Recently, Microsoft had, quite frankly, a kicking from the US Department of Homeland Security over their security practices in a Cyber Safety Review Board report. I’ve tried to keep as quiet as possible about this one for various reasons (and I was not involved in the CSRB report, even anonymously) — although long-time followers will know I’ve often been critical of Microsoft’s security posture. The CSRB report is well worth a read — they did a great job.
In particular, I aired some pretty critical (but vague) thoughts after leaving Microsoft. Although there was a period where I gather people were told it was because I had an axe to grind, it wasn’t — it was because I had been concerned about what I had seen. I couldn’t do anything about it at the time due to other issues going on there. Truthfully, I’d always been critical of Microsoft over various things; e.g. prior to joining Microsoft I talked to BBC News about docs.com being the source of Microsoft’s customers accidentally leaking their documents, which ultimately led to the quiet mothballing of the product.
To give Microsoft its credit, it has a unique (from what I’ve seen) and good corporate culture that tolerates dissent. The reason I aired concerns is... well... what happens at Microsoft impacts society. And, selfishly, also me, and my ability to defend the orgs I work for.
They’re uniquely placed as a software and services vendor. Microsoft’s security woes are, in my opinion, a safety issue for society because the dependency on them for civil society is so vast. Those woes are not the fault of one person, or team — in fact, I think they’re due to security debt building up over time.
Microsoft have now announced to customers their response — after a slightly weird few days where they announced what was happening via anonymous press briefings, to shareholders and then attached to pitching Security Copilot in news reports. Lesson for Microsoft here — tell staff and customers first, and keep AI sales separate.
After watching the dust settle, I thought it was important to dig into the announcements and what I think they mean in practice.
[…]