
Every Microsoft employee is now being judged on their security work

15 points by tambourine_man 10 months ago

11 comments

politelemon 10 months ago
This can only be a good thing, as long as it doesn't fall victim to pointless upper management driven metrics (Goodhart's law, "When a measure becomes a target, it ceases to be a good measure"), but qualitative ones instead
gwbas1c 10 months ago
This reads like it came from Microsoft's security initiative from 20 years ago.

> Microsoft made it clear earlier this year that it was planning to make security its top priority, following years of security issues and mounting criticisms. Starting today, the software giant is now tying its security efforts to employee performance reviews.

Back then, Microsoft held free conferences all over the US to discuss secure programming techniques.

That being said, I've encountered some developers who, because they weren't around 20 years ago, make boneheaded security mistakes. Penalizing developers in performance reviews for (cough) obvious, unprofessional security flaws is rather important.
moribvndvs 10 months ago
I’ve been in situations where the top announces sweeping, high priority directives to assuage customers and the board, but have no concrete or cohesive plan so they just bounce the problem off the bottom of the hierarchy. It’s called ass covering, and it doesn’t usually work out very well.
scj 10 months ago
Are features going to be de-prioritized in favour of hardening existing code? Or are employees expected to keep doing what they are doing just "with security in mind"?

The article makes it sound like the latter. Which will be about as effective as "thoughts and prayers."
rsynnott 10 months ago
> Microsoft employees will have to demonstrate how they’ve made impactful security changes.

What if you’re, say, a graphic designer or something? “The Windows 12 default wallpaper is extra-secure”.
almatabata 10 months ago
Can we get the people judged that allegedly did not prioritize critical security issues properly: https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers
poikroequ 10 months ago
How do they define "security" exactly? Does security include privacy? Will they pull back on all the advertising and tracking they've been forcing upon their users? Will they pull back from injecting AI into everything? How will this affect the backwards compatibility of Windows applications?

It's pointless PR talk without explicitly stating specifics of how this is going to affect their products and services.
synicalx 10 months ago
I'm kind of surprised this wasn't already a thing. Are we to believe that up until literally today, most employees at MS didn't have to think about security? The same MS whose products and platforms are certified for use in, and also actively used in defence, banking, health etc.
ThrowawayB7 10 months ago
Everything old is new again: https://en.wikipedia.org/wiki/Trustworthy_computing But, of course, there's not a peep about TwC in the memo.
nhance 10 months ago
I have this theory I cannot prove that Microsoft has had an existential level security breach, something like a full access breach to all of Azure, but it is covered up in a "too big to fail" type manner.

I have absolutely no way to prove this gut feeling.
ochronus 10 months ago
Theatre