Every Microsoft Employee Is Now Being Judged on Their Security Work (theverge.com)
Reeling from security and optics issues, Microsoft appears to be trying to correct its story. An anonymous reader shares a report: Microsoft made it clear earlier this year that it was planning to make security its top priority, following years of security issues and mounting criticisms. Starting today, the software giant is now tying its security efforts to employee performance reviews. Kathleen Hogan, Microsoft's chief people officer, has outlined what the company expects of employees in an internal memo obtained by The Verge. "Everyone at Microsoft will have security as a Core Priority," says Hogan. "When faced with a tradeoff, the answer is clear and simple: security above all else."
A lack of security focus for Microsoft employees could impact promotions, merit-based salary increases, and bonuses. "Delivering impact for the Security Core Priority will be a key input for managers in determining impact and recommending rewards," Microsoft is telling employees in an internal Microsoft FAQ on its new policy. Microsoft has now placed security as one of its key priorities alongside diversity and inclusion. Both are now required to be part of performance conversations -- internally called a "Connect" -- for every employee, alongside priorities that are agreed upon between employees and their managers.
Wow, talk about a no win position! (Score:3, Insightful)
Re: (Score:2)
How does this apply to the following employees... (Score:1)
...at Microsoft?
Janitor
Receptionist
Lawyer
Accountant
HVAC tech
Cafeteria Cook
Night watchman
Parking lot attendant
Maintenance tech
list of outsorced / 3rd party wokers (Score:2)
list of outsorced / 3rd party wokers
Re: (Score:2)
I am finding this thread hilarious because I'm really not sure if any of the typos are intentional!
Re: (Score:2)
Re: (Score:2)
May Allah Ta’ala have mercy on him
Re: (Score:1)
Re: (Score:3)
Here you go:
And you're judged on your security!
Re: (Score:2)
Re: (Score:3)
Well, at least they've promised to stop completely ignoring it!
They do that every few years, then wait until the fake outrage subsides before it's back to business as usual.
Re: (Score:3)
Re: Thanks HR (Score:2)
That's a false dichotomy, since it's very inconvenient when your security is bypassed.
Re: Thanks HR (Score:5, Interesting)
Convenience is indeed an enemy of security sometimes.
Re: (Score:2)
In the past this might have manifested as "Checks are such a pain in the ass, it's so much more convenient to just carry a few thousand dollars on me at all times" and then wondering why she keeps getting her purse snatched after she flashes all that cash.
Re: (Score:2)
Re: (Score:1)
TOR does not improve security! It improves anonymity, but anything sent to the regular Internet goes through an exit node, which could be run by anyone. At that point the connection is as readable as if you were on public WiFi. It's also likely the cause of most slowness she experienced.
Re: (Score:2, Informative)
I once set up my mom's computer such that it was as secure as I could make it...
No you didn't, you failed to remove Windows from it.
Re: (Score:3)
Re: (Score:1)
Unless it affects profits.
Then you'll get a bad performance review and be denied raises/promotions because profits went down.
Re: (Score:2)
Ahh, a slice of the good old days on slashdot.
Please unleash yourself on the wider internet!
Re:Thanks HR (Score:4, Insightful)
Microsoft is not a charity, they are not a non-profit. They exist for one reason and one reason only -- to make as much money as possible. But security, done PROPERLY, is expensive, and as a publicly traded company there is constant pressure to keep producing higher and higher profits. If you don't deliver higher profits you WILL be replaced.
And so every person, from the CEO down to the lowest level managers, is constantly looking for ways to cut corners, because that is the fastest and easiest way to boost profits. And so, you cut corners and don't take security seriously and hope that you get away with it. And most of the time you DO get away with it.
And then something blows up. And there is lots hand-wringing and investigating, and everyone swears that we're really going to take security seriously now, and we really mean it this time. And a few months later everyone is back to business as usual cutting corners and taking every shortcut possible.
Re: (Score:2)
Re: (Score:3)
you cut corners and don't take security seriously and hope that you get away with it.
Fixing this is easy: just convert Software Engineering into an actual Engineering. As in, demand from all software engineers they follow the same standards of safety in whatever they produce as, say, Electrical Engineers, Chemical Engineers, Mechanical Engineers, Civil Engineers etc. must follow, complete with a requirement to personally sign on with their own name and board number on anything and everything they work in at a professional capacity, with full accountability and the risk of losing the right t
Re: (Score:2)
What is interesting with this solution is that it would swing the pendulum around. A lot of stuff that is now done with software will, all of a sudden, be cheaper if it is done by someone instead of software. On the plus side, this creates jobs. On the downside, everything just got more expensive.
Re: (Score:2)
Re: (Score:2)
Having 'real engineers' around seems to be working well at Boeing.
If things there are bad as is, imagine if management could get away with having no engineers at all?
Management being accountable is the second part of my answer. But the first part is also extremely important. This won't work as well without the first part.
A third aspect would be full legal and financial protection for whistleblowers, complete with legally protected anonymity. If engineers are held responsible, and are free to report ethical violations, there's a strong incentive for the latter to be careful
Re: (Score:2)
That would only be half the battle. The sysadmin side would also have to stop assembling piles of jank to satisfy the staff doing the work. Many compromises are actually less to do with the engineering of the software and more to do with the person who set up the service. Deliberately using an old build with a known flaw because they don't have the authority to force an update of the running codebase to comply with more recent changes, or adding --enable-loose-mode or somesuch so that "ERROR: You can't do t
Re: (Score:2)
The sysadmin side would also have to stop assembling piles of jank to satisfy the staff doing the work.
True. There'd be the need to do something similar on the infrastructure side of the aisle.
all software development and possibly even the running thereof will move to countries that don't do that.
A massive change like this would require international agreements at the WTO / ILO / etc level. If that happened, moving development to countries without such requirements would be a non-starter.
I'm under no illusion something like this will happen. But that thoroughly forcing software engineering to become a full engineering discipline would solve the issues at the root, it would, which is the point of this exercise.
W
Re: (Score:2)
And so every person, from the CEO down to the lowest level managers, is constantly looking for ways to cut corners, because that is the fastest and easiest way to boost profits.
Those are short term profits. The actual product is garbage, so the only reason it sells is because it is a monopoly. If we enforced antitrust on Microsoft, they might need to start looking at behaving in a way that actually ensures their survival... but this is America and apparently, we want only one person to have everything. It is what 'winning' looks like.
Microsoft Connect priorities are meh (Score:3)
Connects are the Microsoft performance review system. Connects are mostly composed of boilerplate text that satisfies management. Distinction without difference. If you feel the warm and fuzzy, then it achieved its goal.
Insecure Software: "diversity and inclusion" LOL (Score:1, Insightful)
Re: Insecure Software: "diversity and inclusion" L (Score:5, Insightful)
If you actually believe that they are prioritizing anything over profit, you are a dupe. And also, as autocorrect wants me to tell you, a dope.
Re: (Score:2)
Globalists have a globalist (not capitalist, note!) agenda that they deploy even though it hurts their bottom line.
Who are these globalists, and what are they doing that you think is not for the purposes of securing more profit?
Re: (Score:2)
Are you making fun of yourself?
Re: Insecure Software: "diversity and inclusion" L (Score:2)
Sure, Microsoft stopped being a super secure company shipping super secure software the second they adopted a CoC... How young are you?
That's a laugh (Score:2)
A major reason why I have an IT career going on 30 years now is because of Microsoft's products that can't truly be fixed.
I don't directly support Microsoft products anymore, and haven't for around a decade as my specialization has taken me away from their offerings, but for the first 20 years my bread and butter was standing back up systems that had stopped working, including many due to security problems.
Watching the desktop and server ecosystem since around 2010 I don't see much actually new in what Microso
Seems like a press release... (Score:2)
...to satisfy investors
It may or may not improve their security
Re: (Score:1)
But only on a surface level
More dialogs (Score:2)
The cynic in me expects a large increase in "Are you sure you want to ... Ok/Cancel" prompts.
Sure... (Score:2, Funny)
"When faced with a tradeoff, the answer is clear and simple: security above all else."
As everyone knows, if systems are "air gapped" that's a pretty good security measure, so I fully expect all Microsoft products to remove all networking support, because security above all else no matter what right?
Re: (Score:2)
Re: (Score:2)
"When faced with a tradeoff, the answer is clear and simple: security above all else."
As everyone knows, if systems are "air gapped" that's a pretty good security measure, so I fully expect all Microsoft products to remove all networking support, because security above all else no matter what right?
My experience dealing with government STIGs left me with the feeling that security people are only really happy while the computer is still in the box, and even that bugs some of them.
Re: (Score:2)
I hate STIGs... The guys at TIC and JTIC are great to work with though.
Re: (Score:2)
it's because you left the box out of your sight for too long!
Re: Sure... (Score:2)
Ummm, gotta take into consideration the security of advertisers .., as in financial security. #caring
necessary quote (Score:2)
You have been weighed, you have been measured, and you have been found wanting.
- A Knights Tale
Re:necessary quote (Score:5, Informative)
You have been weighed, you have been measured, and you have been found wanting.
- A Knights Tale
The origin of "Handwriting on the Wall":
Daniel 5:25-28. "And this is the writing that was inscribed: Mene, Mene, Tekel, and Parsin. This is the interpretation of the matter: Mene, God has numbered the days of your kingdom and brought it to an end; 27 Tekel, you have been weighed in the balances and found wanting; 28 Peres, your kingdom is divided and given to the Medes and Persians."
Guaranteed False (Score:5, Insightful)
"Everyone at Microsoft will have security as a Core Priority," says Hogan. "When faced with a tradeoff, the answer is clear and simple: security above all else."
I absolutely 100% guarantee you this is a false statement. Don't believe me? How about we put security against profit and see how that lands? I promise you, if it's going to cost profits, security will go right out the window. As it has since the beginning of the company.
Re: (Score:3, Funny)
Re: (Score:1)
Uhh, they already have employees, right? *Confused*
Re: (Score:1)
Uhh, they already have employees, right? *Confused*
It's the equivalent of having mandatory trainings every year. Everybody figures out how to finish the trainings as quickly as possible without paying any attention to the actual material. Similarly here, everybody will figure out how to meet the "security" requirement with no real changes being implemented.
i.e. It's a bullet point to the company for legal liability protection. Nothing more or less.
Re: (Score:3)
You are not looking at this the right way. By having this be a core responsibility of each employee, it creates an army of scapegoats the next time there is a security issue.
Ah, there's the corporatist mental note I was missing!
Re: (Score:2)
You are not looking at this the right way. By having this be a core responsibility of each employee, it creates an army of scapegoats the next time there is a security issue.
Firing more than the poor scapegoat that works as Microsoft CSO when the next major MS bug/hack/zero-day happens, isn’t going to make even a single CEO victim running Microsoft OS feel better, or not blame Microsoft.
Not a single fucking one.
Re: (Score:2)
You are not looking at this the right way. By having this be a core responsibility of each employee, it creates an army of scapegoats the next time there is a security issue.
Firing more than the poor scapegoat that works as Microsoft CSO when the next major MS bug/hack/zero-day happens, isn’t going to make even a single CEO victim running Microsoft OS feel better, or not blame Microsoft.
Not a single fucking one.
It's not about making CEOs or, heaven forbid, normal workers feel better. It's about public perception, and keeping just enough good will among people that we don't call for their heads on pikes and get legal action going against them. "But, we made security top priority for everyone!" sounds a lot better than, "We never cared about security, so who cares if it bit you, dumbass?"
/o\ | \o/ (Score:1)
Is it worth the loss of material for the internet-comedian community:
* https://turbo.paulstamatiou.co... [paulstamatiou.com]
?
A meaningless stunt (Score:2)
Unless and until MS cleans up a decade of incompetence, this will do nothing.
The wrong message. (Score:2)
Security above all else is a good way to make sure nothing gets done.
The business, meaning the client's business, dictates the security measures that need to be taken. A careful calculation between risks that they expose themselves to vs how much revenue the business generates.
Nobody gains anything if the security measures cost more than the business generates. Another point is that the business owners should not shoulder 100% of this security burden, tbf, the gov't should be defending against a lot of it,
Re: (Score:2)
You make a great point about the government. Back in the 90s, EDI was a big thing, 'electronic data interchange'. The security was kind of meh by today's standards, but for the 90s it was better than the internet. EDI links were set up on a company to company basis over leased lines, usually, or at best X.25 or frame relay. A lot of the security issues we face today were nonexistent. But the internet was cheaper so EDI networks went by the wayside more or less.
So now you have this global system carryin
Is not security about design? (Score:1)
This is like Boeing suddenly prioritizing QA (Score:2)
The change has to come from the top. There's a limit to what you can accomplish from below, as far as quality-related metrics go.
History Repeats Itself... (Score:2)
Ballmer introduced a very similar security initiative in 2005. https://news.microsoft.com/200... [microsoft.com]
Coding and quality should be the goal (Score:2)
The stated goals focus too much on design and not enough on the poor implementation (i.e., lazy coding and reviews). MSFT has too much of a culture where customer issue reports are not addressed because 1) they need a compelling business justification, or 2) they claim they can't fix because some app might rely on the broken behavior. I've had MSFT reply with #2 even when an API function is completely broken (e.g. you can disassemble it and see that all it does is return "not implemen
Can't wait for policy to be called racist, etc. (Score:2)
"Everyone at Microsoft will have security as a Core Priority," says Hogan. "When faced with a tradeoff, the answer is clear and simple: security above all else."
I can't wait for some group to claim disproportionate outcomes and claim the policy is racist, sexist, bigoted, etc.
Bullshit (Score:2)
"When faced with a tradeoff, the answer is clear and simple: security above all else."
When the tradeoff is cost, or delays in updating the OS or rolling out new products or services, or short-term profit, or curtailing privacy-stealing activities because they're just natural security holes - then security will fall to the very bottom of the priorities list. If security dictates that customers switch to Microsoft's competitors' products because they're more secure, then the issue of security will be either downplayed or outright lied about. That's just the way Microsoft is.
This latest 'policy
Re: (Score:2)
Perfect security isn't one that keeps you from getting where you want to go by reminding you of its presence with every step you take.
Perfect security is so stealthy that you don't even know it is there until you try to do something that compromises it.
Security that gets into your way is something you WILL get rid of, and without a guilty conscience. You're doing it to improve your productivity. An example:
If you work in a warehouse where stuff gets stolen and security demands that the doors are closed and
Re: (Score:2)
I wish they wouldn't. Malicious compliance is the only tactic that will cause the policy to be changed.
Re: (Score:2)
I wish they wouldn't.
If wishes were horses, then beggars would ride.
Thing is most people aren't inveterate shitbags and do actually want to do the job they're paid for. You also have the additional pressure that unless everyone engages in malicious compliance, you'll be the one with poor productivity and unless there's actually a security incident before you're fired for not doing your job, you'll be the one fired.
Re: (Score:2)
Getting fired for following policy to the letter is an excellent justification for collecting Unemployment. I'd take the risk.
Re: (Score:2)
Too bad, you could actually have learned something.
Oh well, some people just prefer to pretend they already know everything.
But it was so handy, Satya (Score:1)
I guess it's time to get rid of this gem:
Re: (Score:1)
oops, forgot second "=". The double-equal convention is not Monday-friendly.
Between a rock and a hard place (Score:2)
You have to use our products.
You will be judged by your security work.
Double bind at its finest.
Clash of the Titans (Score:3, Funny)
DEI and Security? Together?
This should end well.
Re: (Score:1)
Do you go to bed at night cowering in fear that Harris might become President? I hope so.
Absolute* importance! (Score:1)
Security is of absolute importance, above any and every other metric ... *except its equals: diversity and inclusion.
Maybe I'm being a bit crass, but I care a lot more about the security of a product than the color, race, gender, religion, or sexual orientation of the person who wrote it...or how welcome they feel at work. If a team of queer black midget Christian crossdressers could develop the best product, so be it. I just don't care about anything but the result and THAT is what we've gotten away fro
What year is this? (Score:1)
It has happened before, it will happen again.
Remember the Microsoft Trustworthy Computing Initiative of 2002. 22 years ago in January, Bill Gates sends an email saying
"ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new
Bill Gates' Trustworthy computing email (Score:2)
Bill Gates sent this message to every full-time employee at Microsoft, describing the company's security strategy.
From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing
Every few years I have sent out a memo talking about the highest priority for Microsoft. Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet trul
Just another way... (Score:2)
of telling people that what they're running now needs upgrading to the more secure future.
Won't work (Score:2)
I see a big flaw in this situation, not based on MS per se, but based on general psychology and human behavior. Even if the corporate overlords at MS are feeling genuinely sincere about this ... stop and parse that for a moment. Is it genuine? Could be - but whether it is coming from their "heart", wanting to finally do good, versus a cover-up reaction to bad press, is unknown. I know there are many MS cynics who will say it is all for public show, but either way, for the moment, it may indeed be genuine.
!
oh no (Score:2)
We fired everyone. Now what?
Bye Bye Windows (Score:2)
"When faced with a tradeoff, the answer is clear and simple: security above all else." I guess it is Linux only in Microsoft from now on. Unless they are lying. Again.
Won't work. (Score:2)
Security is rarely about isolated flaws but about component interactions, where the flaw could exist in either or both. Security reviews of employees are a totally useless way forward.
A provable level of security can be achieved, but only if it is systemic and that requires an evaluation of the ecosystem, not individuals.
They are fixing the wrong problem in the wrong place and will thus achieve the wrong result.
How to measure this? (Score:2)
It probably will be some obligatory course they will have to complete each year to prove they are security aware and are using the proper tools, or something similarly worthless. How are they actually going to rate how secure your work is? That's basically an impossible thing to do.