Security Is Main Focus

Microsoft names new chief security strategist; directive also targets privacy.

Microsoft Corp. is forging ahead with a corporate directive to improve security and privacy, instituting a companywide development policy and naming a new chief security strategist.

The moves come just weeks after Microsoft Chairman and Chief Software Architect Bill Gates sent a memo to all employees exhorting them to adopt Trustworthy Computing, Microsoft lingo for making security the focus of everything they do.

The Redmond, Wash., software company has named Scott Charney to lead its security strategy beginning April 1. Charney, a former security and cyber-crime specialist with Pricewaterhouse- Coopers, will replace Howard Schmidt, who is leaving to become vice chairman of the National Critical Infrastructure Protection Board.

Charney will take the security helm at a time when Microsoft products have been beset by serious security vulnerabilities over the past two years. Security experts often criticize Microsoft for not taking security more seriously. In the past, the company has made usability and functionality its top priorities when developing new products, but Gates memo and a spate of high-profile flaws in Microsoft products have shifted the focus to security.

Speaking to a group of privacy and security officers at the Privacy and Data Security Summit here last week, Richard Purcell, Microsofts corporate privacy officer, outlined an extensive privacy program that requires every department to survey itself on a prescribed set of policies and produce a so-called Privacy Health Index, or PHI.

Under the plan, which Microsoft is implementing companywide, departments may see their budgets slashed if they dont deliver an acceptable score on the survey.

"Ive been told by Bill Gates himself, If someone comes to me with a budget with $400,000 for a new product launch and their [PHI] score [is poor], Im going to tell them to take that money and fix the score," Purcell said.

The measurement process will continue, Purcell said, but each department will be required to submit its scores along with its biannual budget requests. The program is based on a 100-page internal document called the Privacy Directive, which lays out all the companys privacy goals.

Purcell said the PHI program and the Trustworthy Computing initiative in general are just the beginning of a series of corporate changes that Microsoft is undertaking in anticipation of the day when computing is no longer performed just by PCs.

As part of that effort, Microsoft has imposed a ban on writing new code during this month and instead will focus all its developers efforts on combing through the billions of lines of existing code in its products in a search for bugs and security flaws.

But even as things evolve within Microsoft, Charney faces the challenge of repairing the companys already-damaged reputation as well as ensuring Gates edict is met.

"As one of the industrys top computer security experts, Scott has wide-ranging experience in cyber-crime and computer forensics, which will make him an essential member of Microsofts Trustworthy Computing leadership team," said Craig Mundie, chief technical officer at Microsoft.

"Scott takes a long-term, industrywide perspective on security strategy and understands the critical challenge of building safe and secure software and services for our customers and the industry," Mundie said.