Information Security

Thoughts & Experiences from Todd Kutzke


About Information Security

About Me

Last Update: April 20, 2009

I am Todd Kutzke, Senior Director of Information Security (InfoSec) at Microsoft. My role is to manage Microsoft’s information security risk. I make it my priority to protect Microsoft. Our mission is to enable secure & reliable business for Microsoft and our customers. Every day, I’m challenged to make trade-off decisions between security and performance. This blog is a place where I’ll share with you what I’ve learned in the process and the challenges we face in information security.

You could say security found me. When I joined Microsoft about 10 years ago in 1999, growing demands for security and privacy programs as well as performance services opened an opportunity for me to build a team from the ground up. This was the beginning of the ACE (Assessment, Consulting & Engineering) Team. We first formed the ACE Performance team focusing on providing performance services to internal Microsoft. In 2001, we then naturally progressed to form the ACE Security team to support our security and privacy programs which encompassed security assessment, compliance to governance. In 2004 we were given the great opportunity to offer our internal Microsoft security services to external Microsoft customers through Microsoft Consulting Services. This formed the ACE Services team. In 2008, my team expanded again and became a part of Microsoft IT’s Information Security group.

We continue to provide Microsoft customers with the best in Microsoft IT, IP and services globally.

Accomplishments:

Personal Philosophy:

“Do what you say you will do.”

  • Information Security

    Reducing Operational Risk through Business Continuity Management

    • 0 Comments
    Hi all, I’m Tom Easthope, Sr. Program Manager on the Enterprise Business Continuity team at Microsoft. This blog entry is a companion to the video featuring my colleagues Phil Sodoma and Traci Bishop. In their video they talked about the several aspects...
  • Information Security

    InfoSec Assessment & Protection (A&P) Suite Released

    • 0 Comments
    The Information Security Tools (IST) team has released the InfoSec Assessment & Protection (A&P) Suite. The suite is made up of a technology stack of protection and assessment tools. Anil Revuru (RV) and Mark Curphey in their recent podcast...
  • Information Security

    Anti-XSS Library v3.1 Released!

    • 2 Comments
    The Microsoft Information Security Tools (IST) team has released the latest Microsoft Anti-Cross Site Scripting (Anti-XSS) Library version 3.1. How does a cross-site scripting (XSS) vulnerability occur? An example is when a web application does not encode...
  • Information Security

    Announcing the Connected Information Security Framework (CISF) and Risk Tracker

    • 0 Comments
    I’m excited to announce the release of the Connected Information Security Framework (CISF) developed by our own Microsoft Information Security Tools (IST) team. This software development framework comprises APIs and reusable components that are designed...
  • Information Security

    Dogfooding: How Microsoft IT Information Security Dogfoods

    • 0 Comments
    Hi, Mark Smith here. I’m a senior program manager on the Microsoft Information Security. I’m kicking off our blog series providing you a glimpse into how Microsoft’s IT Information Security (InfoSec) dogfoods. When launching a new product naturally there...
  • Information Security

    Process of Managing Risk

    • 0 Comments
    Information Security’s core function includes managing information security risk. Now there is a lot of content on the topic of “risk management” from both the academic world and the professional world that you can easily find on the internet. While we...
  • Information Security

    Awareness – Part 2: Socializing Security

    • 0 Comments
    In my last post on Awareness, I discussed an overview of our Awareness program and how we break up our initiative into breadth campaigns and depth programs to cover both the generic and the specific. In this post, I’d like to discuss a little bit about...
  • Information Security

    Data Collection & Fact Gathering

    • 0 Comments
    Information security risk management serves organizations best when it is proactive versus reactive. A reactive risk management program identifies a risk after the organization has been affected by the risk and has possibly experienced a risk event. This...
  • Information Security

    Awareness – Part 1: Empowering the People

    • 0 Comments
    It’s well understood that security is a 3-pronged problem covering people, process and technology. Any solution devised to manage a given information security risk must effectively harmonize the people, the processes and the technologies to optimize the...
  • Information Security

    Information Security in India

    • 0 Comments
    Next week I’m going to be in India to visit our team in Hyderabad. Outside of Redmond, USA, Hyderabad is our largest presence that makes up about 20% of our overall globally distributed Information Security team. It’s always a blast for me to visit India...
  • Information Security

    Welcome...

    • 0 Comments
    Welcome… My name is Todd Kutzke and I help lead the Information Security group within Microsoft. Organizationally, we sit inside Microsoft IT and together with our business partners, we help manage information security risk for Microsoft. The intent of...
  • Information Security

    Awareness – Part 3: Learning & Optimizing from Experience

    • 0 Comments
    In my last 2 posts on Information Security Awareness, I provided a little overview of the program and then discussed our framework around socializing security. I’d like to now discuss some of the things we’ve learned from driving awareness over the years...
  • Information Security

    From Hyderabad: Teamwork

    • 2 Comments
    I had a chance to play Cricket with the InfoSec India team this week. It was a great blast and it helped me frame an example I like to use to promote team work. Cricket, like a lot of sports, has many different roles that come together to make up a team...
  • Information Security

    Risk Analysis

    • 0 Comments
    Risk analysis is an intimidating topic for security risk management organizations. Analysis takes precious time and can be complicated. Many times identified risks are vague and there are not a lot of facts to put around the risks. Organizations want...
  • Information Security

    From Hyderabad: Local Leadership

    • 0 Comments
    I arrived in Hyderabad earlier this week and am underway meeting with the team members here. As I mentioned in the previous post, we realized early on how important it was to the overall success of InfoSec that we have presence in India. After we started...
  • Information Security

    From Hyderabad: Over The Weekend

    • 0 Comments
    Over the weekend, I had an opportunity to visit a few orphanages around Hyderabad. It’s an incredibly humbling experience. A little while back, I read a fantastic book titled “Three Cups of Tea” which really gets you thinking about the importance of...
  • Information Security

    Rethinking Information Security: Align vs. Govern

    • 1 Comment
    There is little doubt that information is fast becoming ubiquitous. In its digital form, you can have access to information over your desktop PC at home or work, your mobile laptop, your phone or even your entertainment system in your living room. The...
  • Information Security

    Beautiful Security

    • 0 Comments
    Mark Curphey, who also leads our Information Security Tools team, contributed a chapter in a security book that was recently released. It’s a great book and you can get his chapter online for free… read more here. -Todd
  • Information Security

    Information Security & Performance

    • 0 Comments
    Our mission in Information Security is to enable secure & reliable business. In going about our mission, we’ve constantly tried to take a very deliberate service-oriented view of information security rather than a purely enforcement approach. Like...
  • Information Security

    InfoSec A&P Suite – How to Use the Tools

    • 0 Comments
    InfoSec recently released their Assessment & Protection (A&P) Suite. To get the details of this suite, you can check out my last blog. Anil Revuru (RV) from the IST (Information Security Tools) team in his recent blog discusses how Web...
  • Information Security

    Announcing SDL-LOB

    • 0 Comments
    I’m very excited to announce the recently released SDL-LOB. You can read more here and be sure to check back regularly on www.msinfosec.com as we will be highlighting various aspects of SDL-LOB. -Todd
  • Information Security

    Risk Tracker v1.0 Release

    • 0 Comments
    Recently I shared with you the release of the CISF (Connected Information Security Framework) and Risk Tracker version 1.0 application developed by the Microsoft Information Security Tools (IST) team. Risk Tracker built on CISF framework will help...
  • Information Security

    How to Integrate Risk Tracker with Internal HR Feeds

    • 0 Comments
    I’ve been discussing the Risk Tracker v1.0 application built on the CISF (Connected Information Security Framework) developed by our own team, Microsoft Information Security Tools (IST) team. Organizations who would like to deploy Risk Tracker in their...