One of the most frustrating things to watch during the early years of Microsoft (Disclosure: Microsoft is a client of the author) was their lack of in
One of the most frustrating things to watch during the early years of Microsoft (Disclosure: Microsoft is a client of the author) was their lack of interest in security. It was almost as if, when anyone there heard the term, they’d cover up their ears and say “la, la, la, la, la” until you went away. And, as the century turned, Microsoft security meant anything but security, it was mostly bad joke that hit products like Windows and Internet Explorer particularly hard. But this week’s announcement (ranked as the 3rd most important acquisition this year) they are buying Hexadite showcases that over the last ten years Microsoft made a huge pivot. It finally understood that being unsecure could not only result in massive liability for the firm, but was creating a massive drag on the brand because it reflected poorly on quality. It particularly hurt sales of their products in the enterprise.
One thing recently that showcased just how much Microsoft had changed was that when the Wanna Cry virus was released it largely left the U.S., which generally uses legal patched versions of Windows alone, and pounded on Russia who uses unpatched pirated copies of Windows XP. (By the way, I expect Bill Gates chuckles every time he thinks of this because he was famously not fond of folks pirating his stuff.)
Ironically these days they are more often yelled at for providing too much security rather than not enough and their recently-announced acquisition of Hexadite, a high-speed security remediation solution provider, showcases they remain on a path to now excel where they once sucked.
The security problem
The decision to initially allow third party companies to do security for Microsoft likely originated with the firm which initially was mostly a tools supplier that later evolved to pick up operating systems. When you supply tools you typically pick a segment to supply and Microsoft didn’t pick security, which was a clear specialization, and instead focused on tools tied to productivity. For a programmer, this tends to be far more fun because it results in building tools you use with a focus on making them more capable.
Security, then and now, is focused on protecting assets not on making it easier to do stuff so it is far less fun area to work in and folks that create often find security tools an excessive burden they turn off. So, who wants to develop something that you know irritates folks like you and that you want to turn off?
But, security firms must sell products and they found that by aggressively looking for and surfacing exploits and implying that Microsoft’s platforms were massively unsecure they could sell more products. Like selling fire insurance, the best practice is to make folks think the related problem is imminent (which it kind of was) and scare people into signing up.
So, by not doing security, the security industry was doing Microsoft more damage than they were helping which led to a fundamental change in how the firm approached the problem.
Hexadite is a rather interesting enterprise class solution. It kind of takes the problem with SIEM offerings, Security Information & Event Management, that haven’t been doing well of late and flips it. The issue with SIEM offerings is generally too many alerts tied to underfunded security departments that can’t mitigate the related exposures timely. As a result, these products tend to generate reports that, subsequent to a breach, make it look like the IT department knew they had a problem but negligently decided not to fix it.
It reminds me of big problem with backup products when I had partial responsibility for one. Backup performance was great but restores sucked and it was the restore that had the critical path for getting the firm back in business after a failure.
Hexadite uses AI to automate remediation, so if the system identifies a massive number of potential exposures, Hexadite can automatically fix many if not most of them massively reducing the IT departments exposure to charges of negligence. And, also, massively reducing the chance of a breach in the first place. AI-based security solutions are believed to be the near-term future in most markets because AIs are also expected to be heavily used as tools to breach security. It is likely only an AI will be fast and capable enough to stop a hostile AI.
Wrapping up: The lasting lesson
The way I think Microsoft’s problem with security emerged is that they didn’t initially have a practice of stepping back and thinking through what a complete solution must be as they brought increasingly broad and complex products to market. As a result, they didn’t realize until years later that security is a critical feature in an operating system, or any complex product, that can’t be left to others. We see similar problems with the development of autonomous vehicles where it also seems like security is more an afterthought that folks don’t want to think about.
Unless that changes, I expect a lot of the efforts for autonomous robots, cars, planes and ships to eventually end rather badly.
This article is published as part of the IDG Contributor Network. Want to Join?