Microsoft wants to be judged on security

Today: how Microsoft plans to rebuild trust in its security culture, Big Tech engineers are burning out on the AI hype cycle, and the quote of the week.




Trust the process?

May is a busy time of the year at Microsoft, which operates on a fiscal year that closes at the end of June. Employees are scrambling to finish projects, managers are preparing reviews, and preparations for its Build developer conference are in full swing.

But Satya Nadella added one more action item to the list on Friday, emailing employees about "something critical to our company’s future: prioritizing security above all else." After years of security incidents and an attempt last November to shake up its approach to security, Microsoft outlined a series of steps it feels it must take to address the issue once and for all.

  • Last November's Secure Future Initiative will be expanded around three principles — secure by design, secure by default, and secure operations — and focus on six areas, said Charlie Bell, executive vice president for Microsoft Security, in a blog post.
  • The first area is "protect identities and secrets," a promise to harden identity systems and protect encryption keys as a direct response to the attack that allowed Chinese hackers to steal U.S. government emails managed by Microsoft.
  • It also promised to remove "all unused, aged, or legacy systems," which were another factor in that devastating attack and have been linked to other cloud security problems in recent years.
  • And Microsoft said it would "improve the accuracy, effectiveness, transparency, and velocity of public messaging and customer engagement," which all by itself could be the most impactful change it makes.

Following a legendary career at AWS, Bell was hired in 2021 to improve Microsoft's approach to security, and at this point it seems obvious that he's had trouble breaking through Microsoft's insular culture. Nadella telegraphed Friday's announcement on last week's earnings call, and from now on, it's his problem.

  • Every cloud provider takes security very seriously, but so far in the 2020s Microsoft's biggest enterprise-tech priorities have been about growth: growing Azure, Microsoft Teams, and these days, its generative AI business.
  • Nadella made it clear to Microsoft employees on Friday that they have a new north star.
  • "If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security," Nadella wrote (emphasis his) in a memo to employees.
  • And corporate is watching: Microsoft will install "deputy CISOs" across the company to report its security progress weekly to the senior management team, which will now be compensated in part on how Microsoft performs against its security initiative.

If there's anyone who can get Microsoft turned around and focused on a big goal, it's Nadella, who transformed Microsoft from the Windows company to the cloud company in less than a decade.

  • But the new emphasis on security will probably require slowing down, as Microsoft learned the hard way the first time it vowed to improve its security culture in the early 2000s, which led to numerous delays of the Windows Vista operating system release.
  • Tech employees get promoted by shipping new features or making deadlines, and managers will need to be empowered to reward employees for a security mindset if these changes are to stick.

As Bell put it, "culture can only be reinforced through our daily behaviors," and the clock just started on Microsoft's bid to shed its security problems.

  • There's not going to be another security memo: either Microsoft gets this right and lives up to its responsibilities as one of the most valuable enterprise tech companies on the planet, or it squanders the advantage it earned in the AI boom.

What are we doing here

Speaking of the accelerated development cycles spurred by the AI boom, the workers tasked with making it happen are becoming disillusioned with the whole idea, according to CNBC. "Engineers and those with other roles in the field said an increasingly large part of their job was focused on satisfying investors and not falling behind the competition rather than solving actual problems for users," Hayden Field reported Friday.

Meanwhile, Business Insider reported this week that the AWS marketing department now requires 80% of all conference material to focus on generative AI, regardless of customer obsession. And just last month at Google Cloud Next, it was very clear that employees had been forced to crank out new AI features and content after Google moved its annual cloud conference up by several months.

There's clearly a lot of customer interest in generative AI, as the latest crop of cloud provider earnings reports detail. But if employees are starting to wonder how much their efforts really matter, customers will eventually reach the same conclusion.


Quote of the week

"Microsoft runs on trust, and our success depends on earning and maintaining it." — Microsoft's Charlie Bell, signaling a turning point in its recent history.


The Runtime roundup

Wiz is no longer interested in acquiring Lacework for the fire-sale price of $200 million, according to Calcalist, which is pretty bad news for Lacework and its investors.

AWS appears to be re-evaluating its relationship with VMware now that Broadcom is in charge, offering VMware Cloud on AWS customers incentives to move those workloads entirely onto AWS, according to The Register.


Thanks for reading — see you Tuesday!
