News, 5/9/2002, 02:14 PM

Q&A: Making Microsoft Software More Secure

Microsoft's Scott Charney is the man on the hot seat--he's the new guy responsible for the company's security strategy. If that makes you think "What Microsoft security strategy?", then you'll begin to realize the nature of the challenge ahead of him.

As Microsoft consults customers, government agencies, and other technology companies to help bolster the security of its products--and broader computer networks--chief security strategist Scott Charney is the man on the hot seat.

Charney reports to chief technical officer Craig Mundie, and replaces former Microsoft security czar Howard Schmidt, who left in December. Before going to work for Microsoft on April 1, Charney led PricewaterhouseCoopers' cybercrime practice. He's also headed the U.S. Justice Department's computer crime unit, and worked as an assistant district attorney in Bronx County, N.Y. InformationWeek senior writer Aaron Ricadela spoke with Charney in April.

INFORMATIONWEEK: How have you spent your time during your first month at Microsoft?

CHARNEY: At first, I spent my time getting up to speed on the burning issues. My job is twofold: internal and external. Internally, it's been about finding out about the Windows security push, patch management, code reviews, things like that. My vision for the Redmond-centric part of the job is devising better ways to secure products and services.

And about half my time is spent in Washington, D.C. People still look to the government to protect public safety and national security. But the government has said it's the private sector that owns, maintains, and designs these critical infrastructures.

INFORMATIONWEEK: Where do you think you can make a difference in guiding Microsoft's product strategy?

CHARNEY: The products have to be easy to use for security purposes. The old model was that it's the user's responsibility to see if vulnerabilities had been reported, and patches had been made available. Windows XP has a notification system that says when a critical update's been made available. The difficulty is, the user base isn't monolithic. My mom may just want to click a balloon. But an IT manager may not want to; they would need to download the update to a server where they can do the regression testing they need to ... Also, Windows XP's firewall is turned on by default. That's the kind of stuff we as a company have to focus on more.

INFORMATIONWEEK: Will customers pay more for more secure products?

CHARNEY: I can't speak yet from Microsoft's perspective, but at PricewaterhouseCoopers, when the economy slid, money became tight. Companies are willing to pay more for security, but there are some obstacles. They have to see a real return on investment.

And sometimes, they have product shock. A virus-checker may be easy to buy. But with more complex systems like intrusion detection, it's harder to do comparative shopping. Sometimes you hear about interesting technologies like digital watermarking. But you're not sure if it will become mainstream, and may not be sure the vendor will be in business in six months.

INFORMATIONWEEK: How quickly does Microsoft need to warn its customers about vulnerabilities in its software products?

CHARNEY: This issue about information sharing--do you share threat and vulnerability information?--isn't just with our business customers. It's been a debate in the IT community for at least five years. If you say there's a vulnerability but no patch, you're just asking hackers to create havoc. And it's not like every system administrator applies a patch within minutes of getting notification. On the other hand, if you don't issue warnings, the bad guys will still attack these existing, latent vulnerabilities. It's been done ad hoc, but it's now a subject of debate about whether there should be computer industry best practices. You still are creating a race.
