Microsoft’s Principal Security Engineer chats cyber with ISJ

ISJ speaks exclusively with Tannu Jiwnani, Principal Security Engineer, Microsoft.

Can you tell me about your journey and how your experiences led you to your current position?

My path into cybersecurity was not intentional at first. I began in data, business analysis and operations management, where I focused on uncovering patterns and guiding decisions.

Even then, I was fascinated by anomalies, those outliers that did not fit. Over time, I realised they often signalled bigger issues. That curiosity planted the seed for security.

When I moved into program management, I shifted from analysing numbers to orchestrating scale and strategy.

I learned that security is not just technology; it is about people, processes and systems working together. That mix of analytical skills and programmatic execution prepared me for cybersecurity.

Today, as a Principal Security Engineer at Microsoft, I lead initiatives that protect identity systems for millions of users.

Looking back, it feels like every step built toward this mission. I often say I did not choose cybersecurity, cybersecurity chose me.

In your early career, you transitioned from roles in data and business analysis to security and program management. What led you to follow the security pathway? 

At first, I thought I would always remain in the world of data, because I enjoyed how numbers could unlock decisions.

But what I came to realise was that while data insights were powerful in a business sense, in security, those same insights carried a very different kind of weight.

They could be the difference between a breach averted and a breach discovered too late. That sense of urgency and responsibility drew me in.

Another reason I leaned toward security was the constant change. Cybersecurity does not sit still. Every day, there is a new threat, a new tactic, a new vulnerability.

For someone who enjoys learning, adapting and staying sharp, it was irresistible. Program management also played a key role. I saw how successful security work required more than technical fixes.

It needed coordination, communication and the ability to bring multiple stakeholders into alignment around a common outcome.

It was less about coding the lock and more about ensuring everyone had the right key at the right time.

Can you tell me more about being an Incident Manager and what individuals can expect when starting their career?

Being an Incident Manager is one of the most challenging and rewarding roles in cybersecurity. I often describe it as being the conductor of a very high-stakes orchestra.

You are not the one playing every instrument, but you are responsible for making sure each one comes in at the right moment, on the right note and in harmony with the others. When things go wrong, it is your job to restore order and keep the music going.

In the middle of a live incident, the pressure is immense. You are balancing technical investigations, coordinating across dozens of engineering teams, communicating with executives and sometimes even handling external stakeholders or regulators.

There is no luxury of time to stop and deliberate endlessly. Decisions must be made quickly, but also with wisdom and foresight.

You learn very early that clarity is your greatest ally. The ability to translate a highly technical problem into a clear, actionable plan is what keeps everyone aligned.

In some cases, I was coordinating across fifty or more teams and my responsibility was to bring all those moving parts into one unified rhythm so that the company could contain and remediate the threat.

For individuals starting their careers in incident response, I tell them to expect adrenaline, rapid learning and to build resilience faster than in almost any other role. It is not always glamorous.

There will be late nights, moments of doubt and times when the stakes feel overwhelming. But it is also where you learn lessons that last a lifetime. You develop the ability to communicate under pressure, to prioritise when everything feels urgent and to stay calm when everyone else is anxious.

Those skills are not just for cybersecurity; they make you stronger in every aspect of your career and life.

And yes, for many in this field, coffee becomes their unofficial co-worker during incidents. For me, it has always been masala tea.

That small ritual of brewing a cup reminded me to pause, take a breath and bring calm to the chaos. Whether it is coffee or chai, every responder finds their anchor and that anchor is often what helps you stay steady when the stakes are at their highest.

The real reward, though, is not in the caffeine – it is in the impact. In incident management, you know that your work directly protects people, systems and sometimes even critical infrastructure.

That sense of purpose, that knowledge that your actions helped prevent harm or restore trust, is a reward very few careers can match.

It is demanding, it is humbling, but it is also one of the most meaningful paths you can take in this field.

Reflecting on your journey from your early roles to your current position, what experiences and lessons have stayed with you that you still reflect on now?

One lesson is that clarity always beats complexity. Early in my career, I thought demonstrating expertise meant sharing every detail.

In security, I learned that what people need is clarity; simple and actionable direction. It builds trust and drives results.

Humility is another. Security is the ultimate team sport. Some of my most impactful learnings came from quiet contributors whose insights changed outcomes.

True leadership is about creating space for the best ideas to emerge, not proving you are the smartest in the room.

Adaptability is the third. My career moved from data to program management to incident response and identity security.

Each pivot felt uncertain but expanded my resilience. Cybersecurity never stands still and evolving with it is essential.

These lessons of clarity, humility and adaptability shape how I lead today. Tools and threats change, but these qualities keep us effective as protectors and leaders.

Throughout your career, you have spent a lot of time mentoring and giving back to the security community. How do you aim to help the next generation of leaders grow in this space? 

Mentorship, for me, is not about polished stories but real ones, including the doubts, missteps and lessons learned. Authenticity matters more than perfection.

Representation matters too. For women and underrepresented groups, seeing someone who has navigated this path shows it is possible.

That is why I support initiatives like Global Give Back Circle, Women in Security, WISP and advisory boards at colleges.

I also focus on confidence. The biggest breach is often in our own self-belief. Helping people patch that gap can be as powerful as teaching a technical skill.

I see mentorship as not just opening doors but holding them open long enough for others to feel ready to walk through.

The next generation of leaders will be defined not only by technical expertise but by empathy, clarity and courage.

If I can contribute to that growth by sharing my journey, advocating for visibility and encouraging belief in their own potential, then I have done my part to help shape a stronger and more inclusive security community.