Bret Arsenault, CVP/CISO at Microsoft. PHOTO: Cybercrime Magazine.

Microsoft’s Pioneering CISO: “91 Percent Of Our Users Don’t Enter A Password”

Bret Arsenault protects Windows, and one of the top five largest Mac shops in the world

Steven T. Kroll

Northport, N.Y. – Jun. 7, 2019

Cloud technology is changing cybersecurity at a speed and scale not seen since the days when PCs took over the world.

Bret Arsenault, CVP and CISO at Microsoft, has worked in the field to see both of these paradigm shifts. Calm and soft-spoken, he’s the kind of person you can listen to for hours, or at least 27 minutes and 44 seconds (the duration of the interview he filmed with Cybercrime Magazine). Beneath that cool exterior is a dedicated cyberfighter in charge of cybersecurity for an F50 organization.

Coding since the day the earth cooled, as he says, Arsenault started at Microsoft in 1990, right in the middle of a transformative period for the company.

“We had a really simple mission then — put a desktop in every home,” says Arsenault. “We saw the world changing around us, and people were pretty excited about it.”

Time moves forward and changes come along. However, the general trend and characteristics remain very similar, especially when it comes to the elation of advancements in technology.

Arsenault sees many parallels between what’s going on today with the early days of his career. “In the last five years, we’ve seen a resurgence in how we think about things, simplifying, and really in some ways not doing much different.” It’s all about productivity and making every organization achieve on a large scale.

Microsoft, on the other hand, is a very different company from its founding. Arsenault leads a team of 500 employees and 200 vendors that protect 135,000 employees, 80,000 vendors, hundreds of offices in over 190 countries, 50 geographies with over 90 data centers for cloud services, and more than 10 million endpoints.

In addition, Microsoft segmented its business lines so that Office and Azure each have a dedicated security team that monitors everything. Those teams make up about 3,500 people that reason over six and a half trillion events a day.

And Arsenault is quick to point out that he’s not just running Windows.

“I run a lot of Linux. I’m one of the top five largest Mac shops in the world. I run iOS, Android,” says Arsenault. “We have pretty much everything you see just like any other large enterprise.”

Much like the way PCs changed the world in the ’90s, the cloud is revolutionizing business, communication, cybersecurity, data collection, and cybercrime. Many people mention the challenges that come along with securing the cloud. Not Arsenault. He sees the good that can be done through cloud security. 

“I see something that happens — as an example, a phish — in some part of the world,” says Arsenault. “Before someone in your company reports it, we can permeate through the entire system and all the data centers, and it’s just gone and removed and eradicated from the system, which used to take a lot of time.”

For the first time, the good guys have a slight advantage when it comes to cybersecurity and cloud technologies. This slight upper hand makes it a little more difficult for bad actors.

It’s his personal mission to drive passwords into abandoned tunnels and walk away. Using biometrics increases efficiency and makes users happier because they don’t have to remember long passwords and change them frequently.

“About 91 percent of our users don’t enter a password [at Microsoft], whether it’s on a Mac or a PC,” says Arsenault. “We get to use all the biometric sensors to actually enable something that is a better user experience and has more security, which is the panacea for any CISO.”

Though highly technical, Arsenault’s soft skills lean toward increasing diversity. This undertaking serves two purposes — creating equality within the workspace and solving the employment challenge.

“Half of the new hires I bring in are female, which is great,” says Arsenault. “It’s not just bringing in female talent. It’s any diverse talent. You want to build the product by an organization that looks like the people who are using it. You have to spend effort and time on it.”

Reflecting on the nature of his role over the course of his career and how it relates to his life, Arsenault says, “I think this job has taught me a lot. Every year I think I learned more about what I don’t know. And so I figure by the time I’m done, I’ll officially know nothing, which will confirm my teenage daughter’s views.”

Steven T. Kroll is a public relations specialist and staff writer at Cybercrime Magazine.

Ask The CISO Archives


From the start, the Fortinet vision has been to deliver broad, truly integrated, high-performance security across the IT infrastructure.

We provide top-rated network and content security, as well as secure access products that share intelligence and work together to form a cooperative fabric. Our unique security fabric combines Security Processors, an intuitive operating system, and applied threat intelligence to give you proven security, exceptional performance, and better visibility and control–while providing easier administration.

Our flagship enterprise firewall platform, FortiGate, is available in a wide range of sizes and form factors to fit any environment and provides a broad array of next-generation security and networking functions.

The Fortinet corporate brochure explains how we deliver comprehensive network, endpoint, application, and access security.

Learn more at