How Reorganization Might Change Microsoft's Security Strategy

Microsoft's folding of its Trustworthy Computing group into two other groups, along with related staff cuts, raises questions among security professionals.

Microsoft security strategy

As part of its plan to reduce its workforce by 18,000, Microsoft has cut an unspecified number of positions in its Trustworthy Computing group and split the security and privacy teams, placing them in separate business groups within the company.

While the reorganization has caused some concern among security experts that Microsoft may be de-emphasizing security, both the company and a source familiar with the company's security operations have stressed that the move could help the software developer make its products more secure. While a separate Trustworthy Computing group more effectively communicated the idea of Microsoft's security focus to outsiders, having security people embedded within product groups allows the designers to focus on security much earlier in the creation process, Christopher Budd, global threat communications manager at security firm Trend Micro, told eWEEK.

Budd, who worked in Microsoft's Security Response Center and managed the vulnerability patch process for about a decade, argued that most changes to Microsoft's security efforts occurred before the creation of a separate TwC group in 2008. Now that the security groups are more tightly integrated with the business, they will likely have more impact, he said.

"For security and privacy to be really effective, they need to be part of the business," he said. "If you have the security people integrated as part of the business from the get-go, you don't have the problem of frustration caused by the security group requesting changes."

In 2002, buffeted by code-quality issues and a string of fast-infecting threats, such as the Code Red and Nimda worms, Bill Gates, then CEO of Microsoft, released a memo calling for the company to focus on security. Called the Trustworthy Computing Initiative, the effort has changed the way Microsoft has handled patches, increased the company's focus on secure development and helped the company forge a better relationship with security researchers.

Scott Charney, corporate vice president of Trustworthy Computing, who joined the company soon after the memo, underscored how much had changed in a blog post published Sept. 22.

"When I joined Microsoft in 2002, it was about stopping the bleeding, healing the ecosystem and, dare I say it, sometimes getting ahead of the curve," he said. "But in the future, with new deployment cadences and a mobile-first, cloud-first world, it is dangerous to rely upon past paradigms that were built for a different environment."

Charney assured the software company's customers that the new organization is meant to improve product security. A former attorney from the Department of Justice, Charney will continue to lead the security-focused part of the team under the Cloud and Enterprise Division at Microsoft. The privacy-focused group will be housed in the company's Legal and Corporate Affairs group.

"By consolidating work within the company, as well as altering some reporting structures, Microsoft will be able to make a number of trust-related decisions more quickly and execute plans with greater speed, whether the objective is to get innovations into the hands of our customers, improve our engineering systems, ensure compliance with legal or corporate policies or engage with regulators around the world," Charney said.

"While I am proud of our past, we need to plan for the future," he added.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...