Microsoft Security Culture Shock
- Publisher: Elsevier Science
- Year: 2003
- Language: English
- File size: 297 KB
- Volume: 2003
- Category: Article
- ISSN: 1353-4858
Synopsis
security strategist for Microsoft, told delegates at the CSI conference in Chicago on 11 November that, in order to make the new Redmond mantra of 'security before features' a reality, the culture of the company would have to change. It would have to become less 'Darwinian', less internally competitive: "we need to change the culture to make it more centralized", he said.

Network Security: Now, it is a big thing to change a company's culture? How are you going to do that?

Okin: In our view, Microsoft embraces change - we cycle through change rapidly, and on a regular basis. In terms of the steps, first there was Bill Gates's announcement at the start of 2002. Trustworthy computing is now firmly on our agenda. This high-level executive edict really is important. For example, I have a colleague who runs a security group on one of our products (I won't say which). He'd been used to squeezing in two-week security stand-downs on product development. After the announcement his VP was saying: "how much time do you need?" It's had a real impact on budgets and development cycles. The second step has been the setting up of a new Security Business Unit, under Mike Nash. This has three responsibilities: our security products; communications, linked to the Microsoft Security Response Centre; and the education of the product groups. There is also a strong relation, here in the UK, with the research centre in Cambridge.

Network Security: Why has Microsoft ignored security in the past?

Okin: We don't feel we have; it's just that we haven't translated it over all the product sets before. We have made particular investments before - for example, in Kerberos and IPsec - but it has not been generalised.

Network Security: Why not?

Okin: Because of the thing Scott Charney was saying. We have had a federated environment and that has to change.
SIMILAR VOLUMES
Whom do you trust? The Federal Government in the United States seems to be getting more user friendly when it comes to their encryption policies, thanks to recent changes by the Clinton Administration that loosen some of the current restrictions and put the Commerce Department in charge of commercia