- The US fight against COVID-19 began just 10 miles from Microsoft’s Redmond, Washington, headquarters.
- No other US tech company grappled with the disease locally and in its core daily business quite the same way.
- Microsoft leaned heavily on Zero Trust — its egalitarian security philosophy — to help its staff and users everywhere work remotely.
- Microsoft rapidly accelerated its cloud-based cybersecurity, allowing it to serve and protect its own remote workers — and pass those advancements on to customers.
- Analysts say the empathetic approach to security signals a new, more humane direction for the company.
The first COVID-19 death in the US was reported on February 29 at a long-term-care facility in Kirkland, Washington, just 10 miles from the global headquarters of Microsoft. At that time, the US had just 22 known cases.
Bret Arsenault, Microsoft’s chief information-security officer, an avuncular 30-year veteran of the company who oversees crisis management, had “playbooks,” a set of online emergency plans. The last time those playbooks were used was to address icy streets around campus last winter. There was no section covering what to do in the event of a pandemic that was about to change the world and its workplaces, perhaps forever.
So Arsenault and a handful of other Microsoft security leaders effectively wrote the playbook for sending its 156,000 employees worldwide home and into a new kind of remote work. And with millions of customers relying on Microsoft — Office 365 alone has over 200 million commercial monthly users — it was important to get it right.
A remote workforce of far-flung employees presented new vulnerabilities — from unsecured coworking tools to email scams targeting employees at home. In response, the company doubled down on the philosophy of Zero Trust — a cornerstone of its customer-facing approach to cybersecurity going forward.
It has also started offering cybersecurity data and tools to its customers, often for free, to help them navigate the very same struggles Microsoft went through in setting up its employees in this new work-from-home world. A tech titan armed with a nimble cloud solution and backed by a $1 billion security budget stepped in as few companies could have.
Business Insider spoke with a half dozen Microsoft executives across its cybersecurity business about how the company has approached the subject of cybersecurity in the months following the arrival of the pandemic in America.
The executives credited CEO Satya Nadella, who recently completed his sixth year at the reins of the trillion-dollar company, with making the company more empathetic to customers in such difficult times.
“Our attitude going into this, from top leadership down, was, ‘Our customers need help right now. So let’s go help them, and we’ll figure the rest of it out,'” Ann Johnson, Microsoft’s corporate vice president of Cybersecurity Solutions Group, told Business Insider. This, she said, was part of “the evolution under Satya.”
‘I’m not a marketing guy’
Zero Trust is a cybersecurity-industry trend, first named by the analysts at Forrester Research, that is reinventing how enterprises protect their computer networks. The approach dispenses with the idea of a network that must be protected from outsiders and is open to trusted users. Instead, it assumes a network has been compromised and requires that all users — from CEO to new employee — be verified continually.
Microsoft’s approach to Zero Trust centers on strong user identity, device-health verification, validation of application health, and secure least privilege access to corporate resources and services. And no passwords — Microsoft uses fingerprints and facial recognition instead.
“What it means is everyone gets verified the same way,” Arsenault said. “It’s a terrible name, Zero Trust. It just sounds awful, like we don’t trust anyone. But it’s ours and I’m not a marketing guy.”
Nadella told Business Insider in a statement: “Security remains a strategic priority for every organization and the shift to remote work has only increased the need for integrated, end-to-end Zero Trust security architecture that reduces both cost and complexity. We’re focused on providing comprehensive identity, security and compliance solutions to protect people and organizations spanning identity management, devices, cloud applications, data and infrastructure.”
6 months in 2 days
Microsoft embraced Zero Trust before the pandemic, but the sudden shift to remote work kicked that process into high gear.
This was never more clear than on day two of the company’s work-from-home experiment, when employees began inexplicably coming back to the Redmond campus.
“Why are they coming back?” Arsenault said he wondered. “What’s going on?”
The employees, not knowing they were being sent home indefinitely, had left their work computers at their desks, as usual. Microsoft couldn’t let them back into their offices, which are still deemed unsafe.
So Arsenault took the plunge and sent the company’s Zero Trust security into all of the employees’ homes. They created 34,000 remote desktops for all the employees who needed to recreate their work computer on a home computer. The project was on the road map for six months. Arsenault and his team did it in two days.
It was a remarkable acceleration of digital transformation that would happen around the world over the next several months. But if Microsoft had not taken that plunge, many other companies using their tools would have had to wait. If the software giant’s teams were not squared away at home on Teams, they could not have built the added security features, protected hospitals, or communicated the free offers.
Nadella’s empathy put to the test
Nadella is famed as the major force behind a dramatic turnaround at Microsoft. When he first took over in 2014, Microsoft was increasingly seen as a has-been in a tech industry dominated by Apple, Google, Facebook, and Amazon. Over six years later, Microsoft is valued at about $1.4 trillion, more than any of those rivals.
A pandemic landing in its backyard may have tested Microsoft’s resurgence more than anything else. The announcement of the first death near Microsoft turned out to be inaccurate, but Washington state leaped to the front of the US crisis, nevertheless. On March 2, there were six known US deaths, all in Washington. That day, Microsoft published a blog entry highlighting its free-access tier to Microsoft Teams’ coworking tools — which provide built-in security in vulnerable areas like videoconferencing and file sharing. The company soon added more free tools in a cascade of offers.
If giving away these features was bad for the bottom line, it was good for Microsoft and Nadella’s legacy, one expert suggested. “This is Satya Nadella’s Microsoft,” Daniel Newman, a founding partner and principal analyst at Futurum Research, said. “The best leaders have understood that solidarity is going to get more long-term viability than being opportunistic.”
Offering live support for any hospital
In March, Microsoft quietly began offering security support for hospitals, including live support of hospitals under attack from ransomware – a major concern as the pandemic ramped up.
Tom Burt, Microsoft’s corporate vice president of customer security and trust, was painfully soft-spoken in discussing the free healthcare offer in mid-April.
“It just occurred to us as we were getting into the COVID-19 crisis, and that healthcare organizations could be under threat from nation-state actors,” he said. “We’re in a unique position to do this, so we feel like we really should.”
Not everyone was impressed by this initiative. Mike Hamilton, the former security chief for the city of Seattle, downplayed the Microsoft outreach to hospitals as “not unlike what a lot of other companies are doing” — including his, CI Security. Hamilton, a cybersecurity veteran, said Microsoft could be making more meaningful offers, such as giving enterprise customers free access to the data that Microsoft’s antivirus and other tools collect in protecting companies’ networks.
But Eric Johnson, the dean of Vanderbilt University’s Owen Graduate School of Management, disagreed. In a study last year, Johnson and other Vanderbilt professors found patchwork cybersecurity systems from multiple vendors were costing hospitals much-needed time and that more seamless security solutions could save lives. “This is great news for healthcare,” Johnson said of Microsoft’s offer, because many hospitals struggle with “heterogeneous IT” and depend on vendors for security. “So having Microsoft jump in to help will be big for them,” he added.
A larger solution only a big company could offer
That same theme — a larger solution that only a company of Microsoft’s scale could offer — again popped up when the software giant made available in May a data stream from its products that any company could use to block email threats related to COVID-19 and the recession. Scam emails carrying malicious links were pounding employee email boxes, and Microsoft’s offer to let competitors use their data to block threats was an unusual gesture.
“This is a step we haven’t taken before,” John Lambert, the general manager of the Microsoft Threat Intelligence Center, told Business Insider. In a highly competitive industry in which companies often guard threat intelligence as a company asset, Microsoft was making its information free to all companies.
“That’s what’s different about this — you don’t have to be a customer,” Lambert said.
Johnson, the Microsoft security-products vice president, said the company’s $1 billion annual security budget and 3,500 cybersecurity workers allowed it to think about two things that almost no other company can right now: the next big disaster, and the possibility that the workplace, as we knew it pre-COVID-19, may never be the same again. “Some people will just never come back into the office to work. How do we address that from a security standpoint?” she said.
Cybersecurity has been a bustling marketplace of competing innovation for the past several years. That hasn’t always been navigable by enterprises or consumers and has sometimes led to enterprises getting stuck with the patchwork of systems that Vanderbilt’s researchers found risked patients’ lives. Microsoft’s new role during the pandemic as a benevolent unifier that partners with smaller companies has been good for cybersecurity, some analysts say.
But there is a sobering historical note about Microsoft’s culture. Bill Gates and Steve Ballmer, Nadella’s predecessors, were known in their own ways for their willingness to play hardball with friends and foes alike. Could Nadella’s empathetic Microsoft, which rushed to the world’s aid — and into a cybersecurity leadership role — backslide into such tactics again?
Newman, the analyst who cited “Satya Nadella’s Microsoft,” doesn’t think so.
He said: “They have a responsibility to shareholders to make a profit, no doubt. Giving things away doesn’t make sense in perpetuity. But right now, chasing profits doesn’t make sense, either.
“They have just taken on this new role of global leadership in security that maybe no one else could have in this key moment. They’re not going to just run off and leave the healthcare and local municipalities they pledged to help. They see themselves as a leader in security and the COVID economy. They want to be that leader. And they will stay there.”