It really depends on the team. Trying to broad-stroke anything about Microsoft engineering is impossible because it's a patchwork of business units and teams that rarely communicate and work together unless forced. Some teams are very visible and have top talent on them that prioritize and think about security. Some services do not... The problem is security is very much a "you're only as strong as your weakest link" kinda thing.
This is a step in the right direction to get the top-layer prioritizing security.
Couldn’t agree more. I can’t emphasize enough how BIG Microsoft is and how many dimensions of security there are. Nobody has as many attack vectors as we do. I’m pretty confident in saying that. It’s a super hard problem and nearly impossible to enforce all of them from an organizational standpoint. But this is a great step in trying to do so.
That's true - he was talking about clients though, if my memory serves well.
The main challenge he highlighted is there're no financial incentives for most companies in the industry to stay secure (unless you're a security company) - the punishment (including reputational risk) is just way too small.