CSO

After joining Microsoft in 1999, I was nearly always ridiculed at security conferences because of Microsoft's poor reputation when it came to writing software that was vulnerable to attack.  I would always respond that we were working to make things better - and we were, but the pace was slow.  The Code Red event was really the first time that we gained significant momentum - as security experts within the company it was our first opportunity to organize a coordinated response to an attack on a Microsoft product.  The security improvements that resulted from the lessons learned from that attack were integrated into Microsoft products - but there still was not a company-wide security effort that had decent traction.

Then Slammer hit and there was more innovation and improvements made to Microsoft products, but it wasn't until Blaster that there was truly a cultural shift within Microsoft towards a focus on security.  As someone who 'toughed it out' in the early days of security at Microsoft, I can honestly say that I was proud at the advancements that were made over time.  What was most exciting to me was to see how Microsoft went about building a great team of security professionals - throughout the company in many different roles.  From the software engineers writing code, to the support staff that responded to incidents - there was a consistent commitment to excellence when it came to security.  

Looking back at the opportunities that I had to work with other security professionals at Microsoft, it would be hard to find another place on earth with so many talented and dedicated individuals.  From folks like Michael Howard and Steve Lipner, to Jeff Jones, Jesper Johansson and Steve Riley - there was always someone to bounce ideas off of and think about new ways of approaching security problems.  As Microsoft went from the worst in the industry to a leader in many aspects of security - it was just like with a championship NFL team - it's hard to keep the talent together.  

Over the last year it is amazing to see just how the expertise that Microsoft helped develop and nurture has impacted the industry.  Here's a brief list of people that I've worked with and where they are now:

Elliot Lewis - Merrill Lynch
Window Snyder - Mozilla
Jesper Johansson - Amazon

There are too many other security professionals who made valuable contributions to improving Microsoft's security who have gone on to other opportunities.  

The irony here: What would anyone have said in 1999 if it were suggested that it would be Microsoft's security talent that others were trying to attract?  I don't think anyone could have imagined it.  But, it goes to show just how committed Microsoft is to security. There are many others who are still at Microsoft - working to make things better still.  And then there are many like myself who are taking the lessons that we learned there and applying them to new scenarios.