[Editor’s Note: GeekWire contributor Christopher Budd worked in Microsoft’s Security Response Center for 10 years.]

There’s an obvious question after this week’s changes at Microsoft: what does the announced split-up of the Trustworthy Computing Group (TwC) mean for security and privacy at Microsoft?

Unfortunately, there’s not been a lot of specific information out of Microsoft so far. I did ask Microsoft for more details but they’re not ready to give more than they’ve publicly disclosed. However, based on my time at Microsoft in the Microsoft Security Response Center (MSRC) and TwC and what they have said publicly, I think we can draw some reasonable inferences as far as what’s going to happen with security and privacy at Microsoft, as well as what it could mean long-term.

The key thing is that while the Trustworthy Computing Group as a named entity is going away, that doesn’t mean that “Trustworthy Computing” is dead at Microsoft. Trustworthy Computing as a concept and principle began with the Bill Gates memo on January 15, 2002. Trustworthy Computing existed before the Trustworthy Computing Group and can (and hopefully will) continue to exist without it.

First, I believe we can expect that the Microsoft Security Response Center and the Microsoft Security Engineering Center (MSEC) will move over to Scott Guthrie’s Cloud and Enterprise division. The MSRC is the group responsible for handling vulnerabilities in all Microsoft products and services and MSEC is the group responsible for improving the security of Microsoft products and services including the ongoing Security Development Lifecycle (SDL). Both of these groups are ultimately engineering at their core so a move like this would make sense. This would be consistent with what John Lambert in TwC tweeted yesterday.

Second, I think we can expect the Privacy group to move over to Brad Smith’s Legal and Corporate Affairs (LCA) group. Privacy as a discipline tends to be more policy and compliance focused so being part of LCA would make sense. Plus, there tends to be a lot of lawyers in Privacy for obvious reasons, so LCA would be a logical fit culturally and organizationally.

In a way, these changes make organizational sense. Beyond the reasons I’ve already outlined, the movement of the MSRC and MSEC actually represents a step back to the future. Before the old Security Business Unit (SBU) was merged with the then-much-smaller TwC around 2008, it was organizationally part of the Windows product group. Arguably the Cloud and Enterprise group is the successor to the Windows group, so the MSRC and MSEC can be seen as coming home again.

This is all well and good but what does this mean in real terms?

First, it can mean good things for security at Microsoft. The reality is that real power at Microsoft derives from how much revenue your group is responsible for. When the MSRC and the predecessor to MSEC were part of Windows they were able to leverage the power of that group to get things done. TwC was never a revenue-generating group and its power suffered for it. In my opinion from my time there, we were able to get more done as part of Windows than as part of the stand-alone TwC because of that reality. It also puts the security engineering groups closer to the people doing the actual engineering, which is how things really get done at Microsoft. Mary Jo Foley has said there are rumors of changes to the patching process at Microsoft: moving these groups like this can support that better. As context, the last major changes we saw around how Microsoft does patching happened when these groups were part of Windows. There haven’t been major changes to patching methodology since these groups were made part of TwC in 2008.

For Privacy too, these changes can be good for similar reasons. While LCA isn’t a revenue-generating group, it carries nearly the same weight as one. LCA has historically been the one group with the power to go toe-to-toe with groups like Windows and Office and impose changes that affect those businesses due to things like antitrust concerns. At its heart, Privacy is often about telling businesses “no, you can’t do that even though it’s good for your business”: being part of LCA can make those arguments much more effective than they are now.

This all means that while TwC as a group will be going away, it could in fact actually be good for security and privacy over the long term: TwC as an applied principle around security and privacy could emerge stronger than it has been.

That’s not to say this is an easy thing. I know a lot of good people who are suddenly out of work. And the “optics” (to use a Microsoft-ism) of “getting rid” of TwC aren’t good and can leave an impression that security and privacy aren’t priorities any more.

But below the surface, given how things really work at Microsoft, this could be a good thing for security and privacy at Microsoft if they execute on it the right way. Only time will tell, though: the truth of what this means will be shown in actions and not words. Microsoft has a strong legacy in security and privacy, which many of us spent years helping to build up. We’re all hoping these changes enhance and further that legacy not diminish it.
