Microsoft appoints Deputy CISO for Europe to reassure European IT leaders

Microsoft on Wednesday announced that it will be creating a new position: a Deputy CISO for Europe.

Who that Deputy CISO will ultimately be is unclear. Wednesday’s statement simply said that Microsoft CISO Igor Tsyganskiy is “appointing a new Deputy CISO for Europe as part of the Microsoft Cybersecurity Governance Council,” but the phrasing made it unclear when that would happen.

However, Tsyganskiy made a separate announcement on LinkedIn that he has given the role to current Deputy CISO Ann Johnson. But he then said that Johnson, who is based at Microsoft’s head office in Redmond, Washington, will hold that post “temporarily.” 

Contacted directly, Johnson, who has served in a variety of senior cybersecurity roles at Microsoft since she joined the software giant in December 2015, did not answer any questions about whether she will relocate to Europe while she holds the role, or how temporary she expects it to be. She referred the queries to Microsoft PR, who declined to comment.

In his LinkedIn post, Tsyganskiy explained that the Cybersecurity Governance Council, which was created in 2024, consists of “our Global CISO and Deputy Chief Information Security Officers (Deputy CISOs) representing each of our technology services. This Council oversees the company’s cyber risks, defenses, and compliance across regions and domains.”

“The Deputy CISO for Europe will be accountable for compliance with current and emerging cybersecurity regulations in Europe, including the Digital Operational Resilience Act (DORA), the NIS 2 Directive, and the Cyber Resilience Act (CRA),” Tsyganskiy wrote. “These laws will prove transformative not only in EU markets, but worldwide, and Microsoft is actively engaged in preparing for what lies ahead.”

In Wednesday’s statement, Microsoft said, “the appointment of a Deputy CISO for Europe reflects the importance and global influence of EU cybersecurity regulations and the company’s commitment to meeting and exceeding those expectations to prioritize cybersecurity across the region. This new position will report directly to Microsoft’s CISO.”

The move also highlights strong fears from European IT execs and government officials that the Trump administration may exert significant influence on cybersecurity companies. Those concerns were intensified by Trump’s order to yank security clearances from SentinelOne and former Trump official Chris Krebs because of comments that Krebs made about election results. 

An even bigger factor is the economic uncertainty around tariffs and retaliatory tariffs. 

‘Playing catch up’

Michela Menting, France-based digital security research director at ABI Research, said when she heard on Wednesday that Microsoft was creating such a role, “I was mostly surprised that they don’t already have one.”

“GDPR has been in place for quite some time now and the fact they are only now putting in a European deputy CISO is concerning,” Menting said. “They are playing catch up.”

Menting said this is consistent with Microsoft’s minimal efforts in Europe over the years, adding, “they really now have to show that they are doing the utmost.”

Part of Microsoft’s challenge, and therefore the challenge for the person who eventually holds this new role, is to convince European leaders that Microsoft is changing.

The creation of the Deputy CISO for Europe role “is not because they really believe in it. It’s because they don’t want to lose that business. It’s that simple,” Menting said. “They have been doing the bare minimum and that’s why they are always in court here.”

Forrester VP/research director Pascal Matzke, who is based in Germany, was somewhat unimpressed by the new role. 

The creation of a Deputy CISO for Europe “is great, but how does that translate into how new innovation stays within Europe?” Matzke asked. “They could have pointed to some specific funding co-development,” but they didn’t.

Phil Brunkard, an executive counselor at Info-Tech Research Group UK, said he saw the new Microsoft position as “telling Brussels [the European Union’s de facto capital] ‘OK. We’ll play by your rules now.’”