[HN Gopher] Microsoft ties executive pay to security after multi...
___________________________________________________________________
Microsoft ties executive pay to security after multiple failures
and breaches
Author : stalfosknight
Score : 79 points
Date : 2024-05-03 21:32 UTC (1 hours ago)
(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)
| ripvanwinkle wrote:
| about time. you also need a clawback provision since it can take
| a while for flaws to be detected and the execs could be in new
| jobs by then.
| stoperaticless wrote:
| A bit curious how it is worded. I wonder, will it actually
| improve security, or will it be metrics that are being played
| around, actually decreasing security (e.g. teams might stop
| registering/tracking issues as a way of not having registered
| bugs)?
| thegrim33 wrote:
| Pretty much the definition of
| https://en.wikipedia.org/wiki/Goodhart%27s_law
| fsflover wrote:
| Related recent discussion:
| https://news.ycombinator.com/item?id=40228212
| dinvlad wrote:
| Funny how I've heard from an Azure employee who worked with many
| big clients that very few among them cared about security - the
| incentives were just not there.
|
| Seems like they're finally doing something about that, to set an
| example.
| magicalhippo wrote:
| We're getting drowned in security checklists from clients now.
|
| A lot of them don't make much sense for us, we primarily make a
| Win32 B2B program hosted by these customers themselves and a
| lot of the checklists are all about more generic web SaaS
| things (because we charge like SaaS). But the person on the
| other end wants all the questions answered regardless.
|
| Seems that as long as you can put a checkmark in a box that you
| follow various "best practices" and whatnot, actual details
| don't matter. You put a checkmark in a box, you did your best.
| Atotalnoob wrote:
| This is basically what I have experienced.
|
| My current place, there are developers still using like node
| 10 and other ancient software, but god forbid you not fill
| out a checklist.
| kstrauser wrote:
| From being on the buying side, it's likely that the person
| sending you that questionnaire knows a lot of it is
| irrelevant to your situation, but they're personally
| reviewing 100 vendors this year (no, seriously) and there
| aren't enough hours in the week for them to make exceptions
| for everyone.
|
| Very often the best answer would be like:
|
| > Q: Do you use multi-tenant databases?
|
| > A: N/A: you'll be deploying our product on your own server.
|
| That's actually a perfectly fine answer! The person reading
| it doesn't have to explain large gaps in the answers to their
| boss. It documents why this isn't relevant in a way their
| successor can easily understand next year when they're
| reviewing those 100 vendors as part of their annual Vendor
| Management Policy(tm) process.
| Terr_ wrote:
| Sometimes it feels like:
|
| "Which controls exist for medical data?"
|
| "Sir, this is a Wendy's(tm) app."
| kstrauser wrote:
| I get it! I've been on both sides of that table many
| times.
|
| If you see the same questions over and over and over
| again, consider filling out a SIG LITE questionnaire and
| offering that to buyers from the start. If you can give
| them all or most of the info they need in a common
| format, you might be able to head off a lot of follow-up
| questions.
| delusional wrote:
| You can write whatever you want. Nobody is ever looking at
| that document again. By the time the annual process rolls
| around the process has already changed so much that it's
| now insufficient. The mandate from management will be to
| "do it right for future vendors, but blanket approve the
| previously signed agreements"
|
| It's the same thing every time because the actual security
| is in the details, but details are so fucking boring.
| kstrauser wrote:
| I doubt that's the case. I've been working in/near enterprise
| sales for quite a while now. Security is considered unglamorous
| table stakes: companies won't buy your stuff because you're
| doing all the right things, but they'll definitely _not_ buy
| your stuff if you're not.
|
| Giant products like AWS and Azure are too big to grill about
| their security controls. If you try to ask an AWS rep about
| something, they'll direct you to their security portal where
| you can download a SOC2 report and a few other things. That's
| about all you'll get from them unless you're equally huge. The
| most you can really go by is their reputation. If you trust
| AWS, buy their product. If you don't, don't. That's all the
| prior research a typical < 10,000 employee business can
| possibly do.
|
| My suspicion is that your friend is only talking to clients
| who've vetted Azure and figured "it's Microsoft: they're big so
| they probably know more about it than I do". It's not that they
| don't care. It's that there's nothing they can do about it. The
| people who don't already trust Azure would never have gotten as
| far as talking to your friend in the first place.
| cjk2 wrote:
| It's not even that. Everyone has someone else to blame now so
| they give less of a shit about being accountable for picking
| a platform provider.
| voidfunc wrote:
| It really depends on the Team. Trying to broad stroke anything
| about Microsoft engineering is impossible because it's a
| patchwork of business units and teams that rarely communicate
| and work together unless forced. Some Teams are very visible
| and have top talent on them that prioritize and think about
| security. Some services do not... problem is security is very
| much a "you're only as strong as your weakest link" kinda
| thing.
|
| This is a step in the right direction to get the top-layer
| prioritizing security.
| wrs wrote:
| I had heard the previous overriding directive was "DO AI" so now
| am wondering how that combines with "DO SECURITY".
| Nasrudith wrote:
| They are antithetical really. AI is fundamentally about
| undefined behavior because we cannot define it better
| algorithmically (putting aside the AI algorithms themselves).
| Security is about avoiding such undefined behavior and only
| doing things that we expect. At best you have a very secured
| sandbox to keep the AI in, away from anything but user input
| and training data.
| ChrisArchitect wrote:
| Actual article: https://www.microsoft.com/en-
| us/security/blog/2024/05/03/sec...
|
| (https://news.ycombinator.com/item?id=40249290)
| OnionBlender wrote:
| The Ars Technica article is a lot more critical of Microsoft
| and provides some history. That said, it is frustrating how
| most of the links just link to other Ars articles.
| warkdarrior wrote:
| Everybody is copying the Wikipedia model, trying very hard to
| keep you on their website.
| tithe wrote:
| "...its Senior Leadership Team's pay partially dependent on
| whether the company is "meeting our security plans and
| milestones," though Bell didn't specify how much executive pay
| would be dependent on meeting those security goals."
|
| What's the percentage? What are the milestones?
|
| Edit: The "security plans and milestones" appear to be here:
| https://www.microsoft.com/en-us/security/blog/2024/05/03/sec...
| tracerbulletx wrote:
| For sure will result mostly in hiding and not admitting things.
| Crontab wrote:
| MS might not be providing security but at least they are giving
| us the Copilot key and in-Windows advertising.
| GreedIsGood wrote:
| Charlie has been at MSFT a little while now, I suspect he knows
| how the machine works.
|
| I would expect this to result in lower feature velocity. In
| theory features are tied to increasing revenue. If so, I wonder
| if he is actually willing to make that trade off.
| jauntywundrkind wrote:
| This is like the Samsung managers that have to work 6 days a
| week. What a drain on morale.
|
| Software in particular has been so lucky to have so many people
| able to steam ahead, break ground, make features and new
| products. This caring for the rest, looking at longer lifecycle &
| maintaining... It's not fun. It's not inspirational. It's not
| fast. It doesn't feel productive or creative.
|
| And that's some of the next decades for this profession. An end
| to fun and innovation. More being yoked and driven by external
| demands & stressors. Good luck all.
| PedroBatista wrote:
| Unfortunately most of the "hard" work will be metrics massaging,
| redefining words and covering stuff.
|
| But the first phase will be a lot of "security & quality"
| presentations to the troops, some hiring and ground prep-work so
| the blaming can be done when things go south.
|
| I would like to be more positive, but I already saw this cycle
| too many times.
|
| How about security being part of the requirements to keep a job
| instead of a monetary bonus? And this has to be applied to the
| top first, only then to the bottom.
| userbinator wrote:
| More excuses to justify increasing authoritarianism. I don't
| think this will have any positive effect.
___________________________________________________________________
(page generated 2024-05-03 23:00 UTC)