How Reorganization Might Change Microsoft's Security Strategy
Microsoft's folding of its Trustworthy Computing group into two other groups, along with related staff cuts, raises questions among security professionals.
As part of its plan to reduce its workforce by 18,000, Microsoft has cut an unspecified number of positions in its Trustworthy Computing group and split the security and privacy teams, placing them in separate business groups within the company. While the reorganization has caused some concern among security experts that Microsoft may be de-emphasizing security, both the company and a source familiar with the company's security operations have stressed that the move could help the software developer make its products more secure.
While a separate Trustworthy Computing group more effectively communicated the idea of Microsoft's security focus to outsiders, having security people embedded within product groups allows the designers to focus on security much earlier in the creation process, Christopher Budd, global threat communications manager at security firm Trend Micro, told eWEEK. Budd, who worked in Microsoft's Security Response Center and managed the vulnerability patch process for about a decade, argued that most changes to Microsoft security efforts occurred before the creation of a separate TwC group in 2008. Now that the security groups are more tightly integrated with the business, they will likely have more impact, he said.
"For security and privacy to be really effective, they need to be part of the business," he said. "If you have the security people integrated as part of the business from the get-go, you don't have the problem of frustration caused by the security group requesting changes."
In 2002, buffeted by code-quality issues and a string of fast-infecting threats, such as the Code Red and Nimda worms, Bill Gates, then CEO of Microsoft, released a memo calling for the company to focus on security. Called the Trustworthy Computing Initiative, the effort has changed the way Microsoft has handled patches, increased the company's focus on secure development and helped the company forge a better relationship with security researchers.