Apple is getting a lecture on its security response process from the unlikeliest of places.
In a classic flipping of the script, a Microsoft program manager who regularly serves as the public face of the software makers security response process rapped Apple for the way it handles security guidance to customers.
In a series of entries on his personal blog at Stepto.com, Microsoft program manager Stephen Toulouse called on the Cupertino, Calif.-based Apple to hire a security czar and revamp the way information is released when Mac OS X updates are shipped.
"Look, the only way you can tackle security issues is by getting out ahead of them and clearly communicating to your users the threat, and the clear guidance on how to be safe," Toulouse declared in a reaction to what he described as the "recent trials and tribulations of Apple in the security space."
"Heres the reality, for the next couple of years the Mac OS will experience increasing security threats and mark my words, the company will have to seek outside expertise in the form of a head of security communications in the next 12 months," Toulouse added.
He said Apple needs a person "steeped in security issues, true technical analysis, and can lead a good security team to get good guidance out there."
Toulouses statements, which were posted on his own blog and reflected only his personal opinions, echoes a growing sentiment—in and outside Redmond—that Microsoft is now the standard by which other vendors are judged when it comes to dealing to security crises.
In the aftermath of the Blaster and Slammer worm attacks, Microsoft has made significant changes to the way it fesses up to security vulnerabilities and communicates with hackers in the private research community.
Toulouse said the company certainly learned from its own problems. "A lot of the attacks Apple is experiencing today are just like the most prevalent threats on Windows: Attacks that require the user to take an action first. Weve learned the lesson of getting out there fast and providing clear prescriptive guidance," he added.
In response to an Apple spokesman who was quoted in a BusinessWeek article as saying the company does not need a security figurehead because the entire Apple staff cares about security, Toulouse said: "Thats a little like saying the White House shouldnt have a Department of Homeland Security because, DUH, everyone in the government cares about security!"
A separate entry on Toulouses blog also takes issue with statements from Apple that the content in its security advisories are similar to those released by Microsoft.