The White House-hosted cybersecurity summit on August 25, 2021 was an opportunity for representatives from the private and public sectors to discuss how they can collaborate to address pressing information and computer security issues. Many of the leading technology companies, such as Amazon, Google, IBM and Microsoft, made commitments to expand cybersecurity funding and to help address the shortage of skilled cybersecurity professionals.
Microsoft pledged to “invest $20 billion over the next five (5) years to accelerate efforts to integrate ‘cybersecurity by design’ and deliver advanced security solutions.” This was, by far, the largest commitment from any of the leading cloud and information technology companies in attendance.
$20 Billion, in Context
Microsoft’s commitment to invest $20 billion over five years to improve cybersecurity software resilience is a significant dollar amount. However, when put into context, the amount represents only a tiny share of the total amount companies are presently spending on (and earning from) cybersecurity. According to IDC and Gartner, the overall market for cybersecurity products and services was between $125 billion and $134 billion in 2020.
On average, then, Microsoft’s promise breaks down to $4 billion a year, substantially more than the $1 billion in security investment Microsoft committed to in 2017. It is also only a fraction of the $10 billion in revenue Microsoft earned over a 12-month period from “advanced security and compliance” products and services sold to hundreds of thousands of enterprise customers. In fiscal year 2021, for instance, Microsoft had total revenue of $168 billion with net income of $61 billion.
Reinvigorate Trustworthy Computing
One of the seminal moments in cybersecurity history was the “Trustworthy Computing” memo Bill Gates sent to all Microsoft employees on January 15, 2002. In that email, Gates (then chairman and chief software architect at the company) stated that Microsoft needed to focus on building more reliable products. Security requirements needed to be the priority.
That focus led to the development of Microsoft’s security development life cycle (SDL) process, on which all Microsoft developers and software engineers were trained. Microsoft promoted the process as being designed to catch security vulnerabilities during the development cycle. Many companies adopted or modified the methodology to improve their own software development activities.
Over the years, the Microsoft SDL has aged. The last iteration was published in 2012. Since that time, software development has changed considerably with the advent of cloud technology, among other things. Microsoft should initiate a similar program today to work with the software industry and incorporate the best practices of the SDL into DevSecOps and policy-as-code processes.
Additionally, Microsoft should focus some of their future investments directly on the application security markets. Most attacks are possible because of exploitable software vulnerabilities, but overall spending on the area of AppSec is tiny. According to Gartner, only $3.3 billion of the total $134 billion spent on security is directed to application security.
Additional Leadership Opportunities
Investing billions of dollars in security is a worthy goal, but it needs to be spent wisely to have the greatest impact on all technology users. In addition to increasing investment in application security and leading the way with a modern trustworthy computing initiative addressing DevSecOps, Microsoft has the clout to be a leading advocate in a number of presently underserved areas. Focusing their investment dollars on these areas could significantly influence the direction organizations take as they strive for cybersecurity resilience.
- Security as a Safety Issue: Most enterprises focus on securing assets and are less invested in why those assets need to be kept safe. Organizations need to treat cybersecurity as a safety issue, and Microsoft could take the lead in promoting this concept. In a January 2021 blog, Vasu Jakkal, Microsoft’s corporate VP for security, compliance and identity, stated that cyberattacks ultimately are about safety and that it’s Microsoft’s mission to reassure users that they can be safe in a dangerous world.
- Promote Security to Small and Medium Businesses (SMBs): SMBs are the hardest hit by security attacks and breaches. They are specifically targeted in nearly half of all attacks, and the sad reality is that when they suffer a loss due to a security incident, they often do not have the resources to recover. According to insurance carrier Hiscox, 60% of small businesses go out of business within six months of a successful security incident. As a provider of technology solutions to the vast majority of SMBs, Microsoft is in a perfect position to provide education, support and affordable solutions to help arm smaller companies with the same level of defenses as their larger brethren.
- Invest in Innovation: Cybersecurity improvements are generally first developed by startups. Microsoft should work to invest in and foster additional innovation. Given their high-profile position, vast security knowledge, advanced infrastructure and experience, they can accelerate the development of advanced solutions that can defend against attacks.
- Data Security: Overall investment in data security is as anemic as that in application security. Gartner’s figures reveal only $3 billion spent toward shoring up data security. Microsoft is behind numerous initiatives to improve data security; BitLocker and Office 365 encryption features are two examples. However, encryption scares many people away because it’s complex and can be pricey. Microsoft should do more to educate organizations on the benefits, make it easier to accomplish, and partner with companies that do nothing but provide data security capabilities.
Microsoft’s Relentless Focus on Cybersecurity
Microsoft has an opportunity to enhance its already strong leadership position in cybersecurity. They have proven over the years to be a positive influence on the way other organizations handle security. The issue before them now is increased interest in advancing their own security business rather than pushing the industry towards a shared goal as they did a decade ago.
There is considerable investment in cybersecurity. Billions of dollars are spent on solutions, but in many cases that spending is not focused on the areas where it can have the most impact; the lack of spending on application and data security bears that out. Microsoft has the resources and clout to help reset priorities industrywide.
Microsoft CEO Satya Nadella has been emphatic in his assertion that Microsoft must have a relentless focus on cybersecurity. Given the suggestions above, Microsoft has a real opportunity to help lead the industry toward a safer computing environment. Will they take it?