BANGALORE: Many would scoff at the idea of the Redmond-based software giant,
Microsoft, talking seriously about security and trying to advise customers on
the strategy that has to be built to ensure better levels of the same.
But for Steve Riley, Product Manager, Security Business Unit and Dave Glover, Developer
Evangelist, Microsoft-Australia, it's all part of the game. In India for the
first time to talk about the Unit's products and reach out to enterprises to
educate them on security strategy, the duo spoke with Sathya Mithra Ashok on
the Unit's functions and how Microsoft aims to change its perception on
security among enterprises.
Excerpts.
When was the Security Business Unit formed and what do its functions include?
The Unit was formed nearly three years ago. It was
formed to address some of the growing security issues within enterprises. Most
enterprises, which were having security problems, found it easy to blame the
technology alone. But that is not true. Security is less about technology and
more about the processes and people built up in the enterprise. In fact, if
enterprises concentrate on building the right processes and inculcate the right
people, they would find that they might not need all the additional blocking
mechanisms that many of them invest in regularly.
This attention to process must stem from basic
co-ordination between application development and operations, which will be
using the application. Teaching the basics of security to everybody in the organization
involved with IT is essential. It's also important to know and trust the people
who are involved in IT to a large extent, like your system administrators.
Most security threats for enterprises come from the
inside. There is always a human element to security and the person on the
inside already knows everything about the organization and therefore has much
less to do to harm it. Security is not about the brand, but about systems
management. Part of the fault lies with us too, in that we had not taken the
initiative to educate enterprises more proactively. The Unit aims to remedy
that.
There are around 1000 people in the Unit alone and
if you count in the extended people connected to the Unit it would be around
6000. Formerly, whatever number of products Microsoft had, that was the number
of ways of update implementation that there was. But now everything has to go
through the Unit and if the Unit finds that it lacks in security, it goes back
to development, even if there will be a delay in release. That is also part of
the Unit's functions.
Was the growing popularity of
open source operating systems part of the reason for the formation of the
Unit and the propagation of security as a process for Microsoft?
We are a competitive company. And there are a lot
of things we take into consideration. This would include IBM's initiatives,
Novell's work or open source as a whole. Therefore, open source, along with IBM
and Novell and other competitive initiatives would have been a consideration in
the formation of the Unit.
Is Indian enterprises' outlook towards security the same as the world over?
We've been meeting CIOs and enterprise IT
representatives for over four days now in India. We find that everyone
acknowledges the importance of security but many of them don't understand how
to go about it. Also, many enterprises lack properly skilled people to
handle their security. This is purely anecdotal but many of them we spoke to
opined that most trained people opted to work for the outsourced software service
providers rather than enterprises. And that situation is pretty unique to India
because there are not very many places where outsourcing is as big an activity
as here.
How much is revenue
generation a part of the Unit?
We are a for-profit company and it's naïve to ignore
revenue-generating potentials of technology. Products associated with the Unit
generate most of the revenue and it comprises a really small part of the
overall revenues. Our products include the Internet Security and Acceleration
Server, Windows Rights Management Services and other products or patches
bundled with Windows and other MS products. But the fact is that revenues are
not as important as the idea of spreading the message of security as processes
and people oriented more than technology.
Microsoft has a huge
perception issue to battle in the area of security — the perception that
its software is open to more attacks than any other. How do you combat
that perception?
We talk to enterprises. We try to bring to light the fact that every
software has its vulnerabilities that can be exploited. We also point out to
them that with each upgrade of its various software offerings Microsoft has
steadily reduced the number of vulnerabilities in it. We demonstrate that it is
safe to keep even security within the Microsoft umbrella.
We also educate them on the fact that the software or technology cannot be
blamed all the time. That with proper processes and people in place, the
company would not need to have blocks in place to prevent exploitation of
vulnerabilities because the processes will ensure that there can be no
exploitation.
All of it boils down to customer satisfaction. If they are not satisfied,
they would look elsewhere. It's an uphill battle for Microsoft, but as long as
we can pass the message of security I think we have achieved quite a bit.