Cybersecurity, Policies and Training, Security Hardware and Technology

Upselling Security: Why It’s Problematic

Editor’s note: The views expressed in the following op-ed are the author’s own and do not necessarily reflect those of Total Security Advisor.

Earlier this month, over 26,000 infosecurity enthusiasts convened in San Francisco for a week of security-related product launches, trainings, expert presentations, and networking. Now in its 31st year, the annual RSA Conference is also a moment for reflecting on the state of the field. It’s been 2 years since the RSA Conference happened in person, and in that time, cybersecurity problems seemed to have gotten worse, not better: data compromises, ransomware attacks, and zero-day vulnerabilities discovered in the wild are all up.

It has been an especially bad period in security, however, for Microsoft, from the central role that Microsoft’s identity software products played in the SUNBURST (aka SolarWinds) campaign to the recent discovery of yet another critical vulnerability in Microsoft Office.

This got me thinking: if Microsoft’s products were more secure out of the box, would over 26,000 people still show up at the RSA Conference?

After all, the conference is predominantly concerned with how customers and end-users of IT manage security risks from IT vendors’ products, and Microsoft is arguably the most important IT vendor in the world. For example, Microsoft supplies a dominant share of the U.S. public-sector market for collaboration software, and its Windows operating system runs on around three-quarters of all desktop and laptop computers.

And yet, a report by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) found that 9 of the 15 most-routinely exploited vulnerabilities in 2021 involved Microsoft products. 

CISA also maintains a list of exploited vulnerabilities called the Known Exploited Vulnerabilities Catalog (KEVC) that federal agencies must patch by certain deadlines, pursuant to an order issued by CISA in November 2021. Microsoft products are far and away the most frequent entries in the catalog—in 2022 so far, for example, Microsoft products comprise one-quarter of the entries, more than twice as much as the vendor with the next most entries (Oracle) and almost 8 times as many as Apple and Google.

CISA first published the KEVC in November 2021, and it is up to nearly 800 entries as of this writing. So it’s not as though Microsoft is the only IT vendor whose products have security vulnerabilities. And as any security professional will tell you, there is no such thing as perfect security—some degree of security risk is inherent in complex IT systems.

But Microsoft stands out for the prevalence of vulnerabilities in its products and the severity of those vulnerabilities, in terms of the ability of threat actors to exploit them and cause harm to users. Other vendors do better, by this metric, which suggests that Microsoft could do better too.

The question is, why don’t they do better? The answer is simple: the market hasn’t forced them to. 

Partly, it’s because many customers don’t demand better cybersecurity from Microsoft: security is costly, and at times inconvenient, and many customers simply aren’t willing to pay a premium for more secure products. They prefer new features instead. 

But there are plenty of customers who do want better security; they just lack the negotiating leverage with Microsoft to get it at lower prices because Microsoft doesn’t feel the competitive heat. Microsoft’s security business is booming—$15 billion in 2022. It’s among their fastest-growing lines of business, which raises an uncomfortable question about Microsoft’s incentives: how much of Microsoft’s security business involves selling (or upselling) security solutions aimed at remedying security shortcomings in Microsoft’s own products? 

The answer depends in part on what security features and attributes, if any, ought to be viewed as “standard,” in the same way that certain security and safety features in automobiles—seatbelts, airbags, brakes—are part of the base model. In Microsoft’s case, it is no trivial matter for a business or consumer to switch operating systems, productivity software suites, and cloud service providers. Customer inertia—and the costs that customers must accept in order to overcome it—put Microsoft in a commanding negotiation position to dictate which security features and attributes are “standard,” versus the ones for which customers must pay a premium. And it has a strong business interest in preserving its ability to upsell security.

Microsoft needs to be more transparent about its security business. It has some of the best security people in the world working on shoring up Microsoft’s product and helping customers achieve more resilience against cyber threats. But there is an undeniable tension between selling IT products and services that customers reasonably expect to be safe out of the box and selling security services aimed at shoring up those same products. Software is not automobiles—there is no regulator dictating what features are standard versus which ones aren’t. Given Microsoft’s clout in the marketplace, it has a special responsibility to ensure that its customers are safe—and that its business incentives are aligned to support security.

Andrew Grotto is the William J. Perry International Security Fellow at Stanford University and the founding director of the Program on Geopolitics, Technology and Governance at the Stanford Cyber Policy Center. He serves as the faculty lead for the Cyber Policy and Security specialization in Stanford’s Ford Dorsey Master’s in International Policy degree program and teaches the core cyber policy course for the specialization. He is also a visiting fellow at the Hoover Institution. He served as senior director for cyber policy on the National Security Council during the Obama and Trump administrations from late 2015 through May 2017.