Feature
News
5/9/2002
02:14 PM

Q&A: Making Microsoft Software More Secure

Microsoft's Scott Charney is the man on the hot seat--he's the new guy responsible for the company's security strategy. If that makes you think "What Microsoft security strategy?", then you'll begin to realize the nature of the challenge ahead of him.

As Microsoft consults customers, government agencies, and other technology companies to help bolster the security of its products--and broader computer networks--chief security strategist Scott Charney is the man on the hot seat.

Charney reports to chief technical officer Craig Mundie, and replaces former Microsoft security czar Howard Schmidt, who left in December. Before going to work for Microsoft on April 1, Charney led PricewaterhouseCoopers' cybercrime practice. He's also headed the U.S. Justice Department's computer crime unit, and worked as an assistant district attorney in Bronx County, N.Y. InformationWeek senior writer Aaron Ricadela spoke with Charney in April.

INFORMATIONWEEK: How have you spent your time during your first month at Microsoft?

CHARNEY: At first, I spent my time getting up to speed on the burning issues. My job is twofold: internal and external. Internally, it's been about finding out about the Windows security push, patch management, code reviews, things like that. My vision for the Redmond-centric part of the job is devising better ways to secure products and services.

And about half my time is spent in Washington, D.C. People still look to the government to protect public safety and national security. But the government has said it's the private sector that owns, maintains, and designs these critical infrastructures.

INFORMATIONWEEK: Where do you think you can make a difference in guiding Microsoft's product strategy?

CHARNEY: The products have to be easy to use for security purposes. The old model was that it's the user's responsibility to see if vulnerabilities had been reported, and patches had been made available. Windows XP has a notification system that says when a critical update's been made available. The difficulty is, the user base isn't monolithic. My mom may just want to click a balloon. But an IT manager may not want to; they would need to download the update to a server where they can do the regression testing they need to ... Also, Windows XP's firewall is turned on by default. That's the kind of stuff we as a company have to focus on more.

INFORMATIONWEEK: Will customers pay more for more secure products?

CHARNEY: I can't speak yet from Microsoft's perspective, but at PricewaterhouseCoopers, when the economy slid, money became tight. Companies are willing to pay more for security, but there are some obstacles. They have to see a real return on investment.

And sometimes, they have product shock. A virus-checker may be easy to buy. But with more complex systems like intrusion detection, it's harder to do comparative shopping. Sometimes you hear about interesting technologies like digital watermarking. But you're not sure if it will become mainstream, and may not be sure the vendor will be in business in six months.

INFORMATIONWEEK: How quickly does Microsoft need to warn its customers about vulnerabilities in its software products?

CHARNEY: This issue about information sharing--do you share threat and vulnerability information?--isn't just with our business customers. It's been a debate in the IT community for at least five years. If you say there's a vulnerability but no patch, you're just asking hackers to create havoc. And it's not like every system administrator applies a patch within minutes of getting notification. On the other hand, if you don't issue warnings, the bad guys will still attack these existing, latent vulnerabilities. It's been done ad hoc, but it's now a subject of debate about whether there should be computer industry best practices. You still are creating a race.
