A little over a decade ago, folks were pushing Microsoft hard because its platforms and products weren’t as secure as they needed to be. Kids coming out of school, like the ones who founded Google, were the most strident. Now, Microsoft is showcasing security as a competitive advantage against companies like Google. I think that is both ironic and sad. It also showcases that if we don’t understand why something exists, we can’t avoid the same mistakes ourselves. I’m kind of fascinated by how a firm that came to market led by people who badmouthed Microsoft for security could be on the wrong side of a wiretapping complaint and be losing. The polar opposite of good security isn’t bad security, it is actually being a thief. When your chairman gets laughed at when he talks about the security of your platform, you have a problem.
Let’s take a moment to look back and talk about why security was a problem at Microsoft and why it is a huge problem for the current generation of social networking companies.
Microsoft and Security
At the beginning, security was simply someone else’s job. Microsoft was focused like a laser on ease of use, which is generally in conflict with security. You could see that conflict play out with the various anti-virus and access management firms. Microsoft would make it easy and the security firms would implement programs that increased security, but made it harder to log in or slowed the system down significantly.
If this were a symbiotic relationship, it likely could have remained healthy, but the security firms, in order to sell security software, needed Microsoft’s platforms to look dangerous so they aggressively promoted how unsecure the platforms were. Some of the less honest ones also allegedly created the exploits that showcased the exposures so they could sell their products.
This activity accomplished more than pissing off Microsoft. Basically, its security partners were spending tons of money badmouthing Microsoft's products, but it seemed to significantly increase the number of people trying to break through the then limited security.
Security Isn’t Fun
Security requires a specialized skill set. This tends to place those focused on security in their own groups, which are subordinated and annoying to the product groups. I should point out that QC often finds itself in this same kind of annoying role, separate and seen as an impediment to getting the product out the door. I worked in a large software unit (storage software) that disbanded the QC organization because they found it annoying and redundant, only to find that they actually had been doing a valuable job when products coming out after that decision failed in customer shops.
As a company matures, particularly in the enterprise space, it typically learns that security is just as important as quality (in fact they are often intertwined in the mind of the customer) and that if you don’t make both an integral part of the effort, you run a high risk of catastrophic market failure.
Google’s Unique Problem
The reason Google missed security is likely the same reason Microsoft did: It got in the way of the product. But the reason it is taking so long for Google to wrap its arms around the problem is that it gives its stuff away for free. That means it doesn’t feel the revenue/profit drag that Microsoft experienced when it had the same problem. Google sees numbers, but Android revenues are still tied to ads and not clearly coupled with product sales. Amazon and Nokia have their own more secure versions of the product, which typically count in Android numbers and much of Asia also runs on an Android fork not connected to Google, but still potentially shifting ad revenue to it (since it owns much of the ad revenue back end).
Google simply doesn’t have the financial motivation to fix the problem that a typical product revenue model would supply. Eventually a security problem will result in litigation, sanctions from a government, or possibly even a death or injury (likely tied to automotive efforts), but it will take an extreme event to push the company to fully accept security as core to its efforts because it simply won’t get the same early revenue warning that Microsoft or Apple would get.
Wrapping Up: Google Didn’t Get It
When the folks who went on to found Google were exiting school and likely complaining viciously about Microsoft’s security issues, for good reason, they simply never understood why those issues existed. They not only couldn’t avoid the problems but, by most measures, created a platform that was even more vulnerable. Young companies typically are tactical but to launch with a known problem in your face like this and then repeat it should be unprecedented. However, I should point out that it isn’t that uncommon, largely because people don’t ask “why” often enough. I can easily point out problems that Microsoft has repeated that it gleefully watched IBM make, for instance.
To avoid a problem, it is both critical to understand why it existed and to know when and if it will ever be corrected. Those tied to programs like Net Promoter Scores (NPS) should be quicker to address problems than those tied to revenue, who in turn will be quicker than those who react only to litigation or wait for catastrophic results.
I think the other takeaway from this is that security and quality are intertwined. Just as you shouldn’t toss out a focus on quality, you should always have tight focus on security. Microsoft learned the hard way that security can’t be something you leave for others to do. Let’s hope more learn from that lesson and not from experience.