SANS Security Trend Line

Will Microsoft's New CEO and the Sorta Return of Bill Gates Be Good for Security?

Back in August 2013 I asked "Will Steve Ballmer's Departure Change Microsoft's Approach to Security, For Better or Worse?" Now that Microsoft has announced Ballmer will be replaced by Satya Nadella, and that Bill Gates will resign as the Chairman of Microsoft's Board to become Nadella's "Technology Advisor" it is probably a good time to revisit that question.

Nadella has been at Microsoft since 1992 and in 2011 moved from Microsoft's Online business to take over their Server and Tools Business, which includes:

  • Windows Server
  • System Center
  • SQL Server
  • Visual Studio
  • Desktop access business
  • Enterprise services business (consulting and support)

Those are all over $1B in revenue each and I think STB's recent revenues were something like $19B. So, Nadella certainly has experience running large software businesses. Microsoft has a huge number of challenges facing it, and security is not likely to be perceived by Microsoft as one of its major business problems. It really can't trace loss of market share on the desktop or in email to Google or Apple having higher levels of security. But, I'm in the security union and all I care about is the security aspect. Will this management change at Microsoft have any meaningful impact on security?

I spent a lot of time at Gartner covering Microsoft security before and after the famous Bill Gates "Security is Job 1" memo of 2002. My August post included a brief history of security at Microsoft after that - Microsoft made advances but then seemed to lose its security focus after Gates stepped down as Chief Software Architect in 2006. I blamed a lot of the bad decisions they made on Microsoft management looking more at the business of security rather than the security of its customers' businesses.

Nothing major from a security perspective happened after Nadella took over the Microsoft Server and Tools Business, so I think his appointment is less meaningful from a security perspective than the two other changes noted in Microsoft's announcement:

1. Bill Gates' new role as Technology Advisor to Nadella - While Bill Gates was behind some of the bad moves Microsoft made in security after his 2002 memo (like acquiring a small Romanian anti-virus company, GeCAD), in general he had the moral suasion necessary to change the Microsoft software development and product management organizations to focus on the most important phrase in his famous memo:

"Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid email borne viruses. If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services."

This was exactly what Microsoft needed - an inward focus on improving the security of its own products and thinking about security as the top-rated feature. After Gates stepped down from the Chief Software Architect role, the security focus got muddled, with a lot more external focus on security marketing and more marginal acquisitions of security products.

2. John Thompson, former CEO of Symantec, replacing Gates as Chairman of Microsoft's Board - Thompson was CEO of Symantec from 1999 to 2009. An IBM veteran, he went on an acquisition spree at Symantec early in his tenure that was effective in increasing Symantec's market value but diversified Symantec into so many areas that it neglected its cash cow, the desktop.

When Microsoft got into the AV market in 2002 and threatened Symantec's position, Thompson led Symantec on an ill-fated diversification effort into storage and systems management, claiming that security was just part of all that. That proved to be completely off the mark and Symantec began a long, accelerating slide downhill.

Both Gates and Thompson should have learned a lot of lessons about focusing on security - and hopefully a lot about how security product acquisitions often detract from that focus. I'm hoping they both have a lot of "what not to do" ideas about security, at least.

Bottom line: Nadella, Gates and Thompson will have to focus on forcing change at Microsoft to regain competitiveness in the core technology markets around consumer and enterprise use of technology. Security is not likely to be at the top of that list, but I think there is one key area where security and competitiveness intersect - the App Store.

I'd like to see Microsoft focus on attacking Apple's leadership in the App Store, and Google Play's second place position, by focusing on having the most secure, most "trustable" apps - in addition to catching up on the "coolness" aspect and sheer quantity of apps. That's the area I'm going to watch to see if the "new" Microsoft will really do anything groundbreaking in security as it tries to change its course.
