From the Millennium Bug to the latest cyber threats

Sarah Armstrong-Smith has built a career on risk management, resilience, and staying ahead of evolving cyber threats. As a leading cybersecurity speaker and chief security adviser at Microsoft Europe, she has spent more than two decades helping businesses navigate digital transformation while strengthening their security posture. We spoke with Sarah to explore the biggest cybersecurity challenges facing businesses today, the role of resilience in a digital world, and how organisations can foster greater inclusivity in tech.

What first sparked your interest in cybersecurity, data protection and digital transformation? And how did your journey in the field begin?

I’ve been working in the technology environment for more than 20 years now, and I trace this back to 1999. I was actually working for a water utility company during the Millennium Bug in 2000. Many companies were on large transformation programs to recode a lot of their computers and servers because the theory was that, at the stroke of midnight, a number of computers and servers would go into meltdown due to the way the Year 2000 was coded into various systems.

From a young age I’ve always been driven to keep asking ‘why’ and abundant questions. What if the systems go down? What if we can’t get people to work? What if all of these things happen? At the time, I didn’t realise I was looking at business continuity. It just felt like common sense to keep asking these questions. That was the start of my career.

I always look at that moment as the point where my career began. From business continuity, I then pivoted over the next 20 years into disaster recovery, cybersecurity, fraud, crisis management, and all of that falls under the banner of resilience. That’s how my career has evolved, and it’s been fantastic.

Diversity in the workplace is crucial for innovation and progress. From your perspective, what more can be done to foster gender diversity and inclusion in business, particularly in tech and cybersecurity?

We need people who can think outside the box, and that’s why diversity is so important. It’s not just about gender; it’s about diversity of background, experience, and culture. Inclusion is about removing false barriers – like the idea that tech is only for men or that you need to be highly technical to work in cybersecurity. That’s not true.

We also need to rethink how we support young people. Expecting them to decide their career path so early is unrealistic. People should try different things, pivot through their careers, and that should be encouraged. Life expectancy is increasing, meaning careers will be longer.

People will take breaks, start families, and shift industries. It’s about enabling flexibility and options.

Reflecting on your experience with the Millennium Bug, what key lessons did you take away from managing such a significant potential threat?

I think having a background in business continuity has enabled me to think about the big picture. I was always thinking about worst-case scenarios – what is the worst thing that could happen? But we also need to think more broadly. We need to consider incidents that are not just relevant to our own company but those that impact cross-sector and even global changes.

I think back to 9/11 as a really good example of a major incident on a massive scale that we probably never saw before. The way it was televised and the shock that came with it really brought home the impact of terrorism and how important business continuity is at that kind of scale.

Bringing that forward to now, the global pandemic has really emphasised how interconnected and dependent we all are. That applies to small businesses as well as large enterprises. When we consider these threats, it’s not just about business continuity but also cybersecurity and attacks. We have to think holistically, much wider. This is where resilience to all of these types of threats comes to the forefront.

The media plays a powerful role in shaping public perception of threats. Do you think the Millennium Bug was exaggerated by the media, and how can we ensure accurate reporting on cybersecurity risks today?

Potentially. Sometimes the media can really help, but they can also hinder. The problem is scaremongering, blowing things out of proportion. People have a tendency to believe what they read on the internet without fact-checking, and that has become more difficult due to the number of information sources available.

Where do you go to get factual information? People read things on social media – Facebook, Twitter – and it’s really hard to decipher fact from fiction. The media can sometimes blow things out of proportion. It’s important to find the right sources of information and utilise intelligence to cut through the noise and get real, actionable insights.

Since stepping into your role as chief security adviser at Microsoft Europe in 2020, what has been your proudest achievement, especially given the challenges of a rapidly evolving digital landscape?

I actually joined Microsoft one week after the UK went into lockdown. So, my entire Microsoft career to date has been from this very office. It’s been interesting to be in the middle of a global pandemic, joining a new company, but also seeing the inner workings of Microsoft.

Microsoft is a massive organisation with more than 160,000 employees worldwide. Beyond keeping the company running, we also had to ensure our customers were operational. There was also the massive acceleration to the cloud, particularly collaboration tools like Teams.

It was incredible to see how Microsoft rose to the occasion, supporting customers and new users. In my role, I work with strategic and major customers across Europe, acting as an executive sponsor across different sectors. It allows me to understand their challenges, especially around cloud adoption and digital transformation.

No matter how bad things get – and we’ve had major crises over the years – I always focus on opportunities. What can we learn? What can we do better? That’s why I’m proud to work at Microsoft.

With cyber threats constantly evolving, what do you see as the biggest risk businesses face today, and what essential steps should they take to strengthen their security?

Cybercriminals are opportunistic and thrive in a crisis. Over the last 12–18 months, we’ve seen a massive increase in phishing attacks preying on people’s fears and emotions. Attackers pretend to be your bank, a charity, or an organisation offering support. They try to trick you into giving up credentials or clicking malicious links.

We’ve also seen a rise in ransomware attacks, particularly targeting healthcare and critical infrastructure. It was shocking to us that during a pandemic, attackers still targeted hospitals and emergency services because they believed those institutions would be more likely to pay.

Businesses need to adopt an ‘assume compromise’ mindset. No matter how strong your cybersecurity is, attackers will try to find a way in. The focus should be on preparedness: what happens if someone accesses your systems? If your data is leaked, what’s the impact? Where should you prioritise your security efforts?

Cybersecurity isn’t just about defences – it’s also about crisis response. If your network goes down, can your business revert to manual processes? How do you communicate with customers and partners? The response strategy is just as important as prevention.

Looking back on your career, what is one piece of advice you would give to your younger self, or to anyone aspiring to build a career in tech and cybersecurity?

Don’t be afraid to keep pushing yourself forward. When I was younger, I had a habit of volunteering for things I didn’t fully understand, but it always led to growth. People hesitate to apply for roles if they don’t meet 100% of the requirements – but you don’t have to know everything. You learn on the job.

I never planned to work in tech. I originally wanted to be a graphic designer because I loved art. Careers aren’t linear, and that’s okay. Just take opportunities, keep learning, and enjoy the journey.

Photo by Ed Hardie on Unsplash, and Champions UK.

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.