Microsoft’s Opportunity to Reinvigorate Security Leadership

The White House-hosted cybersecurity summit on August 25, 2021, was an opportunity for representatives from the private and public sectors to discuss how they can collaborate to address pressing information and computer security issues. Many of the leading technology companies, such as Amazon, Google, IBM and Microsoft, made commitments to expand cybersecurity funding and to help address the shortage of skilled cybersecurity professionals.

Microsoft pledged to “invest $20 billion over the next five (5) years to accelerate efforts to integrate ‘cybersecurity by design’ and deliver advanced security solutions.” This was, by far, the largest commitment from any of the leading cloud and information technology companies in attendance.

$20 Billion, in Context

Microsoft’s commitment to invest $20 billion over five years to improve cybersecurity software resilience is a significant dollar amount. However, when put into context, the amount represents only a tiny share of the total amount companies are presently spending on (and earning from) cybersecurity. According to IDC and Gartner, the overall market for cybersecurity products and services was between $125 billion and $134 billion in 2020.

On average, then, Microsoft’s promise breaks down to $4 billion a year, substantially more than the $1 billion in security investment Microsoft committed to in 2017. It is also only a fraction of the $10 billion in revenue Microsoft earned over a 12-month period from “advanced security and compliance” products and services sold to hundreds of thousands of enterprise customers. In fiscal year 2021, for instance, Microsoft had total revenue of $168 billion with net income of $61 billion.

Reinvigorate Trustworthy Computing

One of the seminal moments in cybersecurity history was the “Trustworthy Computing” memo Bill Gates sent to all Microsoft employees on January 15, 2002. In that email, Gates (then chairman and chief software architect at the company) stated that Microsoft needed to focus on building more reliable products. Security requirements needed to be the priority.

That focus led to the development of Microsoft’s security development life cycle (SDL) process, on which all…