Being the Chief Security Officer of a Fortune 500 corporation presents enough hurdles when that company does business in a defined niche. With the nearly complete acquisition of Nokia, Microsoft has sped up its transformation into a "devices and services” company.
For Microsoft CSO Mike Howard, the buyout of Nokia is presenting challenges his staff and organization haven’t previously faced, however, it’s not like Howard isn’t up to the task. During his tenure as Microsoft CSO, he has guided the company’s corporate security strategies to new heights. From an operations perspective, he led the development of Microsoft’s three interconnected Global Security Operations Centers (GSOCs), which perform global security monitoring and response. The GSOCs based in the Redmond, Wash., corporate campus in the United Kingdom and in India have become showcases for how risk-critical intelligence centers should operate.
Howard is also a leading security industry evangelist for the alignment of security operations with the risk model of the companies they serve, in addition to espousing the importance of the partnership between information technology and physical security.
But Howard admits his biggest challenges are ahead as Microsoft morphs its business model from an exclusive software provider to a global manufacturing entity. “Day to day, we deal with the regular things most CSOs deal with -- terrorism, natural disasters, kidnapping, plus everything that is done in the natural physical security world’s bread and butter. A big chunk on what I do is making sure our higher ups are constantly updated on what we are doing and keeping them informed” says Howard, who acknowledges that now that Microsoft has entered the devices and services space, life will change. “We will be expanding into the hardware space after the pending acquisition of Nokia, so we know we are going to add global facilities and personnel as part of that expansion. When you look at the normal course of business and the fact that it is expanding, how do you keep up with the scale of that growth and make sure that you have the right people in place globally and do they have the right skill sets?”
The Nokia acquisition would thrust more than 32,000 new employees into the global Microsoft family. Howard was quick to assess that his department’s entire security and risk paradigm is changing. “If you just look in the area of supply chain, this is a completely new sector for us,” he says. “We’ve always protected facilities, people, and to some extent, assets. Now you are talking about a situation where you have manufacturing facilities that are vulnerable to attack. We now have to integrate our current technology with our GSOCs and add these new assets into our portfolio.
“But the other issue is we now have to potentially deal with things we have never had to before like armed gangs stealing supplies,” Howard confides. “We’ve talked with our counterparts from other companies that have a lot of experience in devices and services and in the supply chain environment, and they have shared with us incidents with organized armed gangs around the world that actually highjack shipments. That’s an area we haven’t dealt with before, so getting smart in dealing with that and just the everyday manufacturing process is something we are currently involved with from a security perspective.”
Howard’s background -- which includes more than two decades with the Central Intelligence Agency, where he served in the agency’s Office of Security and eventually worked in the Counterterrorism Center handling myriad global programs -- has certainly prepared him for Microsoft’s global expansion. But he is adamant that lessons he learned in the business sector have molded his approach to security and creating successful internal partnerships.
“Those people who come into an executive security position straight from a military or law enforcement background – or even from an agency – sometimes have a tough adjustment since they have that top-down mindset,” Howard says. “Typically, I’m the new sheriff in town and what I say goes, doesn’t work in an enterprise. In most instances, you have to influence without using authority,” says Howard.
He challenges other CSOs to align their thinking and strategic roadmaps with the organizations they serve. He maintains that job-one is taking time to understand the business. “A company like Microsoft is pretty diverse in terms of the portfolio we serve and it is getting even more diverse every day, so taking the time to learn the strategic imperative of each business line and talking to the individual business leaders to gain an understanding of those particular segments is extremely important,” Howard says.
“One of things we started doing several years ago was to review the 10-K every year. Inside that 10-K is an area called “Board risk”, which is what the CEO and the Board delineate as their top organizational risks. Obviously, that document is a really good to study from a strategic point of view, since it gives the security practitioner a holistic picture of where the company is going and what their goals and perceived risks are,” says Howard, referring to the Form 10-K, which is an annual report required by the U.S. Securities and Exchange Commission (SEC), providing a comprehensive summary of a company's financial performance and risk. “What you do with that information from a security perspective is simple -- you use it as mile-marker to align your operations with the stated risks of the company so that you are now tied into the business imperatives.”
The development and enhancements to the Microsoft GSOCs have provided the security staff leverage in many ways. For one, they serve as a tangible asset the entire corporation appreciates. “Because we use our GSOCs as a showcase, we constantly bring our executives in and show them what we do and get their buy-in for what we are doing,” says Howard. “You not only develop this ecosystem of organizational support, but more importantly, we learn. When we bring heavy hitters from Windows or Microsoft Office and we have a dialogue as to what their strategies and needs are, we as a security organization get smarter and better aligned with the business.”
As Microsoft’s business model evolves, so does its security and risk portfolio. No one is more aware of the urgency of staying ahead of the business curve than Howard and his staff. “I’m always trying to make sure that our leadership team has the necessary resources,” Howard concludes. “As the CSO, I expect my team in the field to do their jobs, so back at headquarters we need to provide with funding and technology. I also need to make sure that I am communicating with field and subsidiary business leadership so they can properly support my folks.”
