By Byron V. Acohido
SAN FRANCISCO — On the eve of what promises to be a news-packed RSA Conference 2024, opening here on Monday, Microsoft is putting its money where its mouth is.
More precisely the software titan is putting money within reach of its senior executives’ mouths.
In a huge development, Microsoft announced today that it is revising its security practices, organizational structure, and, most importantly, its executive compensation in an attempt to shore up major security issues with its flagship product, not to mention quell rising pressure from regulators and customers.
A shout out to my friend Todd Bishop, co-founder of GeekWire, for staying on top of this development. His breaking news coverage is as thorough as you’d expect as a Microsoft beat writer with institutional knowledge going back a couple of decades.
Org overhaul
As Todd reports, not only is Microsoft basing a portion of senior executive compensation on progress toward security goals, it also will install deputy chief information security officers (CISOs) in each product group,and bring together teams from its major platforms and product teams in “engineering waves” to overhaul security.
This instantly brought to mind something eerily similar that happened 22 years ago – something both Todd and I wrote about at the time. On January 15, 2002, Bill Gates issued his famous “Trustworthy Computing” (TC) company-wide memo, slamming the brakes on Windows Server 2003 development and temporarily redirecting his top engineers to emphasize security as a top priority.
This “security stand down” allowed Microsoft to conduct a comprehensive review and overhaul of their software design practices, as part of a broad effort to integrate security deeply into the software development process at Microsoft. Given its stature as an 800 lb gorilla, Microsoft certainly influenced cybersecurity as a whole, arguably setting a course for application security principles and practices that were to evolve in the wake of TC.
Pressure redux
But now, once again, Microsoft is feeling enough pressure from its enterprise customers to recalibrate its approach to security. Just as Gates’ memo became a charter to infuse security, privacy, and reliability across all Windows products, Satya Nadella’s Secure Future Initiative (SFI) is aimed at deepening this ethos in an environment now dominated by sophisticated cyber threats, cloud-based data and pervasive AI technologies.
The common denominator is trust—critical then and now. Initially, TC was about setting a security baseline within the fabric of software development during the internet’s formative years. SFI expands this vision, emphasizing intrinsic security in the design, deployment, and operation of Microsoft’s vast array of products and services, focusing notably on the challenges posed by AI and cloud vulnerabilities.
Under Gates, TC catalyzed a transformation within Microsoft that rippled out across the tech industry, prompting a heightened focus on developing software that was secure by design.
TC’s legacy
An argument certainly can be made that TC foreshadowed “shift left” software security development practices and, ultimately, DevSecOps. The core principle is that every phase of software development should be infused with some aspect of security.
I’d argue that TC laid the groundwork for continuous security integration, a core component of DevSecOps. This approach ensures that security considerations are not an afterthought but are embedded throughout the development lifecycle. Extending from this foundation, SFI seems well-positioned to push these boundaries further, integrating AI to proactively manage security threats and embedding robust security measures as default settings in new products.
While TC reshaped traditional software security, SFI has a chance to help not just Microsoft customers, but the tech sector as a whole. The massive task at hand is to reconcile privacy and security concerns when it comes to securing complex AI algorithms and sprawling cloud networks.
Funny how even as the pace of change accelerates, the core privacy and security concerns remain the same. I’ll keep watch and keep reporting.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
May 3rd, 2024 | My Take | Top Stories
Wanda Parisien is a computing expert who navigates the vast landscape of hardware and software. With a focus on computer technology, software development, and industry trends, Wanda delivers informative content, tutorials, and analyses to keep readers updated on the latest in the world of computing.
