Security isn’t fun. There is no better way to say this. I don’t care if you are working as a security guard, bodyguard, or defending against cyberattacks, the job is mostly dreadfully dull and when it gets exciting it is likely because you’ve screwed up or are in the wrong place at the wrong time. Just like in sports, you want to be on offense, not defense. This likely explains why Microsoft and Google, with their operating systems, seemed to leave security as an afterthought that bit both companies in the butt later.
Well, Microsoft just significantly increased the security around Windows 10. It is clearly working furiously to make up for a number of problematic decisions in the 1990s, which could have cost it the market now. While I could say, “better late than never,” I think the lesson here is that security needs to be built in from the start and that forgetting that should now come with the tag line “never again.” Given that Google seemed to have to go through this process all by itself, I figure this is a hard lesson to learn, so will cover it again here.
Security Is Job One
I’ve worn a lot of security hats over the years, and I’m glad to say I have no real security responsibility anymore. The most fun was as a security auditor, figuring out how to breach security, because being on the protect side decidedly sucks. If you are a bodyguard, the person you are guarding is likely your biggest problem. A security guard has to worry most about fellow employees and often other guards, and this doesn’t change with cybersecurity, where your biggest threat is likely from inside the company or through being phished yourself. So, it is easy to see why people don’t line up to do this job when building a new product.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
It isn’t just the potential for a breach, either.
Kaspersky Sues Microsoft
Because Microsoft didn’t take security seriously, a rather robust industry that fixed security problems on Windows grew up around the problem. This was particularly problematic because it not only resulted in third-party companies knowing more about Windows vulnerabilities than Microsoft did, but the method used to market the tools was to aggressively point out how unsecure Windows was. This aggressively promoted alternative platforms like Linux and the MacOS which, initially, were mostly more secure only because of low numbers and the related economic disincentive to putting much effort into them.
But this industry then became protective of the market it had largely leached off Microsoft. Once Microsoft started to step up and address Windows security problems, it got mad. The latest firm to get upset is Kaspersky, out of Russia, which has raised anti-trust competitive issues about Microsoft’s steady security improvements. If you read between the lines, the allegations are basically that Windows 10 is becoming so secure that Kaspersky’s products are becoming redundant.
This is particularly sad because this is the way it always should have been. Windows should have been secure enough so that no third party was needed to secure it.
Given the politics now, I’m kind of impressed with Kaspersky’s nerve. As a Russian company, arguing that Microsoft needs to back away from its security efforts seems way too controversial right now, which could end up damaging Kaspersky more than Microsoft. In short, if you don’t address security adequately up front, it may be incredibly difficult to go back and fix that bad decision later.
Wrapping Up: Security Comes First, Not Last
Treating security as an afterthought is a bad idea. It has taken Microsoft decades to undo this bad decision, and now we are finally seeing the benefits of that reversal, in what is becoming a very secure platform with Windows 10. Watching Microsoft’s pain in fixing this should become a constant reminder that security remains job one in this hostile world and, regardless of how boring it is, you can’t leave it to others. This is something you must ensure yourself.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+