Microsoft attempts security culture reinvention

It might be something of a joke in IT circles to use the words “Microsoft” and “security” in the same sentence, but Bill Gates’ senior advisor on the subject is on a mission to change all that.

“As a company we’re changing our bias to say safety and security first,” explained Craig Mundie, Microsoft Corp.’s senior vice-president of advanced strategies, during an interview with InfoWorld in Redmond, Wash., last week.

His mission is not only to convince people Microsoft products are trustworthy, but also convince the IT industry that it has taken the wrong tack on security.

After spending the first six of his nine years at Microsoft to date developing products, he asserts that focusing on security as an end in itself misses the point.

Speaking as the man appointed to champion security and privacy within Microsoft from the highest levels, he said privacy is actually the goal. Security products and methodologies are actually the means to that goal. “People don’t buy locks to own locks,” he said.

So, have security-focused vendors in markets like anti-virus and network security got it wrong? “Yes,” Mundie asserted. The solution from a company like Microsoft is offering customers “platform services,” he says. “The service component of these things has to be beyond reproach with respect to trust.”

As a result, he implies the industry can expect to hear more about the company’s “Trustworthy Computing Initiative,” one of Bill Gates’ pet projects.

Of course, Microsoft’s track record in security is less than stellar. A multitude of virus outbreaks that exploit vulnerabilities in products like Outlook, Exchange, and IIS Server have done little to help the company’s reputation.

Mundie concedes Microsoft has “learned some lessons” but claims it’s “no better or worse” than other vendors.

The net result of those lessons is that Microsoft has decided to ship its software with the built-in security defaults preset at the highest settings. In days gone by, products were shipped out the door with security settings preset at low levels, giving IT managers flexibility and choice in how security policies were administered.

The problem with that approach, Mundie argues, is the volume of servers and personal computers in the marketplace continues to outstrip the available IT administration resources in most companies. In short, Microsoft believes repackaging its software is needed to save IT managers and users from themselves.

“People errors are the bulk of the problem with [security] errors today,” he said.

Interestingly enough, by Mundie’s own admission he has plenty of work ahead of him to effect cultural change within Microsoft and bring security and privacy issues to the top of the agenda.

Microsoft’s recently launched Windows XP operating system does not ship with the basic firewall feature enabled, leaving the savvy home user or diligent IT manager to take care of switching it on. “In retrospect, we probably should have turned it on by default,” he said.