I’m seeing a recurring theme from Satya Nadella’s Microsoft that showcases why it is generally better to use a well-skilled insider rather than an outsider to run a company. The well-positioned insider knows where a lot of the frustrating problems are and will make fixing them a priority. The outsider has to spend a great deal of time figuring out what is broken and often has to make changes before the analysis is even done, which initially does more harm than good. Given how much pressure is on an outsider to show results quickly, it’s a wonder he or she is ever successful in the long term.
So far, Nadella has turned Microsoft’s IT organization into a group that more closely mirrors other enterprise customers in its use of Linux, open source, and cloud services. He has shifted Windows back into an OEM service, and, most recently, has doubled down on security, further correcting one of the oldest Microsoft mistakes.
Microsoft yesterday announced that it is expanding the preview program of Windows Defender Advanced Threat Protection to a broader group of customers interested in testing and providing feedback.
Microsoft is showing that it has begun reversing the security mistake it made a long time ago.
One of the earliest and biggest mistakes Microsoft ever made was effectively outsourcing security on its platforms to third parties. Security is kind of boring, except when it goes wrong, and I’m sure the thinking was that third parties could build a nice business doing what Microsoft really wasn’t interested in doing.
However, Microsoft forgot a couple of things. First, the way to sell security products is to point out the security flaws in the things you’re securing. This was particularly problematic because it not only created a bigger security problem -- in effect, the security firms were regularly reporting on how to breach Windows platform security -- but it created a brand trust problem. Increasingly, in order to sell their products, large companies were marketing the platforms’ flaws. It was like a safety belt vendor marketing just how unsafe the cars are that the safety belts are going into.
Folks typically don’t like buying products they think are unsafe, so this was having an adverse impact on sales. But since the market was growing very rapidly and there was no competing operating system that didn’t also have this problem, Microsoft didn’t really see this as something that needed fixing, at least up until the early part of the 1990s.
Linux started to cut through the server market like a hot knife through butter, based largely on a combination of issues with transparency (tied to a then-new concept called “open source”) and security. PC sales were slowing as well, and suddenly this security problem, seemingly invisible before, started looking like a disaster. Microsoft began to aggressively fund security acquisitions and development.
Microsoft even changed its product release cycle. Instead of releasing a brand-new version of Windows, it had to release Windows XP, which basically addressed the massive security exposures in Windows 2000 and Windows Millennium (effectively killing the massively popular Windows 9x code base).
Things started moving from concern to near panic, and Windows Defender came into being as a new, integral part of Windows’ efforts to bring security in-house and directly address the security exposure that the platform policy had created.
Yesterday’s announcement from Microsoft reflects a changing reality in which no one product can keep a firm from being breached. The announcement moves focus from just the platform to the internal network.
This is called “Post Breach” protection, and it reflects a change that has been happening for some time in the security market: the recognition that no perimeter protection tool is adequate. There are simply too many ways to bypass security, ranging from rogue network elements to users who have been tricked into loading malware to disgruntled employees who breach on purpose.
For the old Microsoft, this would have been a problem for marketing to deal with. For the new Microsoft, it is a problem to solve. In the end, we should all be safer as a result and it once again showcases the importance of having a CEO who both knows the company and knows the technology.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM.