Sunday, May 22, 2005

"Security - less about technology, more about processes"

Building the right processes and inculcating the right people may lessen the need for additional security mechanisms, say Microsoft's executives in an exclusive interview with CIOL.

 BANGALORE (21st May): Many would scoff at the idea of the Redmond based software giant, Microsoft, talking seriously about security and trying to advice customers on the strategy that has to be built to ensure better levels of the same. But for Steve Riley, Product Manager, Security Business Unit and Dave Glover, Developer Evangelist, Microsoft-Australia, its all part of the game. In India for the first time to talk about the Unit's products and reach out to enterprises to educate them on security strategy, the duo spoke with Sathya Mithra Ashok on the Unit's functions and how Microsoft aims to change its perception on security among enterprises.

Excerpts.

When was the Security Business Unit formed and what does its functions include

The Unit was formed nearly three years ago. It was formed to address some of the growing security issues within enterprises. Most enterprises, which were having security problems, found it easy to blame the technology alone. But that is not true. Security is less about technology and more about the processes and people built up in the enterprise. In fact, if enterprises concentrate on building the right processes and inculcate the right people, they would find that they might not need all the additional blocking mechanisms that many of them invest in regularly.
This attention to process must stem from basis co-ordination between application development and operations, which will be using the application. Teaching the basics of security to everybody in the organization involved with IT is essential. It's also important to know and trust the people who are involved in IT to a large extent, like your system administrators.
Most security threats for enterprises come from the inside. There is always a human element to security and the person on the inside already knows everything about the organization and therefore has much less to do to harm it. Security is not about he brand, but about systems management. Part of the fault lies with us too, in that we had not taken the initiative to educate enterprises more proactively. The Unit aims to remedy that.
There are around 1000 people in the Unit alone and if you count in the extended people connected to the Unit it would be around 6000. Formerly, whatever number of products Microsoft had, that was the number of ways of update implementation that there was. But now everything has to go through the Unit and if the Unit finds that it lacks in security, it goes back to development, even if there will be a delay in release. That is also part of the Unit's functions.

Was the growing popularity of open source operating systems part of the reason for the formation of the Unit and the propagation of security as a process for Microsoft?

We are a competitive company. And there are a lot of things we take into consideration. This would include IBM's initiatives, Novell's work or open source as a whole. Therefore, open source, along with IBM and Novell and other competitive initiatives would have been a consideration in the formation of the Unit.

Are Indian enterprises'outlook towards security the same as the world over?

We've been meeting CIOs and enterprise IT representatives for over four days now in India. We find that everyone acknowledges the importance of security but many of them don't understand how to go about it. Also, many enterprises lack in properly skilled people to handle their security. This is purely anecdotal but many of them we spoke to opined that most trained people opted to work for the outsourced software service providers rather than enterprises. And that situation is pretty unique to India because there are not very many places where outsourcing is as big an activity as here.

How much is revenue generation a part of the Unit?

We are a for-profit company and its naïve to ignore revenue-generating potentials of technology. Products associated with the Unit generate most of the revenue and it comprises a really small part of the overall revenues. Our products include the Internet Security and Acceleration Server, Windows Rights Management Services and other products or patches bundled with Windows and other MS products. But the fact is that revenues are not as important as the idea of spreading the message of security as processes and people oriented more than technology.

Microsoft has a huge perception issue to battle in the area of security – the perception that its software is open to more attacks than any other. How do you combat that perception?

We talk to enterprises. We try to bring to light the fact that every software has its vulnerabilities that can be exploited. We also point out to them that with each upgrade of its various software offerings Microsoft has steadily reduced the number of vulnerabilities in it. We demonstrate that it is safe to keep even security within the Microsoft umbrella.

We also educate them on the fact that the software or technology cannot be blamed all the time. That with proper processes and people in place, the company would not need to have blocks in place to prevent exploitation of vulnerabilities because the processes will ensure that there can be no exploitation.

All of it boils down to customer satisfaction. If they are not satisfied, they would look elsewhere. It's an uphill battle for Microsoft, but as long as we can pass the message of security I think we have achieved quite a bit.

Tech Notes

No comments: