As the chief security officer for Microsoft, Mike Howard has more than a passing interest in the things he sees on the nightly news. Whether it's an uprising in the Middle East, the ongoing threat of terrorism or a natural disaster somewhere in the world, the former CIA officer is prepared for the impact various events could have on his company and its employees.
"Cybersecurity is a big issue on everyone's mind as we've become more globalized as a society and businesses have expanded their footprints and everything is digital," Howard said. "But, traditional security issues of theft, violence against employees, terrorism and natural disasters are all still paramount in terms of being the big security challenges for businesses."
This is especially true when your company is so large and so much in the public eye. Howard's security team is ultimately responsible for the safety and security of Microsoft's entire executive team, its 90,000 employees, roughly 90,000 contractors, 700 facilities in more than 100 countries worldwide and all of the visitors to those facilities. He's also responsible, of course, for all of their computers and hardware and the information it they contain.
The Microsoft security teams deals with threats of violence against executives and employees, employee violence, kidnapping threats, terrorism, natural disasters, property theft and, peripherally, intellectual property protection (which also falls under the purview of a separate, cybersecurity group at Microsoft).
It is always ready to respond to a new problem. It had evacuation plans in place, for example, in all of its locations affected by the Arab Spring uprising in the Middle East this year.
[Howard: Why Every Business Needs a Security Plan]
In Howard's time at the company, the security team has had to evacuate employees from Beirut and the Ivory Coast, has contracted forensic psychologists to examine threatening letters and regularly provides emailed safety information and warnings to all employees who travel overseas.
But it may be his role as an "evangelist" for the company's physical security business group that looms the largest in Howard's job description. Finding ways to communicate and demonstrate the importance of security — both physical and cyber — to the company's executives is the linchpin of developing a security program that manages to keep such a large and public company running smoothly, he said.
"A lot of [Microsoft's commitment to security] has to do with the evangelizing of security on several fronts within the last decade," Howard said. "My IT security counterpart and I have worked diligently to really get the movers and shakers, the decision makers here to understand security and to support those security efforts and the pushing down of that message throughout the enterprise."
Howard believes that his work driving home the importance of both physical and cybersecurity is part of the reason that Microsoft's company culture has come to reflect those values.
"We brief all new corporate vice presidents on security, we bring senior executives to the Global Security Operations Center in Redmond, [Wash.] and show them what technologies we employ to keep the company safe," Howard said. "We're not just guys checking doors and responding to emergencies."
Howard believes that Microsoft has come to understand what many companies never do: That cyber and physical security is integral to the company's overall business, and even its marketing plan .
"Security is important to the entire company," he said. "Intellectual property could be compromised and it can affect the company's brand reputation or lead to lawsuits," Howard said. "This realization led to cultural shift with company becoming more security conscious."
To facilitate the rollout of solid security plans throughout the company, Howard's team has had to essentially deputize every employee to be the eyes and the ears of the company. Microsoft does that with a formal training program.
"Having a training program in place is essential to any security program," Howard said. "Without it, you don’t have a well-rounded security program. We have a certain amount of full-time employees and vendors to cover Microsoft globally; we could never cover the world adequately without educating and creating awareness programs that teach people what to look for."
Today, regular Microsoft employees are instructed to stop a stranger entering a building and ask to see their badge.
"That never would have happened ten years ago," Howard said.
Howard said that good security also involves working with the company's human resources department, which offers employee assistance programs that can help workers in difficult times and potentially prevent an employee problem from becoming a security threat.
"A robust employee assistance program is very important to security issues," he said. A bad economy, problems at home, even dealing with a sick relative can be things that can trigger security issues at work and having a team in place to help solve those problems can prevent them from ever turning into an incident of violence or theft, he said.
- Why the PC (As We Know It) Is Dead