Scott Charney has been on the hot seat ever since he joined Microsoft Corp. last year as the software giants chief security strategist. He arrived in Redmond, Wash., four months after Bill Gates sent out his famous memo outlining the companys new Trustworthy Computing initiative and a newfound commitment to security. He is not only the public face of that effort but also the man who is ultimately responsible for carrying out Gates instructions regarding security. Charney talked to eWEEK Senior Editor Dennis Fisher recently about the progress Microsoft has made in the last year and what lies ahead for Trustworthy Computing.
eWEEK: How do you think the company has done as far as Trustworthy Computing is concerned in the last year?
Charney: In some ways, I think weve made great progress. But then I look at it as a continuum, and it seems like weve made very small steps on a very long road. Some of the steps have been important ones. Before Trustworthy Computing, the delaying of products because of security concerns was not common practice at Microsoft—or in the industry, for that matter. Its an organizational change. Trustworthy Computing is a long-term effort, and some of the benefits have not yet been realized in the market.
eWEEK: How so?
Charney: Well, Windows .Net Server [2003] hasnt been released yet, but a lot of the work weve done in the security push will be evident in that release. Were doing a lot of after-action efforts where we look at things like whether the vulnerabilities we found in the security push are unique to a product or more widespread. We will continue the push constantly on every new product that we release. Overall, Im very pleased, but we still have a long way to go.
eWEEK: What other elements of Trustworthy Computing are you working on?
Charney: One of things Im looking at is, how do you come up with an objective measure of the security of a product? Our chief privacy officer, Richard Purcell, has developed this tool called the Privacy Health Index to assess the performance of each application. But when you think about trying to apply that to security, it gets kind of fuzzy. The questions we ask as part of the privacy index are binary, yes or no. But if you ask a developer if he did a security code review and he says yes, what does that mean? Its a really important thing. Were struggling to find the right system.
Page Two
: Microsoft Security: Whats Next?”>
eWEEK: What are some of the things that youd like to address in the coming year?
Charney: I think its important to [do the security] push on products that are taking on new roles in the marketplace, things like instant messaging and handhelds. We need to get ahead of the curve to make sure that were sensitive to how the technologys being used. We need to continue to make progress on Palladium. Our goal is making security easier to use. Think about how difficult it is to manage security. The technology has proliferated much faster than the training has. We need to analyze the training program, too. Its amazing how many people who have computer science degrees have no security training.
eWEEK: Do you think the idea of improving security has really taken hold inside the company?
Charney: I do. The number of e-mails that I see with people raising security issues is huge. That didnt happen before. The cultural change is very marked and very real.
eWEEK: Youve talked a lot about the security training that all of Microsofts developers went through. Is that something that will be ongoing in the future?
Charney: Definitely. Theres going to be continuous training. Were looking at ways to improve it and come up with an agenda for continuous professional growth.