Many years ago, an inspired memo by Bill Gates began the software giant's transition into the vendor security benchmark for the rest of the industry. Today, however, it seems the company wants security to just go away.
Let's briefly review: In 2002, upon realizing that poor security was dragging Microsoft down (at the time, customers were losing faith in its products, and Linux was briefly a legitimate threat to Windows' desktop dominance), Gates wrote a now-famous email launching the company's transformational security initiative called Trustworthy Computing.
After a rocky start, Microsoft doubled down by spending more than $100 million to train software engineers on secure software development, plucking insecure code out of existing products one line at a time, making security a fundamental tenet of every new software product, and in 2003, it launched Patch Tuesday to help enterprises better plan the inevitable need for ongoing security updates.
From there, the security of Microsoft's products improved. Microsoft's Software Development Lifecycle (SDLC) program was widely lauded as a model for secure software development and copied throughout the industry, and security for its then-upcoming products like Windows Vista and Office 2007 improved dramatically.
However, recent events suggest security is no longer one of the software giant's top priorities.
In June, Microsoft briefly pulled the plug on its security advisory mailing list, allegedly fearing new Canadian antispam laws; the company later restored it but made the signup page difficult to find.
Shortly after, there was an odd study in which Microsoft researchers suggested it might be OK to use weak passwords for Web accounts that don't hold personal information, so that users have fewer long passwords to remember for the sites that matter.
Last summer it was caught by surprise when it realized its Windows Store app repository was littered with highly questionable "scam" apps. Around the same time it had to recall and rerelease the fix for MS14-045 when it resulted in blue screens of death for many customers; this in turn led to questions about the Microsoft Security Response Center's testing process and communication efforts.
In the fall, questions arose about privacy issues with its new Delve enterprise social media software for Office 365, with some suggesting that it could, for instance, inadvertently expose people that were considering whistleblower action against their employers. It's the sort of fundamental security issue that Microsoft products rarely encountered a few years ago.
Then, in a shocking September move, Microsoft eliminated its Trustworthy Computing Group (TCG) as part of a layoff involving 2,100 positions, with TCG employees split between broader enterprise and legal groups. My former colleague Dennis Fisher rightly called it "the end of an era at Microsoft."
Some say the reorganization was merely pushing security deeper into other areas of the company, and TCG chief Scott Charney even tried to publicly justify the move, but given how successful TCG had been, it's hard to see it as anything but a diminished role for Charney and a clear statement that CEO Satya Nadella doesn't value security in the way his predecessor, Steve Ballmer, once did under Gates.
Since then, other smaller decisions have suggested security no longer rules the roost, like "do not track" no longer on by default in Internet Explorer, renaming Patch Tuesday "Update Tuesday," and of course its move to discontinue its Advanced Notification Service that infuriated many customers.
All this is particularly strange because not only has security never been more important to business leaders, but also because Microsoft's primary competitors -- Apple, Google and Amazon Web Services Inc. -- have all gone the other way, investing heavily in security as a competitive differentiator.
To be fair, Microsoft has done some good things lately, like launch a bug bounty program, end support for older, insecure versions of Internet Explorer, block risky ActiveX controls, release new versions of EMET, and of course those monthly patches keep coming.
Yet all too often these days Microsoft's security strategy is about style instead of substance. Occasionally pulling the plug on a botnet -- and promptly issuing a press release -- isn't security industry leadership; it's digital self-aggrandizement.
Microsoft would vehemently argue to the contrary, that its security apparatus is as strong as ever, but talk is cheap. If security really mattered like it should, then we'd see substantive proof, like a product and strategy roadmap to foster continued leadership and innovation, high-profile talent being brought into the organization to contribute new ideas, a patch-development process with fewer errors, and Nadella on stage with Charney talking about all of this next week at RSA Conference 2015.
But, for now at least, none of that is happening. What irony that the vendor that led the industry in "building security in" from the ground up is backing away from its leadership position in information security, just when the industry needs it most.
Here's hoping Bill Gates has his pen -- or keyboard -- at the ready. It's time for another memo.
Eric Parizo is the Executive Editor of SearchSecurity. Feedback on this column is welcome via the comments section below or email: [email protected].