Microsoft’s Culture Clash

Apr 15, 2005

There didn’t seem to be any downsides in Howard Schmidt’s mind. In the late 1990s, the former CSO at Microsoft watched as the company’s Web presence exploded and experienced rising numbers of attacks. Schmidt, who headed up IT security, and others had to decide which investigators from physical or IT security should respond. “That’s when we saw value in converging the two,” says Schmidt.

Soon the decision was made to converge the IT and physical security teams as a whole. In the spring of 2000, Bob Herbold, Microsoft’s then-COO, gave Schmidt the OK to move security out of the IT organization into his. (The new merged group would report to the COO.) But soon there were problems. “I made my biggest mistake: I didn’t anticipate the cultural differences,” says Schmidt. The physical folks had expected to be promoted to the same pay levels as the IT staff. Schmidt had intended to cross-train his team, but he realized that while some of the physical people were on the way to get technical training, they didn’t have the technical aptitude of some IT security people.

The bottom line was that HR decided that pay scales would remain the same. That ticked off some of the physical folks. “Initially everybody was excited, but in a matter of months there was the perspective that, I’m doing the same job, I should be getting higher compensation. It became a distraction from the day-to-day work,” he says.

About a year later, when the COO retired, Schmidt helped form a new group, Microsoft’s trustworthy computing security group. The converged security team was moved back into the IT organization under the CIO. And after 9/11, Schmidt left Microsoft to work full-time on national cybersecurity in the White House. But he still believes in convergence. “The best manager of a security organization has physical and IT experience,” he says.