SANS Security Trend Line

Will Steve Ballmer's Departure Change Microsoft's Approach to Security, For Better or Worse?

A brief history of Microsoft's CEOs, and the security of their software:

  • 2000 - Steve Ballmer takes over as CEO at Microsoft, Bill Gates remains as Chief Software Architect.
  • 2001 - After an accelerating stream of serious vulnerabilities in the Windows operating system, and in the IIS Web Server and IE Web Browser components in particular, malware such as Code Red and Nimda cause widespread damage to businesses.
  • 2002 - Bill Gates decides security is important, sends an email to all Microsoft employees declaring security should be Microsoft's top priority.
  • 2002 - Microsoft CTO Craig Mundie (and three others) publish a white paper on "Trustworthy Computing" aimed at four goals: Security, Privacy, Reliability, and Business Integrity. Over the years, this does spawn major focus on a Secure Development Lifecycle approach at Microsoft, and major improvements in the development and product management groups on more secure software. However, it also seems to spawn an "in order for businesses to trust us, we must sell security products" attitude at Microsoft which will go nowhere over the years.
  • 2003 - Slammer and Blaster exploit the latest in the continuing stream of critical vulnerabilities being found in Windows, causing yet another round of enterprise downtime and patching.
  • 2003 - Microsoft acquires a small Romanian anti-viral company, GeCAD, "so that Microsoft can provide antivirus solutions for Microsoft products and services." This was the first of many minor security company acquisitions Microsoft would make under Ballmer over the next 5 years.
  • 2006 - Bill Gates steps down as Chief Software Architect.
  • 2007 - Microsoft ships the Vista operating system six years after declaring security to be top priority. While there are definite security improvements, many of them simply cause the user to have to click through many confusing dialog boxes. Overall, Vista is a major flop.
  • 2009 - Windows 7 ships, 8 years after Microsoft gets security religion. In general, many major security advances, but just in time for most of the action to shift towards smartphones and tablets, where Microsoft is well behind Apple and others. Microsoft's mobile operating system does not include on-device encryption or any sort of App Store construct, both serious gaps.
  • 2013 - Ballmer announces he will retire within a year.

So, the reality is that Ballmer was actually Microsoft's CEO for several years before they declared "Security is Job #1" and for over a decade afterward. How'd he do?

Well, the areas where Microsoft made the most meaningful progress (Secure Development Lifecycle, higher security level in their own PC and server software) were probably the least under Ballmer's direct purview, as Bill Gates and Craig Mundie played larger roles there. The security areas that most likely got the most attention from Ballmer (acquisitions and the regular reorganizations and changes of the names at the top of the security business org chart) were largely complete failures. Getting into the antiviral market is the poster child for that.

Back in 2003, as a VP at Gartner, I led the publication of a research note titled "Microsoft Must Transform, Not Threaten, the Antivirus Market," basically saying the best thing Microsoft could do for security would be to make the AV market unnecessary by building operating systems that would resist malware, vs. joining in the $1B market for selling security software to make up for security deficiencies in Windows. To me, what Microsoft was doing was analogous to the water company delivering stinky, polluted water and then selling you a subscription service to filter the dirty water it just sold you.

Now, Microsoft has 26% of the stinky-water-filtering PC antiviral market, but over the 10 years they wasted chasing that, first Apple, then Google, focused on building operating systems that include many mechanisms (sandboxing, app stores, etc.) that raised the bar on malware, vs. trying to sell add-on products to fight malware. Now, as the PC market sinks and the tablet and smartphone markets explode, Microsoft is once again way behind the security curve.

There were many, many other examples over the years. I think those security business decisions over Ballmer's reign diverted a lot of Microsoft's attention and focus away from security advances that could have changed the industry and instead focused Microsoft on ways they could compete with security vendors - the wrong approach, and badly executed at that.

Oddly enough, Microsoft has recently begun to try to compete with Google on privacy, since very little of Microsoft's revenue comes from advertising sales based on watching its users send emails and search the web. Imagine how much more successful Microsoft would be at that if they had been first to market with smartphone encryption, or with a version of Windows that spared consumers from wasting money on antiviral products.

As a business, security is definitely not Microsoft's number one problem these days - changing their approach to security alone isn't going to turn them around. But I think they do have an opportunity to make some game-changing moves in security as they bring in a new CEO and that CEO does the inevitable house cleaning and direction-setting. In security, that never really happened under Steve Ballmer.
