January 26, 2006

True confessions from Microsoft

This is probably evidence of the post-Robert Scoble Microsoft [we've been harsh on the boy, at times, but he's energetic, if not insanely driven, and influential]: Mike Nash, one of the company's security satraps, agreed to a full and frank discussion from the lion's den of Slashdot.

Among his admissions: "Microsoft is a company that is very focused on technology, very focused on business, and very focused on the competition. Getting groups to put security high in their list of priorities was a super hard thing to change at Microsoft. Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time."

And: "What the events of the last 5-10 years have taught us (or at least taught me) is that the more you have turned on, the more attack surface area the system has and therefore the more vulnerable it is. If you assume near perfect quality or that there is no one out there trying to attack you, it might even be an ok decision. But since you can't, we need to be more selective about what things we turn on by default."

Now, he says, "Today, generally, people get it. It's now clear to us that security is a competitive and business priority. While I still see escalations from people who want exceptions, the numbers are pretty low. A big change from four years ago is that when I say no, I get great support from above me in the organization."

Right or wrong, he's a brave man. And at least the company now sees a buck or two in stronger security.

Posted by cw at January 26, 2006 12:11 PM
