Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Microsoft

Every Microsoft Employee Is Now Being Judged on Their Security Work (theverge.com) 100

Reeling from security and optics issues, Microsoft appears to be trying to correct its story. An anonymous reader shares a report: Microsoft made it clear earlier this year that it was planning to make security its top priority, following years of security issues and mounting criticisms. Starting today, the software giant is now tying its security efforts to employee performance reviews. Kathleen Hogan, Microsoft's chief people officer, has outlined what the company expects of employees in an internal memo obtained by The Verge. "Everyone at Microsoft will have security as a Core Priority," says Hogan. "When faced with a tradeoff, the answer is clear and simple: security above all else."

A lack of security focus for Microsoft employees could impact promotions, merit-based salary increases, and bonuses. "Delivering impact for the Security Core Priority will be a key input for managers in determining impact and recommending rewards," Microsoft is telling employees in an internal Microsoft FAQ on its new policy. Microsoft has now placed security as one of its key priorities alongside diversity and inclusion. Both are now required to be part of performance conversations -- internally called a "Connect" -- for every employee, alongside priorities that are agreed upon between employees and their managers.

This discussion has been archived. No new comments can be posted.

Every Microsoft Employee Is Now Being Judged on Their Security Work

Comments Filter:
  • by oldgraybeard ( 2939809 ) on Monday August 05, 2024 @12:29PM (#64682606)
    You are forced to use Microsoft products and services. And your judged you on your security!
  • by HBI ( 10338492 ) on Monday August 05, 2024 @12:34PM (#64682626)

    Connects are the Microsoft performance review system. Connects are mostly composed of boilerplate text that satisfies management. Distinction without difference. If you feel the warm and fuzzy, then it achieved its goal.

  • "One of its key priorities alongside diversity and inclusion" Coincidence? These incompetent, wokist corporations wonder why their systems are FOOBAR insecure!
  • A major reason why I have an IT career going on 30 years now is because Microsoft's products that can't truly be fixed.

    I don't directly support Microsoft products anymore, and haven't for around a decade as my specialization has taken me away from their offerings, but for the first 20 years my bread and butter was standing back up systems that had stopped working, including many due to security problems.

    Watching the desktop and server ecosystem since around 2010 I don't see much actually new in what Microso

  • ...to satisfy investors
    It may or may not improve their security

  • The cynic in me expects a large increase in "Are you sure you want to ... Ok/Cancel" prompts.

  • Sure... (Score:2, Funny)

    by Junta ( 36770 )

    "When faced with a tradeoff, the answer is clear and simple: security above all else."

    As everyone knows, if systems are "air gapped" that's a pretty good security measure, so I fully expect all Microsoft products to remove all networking support, because security above all else no matter what right?

    • Yeah. It sounds simple to not compromise security for ship dates or features, but the fact is you have to draw the line somewhere. You can always wait and do yet another review and maybe increase security just that little bit more...
    • "When faced with a tradeoff, the answer is clear and simple: security above all else."

      As everyone knows, if systems are "air gapped" that's a pretty good security measure, so I fully expect all Microsoft products to remove all networking support, because security above all else no matter what right?

      My experience dealing with government STIGs left me with the feeling that security people are only really happy while the computer is still in the box, and even that bugs some of them.

    • Ummm, gotta take into consideration the security of advertisers .., as in financial security. #caring

  • You have been weighed, you have been measured, and you have been found wanting.

    - A Knights Tale

    • Re:necessary quote (Score:5, Informative)

      by packrat0x ( 798359 ) on Monday August 05, 2024 @02:02PM (#64682978)

      You have been weighed, you have been measured, and you have been found wanting.

      - A Knights Tale

      The origin of "Handwriting on the Wall":

      Daniel 5:25-28. "And this is the writing that was inscribed: Mene, Mene, Tekel, and Parsin. This is the interpretation of the matter: Mene, God has numbered the days of your kingdom and brought it to an end; 27 Tekel, you have been weighed in the balances and found wanting; 28 Peres, your kingdom is divided and given to the Medes and Persians."

  • Guaranteed False (Score:5, Insightful)

    by nightflameauto ( 6607976 ) on Monday August 05, 2024 @12:46PM (#64682668)

    "Everyone at Microsoft will have security as a Core Priority," says Hogan. "When faced with a tradeoff, the answer is clear and simple: security above all else."

    I absolutely 100% guarantee you this is a false statement. Don't believe me? How about we put security against profit and see how that lands? I promise you, if it's going to cost profits, security will go right out the window. As it has since the beginning of the company.

    • Re: (Score:3, Funny)

      You are not looking at this the right way. By having this be a core responsibility of each employee, it creates an army of scapegoats the next time there is a security issue.
      • it creates an army of scapegoat

        Uhh, they already have employees, right? *Confused*

        • by Anonymous Coward

          it creates an army of scapegoat

          Uhh, they already have employees, right? *Confused*

          Its the equivalent of having mandatory trainings every year. Everybody figures out how to finish the trainings as quickly as possible without paying any attention to the actual material. Similarly here, everybody will figure out how to meet the "security" requirement with no real changes being implemented.

          i.e. Its a bullet point to the company for legal liability protection. Nothing more or less.

      • You are not looking at this the right way. By having this be a core responsibility of each employee, it creates an army of scapegoats the next time there is a security issue.

        Ah, there's the corporatist mental note I was missing!

      • You are not looking at this the right way. By having this be a core responsibility of each employee, it creates an army of scapegoats the next time there is a security issue.

        Firing more than the poor scapegoat that works as Microsoft CSO when the next major MS bug/hack/zero-day happens, isn’t going to make even a single CEO victim running Microsoft OS feel better, or not blame Microsoft.

        Not a single fucking one.

        • You are not looking at this the right way. By having this be a core responsibility of each employee, it creates an army of scapegoats the next time there is a security issue.

          Firing more than the poor scapegoat that works as Microsoft CSO when the next major MS bug/hack/zero-day happens, isn’t going to make even a single CEO victim running Microsoft OS feel better, or not blame Microsoft.

          Not a single fucking one.

          It's not about making CEOs or, heaven forbid, normal workers feel better. It's about public perception, and keeping just enough good will among people that we don't call for their heads on pikes and get legal action going against them. "But, we made security top priority for everyone!" sounds a lot better than, "We never cared about security, so who cares if it bit you, dumbass?"

  • Is it worth the loss of material for the internet-comedian community:
      * https://turbo.paulstamatiou.co... [paulstamatiou.com]

    ?

  • Unless and until MS cleans up a decade of incompetence, this will do nothing.

  • Security above all else is a good way to make sure nothing gets done.

    The business, meaning the client's business, dictates the security measures that need to be taken. A careful calculation between risks that they expose themselves to vs how much revenue the business generates.

    Nobody gains anything if the security measures cost more than the business generates. Another point is that the business owners should not shoulder 100% of this security burden, tbf, the gov't should be defending against a lot of it,

    • by HBI ( 10338492 )

      You make a great point about the government. Back in the 90s, EDI was a big thing, 'electronic data interchange'. The security was kind of meh by today's standards, but for the 90s it was better than the internet. EDI links were set up on a company to company basis over leased lines, usually, or at best X.25 or frame relay. A lot of the security issues we face today were nonexistent. But the internet was cheaper so EDI networks went by the wayside more or less.

      So now you have this global system carryin

  • I have thought that security comes from the general design. How secure the OS should not depend on what a junior programmer is doing. Right?
  • The change has to come from the top. There's a limit to what you can accomplish from below, as far as quality-related metrics go.

  • Ballmer introduced a very similar security initiative in 2005. https://news.microsoft.com/200... [microsoft.com]

  • The stated goals focus too much on design and not enough on the poor implementation (i.e., lazy coding and reviews). MSFT has too much of a culture where customer issue reports are not addressed because 1) they need a compelling business justification, or 2) they claim they canâ(TM)t fix because some app might rely on the broken behavior. Iâ(TM)ve had MSFT reply with #2 even when an API function is completely broken (eg you can disassemble it and see that all it does is return âoenot implemen

  • "Everyone at Microsoft will have security as a Core Priority," says Hogan. "When faced with a tradeoff, the answer is clear and simple: security above all else."

    I can't wait for some group to claim disproportionate outcomes and claim the policy is racists, sexists, bigoted, etc.

  • "When faced with a tradeoff, the answer is clear and simple: security above all else."

    When the tradeoff is cost, or delays in updating the OS or rolling out new products or services, or short-term profit, or curtailing privacy-stealing activities because they're just natural security holes - then security will fall to the very bottom of the priorities list. If security dictates that customers switch to Microsoft's competitors' products because they're more secure, then the issue of security will be either downplayed or outright lied about. That's just the way Microsoft is.

    This latest 'policy

  • I guess it's time to get rid of this gem:

    if (password="TablizersSecretBackDoor") { approve(); }

  • You have to use our products.

    You will be judged by your security work.

    Double bind at its finest.

  • by Dark Coder ( 66759 ) on Monday August 05, 2024 @04:37PM (#64683448)

    DEI and Security? Together?

    This should end well.

  • Security is of absolute importance, above any and every other metric ... *except it's equals: diversity and inclusion.

    Maybe I'm being a bit crass, but I care a lot more about the security of a product than the color, race, gender, religion, or sexual orientation of the person who wrote it...or how welcome they feel at work. If a team of queer black midget Christian crossdressers could develop the best product, so be it. I just don't care about anything but the result and THAT is what we've gotten away fro

  • It has happened before, it will happen again.

    Remember the Microsoft Trustworthy Computing Initiative of 2002. 22 years ago in January, Bill Gates sends an email saying

    "ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new

    • Bill Gates sent this message to every full-time employee at Microsoft, describing the company's security strategy.

      From: Bill Gates
      Sent: Tuesday, January 15, 2002 5:22 PM
      To: Microsoft and Subsidiaries: All FTE
      Subject: Trustworthy computing

      Every few years I have sent out a memo talking about the highest priority for Microsoft. Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet trul

  • of telling people that what they're running now needs upgrading to the more secure future.

  • I see big flaw in this situation, not based on MS per se, but based general psychology and human behavior. Even if the corporate overlords at MS are feeling genuinely sincere about this ...
    ! ... stop and parse that for a moment. Is it genuine? Could be - but whether it is coming from their "heart", wanting to finally do good, versus a cover-up reaction to bad press, unknown. I know there are many MS cynics who will say it is all for public show, but either way, for the moment, it may indeed be genuine.

  • We fired everyone. Now what?

  • "When faced with a tradeoff, the answer is clear and simple: security above all else." I guess it is Linux only in Microsoft from now on. Unless they are lying. Again.

  • Security is rarely isolated flaws but component interactions, where the flaw could exist in either or both. Security reviews of employees is a totally useless way forward.

    A provable level of security can be achieved, but only if it is systemic and that requires an evaluation of the ecosystem, not individuals.

    They are fixing the wrong problem in the wrong place and will thus achieve the wrong result.

  • It probably will be some obligatory course they will have to complete each year to prove they are security aware and are using the proper tools, or something similarly worthless. How are they actually going to rate how secure your work is, basically an impossible thing to do.

There must be more to life than having everything. -- Maurice Sendak

Working...