Information Security

Thoughts & Experiences from Todd Kutzke

July, 2009


About Information Security

About Me

Last Update: April 20, 2009

I am Todd Kutzke, Senior Director of Information Security (InfoSec) at Microsoft. My role is to manage Microsoft’s information security risk. I make it my priority to protect Microsoft. Our mission is to enable secure & reliable business for Microsoft and our customers. Every day, I’m challenged to make trade-off decisions between security and performance. This blog is a place where I’ll share with you what I’ve learned in the process and the challenges we face in information security.

You could say security found me. When I joined Microsoft about 10 years ago in 1999, growing demands for security and privacy programs as well as performance services opened an opportunity for me to build a team from the ground up. This was the beginning of the ACE (Assessment, Consulting & Engineering) Team. We first formed the ACE Performance team focusing on providing performance services to internal Microsoft. In 2001, we then naturally progressed to form the ACE Security team to support our security and privacy programs which encompassed security assessment, compliance to governance. In 2004 we were given the great opportunity to offer our internal Microsoft security services to external Microsoft customers through Microsoft Consulting Services. This formed the ACE Services team. In 2008, my team expanded again and became a part of Microsoft IT’s Information Security group.

We continue to provide Microsoft customers with the best in Microsoft IT, IP and services globally.


Personal Philosophy:

“Do what you say you will do.”

  • Information Security

    Risk Analysis

    Risk analysis is an intimidating topic for security risk management organizations. Analysis takes precious time and can be complicated. Many times identified risks are vague and there are not a lot of facts to put around the risks. Organizations want...
  • Information Security

    Awareness – Part 1: Empowering the People

    It’s well understood that security is a 3-pronged problem covering people, process and technology. Any solution devised to manage a given information security risk must effectively harmonize the people, the processes and the technologies to optimize the...
  • Information Security

    Awareness – Part 2: Socializing Security

    In my last post on Awareness, I discussed an overview of our Awareness program and how we break up our initiative into breadth campaigns and depth programs to cover both the generic and the specific. In this post, I’d like to discuss a little bit about...