IT Leadership Interview: How PwC and Microsoft are Rewriting the Rules of Enterprise Security

As the first professional services firm to pilot Microsoft’s Baseline Security Mode, PwC exposed the hidden risks of legacy infrastructure. Prakash Venkata, Principal in PwC's Cyber, Risk & Regulatory team, reveals how the global giant turned a "stress test" into an enterprise blueprint for the secure-by-default era.


Published: December 23, 2025

Kieran Devlin

“Don’t wait for a crisis to happen to use the kill switch,” Prakash Venkata warned in conversation with UC Today.

It is a stark imperative from a man who has spent two decades fortifying the digital perimeter of one of the world’s largest professional services networks. As a Partner in PwC’s cybersecurity practice and the firm’s Global Cyber Alliances lead, Venkata does not deal in hypotheticals. Rather, he operates in the visceral reality of supply chain vulnerabilities and nation-state actors.

For years, the philosophy governing enterprise IT and security was one of bespoke fortification. You build a unique castle, dig a custom moat, and assume your idiosyncratic architecture offers obscurity, if not security. That era is drawing to a close. PwC recently became the first professional services firm to pilot Microsoft’s Baseline Security Mode (BSM), a rigorous, standardized posture designed to eliminate the configuration drift that often plagues modern tenants.

The pilot was intended as a stress test of the tension between operational agility and existential security. “The challenge is that it’s not just one organization getting impacted when there is a vulnerability; the entire supply chain is affected,” Venkata explained. By opening the hood of PwC’s complex, federated network to Microsoft’s engineering teams, Venkata and his colleagues have provided a roadmap for how enterprises can navigate the transition to a “secure-by-default” world without disrupting business operations.

The Professional Services Stress Test

PwC embodies the ultimate edge case for any standardized security framework. Unlike, for example, a manufacturing entity with a static perimeter, PwC is a mobile army of auditors, consultants, and tax professionals connecting from thousands of different networks, often embedded within client environments. If a security baseline can withstand scrutiny here, it can withstand scrutiny anywhere.

However, the initial deployment of the pilot immediately exposed the load-bearing legacy in the corporate closet: deprecated protocols that were assumed to be gone but were still in active use.

The first casualty of the audit was the assumption of modernization. IT leaders often believe their environments are cleaner than they are, but BSM’s observability tools revealed the stubborn persistence of deprecated technologies. “One was the Exchange Web Services, which we all thought were deprecated and gone. We still noticed that being in our environment,” Venkata admitted.

Technical debt is one thing, but these are fundamentally dormant vulnerabilities waiting for a threat actor to exploit them. The complexity of a global firm means that somewhere, in some territory, a legacy file-sharing protocol is still humming along because a specific client engagement ten years ago required it.

Venkata noted the difficulty of managing this shadow infrastructure: “We were using deprecated or non-compliant ones globally in some way or another, and we did not have visibility into it to observe, monitor, or take it out of the environment.” The pilot forced Venkata and PwC to confront a complex reality. You cannot secure what you cannot see, and you cannot modernize what you mistakenly believe is already gone.
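The article does not say which tooling surfaced the lingering Exchange Web Services (EWS) traffic at PwC, so the following is an added example rather than PwC’s or Microsoft’s code. It shows one way a tenant admin can establish the visibility the passage describes before pulling the plug: read the tenant-wide and per-mailbox EWS switches with the Exchange Online module, then check Entra sign-in logs for recent EWS use with the Microsoft Graph module. It assumes both modules are installed, that the operator holds Exchange admin rights and the AuditLog.Read.All Graph permission, and that a mailbox’s primary SMTP address matches the user principal name in the sign-in log; the 30-day lookback and the dry-run `-WhatIf` are deliberate placeholders to adjust.

```powershell
# Added example (not PwC's or Microsoft's code): inventory where Exchange Web Services
# is still enabled or still in use in a Microsoft 365 tenant before turning it off.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and
# that the operator has Exchange admin rights plus the AuditLog.Read.All permission.
# Lookback window and the UPN == primary SMTP address assumption are placeholders.

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'

# 1. Tenant-wide EWS switches. An unset (null) EwsEnabled is treated as enabled;
#    only an explicit $false turns the protocol off for the whole tenant.
Get-OrganizationConfig |
    Select-Object EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList

# 2. Mailboxes that have not been explicitly opted out of EWS
#    (null at mailbox level means "inherit the organisation setting").
$ewsMailboxes = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.EwsEnabled -ne $false } |
    Select-Object PrimarySmtpAddress, EwsEnabled
"$($ewsMailboxes.Count) mailboxes can still be reached over EWS"

# 3. Who has actually used EWS recently? Interactive sign-ins record the protocol
#    in ClientAppUsed. An empty result over the full retention window is the
#    evidence you want before disabling; a non-empty one is the remediation list.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$ewsSignIns = Get-MgAuditLogSignIn -All `
    -Filter "clientAppUsed eq 'Exchange Web Services' and createdDateTime ge $since"

$ewsSignIns |
    Group-Object UserPrincipalName, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. Remediation, narrowest scope first: disable EWS on mailboxes with no recent
#    usage (dry run here), and flip the tenant-wide switch only once step 3 is empty.
$activeUsers = $ewsSignIns.UserPrincipalName | Sort-Object -Unique
foreach ($mbx in $ewsMailboxes) {
    if ($activeUsers -notcontains $mbx.PrimarySmtpAddress) {
        Set-CASMailbox -Identity $mbx.PrimarySmtpAddress -EwsEnabled $false -WhatIf
    }
}
# Set-OrganizationConfig -EwsEnabled $false   # tenant-wide kill switch, once usage is zero
```

Two caveats a practitioner should keep in mind. Entra interactive sign-in logs are retained for a limited period (30 days on P1/P2 tenants), so a single empty query is not proof of zero annual usage; the "once a year" transfers described later in this article are exactly what a 30-day window misses. And service integrations that call EWS with app-only credentials do not appear in the interactive sign-in log at all, so the service principal sign-in logs and mailbox audit records need the same review before the organisation-wide switch is thrown.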

The Friction of Standardization With Microsoft Enterprise Security

Perhaps the most treacherous aspect of standardizing security postures is not technical, but cultural. In a federated organization, standardization often feels like an imposition; a loss of local control ceded to a central bureaucracy. When Venkata’s team moved to enforce these new baselines, they encountered significant friction from territories that viewed their custom configurations as essential to client delivery.

The pushback was rooted in survivorship bias. Local admins argued that their bespoke setups were safe simply because they had not yet suffered a catastrophe. “That communication was difficult because they said, ‘We’ve been using it, we haven’t been breached, so what does it mean if we turn it off completely?'” Venkata recalled. This is the classic CISO’s dilemma of trying to enforce hygiene without disrupting revenue.

The solution required a diplomatic pivot. Rather than wielding security as a blunt instrument, Venkata’s team had to frame the transition as a modernization of client service. The argument was about protecting the client’s sensitive data from emerging threats that local teams might not even be aware of.

“We can transition in such a way that the clients do not feel the impact while we monitor for security challenges,” Venkata noted. By segregating sensitive data and empowering local admins to manage the transition within the new guardrails, PwC managed to enforce the baseline without severing the business relationship.

Automating the Remediation

Visibility is a double-edged sword. A common failure mode for modern security operations centres (SOCs) is “alert fatigue”: having the visibility to see thousands of misconfigurations but lacking the capacity to fix them. The BSM pilot at PwC distinguished itself by moving beyond observation into automated remediation. The goal was to fix the finding, not just flag it.

Venkata cited a specific, high-impact example regarding legacy file-sharing protocols. The audit revealed instances where connections were kept permanently open for annual file transfers, a massive security hole for a minimal business requirement. The manual fix would be to close the port and wait for the client to report an issue. The automated, intelligent fix was to change the architecture entirely. “We open it just-in-time. If somebody wants to load or unload it, we do it while we figure out an alternate approach,” Venkata suggested.

This “Just-in-Time” access model arguably represents the future of remediation. It acknowledges that business needs (such as sharing files) are valid, but the traditional method (permanent open access) is not. It required coordination not just internally, but with client infrastructure teams, forcing a handshake on new, secure protocols.
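The article does not specify the protocol, platform or tooling behind PwC’s just-in-time opening, so what follows is an added illustration of the pattern rather than PwC’s implementation. It assumes a Windows host fronting the legacy file-transfer listener and uses the built-in NetSecurity and ScheduledTasks cmdlets; the rule name, the port (TCP 21 stands in for whatever the legacy protocol actually uses), the event source and the sample addresses are all placeholders. The security property it demonstrates is the one the paragraph argues for: the default state is closed, the opening is scoped to one requester and one ticket, and the close is scheduled independently of the operator’s session so it happens even if nobody remembers.

```powershell
# Added example (not PwC's or Microsoft's code): a time-boxed, source-scoped firewall
# opening for a legacy file-transfer listener. Windows host, TCP 21, the rule name and
# the event source 'LegacyTransferJIT' are assumptions standing in for the real protocol.
# One-time setup (elevated): New-EventLog -LogName Application -Source 'LegacyTransferJIT'

$RuleName = 'Legacy-Transfer-JIT'
$Port     = 21

function Initialize-TransferRule {
    # Create the rule once, disabled: "closed" is the state nobody has to remember.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Allow -Enabled False -Profile Any | Out-Null
    }
}

function Open-TransferWindow {
    param(
        [Parameter(Mandatory)][string]$RemoteAddress,  # requesting client's IP or CIDR
        [Parameter(Mandatory)][string]$Ticket,         # change / engagement reference
        [int]$Minutes = 60
    )
    Initialize-TransferRule
    $expiry = (Get-Date).AddMinutes($Minutes)

    # Narrow the rule to the one peer that asked, and record who, why and until when.
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $RemoteAddress `
        -Description "Ticket $Ticket; opened by $env:USERNAME; expires $expiry"
    Enable-NetFirewallRule -DisplayName $RuleName
    Write-EventLog -LogName Application -Source 'LegacyTransferJIT' -EventId 1001 `
        -EntryType Information `
        -Message "Opened TCP/$Port to $RemoteAddress for $Ticket until $expiry"

    # Schedule the close as a separate task so it fires even if this session ends.
    $closeCmd = "Disable-NetFirewallRule -DisplayName '$RuleName'; " +
                "Write-EventLog -LogName Application -Source 'LegacyTransferJIT' " +
                "-EventId 1002 -EntryType Information -Message 'Closed TCP/$Port ($Ticket)'"
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -Command `"$closeCmd`""
    $trigger = New-ScheduledTaskTrigger -Once -At $expiry
    Register-ScheduledTask -TaskName "$RuleName-Close" -Action $action -Trigger $trigger `
        -RunLevel Highest -Force | Out-Null
}

function Close-TransferWindow {
    # Manual early close; runs the same steps the scheduled task would.
    Disable-NetFirewallRule -DisplayName $RuleName
    Unregister-ScheduledTask -TaskName "$RuleName-Close" -Confirm:$false -ErrorAction SilentlyContinue
    Write-EventLog -LogName Application -Source 'LegacyTransferJIT' -EventId 1002 `
        -EntryType Information -Message "Closed TCP/$Port early by $env:USERNAME"
}

# Example use, with a documentation-range address standing in for the client:
# Open-TransferWindow -RemoteAddress 203.0.113.10 -Ticket CHG-0042 -Minutes 45
```

The rule is never deleted, only disabled, so the scoped peer address from the last opening survives and the listener cannot be re-exposed to the whole internet by a careless re-enable. The event log entries give the SOC a before-and-after pair for every window, which is what turns an annual "always-on" exposure into an auditable exception.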

“We are building those things in to accelerate remediation so it is faster than expected,” Venkata said. This shift from static defense to dynamic, automated response is crucial for keeping pace with AI-enabled adversaries that operate at machine speed.

The End of the “Custom Tenant” in Microsoft

The broader implication of PwC’s journey is the impending death of the “custom tenant.” For decades, IT departments have taken pride in customizing every setting, believing that a bespoke configuration offers superior performance or security. Venkata argued that in the cloud era, this customization has become a liability. The sheer velocity of change in the threat landscape makes it impossible for a human team to manually curate a better security posture than the hyperscalers can engineer by default.

Microsoft’s approach with BSM, providing a “secure by default” baseline, challenges the ego of the traditional engineer. Venkata contrasted this with other vendors who leave the burden on the client: “Microsoft has been very clear: ‘If there is a known vulnerability, I want to share it right away and give you the tools to disable them or lower the risk.'”

A single, shared baseline of this kind allows the CISO to elevate the conversation from technical minutiae to business risk. When a configuration drifts from the baseline, it becomes a quantifiable risk. “A security engineer cannot always decide the impact—the risk might be high, but the business might say they are okay to accept it,” Venkata explained.

However, with clear data, the executive can override complacency. “Misconfiguration should not happen, especially in the cloud environment where it can be exploited so fast. I would rather fix it right away.”

Conclusions for Enterprise Security Leaders

The lesson from PwC’s pilot is that the future of enterprise security is not about building higher walls, but about aligning with global standards and automating the enforcement of those standards. The era of the “hero CISO” holding together a custom environment with duct tape and willpower is over.

For IT leaders seeking to replicate PwC’s success, Venkata offered a three-part approach: accept the tool to gain visibility, build processes to manage the “kill switch” through tabletop exercises, and communicate relentlessly. “Accept it. Don’t push back. This is a good tool,” he advised.

In a digital ecosystem where supply chains are inextricably linked, the security of one is the security of all. By embracing the baseline, PwC has secured its own perimeter and also helped validate a model that could inoculate the wider enterprise market against the next generation of threats.
