A Q&A with Microsoft’s Rudy Mitra: AI Security’s Two Sides: Use AI to Defend—Secure AI by Design

On a recent visit to Microsoft’s campus in Redmond, Washington, I interviewed Corporate Vice President of security engineering Rudra Mitra.

Rudy joined Microsoft in 1999 expecting to stay only a few years, but 26 years later he’s still there, having grown from an engineer working on Outlook and Exchange into a security leader.

Over the past decade, he’s made a successful pivot into the fast‑moving world of cybersecurity, calling it one of the most dynamic and rewarding chapters of his career.

We spoke about security education, his own experiences in the workforce, and the two sides of AI security. Here’s the full interview below! 🎉 

Q: How do you think you made your career decisions from pivoting to different teams, to different areas that you've worked in? What went into those decisions?

A: I would say early on, it wasn't very planned out. It was much more organic. I wouldn't say I was very intentional to begin with. But over time, I started to think a lot more about observing the tech trends, and what's going on. And one good question for me, someone taught me to ask along the way is, “What value am I adding? How many people benefit from that work?” And that started to guide my career decisions from there on. And it's felt good since then you have a North Star for what you're doing.

Q: How did you get into the cybersecurity area? What made you pivot? Because I don't know if it was as hot of a topic as it is now then.

A: You know funny enough; I would say it may be super in focus right now, but it's been an important topic for a long time. For me, the time I made the switch and really, really got into it was during the earlier wave of moving to the cloud and cloud services when that came out. At that time, security was a big thing. No one wanted to move to the cloud. They were super worried about things like, “who's going to have access to my data”, and “what if the cloud gets breached”, and “will I lose”, and “will more attacks show up against the cloud”? 

In hindsight, I think we can now empirically say, some of these cloud services—certainly for Microsoft—are much more secure. You have the benefit of so much more infrastructure, and people think about it every day in each individual organization. 

So that's what really got me into cybersecurity. I was also fascinated with how security was the bedrock for companies deciding to choose to move to the cloud. And funnily enough, it feels like we're going through a similar moment now with AI.

Q: What do you think about this trend of AI security right now, and where do you think the industry is headed right now?

A: It's a fast-evolving space. There's a lot going on, which is why it’s a very exciting time to be in security. I often think about it as two sides of a coin: there is securing AI, and then there is AI for security. 

Starting with AI for security, I'll refer to a great philosopher called Spider Man, who said, 'With great power comes great responsibility.' If you think about what's going on with AI, you have AI in the hands of security professionals, the defenders. And then, of course, you also have it in the hands of those who don't want to do good or who want to use it for not good outcomes. With the quality of phishing attacks or the way those are constructed with AI on the offense side, it's very hard to now see emails and phishing attacks that are just blatantly broken. You used to get these phishing emails, and they would be such poorly written emails, so obvious, you would just kind of delete it, right? And now they're really good.

Now it's got AI behind it. So, if you think about the way the security threats are working, then of course, the defenders, the security professionals, need AI. You've got to have the same tools, better even, to do the work to secure against that. AI for security, with the defenders needs to keep up with the bad personas. You also need it to keep up with these incredible trends that are going on.  

So that’s one side of the coin. The other side of the coin is Securing AI: that with every new technological shift, whether it’s the cloud, or mobile devices, or bring your own devices, there's new risks that naturally come about. Securing AI is the side that I think has an incredible growth opportunity. It's a risk vector. It has compliance implications. It has fast moving regulations around it across the world. So, we often talk about it as AI for security and Security for AI, two important trends to think about.

As an addition to this, I wanted to highlight this interview I recently hosted with the Microsoft AI Red Team that I believe perfectly pairs with everything Rudy mentioned:

Q: When it comes to the new generation of cybersecurity talent, whether it be for AI for cloud, etc., how do you think we need to foster that next generation? Because I feel like traditional education isn't enough nowadays to keep up with how fast AI is evolving. 

A: I think you're exactly right; it certainly is a domain that there isn't as much structured curriculum around that needs to be. But there is some that's coming about, and I think that's incredibly good to see, because getting new folks coming into the workforce, thinking about where they go in their careers. I would argue that security is an incredible opportunity because it fosters so much of these niches that are becoming mainstream, like AI becoming a big thing now or cloud. So, there is more curriculum now. 

I think there is also good investment; industry and tech are putting into it, whether you call it cloud skilling or AI skilling that's being put out there. So, I would say sometimes it's important to also think about nontraditional skilling sources. And I think one of the things that at least Microsoft, because I'm here, I'm close to it, I get to see, is the investment the company's making in not just AI, but security for AI and  these domains being places where we have to invest ourselves, because the curriculums are not so far along. Early career folks should look at some of those skilling opportunities outside of traditional education, and traditional education will catch up.

Tech moves so fast. AI is moving incredibly fast. Security is moving incredibly fast. It's going to be a combination of things to stay up to date.

And with that, I hope this interview was an insightful look into how AI is being used to defend against cyber threats! Don’t forget to check out the interview with the Microsoft AI Red Team here.

Stay secure out there!

Best,

Sandra

Microsoft’s Rudy Mitra: AI Security’s Two Sides: Use AI to Defend
—Secure AI by Design