Unfortunately most of the "hard" work will be metrics massaging, redefining words and covering stuff.

But the first phase will be a lot of "security & quality" presentations to the troops, some hiring and ground prep-work so the blaming can be done when things go south.

I would like to be more positive, but I have already seen this cycle too many times.

How about security being part of the requirements to keep a job instead of a monetary bonus? And this has to be applied to the top, only then to the bottom.
A bit curious how it is worded. I wonder whether it will actually improve security, or whether it will be metrics that are being played around with, actually decreasing security (e.g. teams might stop registering/tracking issues as a way of not having registered bugs).
"...its Senior Leadership Team's pay partially dependent on whether the company is "meeting our security plans and milestones," though Bell didn't specify how much executive pay would be dependent on meeting those security goals."

What's the percentage? What are the milestones?

Edit: The "security plans and milestones" appear to be here: https://www.microsoft.com/en-us/security/blog/2024/05/03/security-above-all-else-expanding-microsofts-secure-future-initiative/
Perhaps they should tie executive pay to customer satisfaction?

Security is somewhere under that umbrella. Also all the other stuff end users give a shit about that Microsoft doesn't...
Funny how I've heard from an Azure employee who worked with many big clients that very few among them cared about security - the incentives were just not there.

Seems like they're finally doing something about that, to set an example for the rest of the industry.
If anyone is dumb enough to trust Microsoft after all the shit they've pulled over the last 30+ years, including the most recent collection of large-scale security fuckups, they deserve what they get.
Related recent discussion: https://news.ycombinator.com/item?id=40228212
"Secure by default: Security protections are enabled and enforced by default, require no extra effort, and are not optional."

Let me guess: logging in with a Microsoft Account is a security protection, as is collecting more telemetry, for security of course.
Charlie has been at MSFT a little while now, I suspect he knows how the machine works.

I would expect this to result in lower feature velocity. In theory features are tied to increasing revenue. If so, I wonder if he is actually willing to make that trade-off.
I wonder why Microsoft is doing this now. They had blithely ignored security for many years. Their products have been insecure by default as long as I can remember.
This is like the Samsung managers that have to work 6 days a week. What a drain on morale.

Software in particular has been so lucky to have so many people able to steam ahead, break ground, make features and new products. This caring for the rest, looking at longer lifecycles & maintaining... It's not fun. It's not inspirational. It's not fast. It doesn't feel productive or creative.

And that's some of the next decades for this profession. An end to fun and innovation. More being yoked and driven by external demands & stressors. Good luck all.
Fun fact: for many years now executive (and manager) pay at Microsoft has been tied to meeting diversity quotas, and hiring straight white men when you're under quota required exec approval: https://www.cspicenter.com/p/what-diversity-and-inclusion-means

How this particular new "tying" of one thing to another impacts the overall state of things is anyone's guess.