As my first content-ful blog topic, I want to digress a little and talk about security and Microsoft and my own opinions on how both relate.  After all, I work at Microsoft as a Director in the Security group and my blog is a Microsoft technet blog.  I imagine that it might be helpful in future discussions if I articulate certain opinions and assumptions that help form the context for my personal viewpoint.  I may update this post as needed, so I can easily reference it later 😉

When I joined Microsoft in 2002, I focused most of my interview on assuring myself of two things:  1) Microsoft was indeed trying to take action to improve security in their products and 2) executive commitment was broad and deep, so that it wouldn’t diminish in importance after a couple of years.  Needless to say, since I am here, they convinced me enought to come on over and since then I’ve been able to draw my own conclusions based upon experience.

People.  There are some great security people here who work tirelessly to drive security improvement at Microsoft.  Steve Lipner was my vice-president back when I worked at Trusted Information Systems.  I have tremendous respect for him and he’s been at Microsoft pushing for good security policies and practicies now for several years.  Mike Howard – top notch engineer focused on getting developers to write code with security in mind.  George Stathakopoulos – self-described security geek (and General Manager) who loves to come to work each day to fight malicious attackers.  David Cross – working to turn arcane security technologies into usable security solutions.  There are many, many more.

Executive Commitment.   I can attest that I’ve met and been in meetings with Craig Mundie, Bill Gates, Steve Ballmer, Scott Charney, Brian Valentine, Will Poole, Jim Allchin (and others) where it was a crystal clear that security was a top executive priority.  Executive leadership that demonstrates how important security is to them – I can’t tell you how important that is in driving change.

Customer Focus.  Microsoft willingness to acknowledge past mistakes and take responsibility for making positive change.  Yes, we know we still have a lot of work to do in security.  More importantly, I’ve seen many, many instances of Microsoft facing hard security problems by working side-by-side with their customers and users to chart the course forward.

Business Acuity.  Say what?!?  That’s right, business smarts.  Computers and the network are critical to the economy.  All other things being equal, don’t you think customers would pick products that make it easier to manage security risk?  I do, and from my observations, so does Microsoft.

So, taken altogether, what does this mean?  I means that, based upon my experience and personal observations, Microsoft is truly committed to improving security for customers for the long-term.  It means I assume they are trying to do the right thing for security, even when they make mistakes.  I’ll not claim it’s perfect in either planning or execution, but it’s the necessary foundation and commitment necessary for progress.

Think Security – Jeff