Copilot Readiness: Protect Data Before You Deploy

00:00:06 Mark Smith 
Welcome to the MVP show. My intention is that you listen to the stories of these MVP guests and are inspired to become an MVP and bring value to the world through your skills. If you have not checked it out already, I do a YouTube series called How to Become an MVP. The link is in the show notes. With that, Let's get on with the show. Welcome back to the MVP Show. Today's guest is from ACT or the Australian Capital Territory in Australia. Sam, welcome to the show.

00:00:43 Sam Brazier-Hollins 
Thanks, Mark. Great to be here.

00:00:45 Mark Smith
It's a long time since I've been in Canberra. A very long time, maybe 10 years. I used to be down there every week.

00:00:54 Sam Brazier-Hollins 
Very good. No, a lot's changed. Unfortunately, we've gone through our fake spring recently. So it was lovely and warm last week. And now it's cold, windy and raining again this week, but it'll change again. So going through the four seasons in a week at the moment.

00:01:05 Mark Smith 
Yeah. The unique thing with ACT, right? It's about 2,000 meters above sea level or something.

00:01:11 Sam Brazier-Hollins 
Not quite that high, but we are high. So we get the full extremes of the nice cold winter and the nice hot summer and a bit of wind just to keep us going. Not as windy as Wellington, though, thankfully.

00:01:21 Mark Smith
Yeah, I know that they used to tell us, I used to almost fly in and out weekly when I was living in Sydney, that something got to do with the altitude sometimes affected takeoff because the altitude of the airport.

00:01:34 Sam Brazier-Hollins 
Yeah, I've definitely had some bumpy flights. I know you have to be careful of the fog, especially in sort of autumn. So you've either got to get the first flight when the plane's already in, otherwise there might not be any planes coming for a few hours, but then you also risk the time when they need to de-ice the plane, so it's very fine balance.

00:01:48 Mark Smith
I've had a crazy landing, well, attempted landing once on a Sydney flight down, and you can imagine the quick flights, right? But we're just fog, fog, fog, fog, fog. And I always sat in 1A as a general rule because I was flying so much. And then all of a sudden, just they full thrust on and we just did a, it felt like a vertical climb to get out of there. And then they're like, we're done, we're going back to Sydney. So yeah, I know what that fog's like.

00:02:14 Sam Brazier-Hollins 
I always find it funny when you get on and they very quickly do the service, they give you a coffee. By the time they're at the back of the plane, back to the front, you've got to try and get it down real quick so they can pack it up and go. And it's one of those ones where you only even want 1/2 cup. It's same on the evening flights, so they give you a beer and you're like, oh, have a bit of a relax and no, not at all. It's always a bit of a race. Look, it's nice to get home quickly.

00:02:32 Mark Smith
Food, family and fun. What do they mean to you living in Canberra?

00:02:36 Sam Brazier-Hollins  
So look, both my wife and I are really into food. We do a lot of cooking and a lot of cooking from scratch. Probably our go-to is a sort of 12-hour deal to make some authentic Mexican food. So it's like making the tortillas from scratch with our old cast iron press and then cooking them, doing like a slow-cooked pork shoulder and pulling that apart. We've got a great market down the road from us. We can get all sorts of weird and wonderful chili selections. So all the things that wouldn't natively go in Australia, so you can get some great flavors out of that. It's one of those things. You spend all that time preparing to bubble it up so quickly, but look, it's a lot of fun and we do get into that. The family, obviously, as my wife and I, we are expecting our first child probably in about a week. So this was real close timing. So I was slightly worried when you reached out, why don't I have to be doing this from the hospital, being like, oh no, sorry, we're going to have to reschedule. So look, that's exciting times. But otherwise, we've got a dog that's been a bit like a child to us for the last seven years and an Aussie shepherd. And my weird fun fact I always talk about when I'm at conferences is that we compete in competitive dog sports and agility. So there'll often be little photos and videos of that. And there's always someone who at the end of a presentation doesn't want to talk about the tech, wants to come up and chat dogs, which is always happy to do. So look for fun, then yes, getting out all our adventures around Australia, always with the dog as well. So he's been across the country, he's been up mountains, he's been in the sea, he's done all sorts of things with us. But otherwise, unfortunately, you can't go in the national parks, which is where I spend a lot of winter. Obviously, we've got the snowfields just down the road from Canberra, so I'm normally down there each weekend, making the most of that. And then in summer, try and get down to the beaches near us. Again, Canberra doesn't have anything there, but we're within two hours of everything. So it's nice to head down there, do a bit of diving or snorkeling. So look, that will be the plan, or would have been the plan. Not sure how that will go with the newborn this year, but I'll let you know next time.

00:04:23 Mark Smith
So good, so good. So you're focused on copilot M365. As you know, for the listeners, the Australian capital area is like the federal government. If you're in the US, it's the capital of Australia and it's where basically all federal agencies run from. Are you mainly working in federal government in the work that you're doing?

00:04:45 Sam Brazier-Hollins 
So federal is our largest client base and it's where I spend still the majority of my time, but more and more we've seen over the last few years a shift. towards critical infrastructure providers. We've seen, look, the Australian government changed some legislation known as the Sockie Act a couple of years ago. And basically, the best way of putting it is it no longer became voluntary for critical infrastructure providers to care about security. Now there's more of a mandate. So we've seen a lot of those sort of coming to us and saying, look, we've seen what you've done for government. Can we have one of those, please? They don't necessarily know what they want. They just know they need to comply. So they say, oh, we'll follow suit because if we do what the government's doing, we're in a very defendable position. a lot of that now. Obviously, they're all in the cloud, they're all using M365, and that's one of those things we spend a lot of time getting it right.

00:05:29 Mark Smith
When we talk about critical infrastructure, are we talking about assets that if they came under a cyber attack of some sort, could potentially impact the lives of people in the country, power stations, things like that?

00:05:43 Sam Brazier-Hollins 
Perfect example. That's one of my go-to is the ones that... Most often pop to mind for people are electricity providers, gas providers, water providers, all those things that we can't really live without, but also, especially for gas, have the potential to go boom if you misconfigure them. And obviously there's all the OT side. So you've got all your industrial control systems, the things that turn power, water, gas on and off. Then there's all the other assets as well. And all the information assets we see is a big one. We've seen so new organizations ran into the cloud, ran into M365 at the start of COVID, so they needed to do it. And it's been one of those things to say, oh, we'll come back to that later. Unfortunately, there's been a number of breaches, especially across Australia in the last couple of years, and a lot of information's getting out. And that's PIRs, people's personal information. And think of all the companies you've signed up for. You can't not give over your personal information when you sign up for water, power, and gas. So it's there. You've got all your financial information as well. And those services don't work if all that goes down. So a lot of that now is working with those clients. Oh, look, we've gone to Microsoft 365, or now we're about to go and start on our copilot journey. This is a good time to check out how we've gone. Or you get one of those questions where they say, Oh, it's secure by default, right? And you say, Well, look, it has the ability to be secure, but only if you turn the right buttons on and off. And then that often leads into those sort of stories that you'd imagine.

00:06:58 Mark Smith
So what are you seeing around adoption of Copilot?

00:07:01 Sam Brazier-Hollins 
The free version of Copilot, the what was being Chat for Enterprise, Microsoft's turned that on for everyone. And we see most clients having a play with at least very, very few have turned that off. We say, look, it's kind of like, Google with more smarts, right? It's a better way of asking a question and getting an answer and getting a reference. So if you're not sure, you need more information, you can click on that. Microsoft 365 copilot is definitely picking up a lot of steam. Federal government's really got behind AI and generative AI in particular and said, look, we don't want to be left behind. We need to get going on that. So a lot of interest in 365 copilot. The challenge with all these things is cost, it's not a free service, there are expenses and it can be quite hard for a lot of clients to show their return on investment. So there's been a lot of challenges around that. But also the data security aspect of saying, again, so many clients took all their on-prem data, We moved it to the cloud some time ago, did their SharePoint service, SharePoint online migration, great. And they've kind of just assumed it's all right. And that's a big part of what we're doing now. It's what we call a M365 Copilot readiness assessment, where we go and look at your data. We find all your sensitive data using things like purview and new sensitive information types, and then look at how shared that is. Is it open to everyone in the organization? Is it shared externally? Is it in certain groups? And then finding that Venn diagram, that magic sweet spot between the highly sensitive data that's also over-shared and then helping clients and agencies go and clean that up first and say, well, look, it's great that your EAs have this giant spreadsheet of everyone's corporate Amexes for booking travel. That's super useful to them, that's fine, but that should not be in a location that's accessible to everyone in the organization. So if someone goes ask Copilot about corporate Amexes, there's a risk that it might show that and that could lead to look fraud 101, right? So there's those great abilities of Copilot being so powerful of finding that information that's been lost somewhere, but then not everyone knows where their data is or what's there. So it's going to help them understand and then lead to those DSPM kind of conversations as well.

00:08:52 Mark Smith
And so are you then setting your environments up those that do adopt to, you know, how much are you getting into the Zero Trust side of things and making sure that, you know, particularly document classification is automatically done, metadata updated, blah, blah, blah, all that kind of stuff. Is that your bread and butter configuring those type of setups for companies?

00:09:14 Sam Brazier-Hollins 
Absolutely. And look, Zero Trust is a great one. I'm glad you mentioned it because it's one that we've seen. It spikes up every sort of year. At some point, everyone will get excited. We'll get back on Zero Trust and everyone sort of changes tact and then it pops up again. The Australian government's recently released some guidance on Zero Trust. Look, we'll say better late than never. But look, it is really, really helpful and it is where we need to go. I think the data labeling is really key. I think Surprisingly, Australian government has been really good at data labeling for a while because it's what they use for classified data. The challenge of that, though, it is all just about classified data. So there's a lot less than thinking about what's sensitive because it's PII, what's sensitive because it's health information, what's sensitive because it's financial. So those challenges are marrying those two up. But we say, look, it's so often people kind of say, oh, we want to do DLP. And we say, great, yep, data loss prevention. something you definitely should be doing. It's not your zero trust journey. Good. How's your labeling? And they say, oh, what do you mean labeling? And you realize there's a lot of it. It's sort of that running before you can walk and having to take that step back, working with those clients and say, well, look, what do you want to do about data? In government, they require that users classify data themselves. You can't use auto labeling. It's got to be user-driven. So you make that decision. And that's good in some ways because it means everyone has to buy in, but the challenge is then you are relying on humans to do it. I'm not a huge fan of auto-labeling of everything. I think there's that bit in between. I like things like Purvview providing a recommendation for label, but still requiring the human to be involved. So you can't wash your hands, say, Oh no, I didn't mean to spill that data. Purvview said it's okay. Look, you have your recommended label, but have a little bit of a thing. We know humans are the best. and most important line of defense in cybersecurity. So I think we wanna make sure they remain in that loop.

00:10:52 Mark Smith
Yeah, interesting, 'cause I've been in some organizations recently where auto-labeling was happening and it was very aggressive. Meaning that, you know, let's say I drafted a Word document, saved it, and then all of a sudden it's got a, you know, a privacy filter on it that, nobody can use unless I, you know, explicitly give them access. And so, and then I saw behavior around then people changing the classification right down just because they're sick and getting the complaints that every time they try to share with somebody. So it's interesting though, that fine line, because, you know, to put metadata on a document, humans typically can't be bothered.

00:11:39 Sam Brazier-Hollins 
Yeah, so that's why I think you need to, what we do is that mandatory labeling. You say, look, before you can hit save, before you can send that e-mail, before you can upload something, you have to enforce it there. I'm a big fan of less is more when it comes to labels. I don't like when you go somewhere and they've got a dozen labels, they're all complex. You need to keep it simple. What's your general public? What's your sensitive but shareable and what's your sensitive and say company only? And we may need one or two more, but keeping it simple I think is good so users don't have to overthink. And your example, this language scene as well, where today I've clicked that label, I can't send that. Okay, let me try the next label down. Hit send. Oh, doesn't let me try the next label down. Oh, that one worked. That's the label I use. And again, you see some organizations, their labels just don't make sense. If you can't instantly look at it and understand, I know what those three or four things do, then people aren't going to use it properly, right? So I think it's, again, it's that funny, that right mix between the technology and the capability, but what's going to work in the real world. But then again, it's. I think it's good to allow users to downgrade labels. And everyone's done that thing where they've clicked the wrong label, but making sure that then you are enabling that auditing and someone in your security team or your SOC is looking at that. Even if they're using something like Security Copilot now, say, well, look at all the files that have had their labels downgraded and pick out the top 10 that we think we need a human to check. And then it might be a five-minute activity for an analyst to open those up and say, oh, yep, those look fine, no worries, they're just misclicks or mislabels versus ones you're like, no, that looks a lot like a whole lot of credit card details. shouldn't be public. We need to go investigate further.

00:13:10 Mark Smith
Yeah, totally, totally. So how are you personally using AI in your job?

00:13:18 Sam Brazier-Hollins 
Okay, that's another great one. Like I have a couple of examples. I'll actually tell a story first about how I use it in my personal life, because this is one of the fun ones One of my other things I do for fun is to play a bit of Dungeons and Dragons. I'm currently the Dungeon Mask and I've been writing a campaign that our group have been playing together since January. And I use M265 copilot to help me with that. So I've got it trained and said, look, Whenever I join this chat, I'm going to ask you questions that are purely about Dungeons and Dragons. It's not about work, it's about nothing else. So I can use it and effectively have pre-trained it so I can just put in the name of a spell or ask it about a monster and it'll give me the stats and it'll make that information available. So yes, we still have our stacks of paper and pens and do all that, but there's always someone has an idea or you need to check something and it's great being able to pull it up and not spend a, wait, give me 5 minutes to flick through this or let me try and Google and find that, it can just pull it over and it knows that context.

00:14:08 Sam Brazier-Hollins 
The reason I like to tell that story is because I think it's good to think about interesting use cases. And I found that for work. It's that pre-staging saying, hey, I want to talk about this topic, Copilot, and now I'm going to ask you a series of questions and go and pull that information together. But a lot of people get upset and say, I asked Copilot to find this and it couldn't find it.Why didn't it work? You realize, well, you've used an acronym without any context. We've had a conversation about it. We know what we're talking about, but you've turned to this machine and kind of assumed it can read your mind and know that background. But if you sort of give it that little bit of input, you get so much more back.Well, my favorite one is still the meeting recordings and teams and the notes. So obviously we're consultants. A lot of time means you're doing big workshops with clients. Back in the day, you had one or two junior consultants taking all those notes. I know when I started as a grad, one of my core duties was attending these meetings and taking pages of what was in handwritten notes. So I love having co-piloting. So look, we're going to use this and then five minutes before the end. stop the meeting, hey copilot, can you summarize the meeting? Can you give us the action items? Can you give us the minutes? You put them up on screen, you live edit them, and then everyone says, yes, we're happy. And at the end of that one hour, two hour meeting, you hit send and everyone's got the meeting, they've got the minutes, they've got the action items, and maybe even the agenda for the next one. It saves that time of going back to reviewing, sending it back and forth, having those conversations, oh, no, I didn't say that, someone else said that, or I want that change. So we've seen that sort of one we can very directly draw. value from it and say, look, the value of having this license is we've saved 2 man hours of this consultant. That's X number of dollars. That's more than paid for the license. Great time. I think that's a great one. I use a lot to start content. So if I want to write a blog post, I'll often say, hey, copilot, here's what I want to write about. Give me some ideas or from things I've previously written, pull together what's worked. And I find that's good as an accelerator. Does that make sense?

00:15:57 Mark Smith
Yeah, yeah, totally. So kind of as an interesting use case, I heard recently was somebody using with Whiteboard and saying, you know, you go to start a workshop in Whiteboard and you say to the room, so give me some, you know, grab a post-it note and chuck it on the board and there's crickets, right? Nobody wants to be the first that takes that first move. And what they were using it, they were using a Copilot prompt in Whiteboard to populate three Post-it notes that were on topic, examples, and then they found that kind of launched people to go, and they would start thinking and be able to do the race.

00:16:38 Sam Brazier-Hollins 
Breaks away from that blank page effect. And I think so many people are challenged by that. I know a lot of the team use it for PowerPoint decks when they don't know where to start. So you say, get it to start it. might not look right, it might not have all the right data, but it gives you something and then you can edit. I do have one other final anecdote though, and this isn't a use case I have, but one that one of my former team members used. He'd spent most of his life in the Air Force and as an officer, and he liked to describe that as he used to shout at people for a living. That was fine, it's what they do. Came into the commercial world, became a manager there and was emailing people. The problem was his emails would end up being probably overly direct for the corporate world, shall we say. So that didn't always work. So he started using M365 Copilot to review the tone of his e-mail. So he'd write an e-mail and say, hey, Copilot, what am I tone? And if it came out dominating aggressive ordering, then he'd use it to help him rewrite it and say, look, can you make it more casual or can you tone it down? And that worked really well because a lot of the team were like, oh, He's being so much nicer now, we're getting on, it feels less direct. And it was a great way of helping balance those sort of soft skills or adapting to different ways of doing things. So I thought that was a really cool use case. And I think there's others I've suggested too, since Mike, look, where you're presenting this, think about it. My other favorite though, which is another one of just getting a different perspective on work, is often we'll write a large report, like an M365 security assessment, and it could be 50 pages. We know we're going to go and do a half an hour call and present those key findings to a client. So set it simple, let's write an executive summary. Then what I'll often do is say, cool, cut that out of the document. Hey, copilot, here's the report. Can you write an executive summary and see what it pulls out? Because it's effectively having an external view. If it matches what the consultants have said, cool, we've hit those points. But if it pulls out five points that are completely different, we need to look at that. Is it because we've put too much focus on those or have we not put enough focus on those that we see as really key and we need to adjust that? So it's a way of having an external review or look at it and just check what someone else with a different background may view the report as. We found that's been a really good tool, both from checking the work, but also then for training up a lot of the junior stuff on how to pick out those key parts or how someone else may interpret their work. So that's been quite useful too.

00:18:45 Mark Smith
That's very good, very good. What's on your AI backlog list? The list of things that you're going, You know what? I need to actually spend some time doing that 'cause I need to understand that area.

00:18:57 Sam Brazier-Hollins 
Look, I think a bit more is getting into and playing with Security Copilot more. I found we've had some great examples, but it's find it's really good at certain use cases. Some of the predefined ones that Microsoft have built are great. They work exactly as they say on the tin, really good. But then other ones, you try and vary them and it kind of falls off quite quickly. And it's trying to find that balance. We run a SOC. We have a number of very large clients on there as well. And there's always that pressure. How can you reduce costs? How can you build AI? And how can we increase the speed of response? And that's what I'd love to do. And kind of what we're talking about before, that example of using it to pull out examples where if people have downgraded a label and then check if it's legitimate or not. So I want to play that more. I think the rate of change in that space especially is so rapid as well that you have a conversation with someone one month and you say, oh, look, it can't do that. The next month, you can't just rely on what you said previously. You've got to check it because suddenly new integrations there, it's picked up more space. But I find it's also just challenging with some clients. They say, oh, you just turn it on. We'll just use it. And you say, well, look, there are cost implications. You still need to pick it. So I think it's very much defining the use case. I'm a little hesitant with AI and people say, oh, here's just a tool, go and use it and figure it out. I'm much better to say, well, let's come up with some use cases first. Let's work out what we want to do with it. And look, we'll probably find some extra ones as we go. But I think you need to have a bit of a starting point, a bit of a goal. And sort of the same approach we've always had with consulting. And look, I come from an engineering background, so I kind of always have that almost in a bad habit of falling back to your requirements. But I think in the AI space, it is really important to set up, look, what are you trying to get out of it? Is it you want higher speed? Is it you want more efficiency? Is it you have a specific problem or process that your team hates? No one ever pays attention because it's slow and boring and therefore it makes mistakes and finding that. And that's why I see the copilot space in the security world is finding those reviews that people hate doing, like those monthly audits that, no one really wants to do. It's a tick and flick activity. So they probably don't, they've probably got the TV on in the background or they're listening to music and they're kind of just ticking boxes and say, look, that's a perfect use case in my mind for AI. So it's not going to get bored. It doesn't mind doing the same task over and over again. But then it. doing that, summarizing it and calling out a couple of points. Then the human, instead of reviewing 100 items on the checklist, just pulls out the ones that have been flagged as maybe needing some extra view. And I think that's where the real value can be. And I say that's where we can improve a lot of us as well. I think when there's a serious incident, we're always going to want that really experienced analyst who's got that decade of experience that's in all who can really get in there. Look, if you've got to make that call, do you turn your website off? Do you turn off your e-commerce platform, something like that? You want the humans to be involved and make sure that's the right decision. But a lot of that basic stuff, I think there's so much value in having AI look over it, not to replace the human, but just to give the human analysts more time to go deep, to do more threat hunting or to actually have a bit more of a think about things rather than that always race to close the ticket and move on to the next one.

00:21:45 Mark Smith
Yeah.

00:21:46 Sam Brazier-Hollins 
But as you said, it needs time to have a bit more of a play and sort of challenge it a little bit more as well. And also see how well you can get around it. Because we know that attackers are doing the same thing. They're turning it on, they're seeing what they can trick with it. I know our pen test team loves it when M265s... Copilot's on an environment, they'll jump in and start asking it questions first. But you can't ask it if there's any passwords in the environment.It'll say, nope, ethical filter jump in. You can ask it if there's a storage account access keys, because for whatever reason, Copilot doesn't see that as a password. Or you can say, what are our emergency procedures? What do we do in a break glass event? And often it will then direct you to a stop and tell you who holds that credentialing at call. That's when I'm now going to go and fish. So it's very capable in some ways, but it can also be a tool for both good and evil.

00:22:27 Mark Smith
That's so true. That's so true. Things are changing to pass in the space and you're in a role that's obviously seeing that happen. What are you doing to future ready yourself or making sure that you don't become obsolete?

00:22:41 Sam Brazier-Hollins  
Well, that's a great one. I guess so much of it is that you can't just rely on what you knew last month or last year. And it's really bringing that continuous professional development in. Part of that is, There used to be this concept, and I know all consultants will do this to you, like, I'll take the last report, I'll update this, I'll make some changes and go. And we said, look, you can't do that anymore. There's too many things that are changing. So a lot of that is that continuing education. So saying, look, every time Microsoft's putting out their blog post or they're doing a presentation, Not everyone has to go to everything, but the voice could have a representative. Someone go listen in and report back to the team. So there's a big focus on sharing your information. So the best person in the team isn't the person who's got the most information. It's the person who's best at sharing the information and asking the right sorts of questions. That's a big focus for us. And it really is just that going through even things like our Microsoft 365 assessment. Everyone is different now. And if you do one last month to this month, some of the things will change. And a lot of that is that we have effectively this giant catalog of information or knowledge base we have. By then, every time we see a default configuration change, you update it. Especially now we see Microsoft's changing those things, they're now disabling basic authentication, great. But there's things that are on by default now that didn't used to be or vice versa. And it's great keeping that historic catalog as forward. So, well, look, if you turned on your tenant at this date, this is what your defaults would look like if you turn on at this date, this is what it will look like. So when you say, oh, we have the default configurations, it's asking that follow-up question, well, when did you start? What would that look like? And get a track that back. But really, I think it's so hard and it's really hard for a lot of my clients to say, look, we did this review 12 months ago. We haven't made that many changes. It should be the same. And so, well, even if you haven't been making changes, Microsoft have brought out dozens of new features. They've deprecated others, they've moved ones around in the console so you can't just rest on your laurel. So which I think is exciting and I know it's why a lot of the team love this space because it is constantly changing and there's a bit of that sort of almost gamification of it of like, oh that changes, I've got to keep up with that. And it's kind of like that old whack-a-mole game. It is challenging. So I think it's. We've found whenever people go and leave for a while, they take a couple of months off and the first thing coming back isn't that, no, you don't just jump back in, it's here you go, here, catch up on what's been happening, maybe redo a cert, have a bit of a play again, and then get back into it. It's also why we encourage everyone to have their own tenants and either do things like the MVP program or even just like demos.microsoft.com, just get in there, have a play and see what it looks like, especially the things that move consoles. And you say, oh, I know where that's sitting in, there's nothing worse than being on a live call with someone, clicking around to work out where it's moved to.

00:25:11 Mark Smith
Yeah, so true, so true. Yeah, in front of a client, nothing worse. Sam, it's been so good talking to you. We've ran over time, but man, you're an intriguing guy. So thank you so much for everything you've shared.

00:25:25 Sam Brazier-Hollins 
Well, look, thank you very much for having me, Mark. Always great to come and have a chat, and maybe next time we can do it face to face.

00:25:33 Mark Smith
Hey, thanks for listening. I'm your host, Business Application MVP, Mark Smith, otherwise known as the nz365guy. If you like the show and want to be a supporter, check out buymeacoffee.com forward slash nz365guy. Thanks again and see you next time.