Microsoft revealed some of the changes they’re making to address security today. Mostly it’s what you expect — a bunch of promises to secure “100%” of stuff, and tying executive compensation to these efforts.
That is a good step, but it doesn’t solve the most glaring problem — Microsoft now makes $20 billion a year securing its own software.
A cynical man might point out that a thriving cybersecurity business incentivizes Microsoft to produce insecure products to force more people to buy their security products.
But even I, as cynical as I am, don’t think that’s the case. I think the problem is a bit more subtle and insidious.
How security comes to cost extra
Let’s say you are creating a cloud offering. Maybe it’s email. You sell it for $10 per user per month. Your engineers are hard at work improving this product — that’s where part of that $10/month goes.
They bring to you, the boss, an idea. The current logging system works great, but they’ve thought of a way to improve it. More detailed logs that would make it easier to know when there’s been some kind of intrusion. Now, you sell your current offering, with the current log system, for $10 a month, and your users have been happy with it. Should you offer up this new feature, which requires slightly more space to store log files, as a free upgrade?
OR should you tell the engineers to wait? Don’t put it in the base product. Let’s offer a $1 “Secure+” upgrade for the software that includes this new, advanced security enhancement. Surely everyone else is fine with the old logging system, and only the truly paranoid will pay for the upgraded offering — maybe they’re the only ones that need it! When you think about it like that, aren’t you kind of doing everyone a favor? If you rolled that feature out to everyone, you’d have to charge everyone a dollar more a month, and some people don’t need that security! Good job, you dynamo of a manager, saving people money by charging some other people $1 extra!
Let’s be clear about it
By creating “security offerings” distinct from the base offerings, Microsoft has given itself a way to carve off security enhancements that should have been included in the base product and charge for them separately, increasing its profits but decreasing security for the majority of its customers.
And by “decreasing security” what I mean is that, because attacks are always becoming more sophisticated, built-in “security features” that don’t change will become less and less effective — the base product loses security by staying the same over time.
What’s the solution?
Simply put, Microsoft should stop selling cybersecurity solutions that mitigate vulnerabilities in their own products. They should still be able to create cybersecurity solutions, but any solution that could reasonably be part of something you’re already paying for should just … be part of that thing you’re already paying for.
That’s the only change that could convince me that Microsoft is actually, legitimately serious about security. The money someone leaves on the table says a lot more about someone than the money they collect.