Microsoft's CSO Mike Howard Is Full Of It

GSOC does sound sexier than "monitoring center"

John, I know you are fond of the "controversial headline", but this is just a good example of a case where security is involved in part of what the company offers, and so the CSO or Security Director can easily be involved in promotional or business development efforts. There’s nothing wrong with that. And although it is harder to do at some companies than others, it can almost always be done in big or small but worthwhile ways. In my comments I’m not addressing the PSIM or any other product aspect. I’m addressing the example factor in what you wrote.

Security Business Value is Real

One of these examples involves a direct role in sales; the others contribute value a little differently.

• I know a Director of Security for an information systems services company, who was required by 48 potential clients in just a one-year period, to participate in final sales meetings. They wanted her to explain how their own company applied security to the systems that they were selling, based upon their own use of such systems. They wanted to make sure that the company had a practical understanding of information security, and that they were actually “walking the walk”, not just talking about it. No security director meeting—no deal. She was the key factor in closing many big deals.
  
• I know a Security Manager (now Director of EHS and Security) at a pharmaceutical company, which had started making products to be marketed under the brands of others. Because it is a highly regulated environment, and because security is a very critical aspect of such facilities, his mission was to “Very visibly reduce security risks to acceptable levels at an acceptable cost.” The visibility factor meant that prospective customers would walk the facility and decide that they were much better off contracting out the manufacturing to this Security Manager’s company, than to try to establish the same caliber of Quality and Safety programs in their own facilities. At the closings of many deals, the customer explained that the impressive Security program was one of the key decision factors. Additionally, the use of video cameras in manufacturing lines saves the company over $1 million annually (I have seen the numbers).
• For another company, personnel safety and security for the afternoon and night shifts is critical. The security program was upgraded in many ways to enable the company to hire and retain a higher caliber of individual for these shifts, and it was successful in creating a highly awarded (“Top 50 Best Places to Work”) business climate with a number of business metrics proving it.

I have many other examples, but I think these are sufficient for this discussion. “Security adding business value” doesn’t always mean a direct impact on sales, but it does mean improving the value of the company in one measurable way or another.

Of course the visibility and status that comes with a high position in Microsoft is not going to be available to the majority of security practitioners, and often the most valuable aspects of security programs are highly confidential. But that doesn’t mean they don’t add measurable value to the business.

And I am very familiar with some organizations where executive management still considers security nothing but a cost center, and I have met security managers and directors who have low on the job self-esteem relating to that situation. But if you don’t hold up some examples of security adding value to the business, how can you inspire anyone to look in that direction?

It is very true, as Mike Howard said, "Security must be integrated into the core mission of the enterprise and receive a seat at the table." What that means is different for each organization, but that doesn’t at all mean that Mike’s detailed explanation of it is worthless to other security directors. It does let them understand how they are in a similar or different position, and keeps them from getting false expectations that would result from purely generalist assertions.

In the past Microsoft has established bad reputation on security for itself in several ways. Apart from the sales aspect, the CSO’s visible efforts help correct a part of that situation, and visibly so.

And so I take issue with your very last statement. I don’t think any one CSO could provide an example that all other security directors could copy in rote fashion. Companies are too different one from another, even in the same industries. The underlying implications of your statements about the worth of Mike’s stories are flawed.

Disservice to Security Practitioners

However, in the mix here is another factor, which has plagued security practitioners—most of whom are not aware of it. It’s a disservice that the security industry has unwittingly perpetrated for so many decades that even security practitioners who know better still make statements like, “I’ve been in the security industry for 25 years.” WRONG! There is a huge difference between the Security Profession and the Security Industry, as I have written about before. A Director of Marketing is not in the “Marketing Industry”, but is a “Marketing Professional” in the automotive industry, or hospitality industry, or some other industry. Failure to make such a distinction is an oddity of security practitioners.

One of the reasons for the low status of security practitioners is that they consider themselves part of a product and service industry (i.e. a commodity position), rather than a critical middle or top management part of the organization in which they hold their position. There are historical reasons for it, including contracted security services, but that’s another story.

So don’t be so quick to write the value of Mike’s work off for other practitioners, who certainly don’t need to become sales people to provide measureable business value to their companies. Yes, the bottom line is important, and there are many ways to contribute to it. None of them are worthless.

The postives and negatives of the article content aside, I agree the title is pretty sensationlist. I think a professional publication could sound a little more professional and less emotional charged.

Yes it is good sales technique. Take whats been built with the resources that are easily available and use the big machine to advertise. Can't go wrong when your own company is the biggest software house in the world.

It's simply sound business practice to integrate the corporate risk management or asset protection programs, leaders and services deeply into the larger mission and business of the corporation. At Microsoft the core business is selling the corporations products and services. Security directors who believe they're in the protection business (called white soxers, as white sox & blue suits were the dress du jour for the recently retired who moved from gov't into security director positions in the '60's) have for the most part been shoved aside by those who become students of the business, understand key mission integration and forge deep partnerships by delivering real value in expense reduction, sales maximization and facilitation across the board. Microsoft's GSOC is a bit of flash that impresses clients and also adds to Security's partnerships with the active selling departments whose clients it impresses.

As for being predominantly masochistic and plagued with low self esteem, my experience is exactly the opposite. I guarantee no one ever thought that of me nor of 95% of my brethern in the profession. If they had that mistaken impression on the front end, the loss of a few fingers or toes corrected that mistake early on. :-)

I'm not sure he's "full of SHIT". He is not just a CSO for any average corp. His company actually makes products in the security field.

This is far from the best material on this site.

Well from where i stand, i appreciate the article. I think this whole sceanrio has been called for exactly what it is. Its refreshing to get a the non populist, non rewarded view of things.

This is a no BS site - things are what they are and they get called out for what they are. Its often not popular to be the whistle blower - yet this is a highly needed service. A lot of people just dont have the spine to stand and be counted and call things for what they are. On this site you can COUNT on getting the critical review - if there are a few lose threads to a story, John will pick it apart. I dont know of any other site doing this in a professional and non emotional way. We need this - really.

I think what we may be looking at here is a Chief Security Officer here who has looked for the right avenues and paths to earn himself a seat at the big boy table. As a higher level security manager myself, I identify with a lot of the steroetypes and the frustration with being a 'non-profit center' manager. Often times Securoity can segway into LP, create value and become more of a profit center, but pure security and liability won't show that as easily. As a CSO or higher level security officer in this continually more numbers driven economy, you have to find innovative ways to capture the attention of the C-Suite and stakeholders. How this guy chose to do that was wise given his company's market, but the real lesson here is that to build credibility and power as a CSO, you have to play the game. Mike Howard's played this games well. I think if we looked under the hood though, we would very liekly find that the increased budget and visibility he's brought to Microsoft's Security program has led to better security and funding for core security competencies. Perhaps you could consider his methods marketing, advertising, but in the end I'd wager he's leveraged his successes to invest back into the core elements of security programs and make them better for it. Bravo Mike, well done.

Update: Howard is retiring this month.

It took me awhile to see the original article was so 2013!