Security came onto Nadella’s radar in 2024 because Microsoft was compromised quite thoroughly (and avoidably) by the Russian intelligence services that year.
Midnight Blizzard was the turning point after a decade of neglect that saw a lot of amazing work done by some very talented people during the Trustworthy Computing era (following the Gates memo) being unwound.
Yes, I'm aware of that, but I'm telling you "Security is Microsoft's #1 priority" isn't a novel thing Nadella came up with; Bill Gates has been saying that many times too.
Just two examples. I think saying "Security is the most important!" is part of the job description of a Microsoft CEO, since they keep repeating it, yet security keeps being a low priority.
The difference in 2002 is that Gates actually meant it. I know this because I got to see it firsthand.
Windows XP SP3 was all about security. Vista introduced massive improvements with things like UAC, ASLR, BitLocker, secure boot and add-ons like EMET that eventually got rolled into Windows itself. At the same time, there were massive changes in the engineering culture in terms of the secure development lifecycle.
A lot of other, arguably sexier feature work took a back seat to get all of these things across the line.
I remember asking Steve Ballmer somewhat before this (late 90s?) "will Microsoft ever prioritize security over new features?". He looked at me like I'd kicked his puppy and said "we would never do that". Culture comes from the top and all that...