Microsoft manages physical security for all its facilities from three global security operations centres (GSOCs): one in Redmond, one in London, and one in Hyderabad. But reaching the stage where that was possible required some complex tactics to transform the traditional vision of of security as "guns, guards and gates" to something that actually helped Gates' business.
Mike Howard, Microsoft's chief security officer, gave a presentation to the Australian Security Industry Association (ASIAL) conference in Melbourne today on how Microsoft approached that transformation. As he explained, after a career in various police forces and the CIA, he began working at Microsoft in 2002, initially heading up the executive protection operation — the people responsible for ensuring Bill Gates, Steve Ballmer and other MS notables weren't attacked in public. (Gates was infamously hit with a cream pie at the World Economic Forum in 1998, so having bodyguards did seem necessary.)
That first-hand knowledge proved to be useful when Howard took the CSO role. "The year I spent in executive protection gave me a bit of an entree to the people in the C-suite and helped me in establishing a bit of a reputation in terms of getting things organised and leading and getting things done."
Howard was charged with replacing Microsoft's existing piecemeal security strategy with one that could cope with rapid global expansion. "Taking a strategic look at our organisation, I realised we didn't have the bandwidth to deal with that exponential growth, and we didn't really have the technology." Microsoft at that point ran 15 physical security centres around the world.
"Many had atrophied," Howard said. "We had 60 different technologies that had been incorporated into our global security organisation. It was through no fault of anybody — there was just no strategy behind the technology."
Making that change to just three centres, each of which could also act as failovers for the other in the event of an unexpected outage at one site, wasn't easy, however. Many staff in the existing Redmond centre took the view that it should take the leading role.
"One of the biggest challenges was our existing team. They were really reluctant to give up the centralised model," Brian Tuskan, senior director of technology and investigations, explained during a Skype cross to the conference.
The Indian location was also somewhat unexpected. "We were looking for space in Asia and SIngapore is where our HQ is," Tuskan said. "But the cost structure to put something in there was a lot of money. We were able to get four times the space in Hyderabad."
The final major challenge was having the shift funded. "We have really worked on developing trust with the executives to get buy-off from the C-suite," Howard said. " It takes a lot of shoe leather and knocking on doors. We wanted to get away from the perception of some leaders that we were 'guns, guards and gates'. You have to spell out to the folks above you why you need the investment. What is the value-add for the entire company? That went a long way to getting buy-in."
"Executives won't give you the time of day if you talk about tactical stuff," Tuskan agreed. "If you talk about how to mitigate risk and how you help the bottom line of the company, they listen."