Journals of the Information Entrepreneur - Jacqueline stockwell
Welcome to "The Journals of the Information Entrepreneur"! Hosted by Jacqueline Stockwell, CEO and Founder of Leadership Through Data, this podcast is dedicated to empowering and inspiring information leaders across the globe. Jacqueline shares her expertise in revolutionizing information management training and delivering it in a way that captures the audience's attention and ensures their time is well spent. In each episode, Jacqueline engages with industry experts and thought leaders to discuss the latest trends, challenges, and best practices in information management.
Journals of the Information Entrepreneur - Jacqueline stockwell
038 Keeping Your Information Safe with Microsoft Purview
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
In this episode, Jacqueline Stockwell is joined by Ewelina Paczkowska, a Microsoft Security MVP, to explore the evolving world of data protection. From Ewelina’s unique journey into the field to the technical nuances of Microsoft Purview, this episode is a deep dive into securing the modern digital workspace.
Why Listen?
Understand why Identity is the new perimeter.
Learn how to effectively plan and test Data Loss Prevention (DLP) strategies.
Get insights into how AI will change security and compliance forever.
Discover the importance of community and proactive learning in tech.
"Never trust, always verify."
Microsoft Purview, cybersecurity, data protection, Microsoft 365, security compliance, zero trust, passwordless authentication, AI in security, data governance, identity access management.
Connect with: Jacqueline Stockwell ARIM, BA Hons, MSC | LinkedInEwelina Paczkowska | LinkedIn Community group: https://www.meetup.com/m365sandcug
LinkedIn for Ru Campbell: https://www.linkedin.com/in/rlcam
LinkedIn for William Francillette: https://www.linkedin.com/in/william-francillette-51496426
Hello and welcome to today's show. I'm Jacqueline Stockwell, CEO and founder Leadership Through Data. I inspire and motivate information leaders across the world.
SPEAKER_02Hello and welcome to the show. I am thrilled to have Evelina with me today. And we're going to be talking about Microsoft Purview and keeping information safe. So Evelina, do you want to introduce yourself for the listeners?
SPEAKER_00Sure. So hi everyone. Thanks very much for first of all for having me on here. My name is Evelina Pochkowska. I'm a solution architect at a company called ThreadScape, where I usually just specialize around anything to do with purview. So data compliance, data security, data governance, but obviously I do a little bit of everything within that Microsoft 365 security and compliance stack. And then as of the 1st of December 2025, I'm also Microsoft Security MVP in Microsoft Purview. So really proud of that. There's about six or seven of us females within the Purview MVP space. So definitely very glad to be part of that community.
SPEAKER_02Yeah, and sensational work for that. So I just think you know, massive fan of applause. I was cheering as you were saying that. Um, because that's a real sort of like career highlight to get that acknowledgement from Microsoft, isn't it, about all the work that you're doing with them and customers. So let's take you from present to past. So what made you move from customer services to cybersecurity?
SPEAKER_00So it's an actually really interesting story, and I think everyone within the cybersecurity space has a different start with um getting to where they are now. So my path definitely wasn't typical. So I went through years and years of working in different customer service jobs from being in the betting shop industry, then ended up in accounts, and then finally making that move just before the pandemic into the world of IT. So I've always had that passion for IT, but it wasn't until COVID that I actually realized, you know what, I'm actually going to pursue something that I really, really enjoy. So I think the the thing about cybersecurity is that I've always had that interest into why incidents were happening, what was the root cause of them, how we could actually avoid them in the future. So that what made it very interesting for me to get into cybersecurity to actually be able to prevent incidents from happening. So I'm more about being proactive than reactive now with my approach, and this is what I really, really enjoy.
SPEAKER_02Yeah, beautiful. It's all about being proactive. I love that. And I think like just listening to you can hear the experience that you would have had and how that correlates into your current role. Can you just explain what has helped you from your past role to your present role?
SPEAKER_00Sure. So, well, I've always worked in very busy environments, very fast-paced. So that just allowed me to learn how to prioritize things. So, in the world of cybersecurity, and I'm sure it's the thing about other jobs as well, is that there's definitely more to do than we have the time for, right? So you do need to be really good at time management and trying to prioritize your task and stay calm under pressure. And in cybersecurity specifically, all the communication skills that I've had from previous jobs definitely help me because when I work with customers around the purview project, or maybe it's conditional access or whatever it might be, it's all about communicating things clearly, right? So it's not just about the technical aspect of something. You need to have those interpersonal skills to be able to have those sometimes difficult conversations with the clients as well. So that definitely um helped me kind of shape with how I deal with different types of projects and how I how I deal with my clients.
SPEAKER_02Yeah, brilliant. It's definitely those interpersonal skills, isn't it? That um is one of the key drivers to get things through. So um you run the Microsoft 365 Security and Compliance User Group, is that correct? I do, yeah, that's correct. Amazing. And what does that involve and how can people connect with that group?
SPEAKER_00Sure. So first of all, it's all really about providing a free platform for anyone to join us during our monthly sessions where we usually have two speakers, two sessions on. So it's usually the last Wednesday of every month, so we're bringing in amazing MVPs or other people within the community that are willing to share their knowledge and the practical insights from real-world implementations rather than showing you something around theory. So I am one of the co-organizers, so I co-organized that group with two of my Threadscape colleagues, so Rue Campbell and William Francelette. So shout out to them if they're watching. But I think the real value obviously comes from the community members just joining us every month, sharing their insights, and then also networking and connecting together as well. So we also have a lot of people joining us and then even chatting, you know, on Microsoft Teams in the chat, and then we see them on LinkedIn, and we see them kind of contributing to the community in their own ways, which is always so amazing.
SPEAKER_02So amazing. Certainly in a virtual space, I just think it's fantastic. So let's talk about Microsoft 365 security. So, what do most businesses or organizations get wrong with um Microsoft 365 security?
SPEAKER_00Wow, I think the biggest misconception about Microsoft 365 ecosystems in general is that people and organizations often presume that everything would be configured properly for them, that every everything would be secure by default. So we are all aware at this stage that Microsoft has got this very big initiative secure by default and secure by design, but unfortunately we're nowhere near the point where we want to be at because some of the configurations do require making sure that everything is secure in your environment. So just because you purchase a license and you have all the functionalities now does not mean that it does not require photo configuration to make sure that your environment is actually fully secure and compliant.
SPEAKER_02How would you explain zero trust in simple terms?
SPEAKER_00Well, uh, simply said, it's always trust. Sorry, never trust, always verify. See, I even got it wrong. So it's just about making sure that the access is being evaluated continuously rather than trusting because someone has signed in before, right? So when I talk about a zero trust, I usually just do it in conjunction with the fence in depth approach because you have to layer all different protections all the layers, you have to secure all different layers of your environment, right? So from identity down to the data level as well.
SPEAKER_02Fantastic. Can you share an example where conditional access stopped a security problem?
SPEAKER_00I mean, I can share so many. Conditional access, I think, is an amazing, amazing tool that everyone should be able to use. I think a couple of ones that I can definitely talk about would probably in the recent months would be preventing the authentication downgrade. So you can do it by utilizing the authentication strengths and, for example, passwordless authentication, or require re-authentication every time that someone is trying to carry out some kind of a protected action. So we see a lot of people, even though they might have uh multi-factor authentication setup, they might go for a weaker form of authentication, like an SMS or a voice call, which are very easy to get compromised. So we hear about all those uh types of scenarios all the time. But we did have a couple of clients where an account was actually compromised, so someone did a password spur attack, but then that standard user was going to carry out a specific action, and for that we required to step up authentication with a very specific authentication method in place, which was a physical FIDO2 key. So obviously the attacker didn't have access to that, so they got locked out of the system in the end, and we were able to spot it, and uh conditional access came into play and prevented further damage from happening. Thank you.
SPEAKER_02So let's talk a bit about data protection. So why is organizing and managing data so important today in Microsoft 365 space?
SPEAKER_00I mean, all the industries, all different organizations are producing way more data than we used to produce in the last 5, 10, 15 years. With the introduction of AI, it obviously imposes a new risk now. So organizations need to be able to protect their data and know exactly where that data is being stored. Because if you don't know what type of uh data you have within your environment and how you're supposed to be protecting that, well, there's no way that you're going to be successful at that data protection element of it. So, how does Microsoft Purview help companies follow uh so Master Purview for anyone not actually familiar with that product? This is a very comprehensive, very complex suite of tools that help you know your data, so help you discover where that data resides, define those data types and what is actually important for you and your organization, and then put in prevention um measures in place and help you govern that data as well. With AI risks and with risks of any data exfiltration, unauthorized access, um, data loss, you can put in policies in place across your Microsoft 365 workloads and beyond because you can extend them now to third party services as well. And make sure that there's nothing happening that you do not wish to happen. So it's there to protect your data and help you govern that in the best way possible.
SPEAKER_02I love it. What mistakes do businesses make with data loss prevention?
SPEAKER_00I mean, so many, and I've read enough about common mistakes that I see people make uh with data loss prevention, so people can can find it on my blog at wellcastworld.com. But I think the biggest, biggest uh mistake would be the lack of planning and testing, right? So you need to make sure that it's not going to be obstructive to the users, that it's not going to frustrate them because some of the policies might be too restrictive. And no the same set of conditions or policies should be applied across all the different departments. So having that experience for me, for example, working in the account space, I know that we cannot, for example, deploy the same set of rules to them when we compare them to, for example, the types of data that the IT departments would be sharing, right? So the lack of planning and the lack of strategy. And also I think the lack of communications and transparity uh between the IT teams or the management team and the end users who are going to be affected by those policies. So you need to make sure that the end users know exactly why you're putting those policies in place, what they're uh hoping to achieve. And I think that makes the uh conversations then easier because if you don't do it, people will just try and find a work around how they can bypass some of those security parameters, and that will then, as a result of that, generate um shadow AI or shadow IT as well.
SPEAKER_02And that really draws back what you said about the proactiveness rather than reactive, and also those you know conversations that you need to have with end users and the organizations about those. I call them essential skills. Nice, nice, amazing. So let's talk about identity and access. So, why is identity now the new parameter for security?
SPEAKER_00I think some people in the community are very upset with us calling it that still because that's been going on for years, but let's stick with that because it is the new uh perimeter. I think when people work from everywhere now, it's very hard to get that one security boundary like a network that we used to have many years ago, right? So, identity is the constant now, and it's essentially your first line of defense, right? So, this is something that an attacker is going to compromise first before they possibly might get to your crown jewels being your data. So I always say to my clients and I always say to the community that you might have the best mixed up purview solution in place with the best types of policies, with really strict encryption, but what good is that if your user gets compromised? So that's why it's so important and you need to make sure that you're fully protected because if someone can get in through that first layer, well, they can then move a lottery, they can then go and access more data within your environment. So that's very, very risky, and we definitely don't want that to happen.
SPEAKER_02And you talked a lot about security, you talked about trying to make it user-friendly for end users. How do you keep things secure without making life difficult and harder for those users?
SPEAKER_00That's always the tricky part because it sounds easier than it actually is. But I'm a big fan of, for example, passwordless authentication. I think it's very simple for the end users and it's actually secure. So that's just one of the tools that people can use to make sure that they can make their end users' lives a little bit easier by using Windows Hello for business or pass keys, whether these are on the phone, or a physical 502 keys and so on. So people don't need to be worrying about passwords and stuff like that. But apart from that, I think, and I'm going to give you a very generic answer here, but I think again it kind of goes back to that transparency piece, right? So as long as the users know, as long as there's a data policy maybe in place, some kind of a data sharing policy. Now, with AI, this is something that organizations need to think about. So as long as you tell your users whether you're allowed and not allowed to do, how things actually work, and you're very transparent about the need for those security measures, I think they will have that a little bit of understanding and they will actually help you and cooperate rather than go against those different controls.
SPEAKER_02Um, so I'm gonna take you to the future now. So, what new trends in security are you most excited about?
SPEAKER_00Definitely uh the adoption of passwordless authentication um to a little bit of an uh wider audience. So if we can uh do a wide adoption of it, that would be great. I think it would be help a lot of organizations stay secure, but also it will reduce the MFA fatigue that some of the end users might be uh might be experiencing. And I mean, uh I'm kind of hopeful and very excited about the possibility of maybe having a privacy aware AI tools. I don't think we're anywhere near that point just yet, but I'm very hopeful and excited about the possibilities that that will bring, that it will actually help us trying and stay secure and have that privacy in mind rather than us struggling to keep up with all the changes all the time and putting in those guardrails in place when those AI agents pop up. How will AI change security and compliance in the next few years? I wish I would know because I don't think anyone knows what is going to happen. If we look at the last couple of years, like who would have known that this is where we're going to be um ending up at, you know, so I don't know. I wish I would know. One thing I do know for sure is that attackers use AI because they have access to those tools as well and they will continue using them. So we will just need to constantly try and stay on top of the AI defense uh side of a thing, right? So it's going to become very essential for us to keep up with the with the trends and what a new attack is is happening in the world. So I think we are going to struggle with that because I don't know about you, but even now it's pretty overwhelming with the the speed and the amount of new tools being released every single day. So hopefully we can be very successful in that and we can foresee some of the stuff that will be happening, but it will definitely be about defending the risks associated with AI. I don't think we can be very proactive here.
SPEAKER_02Yeah, and a lot of our customers at Leadership Through Data, they're overwhelmed of they've got their day job and they've still got to keep up with all the changes in Microsoft. So we have the uh catch-ups, so we call them catch-ups, so they just catch ups of all the uh conferences and the releases that happen every three months, just bundled together and chucked out in one sort of like you know, webinar. Um, and that's all part of a community as well. So it that's brilliant. That sounds amazing. Yeah, yeah. Yeah, thanks. Um, so what tips would you give someone starting in Microsoft 365 security?
SPEAKER_00Wow, I mean, community is a big thing, right? So now, more than ever, people have access to so many amazing resources out there that you can join user groups, you can join podcasts, you can watch other people's YouTube videos, you can read blogs. So there's so much content out there that not only breaks down what a Microsoft Learn documentation might not essentially give you, but also provide you with practical insights. And I'm I'm a big fan of learning by doing. So hands-on labs, set up your tenancy. There are some free tenants that you can still set up and play around with that, you know, and break stuff in a safe in a safe kind of manner because that's how you are going to learn. So that's what I would say to anyone thinking of Stretten within the Microsoft 36.
SPEAKER_02Nice. Um, because like I think that's great advice, but sometimes it's uh can be quite challenging and overwhelming to kind of look for all those things that you've just said, um, and think, oh, okay, I want to kind of execute that. And I would always strongly recommend listeners to follow you on LinkedIn, see the pathway. There's a big you know, Joanna Klein, I think she's excellent. And there's Andrew. Shout out to Joanne. Yeah, I love that woman. There's um Andrew Warland in Australasia, there's Sarah Fenner, there's Shrag Patel uh that we all work with as well. So they would be big, big, big big, big people to kind of um follow. One of the things that I kind of really, and you've touched on it, and we find that very much in leadership through data, customers that we're working for is this essential skills like these, you know, core skills that you know we've got very technical people, very technical-minded, but it's actually how do you break that into a language that people understand? What would your advice be for people to look at those sort of like more people-related skills? Where could they look to su get that support?
SPEAKER_00Wow, what a great question. And I definitely agree. And I do think that a lot of companies not necessarily hire for it just purely the technical skills, but it's in it's the intra personal skills that people would hire. Because you can just learn the technical skills anyways, right? But when it comes to communication skills, when it comes to being a quick learner or even having that willingness to do stuff, you know, that definitely kind of sometimes always takes um precedence over your technical skills when you're dealing with a specific client or dealing with a specific person, right? So, how could you learn that? I mean, again, the more that you do, I think the better you get at it, right? So if you're bad at communicating, just practice speaking. If you're planning to join any podcast uh to talk about stuff and break stuff down in a more digestible kind of items so people don't get overwhelmed, and if you if if you can explain those concepts easily, again, practice I think makes it perfect, right? So if you have to do it, practice in front of a mirror. If you've got an interview coming up, just practice, you know, write down what you need to say and try and stay natural because obviously, not no one is going to be expecting you to learn everything by heart and so on. But I think the more you practice, the better you get at it. And again, there are so many different tools out there that you can watch that you can follow. I know you were given a lot of great lessons around public speaking and so on. So people following you, watching your content, interacting with that content, or even reaching out to people within the community saying, Look, this is what I'm struggling with. Could you help me? Or how would you go about that? How did you do it? And there's no shame in reaching out to people within the community. I mean, you know, I've reached out to so many people before in my life as well, and I've never uh I've never had that experience where someone just said no to me. So if you don't ask, you don't receive. But yeah, I think it's practice that makes it perfect.
SPEAKER_02Yeah, a hundred percent. And when you talk about communication, I would recommend a really good book called Surrounded by Idiots. I don't know if you've read it, around the disprofile sensational, honestly. Um, it allows you to understand other people and it helps you to communicate how they want to be communicated too. Because um, you know, previously it used to be, oh I want to be communicated the way that I want to be communicated, you know. Um, but that's just not it's just not how it works. Like everybody is different, they've got different personality types, and this puts it into colour profiles. So I'm a massive I love rainbow colours, so it does uh red, green, yellow, and blue, and then it breaks it down to sort of like the authoritative people, the people pleasers, the entrepreneurs, the enthusiastics, the data mindset. So in four colours, and everybody can be every one of the colours, it's just where you are and which communication style. Once you start to to understand that, I think it's a really good methodology of getting buy in from end users, senior managers, kind of get things over the right because that's the softer skills. And I definitely think that there is a really Gap and I know leadership through data are working on in a power programme, but it blends all the soft skills with the technical skills, with the compliance skills, with the law, actually gives you a really rounded kind of skill set rather than training kind of it in silo as well. Yeah, it wasn't um Sal's point from my perspective. It was more interested if you knew about it because you were talking about it so much.
SPEAKER_00So another I didn't actually read the book, but uh I'm definitely going to purchase this as soon as we finish uh recording. Uh it's definitely on my uh top priority list now for for things to to lead, and by all means, big shout out to uh leadership true data because you guys are doing really amazing stuff. So further play to you all.
SPEAKER_02Thank you for it. It has been absolutely sensational. I know it's taken us a while to get here, but it's been worth the wait. Your knowledge and your um technical skills has just been sensational. I'm sure that listeners will absolutely love this. They can reach out to you via LinkedIn. We'll also get the community group um as part of the show notes. Um so people can kind of follow you on from there. And also the other two people that you shouted out to as well. Perhaps we could put them on the show notes for um to engage to the other community group. Amazing.
SPEAKER_00Again, thank you very much for having me.
SPEAKER_02You're absolutely Sejar. Thank you so much.
SPEAKER_01Thank you. Thank you for listening to the journals of the information entrepreneur with me, Jacqueline Stockwell. I hope you found this episode inspiring and helpful and have some takeaway tips that can be useful to you. If you liked this episode, please like, review, and share it with your friends. Your support helps us reach more information leaders to stay inspired and listen to great content. Want to test out your strengths and weaknesses and measure it against our empower framework? Please complete the scorecard. It's a great way to improve and evaluate your skills. You can find the scorecard at the end of the description of this podcast. Stay tuned for new podcasts every Thursday and remember to be bold, be brave, and be beautiful.