Microsoft’s security sales hit an all-time high in 2022, surpassing $20 billion in annual revenue. It comes as the industry debates the company’s status as a target of tech giants and security vendors.
The Redmond, Washington-based company reported on its earnings call this week that revenue in its security business rose 33% year-over-year and 50% from two years ago. During the current economic downturn, the division has grown faster than all of Microsoft’s other major products.
“We are the only company with integrated end-to-end tools spanning identity security, compliance, device management and privacy, and we interact with more than 65 trillion transactions every day,” Microsoft CEO Satya Nadella said on the earnings call. signal to inform and train.” “We have a presence in all the major categories we serve.”
The CEO also highlighted that the number of customers with four or more workloads on Microsoft has increased by more than 40% over the past year, and called for the decision by the $4.46 billion British sporting goods retailer Fraser’s Group to switch from 10 Security vendors integrated into Microsoft.
Nadella focused specifically on identity, noting that Roku, the $2.76 billion digital media player maker, uses Azure Active Directory to move identity and access management to the cloud. According to a July IDC report, Microsoft has nearly 25 percent of the identity and access management market, with Okta in second place with 9.2 percent.
Additionally, Nadella said the company’s combined XDR and SIEM capabilities have attracted $11.61 billion Japanese pharmaceutical giant Astellas Pharma, $8.5 billion Spanish transportation infrastructure company Ferrovial and the University of Toronto to Microsoft Sentinel.
As Microsoft solidifies its leadership as a security vendor, the debate continues over whether Microsoft’s own technology is a significant contributor to enterprise risk.
The element of contention is the emergence of security breaches related to product offerings. According to the CISA exploited vulnerability list, since the beginning of 2022, Microsoft has reported 169 security vulnerabilities, accounting for 30% of the total number of vulnerabilities discovered in the past year. In 2021, major security agencies including FBI, NSA, CISA, CIA highlighted the 15 most common vulnerabilities and exposures (CVEs) exploited by hackers, nine of which (60%) were due to cybersecurity flaws in Microsoft systems Caused.
Most recently, Microsoft confirmed that misconfigured endpoints could lead to unauthorized access to certain customer data—an incident that sparked a debate about the severity between the company and threat intelligence firm SOCRadar in October 2022. In November, Microsoft patched six zero-day vulnerabilities, including two critical ones that have been exploited by threat actors for months.
A Microsoft spokesperson told SC Media in a statement that “in today’s threat landscape, no company or individual is safe from attack” — something that has been proven true over the past few years, with numerous attacks on technology and security. The same is true of corporate violations. Large number of instances Microsoft technology also needs to be considered when evaluating exposures.
But some industry leaders have expressed concern about Microsoft’s credibility in running the security business. Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, detailed a phenomenon he calls the “Microsoft paradox” in a December op-ed for Fortune, noting that Microsoft gains financially from functional vulnerabilities.
“if [Microsoft] It can do amazing things for the security community when it’s slow to release more secure code, discontinue old features (like Apple), or try to get its huge customer base to a good security baseline faster (like Google) . But that’s not the case,” Kalumber wrote. “Instead of investing millions of dollars in preventing vulnerabilities and exploitable configurations, Microsoft profits from their existence. So, on the one hand, the company spreads bugs and hosts malware, and on the other hand, it’s in charge of ‘protecting’ users from those bugs and threats. ”
Microsoft Threat, Microsoft Contributed
It’s worth noting that Proofpoint is one of Microsoft’s main competitors in the email security space. It was taken private by Thoma Bravo in 2021 “at least in part because of Microsoft’s entry into the market,” said Rik Turner, senior principal analyst at Omdia.
“Proofpoint’s comments could be misguided because they have a financial incentive to make people suspicious of Microsoft,” added Malcolm Harkins, chief security and trust officer at Epiphany Systems and former chief security and privacy officer at Intel.
While Huggins did acknowledge that the security industry as a whole has a financial incentive to see the risk cycle continue as vendors profit from the insecurity of computing, he said it was unlikely Microsoft would risk its brand reputation and legal repercussions The risk of vulnerabilities and malware propagation remains in business applications. Instead, he sees the opposite: Microsoft will use the lessons learned from the security business to improve the security of its business applications, such as Microsoft Office.
Microsoft did not directly address the criticism in comments provided to SC Media, but a spokesperson did reiterate that the 65 trillion security signals processed daily by its cloud productivity and security products (mentioned on the earnings call) are capable of analyzing more than 25 Billion endpoints signal every day and stop 34.7 billion identity threats and 37 billion email threats in a year.
The Microsoft spokesperson also referred to the “extensive amount of data and research” done for the Defender community. “We fundamentally believe that collaboration is critical and that all suppliers must work together to make the world a safer place.”
For the industry as a whole, Turner said Microsoft’s presence in the security market is a positive — promoting competition, but also placing greater emphasis on standards like the FIDO Alliance’s passwordless authentication to drive awareness and adoption.
But suppliers beware, Turner said. “Even if you develop complementary technologies, it’s a bit like sleeping with an elephant,” he said. “If Microsoft buys your competitor or develops a capability on its own, you’re going to be knocked out.”