Reflections of a (Retired) CSO

March 25, 2019

What I find most amazing after more than 30 years in the security industry is that while advancing technology and heightened global threats have elevated the role of security and risk in many a corporate landscape, there remain myriad other organizations that still fail to understand its value. This is the world Microsoft’s newly retired CSO Mike Howard lived in for close to two decades, during which he was recognized as a trailblazer for helping move the security function from the basement to the boardroom.

I caught up with Mike late last month at the GC&E Systems Group’s Converged Security Summit (CSS) that took place at the Georgia Aquarium in Atlanta. He was providing one of the keynote addresses, something he seems to be making his “retirement” avocation recently. Mike left Microsoft after 16-plus years as its very high-profile CSO, a position that gave him an opportunity to serve as an advocate for the security and risk function on behalf of others serving a similar role in enterprise organizations. Given his time at the iconic Redmond, Washington corporate giant and a prior life as a veteran CIA operations chief during the tumultuous 1980s and 90s, Mike has a unique perspective on the business aspect of security and how risk shapes an organization’s survival.

Mike admits that when he began his career in corporate security “it was mostly the ‘break glass in case of emergency’ kind of approach from the folks in the C-suite.” At the time, Microsoft was a mostly domestic operation with only a small international footprint. As he puts it: “Our (security operation) was U.S.-centric in the sense that the way we looked at security issues in London, Hyderabad and China was from our lens, so we would send investigators to manage cases there. We didn't understand business.”

But one thing Mike and his staff did understand was that remaining ignorant of the organization’s business and its strategic roadmap was not conducive to building a successful or sustainable security department.

“And so, one of the first things we did was really pounding shoe leather, going around, talking to the then folks in the C-suite,” explains Mike, who obviously already knew folks like Microsoft President and Founder Bill Gates and CEO Steve Ballmer because he’d been running executive protection. “I think they appreciated what we could bring from an EP (executive protection) standpoint. I don't think they really knew the totality of security and we weren't what we are now. So, the idea then was to go to the then leaders of the company and just talk to them and just let them know this is who we are, these are our capabilities, and we are anxious to find out more about your business. We want to find out more about what your strategies are, where are you going?”

Mike remembers that in those days Microsoft was an organization of “only” about 40,000 people, with the bulk of them in the United States. That was his team’s opportunity to begin selling the concept of security as part of the business risk function. And as the company began to rapidly expand internationally, this tack took on even more importance.

“Part of it (the sales pitch) was getting the C-suite to understand that you appreciated their strategies, you're willing to learn where they were going. Then we had to communicate how we could, from a security perspective, map to that and help them,” says Mike.

He goes on to explain that the other piece of that roadmap was for him and his staff to educate board-level executives about the benefits of a proactive and progressive security effort.

“We have a lot of former this, that, and the other, right? Which is great. You need that varied capability. But we didn't have a business mindset. We weren't business enablers. So, the idea was not just getting the folks to know you -- the C-suite folks knowing who you are and what your capabilities are -- you had to make them comfortable with the fact that you're here to help them conduct business and over a period of having them look at you in a different light. Like you had a seat at the table, that you were looked at as the subject-matter expert in security.”

Mike made his bones pushing a simple, yet powerful mantra within his organization: “You're business people first; your business just happens to be security. It's not the other way around.”