After a number of very big security incidents involving Microsoft’s software, the company promised it would take steps to put security at the top of its list of priorities. Today we got another glimpse of the step it’s taking, since the company is going to take security into account during performance reviews.
Kathleen Hogan, Microsoft’s chief people officer, has outlined what the company expects of employees in an internal memo obtained by The Verge. “Everyone at Microsoft will have security as a Core Priority,” says Hogan. “When faced with a tradeoff, the answer is clear and simple: security above all else.”
A lack of security focus for Microsoft employees could impact promotions, merit-based salary increases, and bonuses. “Delivering impact for the Security Core Priority will be a key input for managers in determining impact and recommending rewards,” Microsoft is telling employees in an internal Microsoft FAQ on its new policy.
↫ Tom Warren at The Verge
Now, I’ve never worked in a corporate environment or something even remotely close to it, but something about this feels off to me. Often, it seems that individual, lower-level employees know all too well they’re cutting corners, but they’re effectively forced to because management expects almost inhuman results from its workers. So, in the case of a technology company like Microsoft, this means workers are pushed to write as much code as possible, or to implement as many features as possible, and the only way to achieve the goals set by management is to take shortcuts – like not caring as much about code quality or security.
In other words, I don’t see how Microsoft employees are supposed to make security their top priority, while also still having to achieve any unrealistic goals set by management and other higher-ups. What I’m missing from this memo and associated reporting is Microsoft telling its employees that if unrealistic targets, crunch, low pay, and other factors that contribute to cutting corners get in the way of putting security first, they have the freedom to choose security. If employees are not given such freedom, demanding even more from them without anything in return seems like a recipe for disaster to me, making this whole memo quite moot.
We’ll have to see what this will amount to in practice, but with how horrible employees are treated in most industries these days, especially in countries with terrible union coverage and laughable labour protection laws like the US, I don’t have high hopes for this.
Yep, definitely setting their employees up as scapegoats for the next big security failure.
> Yep, definitely setting their employees up as scapegoats for the next big security failure.
Why wait for a security failure when such a vague term as “lack of security focus” could be used as an excuse to restrict “promotions, merit-based salary increases, and bonuses” now?
Looks more like a cost-saving measure to me. If this really were a measure to promote security consciousness, they would have reserved an *additional* pot of money and *added* incentives, not taken them away.
Like trucking companies paying by the mile and asking their drivers to slow down, it should be criminal to subject populations to cognitive dissonance on purpose…
For similar reasons, Bill Gates tried the same thing 20 years ago (https://en.wikipedia.org/wiki/Trustworthy_computing#:~:text=required%20for%20improvement.-,Microsoft%20and%20Trustworthy%20Computing,-%5Bedit%5D), yet some of the same security deficiencies are being discussed about Windows today. Why will this be any different??
I tried OpenBSD in VirtualBox, and it is sooooo slooow, because it has no guest additions etc for VirtualBox.
Is FreeBSD faster in VirtualBox?
I think you asked on the wrong post.
A management driven effort to focus on security – ouch! Those poor engineers.
To be crystal clear, this isn’t an engineering problem. The sub-systems in Windows CAN be quite secure. It’s just that for backward compatibility – not an engineering concern, to be sure – they have not changed the default settings to something sensible. This has nothing to do with code quality. This is a defaults problem, which is a problem driven by chosen business objectives. The engineers could make Windows not suck probably in a few weeks, if they were let out of their tightly managed boxes. But that’s not going to happen because Microsoft.
Microsoft is stuck for a reason. If people just need a browser session to use Office, and Windows no longer offers backwards compatibility, then companies can just push people to Macs, or Chromebooks, or even Linux/BSD for multiuser “terminal server” environments. That’s the real core of their revenue, business infrastructure, going poof.
True, but I believe that definitely is Microsoft’s direction. It’s not the Windows OS anymore. It’s definitely Cloud and SaaS, i.e. MSO365, Azure, Azure Active Directory, and OneDrive as the default place to save files in Microsoft products, etc. That’s apparently so since the Windows 10 and 11 installers force you into having a Microsoft Account instead of a local account to accommodate their default cloud offerings.
No Windows RT machines were affected by Crowdstrike. 2024 will be the year of Windows RT on the desktop 😛
I’ve been in the corporate world in DevOps from startup to large enterprise. In that, I see this as nothing more than a PR ploy. As for the minions, or low-level employees, the focus will be on physical security, such as employee badge access control, desktop screen lock, etc. For the SW development end, code can be churned out at the same pace and quality, but they need to beef up QA and the ensuing teams including security analysts, developers, QA, and systems programmers. I’m no expert, I’m retired, please correct me where you see where I’m amiss.
Like this is ever going to work. Management likely still getting a bonus for coming up with such ideas?