Every Microsoft Employee Is Now Being Judged on Their Security Work

Reeling from security and optics issues, Microsoft appears to be trying to correct its story. An anonymous reader shares a report: Microsoft made it clear earlier this year that it was planning to make security its top priority, following years of security issues and mounting criticisms. Starting today, the software giant is now tying its security efforts to employee performance reviews. Kathleen Hogan, Microsoft's chief people officer, has outlined what the company expects of employees in an internal memo obtained by The Verge. "Everyone at Microsoft will have security as a Core Priority," says Hogan. "When faced with a tradeoff, the answer is clear and simple: security above all else."

A lack of security focus for Microsoft employees could impact promotions, merit-based salary increases, and bonuses. "Delivering impact for the Security Core Priority will be a key input for managers in determining impact and recommending rewards," Microsoft is telling employees in an internal Microsoft FAQ on its new policy. Microsoft has now placed security as one of its key priorities alongside diversity and inclusion. Both are now required to be part of performance conversations -- internally called a "Connect" -- for every employee, alongside priorities that are agreed upon between employees and their managers.

Wow, talk about a no win position!

[oldgraybeard]

You are forced to use Microsoft products and services. And your judged you on your security!

Re:

[oldgraybeard]

And your judged on your security!

How does this apply to the following employees...

[Anonymous Coward]

...at Microsoft?

Janitor
Receptionist
Lawyer
Accountant
HVAC tech
Cafeteria Cook
Night watchman
Parking lot attendant
Maintenance tech

list of outsorced / 3rd party wokers

[Joe_Dragon]

list of outsorced / 3rd party wokers

Re:

[93 Escort Wagon]

I am finding this thread hilarious because I'm really not sure if any of the typos are intentional!

Re:

[Known Nutter]

I'm reasonably confident Joe Dragon sniffs glue when posting here.

Re:

[Compaq Disk Rereader]

May Allah Ta’ala have mercy on him

Re:

[pierreact]

I remember when working at a large corp, we had colleagues holding the door for us all the time. Anyone pretending to be of the company could enter without a need for the badge. Security is not stopping at your workstation.

Re:

[ls671]

Here you go:
And you're judged on your security!

Re:

[VeryFluffyBunny]

Well, at least they've promised to stop completely ignoring it!

Re:

[StormReaver]

Well, at least they've promised to stop completely ignoring it!

They do that every few years, then wait until the fake outrage subsides before it's back to business as usual.

Re:

[xeoron]

They should make Windows 12 a offshoot of ChromeOS with WINE sandboxing "classic windows apps" and MS like UX baked in. ChromeOS supports deb packages, so maybe release a tool to convert windows apps to deb. Office already runs on ChromeOs via the web and play store apps, or PWA. SEcure Linux and sand-boxing all baked in with instant updates.

Re: Thanks HR

[drinkypoo]

That's a false dichotomy, since it's very inconvenient when your security is bypassed.

Re: Thanks HR

[LazarusQLong]

I once set up my mom's computer such that it was as secure as I could make it, it slowed down, noticably. She immediately had a tech come in and disable all the stuff I had put in to it... Things like automated virus and malware checks of any removeable media... encryption, Tor, everydamn thing I could think of at the time. So, after the tech she hired 'fixed' it for her, she'd call me several times a week (I live over 500 miles away) and ask me where this or that popup or popunder came from, one of her bank accounts got compromised, and of course she got bunches of emails telling her she needed to spend $XXX on this or that security system. She actually lost over $1000 to one scammer. Her files got encrypted by ransomware, it was lucky he hadn't disabled the automated backup I had put in place to backup once a week... When she told me about the ransomware, well, I told her to unplug the backup, and we would restore files from the last 'good' backup.

Convenience, is indeed and enemy of security sometimes.

Re:

[Mal-2]

In the past this might have manifested as "Checks are such a pain in the ass, it's so much more convenient to just carry a few thousand dollars on me at all times" and then wondering why she keeps getting her purse snatched after she flashes all that cash.

Re:

[LazarusQLong]

Well, no. My mom doesn't like to carry cash, she feels like that is too high a risk. She uses her debit/credit cards everywhere, back before you could do that she used checks, but she never carried large sums of cash on her.

Re:

[Anonymous Coward]

TOR does not improve security! It improves anonymity, but anything sent to the regular Internet goes through an exit node, which could be run by anyone. At that point the connection is as readable as if you were on public WiFi. It's also likely the cause of most slowness she experienced.

Re:

[Tough Love]

I once set up my mom's computer such that it was as secure as I could make it...

No you didn't, you failed to removed Windows from it.

Re:

[LazarusQLong]

It was a Mac (Apple), she hates windows.

Re:

[Anonymous Coward]

Security is our number one priority.

Unless it affects profits.

Then you'll get a bad performance review and be denied raises/promotions because profits went down.

Re:

[easyTree]

Ahh, a slice of the good old days on slashdot.

Please unleash yourself on the wider internet!

Re:Thanks HR

[rudy_wayne]

It is all bullshit. It is all theater.

Microsoft is not a charity, they are not a non-profit. They exist for one reason and one reason only -- to make as much money as possible. But security, done PROPERLY, is expensive, and as a publicly traded company there is constant pressure to keep producing higher and higher profits. If you don't deliver higher profits you WILL be replaced.

And so every person, from the CEO down to the lowest level managers, is constantly looking for ways to cut corners, because that is the fastest and easiest way to boost profits. And so, you cut corners and don't take security seriously and hope that you get away with it. And most of the time you DO get away with it.

And then something blows up. And there is lots hand-wringing and investigating, and everyone swears that we're really going to take security seriously now, and we really mean it this time. And a few months later everyone is back to business as usual cutting corners and taking every shortcut possible.

Re:

[LazarusQLong]

and remember, they aren't going to go back and fix all their current problems, no, at best the newer products coming out in a year or so may have some level of fixes applied... MAY.

Re:

[alexgieg]

you cut corners and don't take security seriously and hope that you get away with it.

Fixing this is easy: just convert Software Engineering into an actual Engineering. As in, demand from all software engineers they follow the same standards of safety in whatever they produce as, say, Electrical Engineers, Chemical Engineers, Mechanical Engineers, Civil Engineers etc. must follow, complete with a requirement to personally sign on with their own name and board number on anything and everything they work in at a professional capacity, with full accountability and the risk of losing the right t

Re:

[volcan0]

What is interesting with this solution is that it would swing the pendulum around. A lot of stuff that is now done with software will, all of a sudden, be cheaper if it is done by someone instead of software. On the plus side, this creates jobs. On the downside, everything just got more expensive.

Re:

[buck-yar]

What about the guy with the striped hat that controls and fuels trains engines?

Re:

[alexgieg]

Having 'real engineers' around seems to be working well at Boeing.

If things there are bad as is, imagine if management could get away with having no engineers at all?

Management being accountable is the second part of my answer. But the first part is also extremely important. This won't work as well without the first part.

A third aspect would be full legal and financial protection for whistleblowers, complete with legally protected anonymity. If engineers are held responsible, and are free to report ethical violations, there's a strong incentive for the later to be careful

Re:

[mrfaithful]

That would only be half the battle. The sysadmin side would also have to stop assembling piles of jank to satisfy the staff doing the work. Many compromises are actually less to do with the engineering of the software and more to do with the person who set up the service. Deliberately using an old build with a known flaw because they don't have the authority to force an update of the running codebase to comply with more recent changes, or adding --enable-loose-mode or somesuch so that "ERROR: You can't do t

Re:

[alexgieg]

The sysadmin side would also have to stop assembling piles of jank to satisfy the staff doing the work.

True. There'd be the need to do something similar on the infrastructure side of the aisle.

all software development and possibly even the running thereof will move to countries that don't do that.

A massive change like this would require international agreements at the WTO / ILO / etc level. If that happened, moving development to countries without such requirements would be a non-starter.

I'm under no illusion something like this will happen. But that thoroughly forcing software engineering to become a full engineering discipline would solve the issues at the root, it would, which is the point of this exercise.

W

Re:

[strikethree]

And so every person, from the CEO down to the lowest level managers, is constantly looking for ways to cut corners, because that is the fastest and easiest way to boost profits.

Those are short term profits. The actual product is garbage, so the only reason it sells is because it is a monopoly. If we enforced antitrust on Microsoft, they might need to start looking at behaving in a way that actually ensures their survival... but this is America and apparently, we want only one person to have everything. It is what 'winning' looks like.

Microsoft Connect priorities are meh

[HBI]

Connects are the Microsoft performance review system. Connects are mostly composed of boilerplate text that satisfies management. Distinction without difference. If you feel the warm and fuzzy, then it achieved its goal.

Insecure Software: "diversity and inclusion" LOL

[eadon-com]

"One of its key priorities alongside diversity and inclusion" Coincidence? These incompetent, wokist corporations wonder why their systems are FOOBAR insecure!

Re: Insecure Software: "diversity and inclusion" L

[drinkypoo]

If you actually believe that they are prioritizing anything over profit, you are a dupe. And also, as autocorrect wants me tell you, a dope.

Re:

[drinkypoo]

Globalists have a globalist (not capitalist, note!) agenda that they deploy even though it hurts their bottom line.

Who are these globalists, and what are they doing that you think is not for the purposes of securing more profit?

Re:

[byronivs]

Are you making fun of yourself?

Re: Insecure Software: "diversity and inclusion" L

[toutankh]

Sure, Microsoft stopped being a super secure company shipping super secure software the second they adopted a CoC... How young are you?

That's a laugh

[TWX]

A major reason why I have an IT career going on 30 years now is because Microsoft's products that can't truly be fixed.

I don't directly support Microsoft products anymore, and haven't for around a decade as my specialization has taken me away from their offerings, but for the first 20 years my bread and butter was standing back up systems that had stopped working, including many due to security problems.

Watching the desktop and server ecosystem since around 2010 I don't see much actually new in what Microso

Seems like a press release...

[MpVpRb]

...to satisfy investors
It may or may not improve their security

Re:

[easyTree]

But only on a surface level

More dialogs

[Tailhook]

The cynic in me expects a large increase in "Are you sure you want to ... Ok/Cancel" prompts.

Sure...

[Junta]

"When faced with a tradeoff, the answer is clear and simple: security above all else."

As everyone knows, if systems are "air gapped" that's a pretty good security measure, so I fully expect all Microsoft products to remove all networking support, because security above all else no matter what right?

Re:

[timeOday]

Yeah. It sounds simple to not compromise security for ship dates or features, but the fact is you have to draw the line somewhere. You can always wait and do yet another review and maybe increase security just that little bit more...

Re:

[fahrbot-bot]

"When faced with a tradeoff, the answer is clear and simple: security above all else."

As everyone knows, if systems are "air gapped" that's a pretty good security measure, so I fully expect all Microsoft products to remove all networking support, because security above all else no matter what right?

My experience dealing with government STIGs left me with the feeling that security people are only really happy while the computer is still in the box, and even that bugs some of them.

Re:

[Talon0ne]

I hate STIGs... The guys at TIC and JTIC are great to work with though.

Re:

[volcan0]

it's because you left the box out of your sight for too long!

Re: Sure...

[Dark Coder]

Ummm, gotta take into consideration the security of advertisers .., as in financial security. #caring

necessary quote

[Virtucon]

You have been weighed, you have been measured, and you have been found wanting.

- A Knights Tale

Re:necessary quote

[packrat0x]

You have been weighed, you have been measured, and you have been found wanting.

- A Knights Tale

The origin of "Handwriting on the Wall":

Daniel 5:25-28. "And this is the writing that was inscribed: Mene, Mene, Tekel, and Parsin. This is the interpretation of the matter: Mene, God has numbered the days of your kingdom and brought it to an end; 27 Tekel, you have been weighed in the balances and found wanting; 28 Peres, your kingdom is divided and given to the Medes and Persians."

Guaranteed False

[nightflameauto]

"Everyone at Microsoft will have security as a Core Priority," says Hogan. "When faced with a tradeoff, the answer is clear and simple: security above all else."

I absolutely 100% guarantee you this is a false statement. Don't believe me? How about we put security against profit and see how that lands? I promise you, if it's going to cost profits, security will go right out the window. As it has since the beginning of the company.

Re:

[Perfycat321]

You are not looking at this the right way. By having this be a core responsibility of each employee, it creates an army of scapegoats the next time there is a security issue.

Re:

[easyTree]

it creates an army of scapegoat

Uhh, they already have employees, right? *Confused*

Re:

[Anonymous Coward]

it creates an army of scapegoat

Uhh, they already have employees, right? *Confused*

Its the equivalent of having mandatory trainings every year. Everybody figures out how to finish the trainings as quickly as possible without paying any attention to the actual material. Similarly here, everybody will figure out how to meet the "security" requirement with no real changes being implemented.

i.e. Its a bullet point to the company for legal liability protection. Nothing more or less.

Re:

[nightflameauto]

You are not looking at this the right way. By having this be a core responsibility of each employee, it creates an army of scapegoats the next time there is a security issue.

Ah, there's the corporatist mental note I was missing!

Re:

[geekmux]

You are not looking at this the right way. By having this be a core responsibility of each employee, it creates an army of scapegoats the next time there is a security issue.

Firing more than the poor scapegoat that works as Microsoft CSO when the next major MS bug/hack/zero-day happens, isn’t going to make even a single CEO victim running Microsoft OS feel better, or not blame Microsoft.

Not a single fucking one.

Re:

[nightflameauto]

You are not looking at this the right way. By having this be a core responsibility of each employee, it creates an army of scapegoats the next time there is a security issue.

Firing more than the poor scapegoat that works as Microsoft CSO when the next major MS bug/hack/zero-day happens, isn’t going to make even a single CEO victim running Microsoft OS feel better, or not blame Microsoft.

Not a single fucking one.

It's not about making CEOs or, heaven forbid, normal workers feel better. It's about public perception, and keeping just enough good will among people that we don't call for their heads on pikes and get legal action going against them. "But, we made security top priority for everyone!" sounds a lot better than, "We never cared about security, so who cares if it bit you, dumbass?"

/o\ | \o/

[easyTree]

Is it worth the loss of material for the internet-comedian community:
  * https://turbo.paulstamatiou.co... [paulstamatiou.com]

?

A meaningless stunt

[gweihir]

Unless and until MS cleans up a decade of incompetence, this will do nothing.

The wrong message.

[kalieaire]

Security above all else is a good way to make sure nothing gets done.

The business, meaning the client's business, dictates the security measures that need to be taken. A careful calculation between risks that they expose themselves to vs how much revenue the business generates.

Nobody gains anything if the security measures cost more than the business generates. Another point is that the business owners should not shoulder 100% of this security burden, tbf, the gov't should be defending against a lot of it,

Re:

[HBI]

You make a great point about the government. Back in the 90s, EDI was a big thing, 'electronic data interchange'. The security was kind of meh by today's standards, but for the 90s it was better than the internet. EDI links were set up on a company to company basis over leased lines, usually, or at best X.25 or frame relay. A lot of the security issues we face today were nonexistent. But the internet was cheaper so EDI networks went by the wayside more or less.

So now you have this global system carryin

Is not security about design?

[CalgaryD]

I have thought that security comes from the general design. How secure the OS should not depend on what a junior programmer is doing. Right?

This is like Boeing suddenly prioritizing QA

[aoeusnth]

The change has to come from the top. There's a limit to what you can accomplish from below, as far as quality-related metrics go.

History Repeats Itself...

[sconeu]

Ballmer introduced a very similar security initiative in 2005. https://news.microsoft.com/200... [microsoft.com]

Coding and quality should be the goal

[angryargus]

The stated goals focus too much on design and not enough on the poor implementation (i.e., lazy coding and reviews). MSFT has too much of a culture where customer issue reports are not addressed because 1) they need a compelling business justification, or 2) they claim they canâ(TM)t fix because some app might rely on the broken behavior. Iâ(TM)ve had MSFT reply with #2 even when an API function is completely broken (eg you can disassemble it and see that all it does is return âoenot implemen

Can't wait for policy to be called racist, etc.

[drnb]

"Everyone at Microsoft will have security as a Core Priority," says Hogan. "When faced with a tradeoff, the answer is clear and simple: security above all else."

I can't wait for some group to claim disproportionate outcomes and claim the policy is racists, sexists, bigoted, etc.

Bullshit

[jenningsthecat]

"When faced with a tradeoff, the answer is clear and simple: security above all else."

When the tradeoff is cost, or delays in updating the OS or rolling out new products or services, or short-term profit, or curtailing privacy-stealing activities because they're just natural security holes - then security will fall to the very bottom of the priorities list. If security dictates that customers switch to Microsoft's competitors' products because they're more secure, then the issue of security will be either downplayed or outright lied about. That's just the way Microsoft is.

This latest 'policy

Re:

[Opportunist]

Perfect security isn't one that keeps you from getting where you want to go by reminding you of its presence with every step you take.

Perfect security is so stealthy that you don't even know it is there until you try to do something that compromises it.

Security that gets into your way is something you WILL get rid of, and without a guilty conscience. You're doing it to improve your productivity. An example:

If you work in a warehouse where stuff gets stolen and security demands that the doors are closed and

Re:

[Mal-2]

I wish they wouldn't. Malicious compliance is the only tactic that will cause the policy to be changed.

Re:

[serviscope_minor]

I wish they wouldn't.

If wishes were horses, then beggars would ride.

Thing is most people aren't inveterate shitbags and do actually want to do the job they're paid for. You also have the additional pressure that unless everyone engages in malicious compliance, you'll be the one with poor productivity and unless there's actually a security incident before you're fired for not doing your job, you'll be the one fires.

Re:

[Mal-2]

Getting fired for following policy to the letter is an excellent justification for collecting Unemployment. I'd take the risk.

Re:

[Opportunist]

Too bad, you could actually have learned something.

Oh well, some people just prefer to pretend they already know everything.

But it was so handy, Satya

[Tablizer]

I guess it's time to get rid of this gem:

if (password="TablizersSecretBackDoor") { approve(); }

Re:

[Tablizer]

oops, forgot second "=". The double-equal convention is not Monday-friendly.

Between a rock and a hard place

[Opportunist]

You have to use our products.

You will be judged by your security work.

Double bind at its finest.

Clash of the Titans

[Dark Coder]

DEI and Security? Together?

This should end well.

Re:

[Required Snark]

Spoken like a true incel.

Do you go to bed at night cowering in fear that Harris might become President? I hope so.

Absolute* importance!

[torkus]

Security is of absolute importance, above any and every other metric ... *except it's equals: diversity and inclusion.

Maybe I'm being a bit crass, but I care a lot more about the security of a product than the color, race, gender, religion, or sexual orientation of the person who wrote it...or how welcome they feel at work. If a team of queer black midget Christian crossdressers could develop the best product, so be it. I just don't care about anything but the result and THAT is what we've gotten away fro

What year is this?

[cbass377]

It has happened before, it will happen again.

Remember the Microsoft Trustworthy Computing Initiative of 2002. 22 years ago in January, Bill Gates sends an email saying

"ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new

Bill Gates' Trustworthy computing email

[echo123]

Bill Gates sent this message to every full-time employee at Microsoft, describing the company's security strategy.

From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing

Every few years I have sent out a memo talking about the highest priority for Microsoft. Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet trul

Just another way...

[eneville]

of telling people that what they're running now needs upgrading to the more secure future.

Won't work

[az-saguaro]

I see big flaw in this situation, not based on MS per se, but based general psychology and human behavior. Even if the corporate overlords at MS are feeling genuinely sincere about this ...
! ... stop and parse that for a moment. Is it genuine? Could be - but whether it is coming from their "heart", wanting to finally do good, versus a cover-up reaction to bad press, unknown. I know there are many MS cynics who will say it is all for public show, but either way, for the moment, it may indeed be genuine.

oh no

[awwshit]

We fired everyone. Now what?

Bye Bye Windows

[DeathSquid]

"When faced with a tradeoff, the answer is clear and simple: security above all else." I guess it is Linux only in Microsoft from now on. Unless they are lying. Again.

Won't work.

[jd]

Security is rarely isolated flaws but component interactions, where the flaw could exist in either or both. Security reviews of employees is a totally useless way forward.

A provable level of security can be achieved, but only if it is systemic and that requires an evaluation of the ecosystem, not individuals.

They are fixing the wrong problem in the wrong place and will thus achieve the wrong result.

How to measure this?

[sad_]

It probably will be some obligatory course they will have to complete each year to prove they are security aware and are using the proper tools, or something similarly worthless. How are they actually going to rate how secure your work is, basically an impossible thing to do.