- Mike Howard was Microsoft’s chief security officer (CSO) for 16 years.
- He was in charge of security for a global team of almost 200,000 people, including the company’s executive team, its 90,000 employees, and approximately 90,000 contractors in the company’s 700 facilities spread across 100 countries.
- He set industry standards like incorporating security into all employee training programs and making security an integral part of company culture.
- This article is for business owners and security professionals who want to learn from a top CSO who managed Microsoft’s security protocols for more than a decade.
Mike Howard is a former CIA operations officer with 22 years of experience who led Microsoft’s global security operations as the chief security officer (CSO) from 2002 to his retirement on August 31, 2018. During his time at Microsoft, Mike ensured that the company put in place protocols tailored to any type of physical or cybersecurity threat. These protocols are intended to support the company not only before and during an attack, but also after it has impacted employees.
Protocols rooted in tradition
Although Microsoft is considered one of the pioneers in the technology industry, Howard once said that much, if not all, of the security protocols imposed by Microsoft are still rooted in the traditional ways of ensuring security in many corporations.
“Cybersecurity is a big issue on everyone’s mind as we’ve become more globalized as a society, and businesses have expanded their footprints and everything is digital,” Howard told us in a previous interview. “But, traditional security issues of theft, violence against employees, terrorism and natural disasters are all still paramount in terms of being the big security challenges for businesses.”
Howard believes that while technology advances faster every day, large companies like Microsoft should still base their security protocols on blueprints created decades ago. The fundamentals of security are the key to managing a company as big as Microsoft, but they also apply to smaller organizations.
Whether you have over 700 offices scattered in a hundred countries globally, like Microsoft, or are a small business looking to improve your cybersecurity, you need to focus on the common security problems encountered across all levels of management.
How Microsoft handles security
It’s worth noting that Microsoft invests a total of $1 billion annually in making sure that its own data, as well as its clients’, is well protected. However, this is not the only aspect of security the company invests in. It also makes sure that maximum security is upheld in every corner of the workspace. Microsoft’s security incident management relies on the fundamental processes of mitigating security risks: preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.
Even though Microsoft spends huge amounts of money on security, the savings it realizes from preventing and mitigating the effects of attacks, thanks to having exceptional security protocols in place, exceed what it spends.
For example, without proper security protocols, “intellectual property could be compromised and it can affect the company’s brand reputation or lead to lawsuits,” Howard said. Both can result in heavy losses for the company. Security isn’t so much an additional expense for the company as it is an investment.
This is especially important with the rise of data privacy laws, a trend that began just before Howard left Microsoft, when the European Union (EU) adopted the General Data Protection Regulation (GDPR). GDPR exposes companies to financial liability should a data breach compromise the personally identifiable information of any users in the EU. Similar laws, like the California Consumer Privacy Act (CCPA), have also emerged in the wake of GDPR and require companies to plan their security protocols meticulously.
Examples of Microsoft’s security practices
As part of the company’s security protocol, Microsoft has released the Microsoft Security Intelligence Report every six months since 2006. This report summarizes all the threats that have entered Microsoft’s systems, and each of these threats is assessed to help mitigate the risk of data breaches and other possible problems.
Another security feature employed by Microsoft is its Microsoft Defender Threat Intelligence platform, which a security analyst can use to analyze and prioritize the signals or threats that need the highest level of attention.
It functions much like an AI designed for cybersecurity, enabling Microsoft to send personalized emails to users whenever a threat arises. These communications advise users about certain links that should not be clicked, emails that seem suspicious, and other cyberspace actions that might be flagged as threatening.
Mike Howard’s role as a security evangelist
Beyond the developments he enacted at Microsoft to protect its users’ and clients’ data, much of Howard’s distinction as the man behind the company’s stellar security measures is attributed to his role as an evangelist for others. Howard ensured that everyone in the company, from those at the lowest level of management up to the executives and shareholders, understood the significance of security in both the physical and cyber worlds.
“A lot of [Microsoft’s commitment to security] has to do with the evangelizing of security on several fronts within the last decade,” Howard said. “My IT security counterpart and I have worked diligently to really get the movers and shakers, the decision makers here to understand security and to support those security efforts and the pushing down of that message throughout the enterprise.”
Instilling the importance of these protocols in every single worker at Microsoft is a continuous process. These workers are the ones who perform the everyday activities at the company. As such, they must keep business security in mind as they carry out their job functions.
Even when making plans with regard to Microsoft’s marketing efforts, Howard made sure to deliver information that would help the employees go about their responsibilities without compromising their integrity or that of the company’s valuable information. That culture of security evangelism is Howard’s legacy now that he has departed the company.
Employee assistance as a way to ensure security
Howard believes that aside from technology’s role in maximizing security at Microsoft, employees are key to ensuring that work is done with utmost vigilance and observance of adequate security guidelines.
“Having a training program in place is essential to any security program,” Howard said. “Without it, you don’t have a well-rounded security program. We have a certain amount of full-time employees and vendors to cover Microsoft globally; we could never cover the world adequately without educating and creating awareness programs that teach people what to look for.”
There are certain security benefits to educating employees about security risks:
- Employees become their own security personnel; they feel responsible for the welfare of their teams and look out for any possible threats.
- They bring their own experience, surfacing factors that are not usually considered when optimizing security, which makes security protocols more inclusive and effective.
- Employees are trained to be vigilant both in front of their computers and in their immediate surroundings, ensuring holistic security.
Why the HR department is paramount to security
Despite being an integral part of a business, HR is often overlooked when discussing how to optimize security. More often than not, the loopholes in a company’s security system are found in areas that were otherwise treated as irrelevant, which makes them a breeding ground for different types of threats.
“A bad economy, problems at home, even dealing with a sick relative can be things that can trigger [reasons for increased] security at work, and having a team in place to help solve those problems can prevent them from an incident of violence or theft,” Mike said.
This shows that technology alone is not enough to handle security issues. The people who carry out even the simplest tasks at Microsoft should be considered when preparing the mitigations that will be used if a threat arises. A team of professionals in the HR department that is capable of assessing these types of risks is what sets Microsoft apart from others. It’s a lesson other companies should take note of.
How SMBs can learn from Microsoft’s practice
The biggest misconception SMBs have about Microsoft’s cybersecurity practices is that success is simply a matter of how much money you are willing to spend to safeguard your company’s information. However, the truth behind Microsoft’s success is not just the allocation of financial resources.
The reality behind Microsoft’s successful security practices is the proper orientation of the people who build the company from the ground up. It’s about making sure they understand the importance of security protocols, no matter which department they work for, and training them to mitigate the risks they might encounter in the course of their work. Paying attention to employees and proactively updating the information they need to mitigate security risks is an effective way to oversee a company’s cybersecurity.
Don’t leave security up to chance
Mike Howard’s history as a former CIA security officer was a stepping stone to his role as Microsoft’s chief security officer, and his philosophy when it comes to security is rooted in the conviction that all threats can be mitigated as long as proper protocols are in place.
Howard’s time at Microsoft emphasizes the importance of both technological and protocol protections for security, whether that means implementing a cybersecurity system and response plan, training individual team members, or offering them the resources they need to remain vigilant. Company security is everyone’s job, and it takes 24/7/365 dedication to get that job done.