Q&A: Making Microsoft Software More Secure - InformationWeek


Microsoft's Scott Charney is the man on the hot seat--he's the new guy responsible for the company's security strategy. If that makes you think "What Microsoft security strategy?", then you'll begin to realize the nature of the challenge ahead of him.

As Microsoft consults customers, government agencies, and other technology companies to help bolster the security of its products--and broader computer networks--chief security strategist Scott Charney is the man on the hot seat.

Charney reports to chief technical officer Craig Mundie, and replaces former Microsoft security czar Howard Schmidt, who left in December. Before going to work for Microsoft on April 1, Charney led PricewaterhouseCoopers' cybercrime practice. He's also headed the U.S. Justice Department's computer crime unit, and worked as an assistant district attorney in Bronx County, N.Y. InformationWeek senior writer Aaron Ricadela spoke with Charney in April.

INFORMATIONWEEK: How have you spent your time during your first month at Microsoft?

CHARNEY: At first, I spent my time getting up to speed on the burning issues. My job is twofold: internal and external. Internally, it's been about finding out about the Windows security push, patch management, code reviews, things like that. My vision for the Redmond-centric part of the job is devising better ways to secure products and services.

And about half my time is spent in Washington, D.C. People still look to the government to protect public safety and national security. But the government has said it's the private sector that owns, maintains, and designs these critical infrastructures.

INFORMATIONWEEK: Where do you think you can make a difference in guiding Microsoft's product strategy?

CHARNEY: The products have to be easy to use for security purposes. The old model was that it's the user's responsibility to see if vulnerabilities had been reported, and patches had been made available. Windows XP has a notification system that says when a critical update's been made available. The difficulty is, the user base isn't monolithic. My mom may just want to click a balloon. But an IT manager may not want to; they would need to download the update to a server where they can do the regression testing they need to ... Also, Windows XP's firewall is turned on by default. That's the kind of stuff we as a company have to focus on more.

INFORMATIONWEEK: Will customers pay more for more secure products?

CHARNEY: I can't speak yet from Microsoft's perspective, but at PricewaterhouseCoopers, when the economy slid, money became tight. Companies are willing to pay more for security, but there are some obstacles. They have to see a real return on investment.

And sometimes, they have product shock. A virus-checker may be easy to buy. But with more complex systems like intrusion detection, it's harder to do comparative shopping. Sometimes you hear about interesting technologies like digital watermarking. But you're not sure if it will become mainstream, and may not be sure the vendor will be in business in six months.

INFORMATIONWEEK: How quickly does Microsoft need to warn its customers about vulnerabilities in its software products?

CHARNEY: This issue about information sharing--do you share threat and vulnerability information?--isn't just with our business customers. It's been a debate in the IT community for at least five years. If you say there's a vulnerability but no patch, you're just asking hackers to create havoc. And it's not like every system administrator applies a patch within minutes of getting notification. On the other hand, if you don't issue warnings, the bad guys will still attack these existing, latent vulnerabilities. It's been done ad hoc, but it's now a subject of debate about whether there should be computer industry best practices. You still are creating a race.
