May 28, 2025 • 23 mins
Get featured on the show by leaving us a Voice Mail: https://bit.ly/MIPVM
FULL SHOW NOTES
https://www.microsoftinnovationpodcast.com/692
When organizations rush to adopt AI tools like Microsoft Copilot, they often overlook a critical prerequisite: a secure, well-structured data environment. In this episode, Åsne Holtklimpen—Cloud Solution Architect at Crayon and Microsoft MVP—shares how her journey from SharePoint veteran to Copilot expert revealed a hard truth: without strong information governance, AI can do more harm than good. Åsne walks us through real-world challenges, practical frameworks, and the mindset shift needed to make AI adoption safe, scalable, and truly transformative.
KEY TAKEAWAYS
Security Before AI: Successful Copilot implementation starts with robust information security—classification, labeling, and governance must come first.
Start Small, Scale Smart: Åsne recommends a phased approach using Microsoft Purview, beginning with basic data classification before layering on policies and automation.
Expose the Risks: Demonstrating real data exposure—like personal identity numbers or health info—helps organizations understand the urgency of securing their environments.
AI Readiness ≠ Cloud Presence: Many companies assume they’re ready for AI because they use Teams or SharePoint, but Åsne stresses the need for deeper structural alignment.
Public Sector Pressure: Norway’s public sector faces a mandate to adopt AI by 2030, but Åsne warns that without guidance and foundational readiness, this push could backfire.
RESOURCES MENTIONED
👉 Microsoft Purview – https://www.microsoft.com/en-us/security/business/information-protection/microsoft-purview
👉 Microsoft Copilot – https://www.microsoft.com/en-us/microsoft-365/copilot
👉 Microsoft Entra – https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra
👉 Microsoft Intune – https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/microsoft-intune
👉 Microsoft MVP YouTube Series - How to Become a Microsoft MVP - https://www.youtube.com/playlist?list=PLzf0yupPbVkqdRJDPVE4PtTlm6quDhiu7
This year we're adding a new show to our line up - The AI Advantage. We'll discuss the skills you need to thrive in an AI-enabled world.
Accelerate your Microsoft career with the 90 Day Mentoring Challenge
We’ve helped 1,300+ people across 70+ countries establish successful careers in the Microsoft Power Platform and Dynamics 365 ecosystem.
Benefit from expert guidance, a supportive community, and a clear career roadmap. A lot can change in 90 days, get started today!
If you want to get in touch with me, you can message me here on Linkedin.
Thanks for listening 🚀 - Mark Smith
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Mark Smith (00:06):
Welcome to the MVP show.
My intention is that you listento the stories of these MVP
guests and are inspired tobecome an MVP and bring value to
the world through your skills.
If you have not checked it outalready, I do a YouTube series
called how to Become an MVP.
The link is in the show notes.
With that, let's get on withthe show.
(00:31):
Today's guest is from Norway.
She works at Crayon as a cloudsolution architect.
She was first awarded MVP in2024.
She was named one of Norway's50 foremost women in technology.
She enjoys a good day out onthe boat during summer and a hot
cup of coffee with a good bookduring winter Perfect.
(00:53):
You can find links to her bioand socials in the show notes
for this episode.
Welcome to the show, Asne.
Åsne Holtklimpen (01:00):
Thank you.
Thank you so much for having meand, yeah, that was right.
Mark Smith (01:03):
Wow, that's cool.
That's cool.
I'll let you tell me how do youpronounce your full name Osne
Holtklimpen.
Åsne Holtklimpen (01:11):
Holtklimpen.
Mark Smith (01:13):
Excellent, excellent , holtklimpen.
Wow, yeah, I can see how peoplestruggle with it.
Like you were saying Incredible.
Åsne Holtklimpen (01:26):
Yeah, the.
Mark Smith (01:27):
Danish people are the ones who actually get it the
most.
Not the Norwegians, but theDanish, wow, wow.
So does it originate from?
Åsne Holtklimpen (01:31):
there.
No, it is Norwegian, it's justmy family who has it, so it's
from an old farm, so I'm a farmgirl originally.
Mark Smith (01:40):
Nice, nice, very cool.
I always start with food,family and fun.
What do they mean to you?
What are you into when you'renot doing work?
Åsne Holtklimpen (01:50):
Well, I was asked the same question the
other day because somebody askedme where I got the energy to do
all the webinars and all thethings I do.
And I'm like I don't have.
I live for what I do.
So I'm like, what do I actuallydo for fun?
Well, I try to exercise, um, Itry to.
I try to go out with friendssometimes, uh in, and if
(02:13):
somebody can feed me sushi whilegoing out with friends, I'm
happy.
But uh, but it's uh.
No, I love, I love what I do,uh, and I I think I use all my
energy towards doing what I do.
So when the workday and all thethings like when I've done my
blogs or whatever, when I'm donewith that, I'm just flat out.
(02:33):
So I try to recharge with alittle bit of exercise and a
little bit of sushi, and thenI'm happy to go.
I like it.
Mark Smith (02:41):
So what do you do?
Tell us about your job and whatyou do in the tech space with
Microsoft.
Åsne Holtklimpen (02:47):
Well, originally I'm from the old
SharePoint farms, so I've beenworking with SharePoint for
about 20 odd years and of courseTeams came along and that was a
sort of a natural adoption tostart with Teams.
And then we had a littlepandemic amidst all this after
(03:08):
Teams arrived.
So I've been sort of throwninto getting Teams up and
running for everyone and withTeams the focus on information
security came very clear to me.
So I started with that.
I started with trying to getpeople to sort out the
information security how teamswere set up, what to use when
(03:28):
and try to I wouldn't say dumbit down, but try to get people
to understand it, because IT wastalking over people's heads and
nobody was saying how we shoulduse it and how we should
facilitate setting up the teamsand orchestrate our information
structure and all that.
So basically I started justspeaking a lot about that and
(03:51):
try to get people to understand.
Doing webinars, doing videoswhen the pandemic hit too hard,
we couldn't go anywhere.
So obviously YouTube was agreat medium.
It didn't go anywhere.
So obviously YouTube was agreat medium.
And then Copilot arrived andthat was sort of put on top of
everything I was already talkingabout and then suddenly I was a
(04:13):
Copilot MVP basically.
So it's been a ride.
Mark Smith (04:20):
It's interesting that you're a Copilot MVP with
that security background,because I feel to implement
Copilot correctly with anorganization, you need to take a
security posture you know toreally one, not expose PII data
and risk data leakage.
Even if that risk is only aninternal risk.
(04:45):
It's still a risk all the sameand I like Microsoft's move to a
zero trust model with toolslike Purview and what you get
with Entry ID and the varioussecurity tools.
When you talk to organizationsabout implementing Copilot, what
are the type of discussionsyou're having?
Well?
Åsne Holtklimpen (05:04):
it's a start with the basics.
As you said, we've beenstruggling with this for a long
time.
We've been talking aboutinformation security for a long,
long time and nobody's beenlistening.
Everybody's like, no, we don'thave that much value, we don't
have that much data.
No, we're quite secure.
And everybody did the lift andshift from file service when the
(05:24):
pandemic hit because they hadto get access to data.
So everybody did either a liftand shift to SharePoint or a
team and no control whatsoever.
And I feel that when Copilotarrived and I keep telling
people that we need to go backto the foundation, we need to go
back and see what we need to doto get everything secure and
(05:50):
Some are listening and some arestill like, no, everything's
fine, we don't have anythingthat's that bad.
And if I'm lucky and I getaccess and can do an analysis
and see how things are, Iusually find a lot and they
start listening a little bit.
But it's like we've beenstanding yelling and yelling and
(06:11):
yelling get this ordered, getthis ordered and people are
still having a hard time tryingto listen to it.
And security has never beensexy, right?
So IT people have talked aboutsecurity both in network, in
entra in devices.
We've been talking aboutsecurity for such a long time
(06:33):
and we still have customers whocan't see the point of having
MFA.
And now we're like, yeah, youneed to secure information as
well.
So it's sort of, oh no, no,another thing.
So we still struggle to getthrough it.
But usually I say that if youstart with classification, if
(06:53):
you start, just start with thesmall things you can easily add
on later on, but just start witha classification and try to get
that going, and then at leastyou have started, and then you
can take your time and add moresecurity on top of that, as long
as you get something rolling.
(07:13):
But we still struggle.
It's weird.
Mark Smith (07:22):
The situation that you explained then, which was,
if I get access, when people aresaying, no, we're all secure,
we're fine, there's nothingreally important on our network.
This is something I've heardanother MVP talk about.
And as soon as they give himthat access and then he does a
range of queries and he showsthem what he can find with, you
(07:47):
know, using search and whatnotand I've used this talk track
for a while now security byobscurity, right?
Is that?
Because people can't see it.
They're like, well, nobody cansee it and they don't understand
that AI looks for patterns andcan uncover that, and somebody
(08:08):
that doesn't necessarily asstrong at search they don't need
to be because a prompt isenough to get them off to the
races.
When you do that with anorganization and you're wanting
to get those quick wins andthose oh my gosh, I didn't
realize moments from them and oh, okay, we do need to do
something.
What are you typicallysearching for?
Is it kind of like exposedcredit card numbers?
(08:29):
Is it passwords?
Is it perhaps dodgyconversations?
What are you looking for thatwill really light them up to go?
You know what.
We do need to do somethingserious.
Åsne Holtklimpen (08:42):
Usually I do like the Norwegian personal
identity numbers because that'spart of the sensitive
information that we are requiredby law to make sure that we
don't find credit card numbers.
We have a little bit of thatbut we're not.
I don't think that Norway is,we don't, we don't share that as
(09:03):
much like default.
So it's more.
It's more the personal identitynumbers.
And then I have health, likedifferent diseases and stuff
like that health you know.
So I go in and usually use akeyword search list with all the
different health criteria Ihave, and then, of course, the
(09:24):
90-day number.
And we've had a lot of cases inNorway where we had public
institutions going and oh, wefound this many numbers and this
information was open toeveryone within the organization
and things like that.
So I can sort of I usually takethose news reports and say that
this is what happened and thisis the find they got you know
(09:46):
and just show them this is gonnathis, this will be something
that I'll find with you as well.
Maybe not as many, maybe more,you never know, but this will be
found because I'll find withyou as well.
Maybe not as many, maybe more,you never know, but this will be
found because you don't haveanything to sort of remediate
things like that.
When you have emails, you knowyou've got a CV, you've got a
question for somebody that'sgoing to be hired, and then you
(10:09):
have identity numbers all overthe place.
So usually I find a lot of themwith no control.
Mark Smith (10:18):
So what's your next step?
So let's say, the company hassaid you know what, okay, we do
have a problem, we need to dosomething.
Is there a particular Microsofttooling configuration?
What is it that you start to doto take them on a journey of
you know, to security, to datasecurity?
Åsne Holtklimpen (10:37):
well, I use purview, um with just about
anything data security related,because that's obviously my, my
field, and I have greatco-workers and I know entra and
I know a little bit of Intuneand all those sort of devices as
well.
So I facilitate them as much asI can do, but then I drag them
(11:04):
with me into what we prefer todo is sort of a workshop with
our customers, and then we cansort of okay, we found this, we
found this, we found this and wefound this and this is how
that's going to affect you andyour environment if you don't do
anything about it.
What we suggest is that you dothis and that will affect the
end users like this, becausethey need to.
(11:25):
I, everyone, like all thecustomers we talked about, uh,
talk with not about, but talkwith.
Uh, they have like, well,that's going to take us so many
hours, it's going to take a lotof time, it's going to cost us
so many money and uh, you knowthey have the and obviously, the
end users.
They're very worried about theend users, uh, how we're going
(11:47):
to handle them.
So we try to.
We try to say that, well, thisis this little thing, here is
what you need to do.
It's not going to take thatmuch time.
We can help you.
And this is going to affect endusers like this, because they
need to let the end users knowas well.
So basically, I do the purviewthing, I do the classification.
(12:09):
Well, I tell them to do theclassification because obviously
they need to decide it before Istart anything, and then I sort
of add on the little featuresyou know and then you have the
policies and then you havesensitive info types to detect
and add labels on theinformation.
And then you do the data lossand you sort of add on the list
(12:31):
and I try to make it like insmall packages so it seems
easier to consume, because allIT people want to throw
everything at a customer or atan environment all at once and
then they sit there, themanagement sit there and just we
(12:51):
can't do this.
This is too much.
But if you sort of package itand we start with this little
bit and then we wait for twomonths and then we start with
this little bit, so I lovePurview.
I think it's an amazing tool andI wish more people could see it
and I wish more people couldstart using it and start to see
(13:13):
that it's not that hard to getstarted.
Um, you just need to access itand sort of you.
Well, obviously you get uh, youget the wizards as well.
They're there, they'll help you, and with co-pilot on top of
that, you know, just just do it,just start sorry.
Mark Smith (13:34):
So I'm gonna ask you a license question because you
work for Crown and obviouslyit's something that they do.
How, if someone was like oh mygosh, what is this Purview thing
and how do I get started withit?
Is it part of the E5 licenseSKU or is it a bolt-on SKU?
Is there levels to purview?
(13:59):
How do you talk about it from alicensing perspective?
Åsne Holtklimpen (14:02):
Well, I don't have a doctorate in licensing
and you need one now.
Nobody does.
But with the EC package you geta lot of the features, but what
you get with the E5 or the E5compliance, you get the
automation.
That's what I usually say, thatif you go up to E5, you get the
(14:25):
automation.
But you can do it, can dolabeling and you can do a policy
and you can do a lot with theE3 license.
But E5 will get you all theautomatics and the ability to
maybe, maybe, maybe, get 100%labeled files and data.
But with the E3, you need to doa lot manually.
Mark Smith (14:48):
Right, right, that's brilliant.
That's a nice clear-cutclarification.
So so do you kind of work on?
You know you have this phasedapproach, which I think is so
important because you know ifyou throw everything at it, all
of a sudden nothing works foranybody, and then you're dealing
with just complaints left,right and center.
(15:08):
Do you kind of have a maturityassessment model that you run
with an organization that youknow you might be starting the
most journey?
Åsne Holtklimpen (15:26):
You might not even tell them you're going to
get them to this point but overthe course of a period of time,
whatever is you're going to getthem from, let's say, uh to a
zero trust posture.
Do you kind of do you have thatkind of thought process in your
head?
Yeah, obviously, because whenyou, when you first get to know
a customer, you just suddenlysee that, oh, we're not in teams
, so there's, we can't, we can'tstart with labeling, because
they're actually not, they'renot sorted in teams, they don't.
They maybe have one team andthey use teams for meetings and
chats and that's it.
(15:47):
So then it's like, okay, I needto take a step back.
And okay, first of all, we needthe foundation, we need to see
how we can use teams and we needto see how we can use
sharepoint, and then I then Iusually add on after that, as
well as with purview.
You know we need to see how wecan use SharePoint, and then I
usually add on after that, aswell as with Purview.
You know we need this firstbecause nothing's going to work
unless we have the files in M365, right, because how can you use
(16:09):
Copilot on top of that?
How can you?
You can't do anything if youdon't have it there.
So I sort of, and usuallythey're they have some ability
to listen to that becausethey're like, oh, I thought we
used Teams.
I'm like, no, yeah, you use itfor meetings but nothing else.
And that's also something thatwe see from the pandemic.
(16:31):
I have a friend who always saythat assumption is the mother of
all fuck-ups.
That assumption is the motherof all fuck-ups and it's
basically this because themanagement after pandemic they
think that everybody used Teamsand everybody understood how
they used Teams.
And then we have new hires thatcame after the pandemic.
(16:54):
We have users who are justpanicking and just go
back-to-back meetings and neverdid anything else than meetings.
So there's a lot of assumptionsgoing on that everybody's full
on in Teams and everybody'sunderstood how we use the files.
So basically, there's usually alittle step back and get the
overview on how everythingsorted before I actually get to
(17:18):
the chance to say that we needto classify the data.
And I have companies who cometo me and say we're going to
start using CodePallet.
So I'm like, yeah, I can helpyou out.
And then we have a look ateverything and I'm like, well,
you don't have anything in Teams.
You're like where's your data?
Oh, it's on the file share.
Okay, so we need to's.
(17:40):
That's going to change, yeah,so so, uh, there's a lot of
cleaning, there's a lot of housecleaning, so yeah good, good,
very interesting.
Mark Smith (17:51):
Now let's look at co-pilot.
What?
What's your involvement beingin co-pilot?
You know what are we looking at?
A bit about 80.
Is it 18 months old now?
Year and a half old, roundabout, isn't it?
What type of work are you doingin the Copilot space?
Åsne Holtklimpen (18:08):
Well, we've done a lot of work with
Microsoft.
They've had a lot of fundingprograms for customers, so we've
done a lot of workshops withthem, with our customers.
So we've done a lot ofworkshops with them, with our
customers.
And I do a lot of back to thebasics because, like I said,
companies come to me that wantto start using Copilot.
Everybody's excited and thenyou have a look at the
(18:34):
environment, like, yeah, we gota lot of work to do here before
we used Copilot and it wasn't inNorwegian, I think May last
year, so almost a year it't inNorwegian, as I think May last
year, so almost a year, it wasin Norwegian.
So, obviously, a lot of waitingthere to get it up and running.
The public sector in Norwaythey really want to start using
(18:55):
technology quite early on, sothey're quite good at adapt
technology.
And I'm afraid of saying thisbasically because we have a
digitalization department inNorway, the public sector, who
said that everybody in thepublic sector should use some
sort of AI before 2025, by theend of 2025.
(19:19):
I'm like, okay, okay, yeah,that's great, but how, uh, why
what?
There's no guidance?
There's no.
There's no like how should weuse it?
There's no.
There's no teaching moment here, for for anyone, it's just we
need to use it before 2025.
It's like they're afraid ofbeing I can't.
(19:43):
I don't understand I don't knowthe word here but they're sort
of afraid that they're going tomiss the train, basically.
But it's like no, no, no, wecan't go out and say that the
public sector need to use AIbefore 2025 because they're not
ready.
They're not all in the cloud,they're not ready for it at all.
(20:04):
And so now they're moderatedand saying it's going to be
before 2030, but there's stillno guidance, there's still
nothing to help them get started.
There's nothing there.
So that's something I'm nowtrying to speak out a little bit
on, trying to see if I can finda way in there and say that we
(20:28):
need to give them something, weneed to have some sort of
guidance for them.
So this has been one of thethings we've been hearing a lot.
We get the public sector comingto us, we need to use Scope
Alert and we're like OK, we'llhave a look at your environment
and then we'll, like I said,take the step back, because it
(20:49):
feels like I'm pouring water oneveryone.
Just calm down, calm down,we're going to get there, but we
just need to do a little bitbefore, and we do a lot of
public web webinars out topeople.
I do a lot of talks ondifferent types of seminars and
all that Speaking aboutinformation security first and
(21:13):
foremost.
Then we can use CodePallet.
So it's been like I said I'msupposedly MVP on Copilot, but
I'm more of an informationsecurity foundation and yeah, so
important.
Yeah, it is, and you can't haveCopilot without it.
(21:35):
So that's what we see all thetime and that's what I've been
doing the last year and a half.
Mark Smith (21:42):
I like it.
I like it.
Asne, thank you so much forcoming on.
You have taught me a lot and Ihope the listeners find the
value here as well.
Åsne Holtklimpen (21:52):
It's been fun.
Thank you so much for having me.
Mark Smith (22:08):
Hey, thanks for listening.
I'm your host businessapplication mvp mark smith,
otherwise known as the nz365 guy.
If you like the show and wantto be a supporter, check out
buymeacoffeecom forward slash.
Nz365 guy.
Thanks and see you next time.
Thank you.
Welcome to the MVP show.
My intention is that you listento the stories of these MVP
guests and are inspired tobecome an MVP and bring value to
the world through your skills.
If you have not checked it outalready, I do a YouTube series
called how to Become an MVP.
The link is in the show notes.
With that, let's get on withthe show.
(00:31):
Today's guest is from Norway.
She works at Crayon as a cloudsolution architect.
She was first awarded MVP in2024.
She was named one of Norway's50 foremost women in technology.
She enjoys a good day out onthe boat during summer and a hot
cup of coffee with a good bookduring winter Perfect.
(00:53):
You can find links to her bioand socials in the show notes
for this episode.
Welcome to the show, Asne.
Åsne Holtklimpen (01:00):
Thank you.
Thank you so much for having meand, yeah, that was right.
Mark Smith (01:03):
Wow, that's cool.
That's cool.
I'll let you tell me how do youpronounce your full name Osne
Holtklimpen.
Åsne Holtklimpen (01:11):
Holtklimpen.
Mark Smith (01:13):
Excellent, excellent , holtklimpen.
Wow, yeah, I can see how peoplestruggle with it.
Like you were saying Incredible.
Åsne Holtklimpen (01:26):
Yeah, the.
Mark Smith (01:27):
Danish people are the ones who actually get it the
most.
Not the Norwegians, but theDanish, wow, wow.
So does it originate from?
Åsne Holtklimpen (01:31):
there.
No, it is Norwegian, it's justmy family who has it, so it's
from an old farm, so I'm a farmgirl originally.
Mark Smith (01:40):
Nice, nice, very cool.
I always start with food,family and fun.
What do they mean to you?
What are you into when you'renot doing work?
Åsne Holtklimpen (01:50):
Well, I was asked the same question the
other day because somebody askedme where I got the energy to do
all the webinars and all thethings I do.
And I'm like I don't have.
I live for what I do.
So I'm like, what do I actuallydo for fun?
Well, I try to exercise, um, Itry to.
I try to go out with friendssometimes, uh in, and if
(02:13):
somebody can feed me sushi whilegoing out with friends, I'm
happy.
But uh, but it's uh.
No, I love, I love what I do,uh, and I I think I use all my
energy towards doing what I do.
So when the workday and all thethings like when I've done my
blogs or whatever, when I'm donewith that, I'm just flat out.
(02:33):
So I try to recharge with alittle bit of exercise and a
little bit of sushi, and thenI'm happy to go.
I like it.
Mark Smith (02:41):
So what do you do?
Tell us about your job and whatyou do in the tech space with
Microsoft.
Åsne Holtklimpen (02:47):
Well, originally I'm from the old
SharePoint farms, so I've beenworking with SharePoint for
about 20 odd years and of courseTeams came along and that was a
sort of a natural adoption tostart with Teams.
And then we had a littlepandemic amidst all this after
(03:08):
Teams arrived.
So I've been sort of throwninto getting Teams up and
running for everyone and withTeams the focus on information
security came very clear to me.
So I started with that.
I started with trying to getpeople to sort out the
information security how teamswere set up, what to use when
(03:28):
and try to I wouldn't say dumbit down, but try to get people
to understand it, because IT wastalking over people's heads and
nobody was saying how we shoulduse it and how we should
facilitate setting up the teamsand orchestrate our information
structure and all that.
So basically I started justspeaking a lot about that and
(03:51):
try to get people to understand.
Doing webinars, doing videoswhen the pandemic hit too hard,
we couldn't go anywhere.
So obviously YouTube was agreat medium.
It didn't go anywhere.
So obviously YouTube was agreat medium.
And then Copilot arrived andthat was sort of put on top of
everything I was already talkingabout and then suddenly I was a
(04:13):
Copilot MVP basically.
So it's been a ride.
Mark Smith (04:20):
It's interesting that you're a Copilot MVP with
that security background,because I feel to implement
Copilot correctly with anorganization, you need to take a
security posture you know toreally one, not expose PII data
and risk data leakage.
Even if that risk is only aninternal risk.
(04:45):
It's still a risk all the sameand I like Microsoft's move to a
zero trust model with toolslike Purview and what you get
with Entry ID and the varioussecurity tools.
When you talk to organizationsabout implementing Copilot, what
are the type of discussionsyou're having?
Well?
Åsne Holtklimpen (05:04):
it's a start with the basics.
As you said, we've beenstruggling with this for a long
time.
We've been talking aboutinformation security for a long,
long time and nobody's beenlistening.
Everybody's like, no, we don'thave that much value, we don't
have that much data.
No, we're quite secure.
And everybody did the lift andshift from file service when the
(05:24):
pandemic hit because they hadto get access to data.
So everybody did either a liftand shift to SharePoint or a
team and no control whatsoever.
And I feel that when Copilotarrived and I keep telling
people that we need to go backto the foundation, we need to go
back and see what we need to doto get everything secure and
(05:50):
Some are listening and some arestill like, no, everything's
fine, we don't have anythingthat's that bad.
And if I'm lucky and I getaccess and can do an analysis
and see how things are, Iusually find a lot and they
start listening a little bit.
But it's like we've beenstanding yelling and yelling and
(06:11):
yelling get this ordered, getthis ordered and people are
still having a hard time tryingto listen to it.
And security has never beensexy, right?
So IT people have talked aboutsecurity both in network, in
entra in devices.
We've been talking aboutsecurity for such a long time
(06:33):
and we still have customers whocan't see the point of having
MFA.
And now we're like, yeah, youneed to secure information as
well.
So it's sort of, oh no, no,another thing.
So we still struggle to getthrough it.
But usually I say that if youstart with classification, if
(06:53):
you start, just start with thesmall things you can easily add
on later on, but just start witha classification and try to get
that going, and then at leastyou have started, and then you
can take your time and add moresecurity on top of that, as long
as you get something rolling.
(07:13):
But we still struggle.
It's weird.
Mark Smith (07:22):
The situation that you explained then, which was,
if I get access, when people aresaying, no, we're all secure,
we're fine, there's nothingreally important on our network.
This is something I've heardanother MVP talk about.
And as soon as they give himthat access and then he does a
range of queries and he showsthem what he can find with, you
(07:47):
know, using search and whatnotand I've used this talk track
for a while now security byobscurity, right?
Is that?
Because people can't see it.
They're like, well, nobody cansee it and they don't understand
that AI looks for patterns andcan uncover that, and somebody
(08:08):
that doesn't necessarily asstrong at search they don't need
to be because a prompt isenough to get them off to the
races.
When you do that with anorganization and you're wanting
to get those quick wins andthose oh my gosh, I didn't
realize moments from them and oh, okay, we do need to do
something.
What are you typicallysearching for?
Is it kind of like exposedcredit card numbers?
(08:29):
Is it passwords?
Is it perhaps dodgyconversations?
What are you looking for thatwill really light them up to go?
You know what.
We do need to do somethingserious.
Åsne Holtklimpen (08:42):
Usually I do like the Norwegian personal
identity numbers because that'spart of the sensitive
information that we are requiredby law to make sure that we
don't find credit card numbers.
We have a little bit of thatbut we're not.
I don't think that Norway is,we don't, we don't share that as
(09:03):
much like default.
So it's more.
It's more the personal identitynumbers.
And then I have health, likedifferent diseases and stuff
like that health you know.
So I go in and usually use akeyword search list with all the
different health criteria Ihave, and then, of course, the
(09:24):
90-day number.
And we've had a lot of cases inNorway where we had public
institutions going and oh, wefound this many numbers and this
information was open toeveryone within the organization
and things like that.
So I can sort of I usually takethose news reports and say that
this is what happened and thisis the find they got you know
(09:46):
and just show them this is gonnathis, this will be something
that I'll find with you as well.
Maybe not as many, maybe more,you never know, but this will be
found because I'll find withyou as well.
Maybe not as many, maybe more,you never know, but this will be
found because you don't haveanything to sort of remediate
things like that.
When you have emails, you knowyou've got a CV, you've got a
question for somebody that'sgoing to be hired, and then you
(10:09):
have identity numbers all overthe place.
So usually I find a lot of themwith no control.
Mark Smith (10:18):
So what's your next step?
So let's say, the company hassaid you know what, okay, we do
have a problem, we need to dosomething.
Is there a particular Microsofttooling configuration?
What is it that you start to doto take them on a journey of
you know, to security, to datasecurity?
Åsne Holtklimpen (10:37):
well, I use purview, um with just about
anything data security related,because that's obviously my, my
field, and I have greatco-workers and I know entra and
I know a little bit of Intuneand all those sort of devices as
well.
So I facilitate them as much asI can do, but then I drag them
(11:04):
with me into what we prefer todo is sort of a workshop with
our customers, and then we cansort of okay, we found this, we
found this, we found this and wefound this and this is how
that's going to affect you andyour environment if you don't do
anything about it.
What we suggest is that you dothis and that will affect the
end users like this, becausethey need to.
(11:25):
I, everyone, like all thecustomers we talked about, uh,
talk with not about, but talkwith.
Uh, they have like, well,that's going to take us so many
hours, it's going to take a lotof time, it's going to cost us
so many money and uh, you knowthey have the and obviously, the
end users.
They're very worried about theend users, uh, how we're going
(11:47):
to handle them.
So we try to.
We try to say that, well, thisis this little thing, here is
what you need to do.
It's not going to take thatmuch time.
We can help you.
And this is going to affect endusers like this, because they
need to let the end users knowas well.
So basically, I do the purviewthing, I do the classification.
(12:09):
Well, I tell them to do theclassification because obviously
they need to decide it before Istart anything, and then I sort
of add on the little featuresyou know and then you have the
policies and then you havesensitive info types to detect
and add labels on theinformation.
And then you do the data lossand you sort of add on the list
(12:31):
and I try to make it like insmall packages so it seems
easier to consume, because allIT people want to throw
everything at a customer or atan environment all at once and
then they sit there, themanagement sit there and just we
(12:51):
can't do this.
This is too much.
But if you sort of package itand we start with this little
bit and then we wait for twomonths and then we start with
this little bit, so I lovePurview.
I think it's an amazing tool andI wish more people could see it
and I wish more people couldstart using it and start to see
(13:13):
that it's not that hard to getstarted.
Um, you just need to access itand sort of you.
Well, obviously you get uh, youget the wizards as well.
They're there, they'll help you, and with co-pilot on top of
that, you know, just just do it,just start sorry.
Mark Smith (13:34):
So I'm gonna ask you a license question because you
work for Crown and obviouslyit's something that they do.
How, if someone was like oh mygosh, what is this Purview thing
and how do I get started withit?
Is it part of the E5 licenseSKU or is it a bolt-on SKU?
Is there levels to purview?
(13:59):
How do you talk about it from alicensing perspective?
Åsne Holtklimpen (14:02):
Well, I don't have a doctorate in licensing
and you need one now.
Nobody does.
But with the EC package you geta lot of the features, but what
you get with the E5 or the E5compliance, you get the
automation.
That's what I usually say, thatif you go up to E5, you get the
(14:25):
automation.
But you can do it, can dolabeling and you can do a policy
and you can do a lot with theE3 license.
But E5 will get you all theautomatics and the ability to
maybe, maybe, maybe, get 100%labeled files and data.
But with the E3, you need to doa lot manually.
Mark Smith (14:48):
Right, right, that's brilliant.
That's a nice clear-cutclarification.
So so do you kind of work on?
You know you have this phasedapproach, which I think is so
important because you know ifyou throw everything at it, all
of a sudden nothing works foranybody, and then you're dealing
with just complaints left,right and center.
(15:08):
Do you kind of have a maturityassessment model that you run
with an organization that youknow you might be starting the
most journey?
Åsne Holtklimpen (15:26):
You might not even tell them you're going to
get them to this point but overthe course of a period of time,
whatever is you're going to getthem from, let's say, uh to a
zero trust posture.
Do you kind of do you have thatkind of thought process in your
head?
Yeah, obviously, because whenyou, when you first get to know
a customer, you just suddenlysee that, oh, we're not in teams
, so there's, we can't, we can'tstart with labeling, because
they're actually not, they'renot sorted in teams, they don't.
They maybe have one team andthey use teams for meetings and
chats and that's it.
(15:47):
So then it's like, okay, I needto take a step back.
And okay, first of all, we needthe foundation, we need to see
how we can use teams and we needto see how we can use
sharepoint, and then I then Iusually add on after that, as
well as with purview.
You know we need to see how wecan use SharePoint, and then I
usually add on after that, aswell as with Purview.
You know we need this firstbecause nothing's going to work
unless we have the files in M365, right, because how can you use
(16:09):
Copilot on top of that?
How can you?
You can't do anything if youdon't have it there.
So I sort of, and usuallythey're they have some ability
to listen to that becausethey're like, oh, I thought we
used Teams.
I'm like, no, yeah, you use itfor meetings but nothing else.
And that's also something thatwe see from the pandemic.
(16:31):
I have a friend who always saythat assumption is the mother of
all fuck-ups.
That assumption is the motherof all fuck-ups and it's
basically this because themanagement after pandemic they
think that everybody used Teamsand everybody understood how
they used Teams.
And then we have new hires thatcame after the pandemic.
(16:54):
We have users who are justpanicking and just go
back-to-back meetings and neverdid anything else than meetings.
So there's a lot of assumptionsgoing on that everybody's full
on in Teams and everybody'sunderstood how we use the files.
So basically, there's usually alittle step back and get the
overview on how everythingsorted before I actually get to
(17:18):
the chance to say that we needto classify the data.
And I have companies who cometo me and say we're going to
start using CodePallet.
So I'm like, yeah, I can helpyou out.
And then we have a look ateverything and I'm like, well,
you don't have anything in Teams.
You're like where's your data?
Oh, it's on the file share.
Okay, so we need to's.
(17:40):
That's going to change, yeah,so so, uh, there's a lot of
cleaning, there's a lot of housecleaning, so yeah good, good,
very interesting.
Mark Smith (17:51):
Now let's look at co-pilot.
What?
What's your involvement beingin co-pilot?
You know what are we looking at?
A bit about 80.
Is it 18 months old now?
Year and a half old, roundabout, isn't it?
What type of work are you doingin the Copilot space?
Åsne Holtklimpen (18:08):
Well, we've done a lot of work with
Microsoft.
They've had a lot of fundingprograms for customers, so we've
done a lot of workshops withthem, with our customers.
So we've done a lot ofworkshops with them, with our
customers.
And I do a lot of back to thebasics because, like I said,
companies come to me that wantto start using Copilot.
Everybody's excited and thenyou have a look at the
(18:34):
environment, like, yeah, we gota lot of work to do here before
we used Copilot and it wasn't inNorwegian, I think May last
year, so almost a year it't inNorwegian, as I think May last
year, so almost a year, it wasin Norwegian.
So, obviously, a lot of waitingthere to get it up and running.
The public sector in Norwaythey really want to start using
(18:55):
technology quite early on, sothey're quite good at adapt
technology.
And I'm afraid of saying thisbasically because we have a
digitalization department inNorway, the public sector, who
said that everybody in thepublic sector should use some
sort of AI before 2025, by theend of 2025.
(19:19):
I'm like, okay, okay, yeah,that's great, but how, uh, why
what?
There's no guidance?
There's no.
There's no like how should weuse it?
There's no.
There's no teaching moment here, for for anyone, it's just we
need to use it before 2025.
It's like they're afraid ofbeing I can't.
(19:43):
I don't understand I don't knowthe word here but they're sort
of afraid that they're going tomiss the train, basically.
But it's like no, no, no, wecan't go out and say that the
public sector need to use AIbefore 2025 because they're not
ready.
They're not all in the cloud,they're not ready for it at all.
(20:04):
And so now they're moderatedand saying it's going to be
before 2030, but there's stillno guidance, there's still
nothing to help them get started.
There's nothing there.
So that's something I'm nowtrying to speak out a little bit
on, trying to see if I can finda way in there and say that we
(20:28):
need to give them something, weneed to have some sort of
guidance for them.
So this has been one of thethings we've been hearing a lot.
We get the public sector comingto us, we need to use Scope
Alert and we're like OK, we'llhave a look at your environment
and then we'll, like I said,take the step back, because it
(20:49):
feels like I'm pouring water oneveryone.
Just calm down, calm down,we're going to get there, but we
just need to do a little bitbefore, and we do a lot of
public web webinars out topeople.
I do a lot of talks ondifferent types of seminars and
all that Speaking aboutinformation security first and
(21:13):
foremost.
Then we can use CodePallet.
So it's been like I said I'msupposedly MVP on Copilot, but
I'm more of an informationsecurity foundation and yeah, so
important.
Yeah, it is, and you can't haveCopilot without it.
(21:35):
So that's what we see all thetime and that's what I've been
doing the last year and a half.
Mark Smith (21:42):
I like it.
I like it.
Asne, thank you so much forcoming on.
You have taught me a lot and Ihope the listeners find the
value here as well.
Åsne Holtklimpen (21:52):
It's been fun.
Thank you so much for having me.
Mark Smith (22:08):
Hey, thanks for listening.
I'm your host businessapplication mvp mark smith,
otherwise known as the nz365 guy.
If you like the show and wantto be a supporter, check out
buymeacoffeecom forward slash.
Nz365 guy.
Thanks and see you next time.
Thank you.
Popular Podcasts
Crime Junkie
Does hearing about a true crime case always leave you scouring the internet for the truth behind the story? Dive into your next mystery with Crime Junkie. Every Monday, join your host Ashley Flowers as she unravels all the details of infamous and underreported true crime cases with her best friend Brit Prawat. From cold cases to missing persons and heroes in our community who seek justice, Crime Junkie is your destination for theories and stories you won’t hear anywhere else. Whether you're a seasoned true crime enthusiast or new to the genre, you'll find yourself on the edge of your seat awaiting a new episode every Monday. If you can never get enough true crime... Congratulations, you’ve found your people. Follow to join a community of Crime Junkies! Crime Junkie is presented by audiochuck Media Company.
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.