Q&A: Making Microsoft Software More Secure

As Microsoft consults customers, government agencies, and other technology companies to help bolster the security of its products--and broader computer networks--chief security strategist Scott Charney is the man on the hot seat.

Charney reports to chief technical officer Craig Mundie, and replaces former Microsoft security czar Howard Schmidt, who left in December. Before going to work for Microsoft on April 1, Charney led PricewaterhouseCoopers' cybercrime practice. He's also headed the U.S. Justice Department's computer crime unit, and worked as an assistant district attorney in Bronx County, N.Y. InformationWeek senior writer Aaron Ricadela spoke with Charney in April.

INFORMATIONWEEK: How have you spent your time during your first month at Microsoft?

CHARNEY: At first, I spent my time getting up to speed on the burning issues. My job is twofold: internal and external. Internally, it's been about finding out about the Windows security push, patch management, code reviews, things like that. My vision for the Redmond-centric part of the job is devising better ways to secure products and services.

And about half my time is spent in Washington, D.C. People still look to the government to protect public safety and national security. But the government has said it's the private sector that owns, maintains, and designs these critical infrastructures.

INFORMATIONWEEK: Where do you think you can make a difference in guiding Microsoft's product strategy?

CHARNEY: The products have to be easy to use for security purposes. The old model was that it's the user's responsibility to see if vulnerabilities had been reported, and patches had been made available. Windows XP has a notification system that says when a critical update's been made available. The difficulty is, the user base isn't monolithic. My mom may just want to click a balloon. But an IT manager may not want to; they would need to download the update to a server where they can do the regression testing they need to ... Also, Windows XP's firewall is turned on by default. That's the kind of stuff we as a company have to focus on more.

INFORMATIONWEEK: Will customers pay more for more secure products?

CHARNEY: I can't speak yet from Microsoft's perspective, but at PricewaterhouseCoopers, when the economy slid, money become tight. Companies are willing to pay more for security, but there are some obstacles. They have to see a real return on investment.

And sometimes, they have product shock. A virus-checker may be easy to buy. But with more complex systems like intrusion detection, it's harder to do comparative shopping. Sometimes you hear about interesting technologies like digital watermarking. But you're not sure if it will become mainstream, and may not be sure the vendor will be in business in six months.

INFORMATIONWEEK: How quickly does Microsoft need to warn its customers about vulnerabilities in its software products?

CHARNEY: This issue about information sharing--do you share threat and vulnerability information?--isn't just with our business customers. It's been a debate in the IT community for at least five years. If you say there's a vulnerability but no patch, you're just asking hackers to create havoc. And it's not like every system administrator applies a patch within minutes of getting notification. On the other hand, if you don't issue warnings, the bad guys will still attack these existing, latent vulnerabilities. It's been done ad hoc, but it's now a subject of debate about whether there should be computer industry best practices. You still are creating a race.