Business Technology: Security, Microsoft, And High-Stakes Poker
Microsoft is playing high-stakes poker with its customers over the security of its products and technologies, and so far, Bob Evans says, the company's raises and bluffs have held up. But the other players are getting tired of the game, and Microsoft might find that dominating such a game will be little more than a Pyrrhic victory.
Among the many legends, truths, and half-truths we've all heard about Bill Gates are the tales of his poker prowess back in his college days. He's reputed to have been a terrific player in many respects, but with a particular talent for the cold-faced, high-stakes bluff. Or is it a bluff?
It would seem that Gates and Microsoft are willing to play a similar gut-wrenching and all-in staredown this year over the ultimate state of the security of its products and technologies. But the odd thing about this match at this time is that the competitors in the game aren't the bad guys launching all the attacks, but rather Microsoft's customers.
Microsoft and Gates are betting that their customers will give the company and its somewhat shaky security history another 6-9 months to substantially improve existing products while simultaneously releasing new software conceived and developed with security as a top priority. It's as if Gates and Co. have pushed a massive stack of chips into the middle of the table and said, "This matches what your company's already spent on Windows infrastructure and applications and standardization, and"--they push another heaping pile into the center of the table--"this raise represents what you'd have to spend on top of that to migrate to a different platform."
Across the table, Microsoft's customers have to assess the options and run the numbers: "Can I afford to believe Microsoft yet again? Can I believe that this time they're really serious about security? Can I bet my company that they'll get it right? Conversely, can I bet my company on a hunch that a migration to a relatively untried alternative will quickly and seamlessly make me better off in 6 months than I am today?"
Consider the leap--rather, leaps--of faith Microsoft is asking its customers to take to finally find out what cards the company is holding:
1) In the past 2 years, Microsoft has acquired four security-software companies. Good news, right? Well, maybe. The most recent of those deals, for Sybari Software, won't close until the middle of this year. And Microsoft has given its customers no indication yet, other than vague generalities, of how the products of those companies will work together , or how they'll buttress Microsoft's existing products. But, as our John Foley reported 2 weeks ago, Microsoft security VP Mike Nash "acknowledged it's important that customers be able to manage Microsoft's security tools together." Does that make you feel better? More secure? Well, how about this: Nash also said, "We do think that there needs to be a management capability to allow enterprises to both control and monitor their security technologies like anti-spam and antivirus....We're currently working through specific requirements." Philosophically, that's nice. But practically, WHEN will this be done? WHEN can customers expect to begin to benefit from these Microsoft initiatives? The company's not saying. But perhaps that's by design, because a Microsoft spokeswoman, pressed by Foley for details, put it this way: "Ultimately, what matters is not what we say, but what we do." So put that in your strategic security plan for the year.
2) When will the company offer a bulletproof operating system, rather than ones predicated on continuous rolling patches? "They still haven't shipped a desktop operating system that was designed and coded after they started caring about security," Gartner analyst John Pescatore told InformationWeek via E-mail. And just when will that forthcoming operating system, the much-discussed Longhorn, be available? Next year. Since Microsoft knows all too well that this game is modeled on "jacks or better, trips to win," it also knows that despite their mounting frustration, few players will drop out because they've already poured a ton of money into the pot and don't want to miss out on a chance of a significant payoff. Is this a hard-edged approach? You bet. But it's also a pretty effective gambling strategy...for a while.
The heartbreaking effort to identify all 2,749 victims of the World Trade Center terror attacks is over. After an agonizing wait of 3-1/2 years, the families of 1,164 of the dead are being told by the Medical Examiner's Office that it has exhausted all the DNA technology currently available....Of the people who have been officially reported as missing from the World Trade Center and the innocent victims who died on the planes that hit the buildings, 1,585 have been identified, according to the Medical Examiner's Office.
-- New York Post, Feb. 23
3) Triggered by the surge of security concerns, and no doubt less than thrilled to see Mozilla's Firefox browser exceed 25 million downloads 10 days ago, Microsoft says it will release a security-enhanced version of its widely used Internet Explorer browser sooner than expected. Gates told attendees of the RSA security conference that a beta version of the IE 7.0 would be released in the summer, but he said nothing about what features could be expected; whether it would run on older versions of Windows, which account for more than half of all Windows PCs in use; and when the beta version would give way to the real thing. "I'll see your frustration and I'll raise ya six months."
4) Microsoft had a terrific chance, with Gates in front of the assembled security multitudes at the RSA event, to declare clear intentions of its forthcoming role as a security powerhouse. That could've been portrayed in various ways--acquisitions, new development models, new market priorities, new partnerships, new approaches--but instead, the company offered little in the way of vision, strategy, or direction. As TechWeb's Gregg Keizer wrote 10 days ago, "Microsoft has missed an opportunity to clarify its strategy for the security market and articulate whether it plans to be a leader in consumer and enterprise security solutions," said Neil MacDonald, a research director at Gartner, in an advisory published on [the firm's] Web site." Keizer added that MacDonald "blasted" Microsoft for its muddled approach to the increasingly dire security situation, and said the company's product strategy is not only unclear but also outdated: "Microsoft's overriding goal should be to eliminate the need for [antivirus] and [anti-spyware] products, not simply to enter the market with look-alike products at lower prices." And perhaps most damning of all, Keizer wrote, MacDonald skewered Microsoft about its apparent unwillingness to make the forthcoming more-secure version of Internet Explorer available to the majority of Windows users: "The decision to restrict IE 7.0 to the XP platform also suggests that Microsoft wants to force users of older platforms to upgrade if they want improved security," MacDonald added."
Now, granted, software is not simple to create, and the escalating skills and inventiveness of the loathsome bastards behind the epidemic of cybercrime present a daunting challenge. And, to be sure, Microsoft has significantly increased its commitment to making all of its products and technologies more secure.
But that's not enough. It's not enough to just stare across the table and say, "I know you won't drop out because you're already invested every chip you have and you've got nowhere to go, so just sit tight and wait til I decide what I'm gonna do." Microsoft's customers have their own businesses to attend to, their own problems to solve, their own strategic initiatives to push forward--is it too much for them to ask Microsoft to share with them a clear, cohesive, and comprehensive security road map and strategy? And I'm not talking about dusting off Microsoft's three-year-old "Trustworthy Computing" gambit that the company launched with considerable promise before doing next to nothing to articulate to the market that the company is really and truly serious about that theme, which today retains about as much credibility as Dan Rather.
I think one card-game lesson Microsoft does not want to learn first-hand is that high-stakes poker is fun if and only if you've still got somebody else willing to play.
To discuss this column with other readers, please visit Bob Evans's forum on the Listening Post.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Top IT Trends to Watch in Financial ServicesIT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Join us for a roundup of the top stories on InformationWeek.com for the week of September 18, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."