A few years ago, the one and only question about the competitive dynamics among the hyperscalers was this: Is the #1 player Microsoft, with its incredibly broad and big product portfolio, or Amazon, with its first-mover status from back at the dawn of the infrastructure-as-a-service (IaaS) market?
But in the Cloud Wars, time and tide wait for no company, and having a fixation on perfecting your past rather than a fierce focus on delighting your customers is a sure sign of trouble.
For Microsoft, the most-glaring example of that was its disastrous mindset regarding security and its significance and value to customers. So Microsoft bumbled along with an outdated security strategy, outdated security technologies, outdated priorities for security investments, outdated security leadership, and outdated perceptions of the impact its security shortcomings and failures would have on customers.
Here’s a handful of my analyses of Microsoft’s security troubles over the past several months:
- “Microsoft Cybersecurity Disaster Triggers Customer Doubt, Competitor Opportunity”
- WATCH: “Cybersecurity Special Report: Customer Fallout Amid Microsoft Challenges”
- “Can Satya Nadella Fix Microsoft’s Badly Broken Security Culture?”
- WATCH: “Can Satya Nadella Fix Microsoft’s Security Disaster?”
- WATCH: “Satya Nadella: Why No Mention of China Cybersecurity Disaster?”
In Satya Nadella’s otherwise remarkable 10-1/2-year tenure as CEO, his utter blind spot about security now stands out starkly as the single biggest threat to the company’s leadership in the enterprise cloud.
In case you think I’m overstating it, look at what Nadella himself said six months ago about the massive top-to-bottom overhaul of Microsoft’s security business. Here’s an excerpt from my May 9 analysis headlined “Can Satya Nadella Repair Microsoft’s Badly Broken Security Culture?”, with verbatim comments from Nadella followed by my comments on each:
Again, to see the full memo, please check out the full article from theverge.com. After each excerpt, I’ve offered some comments in italics.
- ‘Underscores our responsibility’: “The recent findings by the Department of Homeland Security’s Cyber Safety Review Board (CSRB) regarding the Storm-0558 cyberattack, from summer 2023, underscore the severity of the threats facing our company and our customers, as well as our responsibility to defend against these increasingly sophisticated threat actors.” *All of that is unequivocally true — but I believe Nadella should have focused on not only “the severity of the threats facing our company” but also the Microsoft technological and cultural shortcomings and deficiencies that the CSRB report laid out in extreme detail. To see some of the most-striking examples of those findings, check out my April 8 analysis.*
- Companywide commitment: “Going forward, we will commit the entirety of our organization to SFI [Secure Future Initiative], as we double down on this initiative with an approach grounded in three core principles: Secure by Design: Security comes first when designing any product or service; Secure by Default: Security protections are enabled and enforced by default, require no extra effort, and are not optional; Secure Operations: Security controls and monitoring will continuously be improved to meet current and future threats.” *Implicit in Nadella’s words is the acknowledgment that security was certainly not a companywide commitment, and that Microsoft — for all of its good intentions — is playing catch-up.*
- A terrible metaphor: “Security is a team sport, and accelerating SFI isn’t just job number one for our security teams — it’s everyone’s top priority and our customers’ greatest need.” *I get the idea, but that was a tin-eared metaphor: I don’t think a single Microsoft customer equates the safety and security of his/her business — and its very survival — as anything resembling a “sport.”*
- #1 investment priority: “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.” *Again, that’s a good remediation step — but it also underscores that Microsoft has not been doing this in the past, and has instead just chosen to speak loftily about its huge commitments to security.*
But more than two years before Nadella had his cybersecurity epiphany, Google Cloud was moving aggressively into the world of AI-powered cybersecurity by announcing in March 2022 that it would spend $5.4 billion to acquire Mandiant and its threat-intelligence business. (The deal closed in September of 2022.)
Since then, Mandiant has become a core element within Google Cloud’s wide-ranging security business as well as a significant factor behind the surging customer demand for Google Cloud’s capabilities that has pushed its Q3 growth rate to 35%, capping off a five-quarter growth acceleration that looks like this: 22.5%, 25.7%, 28.4%, 28.8%, 35.0%.
Over that same stretch of the past five quarters, here’s what Microsoft’s cloud growth looks like: 24%, 24%, 23%, 21%, 22%.
So while I have to tip my cap to Microsoft for its fiscal-Q1 cloud results of $38.9 billion, up 22%, I will also raise this question: What is going on in the minds of customers as Google Cloud saw its growth rate jump from 28.8% in Q2 to 35.0% in Q3, while over the same period of time Microsoft’s grew from 21% to 22%?
In a very strong market — you know, the greatest growth market the world has ever known — why did Google Cloud see a much more dramatic boost in its growth rate over the past three months than did Microsoft?
Final Thought
Over the past week or so, I’ve seen a number of reports stating that Nadella voluntarily asked for his compensation to be cut by $5.5 million as a direct consequence of the company’s cybersecurity failings. I think it’s an excellent idea, but without wanting to sound too much like a public scold, I think that public display is much more style than substance: Since Nadella still took home $79.1 million for the fiscal year ended June 30, that voluntary give-back amounts to a 6.5% reduction in what would otherwise have been an $84.6-million pay package.
I’m a fully committed free-market capitalist. But when Satya Nadella agrees to an annual compensation package that’s 63% higher than the $45 million he took home in fiscal 2024 *despite* presiding over a horribly flawed and outdated security strategy, then Nadella’s own mindset reflects a corporate outlook that still fails to recognize the burdens Nadella’s company is laying at the feet of its customers.
And I think Microsoft is beginning to find out that customers are growing increasingly sick and tired of having to deal with inadequate security services and technologies.
Meanwhile, Google Cloud’s growth rate jumped 6.2 points quarter to quarter, while Microsoft’s rose 1 point.
Coincidence? Maybe.
But I don’t believe in coincidence.