many numbers and this information was open to everyone within the organization and things like that. So I can sort of I usually take those news reports and say that this is what happened and this is the find they got you know and just show them this is gonna this, this will be something that I'll find with you as well. Maybe not as many, maybe more, you never know, but this will be found because you don't have anything to sort of remediate things like that. When you have emails, you know you've got a CV, you've got a question for somebody that's going to be hired, and then you have identity numbers all over the place. So usually I find a lot of them with no control.


Mark Smith:
 So what's your next step? So let's say, the company has said you know what, okay, we do have a problem, we need to do something. Is there a particular Microsoft tooling configuration? What is it that you start to do to take them on a journey of you know, to security, to data security?


Åsne Holtklimpen:
 Well, I use Purview, um with just about anything data security related, because that's obviously my, my field, and I have great co-workers and I know Entra and I know a little bit of Intune and all those sort of devices as well. So I facilitate them as much as I can do, but then I drag them with me into what we prefer to do is sort of a workshop with our customers, and then we can sort of okay, we found this, we found this, we found this and we found this and this is how that's going to affect you and your environment if you don't do anything about it. What we suggest is that you do this and that will affect the end users like this, because they need to. I, everyone, like all the customers we talked about, uh, talk with not about, but talk with. Uh, they have like, well, that's going to take us so many hours, it's going to take a lot of time, it's going to cost us so many money and uh, you know they have the and obviously, the end users. They're very worried about the end users, uh, how we're going to handle them. So we try to. We try to say that, well, this is this little thing, here is what you need to do. It's not going to take that much time. We can help you. And this is going to affect end users like this, because they need to let the end users know as well.


Åsne Holtklimpen:
 So basically, I do the Purview thing, I do the classification. Well, I tell them to do the classification because obviously they need to decide it before I start anything, and then I sort of add on the little features you know and then you have the policies and then you have sensitive info types to detect and add labels on the information. And then you do the data loss and you sort of add on the list and I try to make it like in small packages so it seems easier to consume, because all IT people want to throw everything at a customer or at an environment all at once and then they sit there, the management sit there and just we can't do this. This is too much. But if you sort of package it and we start with this little bit and then we wait for two months and then we start with this little bit, so I love Purview.


Åsne Holtklimpen:
 I think it's an amazing tool and I wish more people could see it and I wish more people could start using it and start to see that it's not that hard to get started. Um, you just need to access it and sort of you. Well, obviously you get uh, you get the wizards as well. They're there, they'll help you, and with Copilot on top of that, you know, just just do it, just start sorry.


Mark Smith:
 So I'm gonna ask you a license question because you work for Crayon and obviously it's something that they do. How, if someone was like oh my gosh, what is this Purview thing and how do I get started with it? Is it part of the E5 license SKU or is it a bolt-on SKU? Is there levels to Purview? How do you talk about it from a licensing perspective?


Åsne Holtklimpen:
 Well, I don't have a doctorate in licensing and you need one now. Nobody does. But with the E3 package you get a lot of the features, but what you get with the E5 or the E5 compliance, you get the automation. That's what I usually say, that if you go up to E5, you get the automation. But you can do it, can do labeling and you can do a policy and you can do a lot with the E3 license. But E5 will get you all the automatics and the ability to maybe, maybe, maybe, get 100% labeled files and data. But with the E3, you need to do a lot manually.


Mark Smith:
 Right, right, that's brilliant. That's a nice clear-cut clarification. So so do you kind of work on? You know you have this phased approach, which I think is so important because you know if you throw everything at it, all of a sudden nothing works for anybody, and then you're dealing with just complaints left, right and center. Do you kind of have a maturity assessment model that you run with an organization that you know you might be starting the most journey? You might not even tell them you're going to get them to this point but over the course of a period of time, whatever is you're going to get them from, let's say, uh to a zero trust posture. Do you kind of do you have that kind of thought process in your head?


Åsne Holtklimpen:
 Yeah, obviously, because when you, when you first get to know a customer, you just suddenly see that, oh, we're not in Teams, so there's, we can't, we can't start with labeling, because they're actually not, they're not sorted in Teams, they don't. They maybe have one team and they use Teams for meetings and chats and that's it. So then it's like, okay, I need to take a step back. And okay, first of all, we need the foundation, we need to see how we can use Teams and we need to see how we can use SharePoint, and then I usually add on after that, as well as with Purview. You know we need this first because nothing's going to work unless we have the files in M365, right, because how can you use Copilot on top of that? How can you? You can't do anything if you don't have it there.


Åsne Holtklimpen:
 So I sort of, and usually they're they have some ability to listen to that because they're like, oh, I thought we used Teams. I'm like, no, yeah, you use it for meetings but nothing else. And that's also something that we see from the pandemic. I have a friend who always says that assumption is the mother of all fuck-ups and it's basically this because the management after pandemic they think that everybody used Teams and everybody understood how they used Teams. And then we have new hires that came after the pandemic. We have users who are just panicking and just go back-to-back meetings and never did anything else than meetings. So there's a lot of assumptions going on that everybody's full on in Teams and everybody's understood how we use the files.


Åsne Holtklimpen:
 So basically, there's usually a little step back and get the overview on how everything sorted before I actually get to the chance to say that we need to classify the data. And I have companies who come to me and say we're going to start using Copilot. So I'm like, yeah, I can help you out. And then we have a look at everything and I'm like, well, you don't have anything in Teams. You're like where's your data? Oh, it's on the file share. Okay, so we need to's. That's going to change, yeah, so so, uh, there's a lot of cleaning, there's a lot of house cleaning, so yeah.


Mark Smith:
 Good, good, very interesting. Now let's look at Copilot. What? What's your involvement being in Copilot? You know what are we looking at? A bit about 80. Is it 18 months old now? Year and a half old, roundabout, isn't it? What type of work are you doing in the Copilot space?


Åsne Holtklimpen:
 Well, we've done a lot of work with Microsoft. They've had a lot of funding programs for customers, so we've done a lot of workshops with them, with our customers. And I do a lot of back to the basics because, like I said, companies come to me that want to start using Copilot. Everybody's excited and then you have a look at the environment, like, yeah, we got a lot of work to do here before we used Copilot and it wasn't in Norwegian, I think May last year, so almost a year, it was in Norwegian. So, obviously, a lot of waiting there to get it up and running. The public sector in Norway they really want to start using technology quite early on, so they're quite good at adapt technology.


Åsne Holtklimpen:
 And I'm afraid of saying this basically because we have a digitalization department in Norway, the public sector, who said that everybody in the public sector should use some sort of AI before 2025, by the end of 2025. I'm like, okay, okay, yeah, that's great, but how, uh, why what? There's no guidance? There's no. There's no like how should we use it? There's no. There's no teaching moment here, for for anyone, it's just we need to use it before 2025. It's like they're afraid of being I can't. I don't understand I don't know the word here but they're sort of afraid that they're going to miss the train, basically. But it's like no, no, no, we can't go out and say that the public sector need to use AI before 2025 because they're not ready. They're not all in the cloud, they're not ready for it at all. And so now they're moderated and saying it's going to be before 2030, but there's still no guidance, there's still nothing to help them get started. There's nothing there.


Åsne Holtklimpen:
 So that's something I'm now trying to speak out a little bit on, trying to see if I can find a way in there and say that we need to give them something, we need to have some sort of guidance for them. So this has been one of the things we've been hearing a lot. We get the public sector coming to us, we need to use Copilot and we're like OK, we'll have a look at your environment and then we'll, like I said, take the step back, because it feels like I'm pouring water on everyone. Just calm down, calm down, we're going to get there, but we just need to do a little bit before, and we do a lot of public webinars out to people. I do a lot of talks on different types of seminars and all that. Speaking about information security first and foremost. Then we can use Copilot. So it's been like I said I'm supposedly MVP on Copilot, but I'm more of an information security foundation and yeah, so important.


Åsne Holtklimpen: Yeah, it is, and you can't have Copilot without it. So that's what we see all the time and that's what I've been doing the last year and a half.


Mark Smith:
 I like it. I like it. Åsne, thank you so much for coming on. You have taught me a lot and I hope the listeners find the value here as well.


Åsne Holtklimpen:
 It's been fun. Thank you so much for having me.


Mark Smith: Hey, thanks for listening. I'm your host, Business Application MVP Mark Smith, otherwise known as the NZ365 Guy. If you like the show and want to be a supporter, check out buymeacoffee.com/nz365guy. Thanks and see you next time. Thank you.

 

Asne Holtklimpen

As a Senior Cloud Architect at Crayon and a Microsoft MVP specializing in Microsoft 365 Copilot, Asne Holtklimpen is passionate about making a difference in the tech world. Being recognized as one of Norway's 50 foremost women in technology by Abelia and the Oda network in 2022 was a proud moment for her, and it fuels her drive to make complex technology accessible and practical for everyone.

With over 20 years of experience in IT consulting, she has seen the incredible evolution of technology. Aasne’s focus is on Microsoft 365 tools like Teams and SharePoint and ensuring data flow security with Microsoft Purview. She loves empowering organizations through technology, offering courses, training, and innovative solutions that boost productivity and security.

Every day, Aasne strives to help others harness the power of technology to achieve their goals. It's not just a job for her—it's a passion.