'The Defining-Moment Issue'

Perhaps companies and consumers are far more likely to upgrade their Office products on the strength of new features, and Microsoft is just playing to that business reality. But in this day and age, the company no longer can afford to underplay security.

Look no further than Microsoft's last fiscal quarter to see the effect the MSBlaster worm and other security exploits are having on the company's bottom line. In the quarter ended Sept. 30, license sales of two of Microsoft's flagship product lines--client operating systems and desktop applications--were flat in part because "high-profile attacks diverted the focus of our customers, sales force and channel from renewals," said CFO John Connors. In other words, security problems with Microsoft software have raised the table stakes so high that some customers are thinking twice about re-anteing. Some are even considering switching to another platform, as hard as that may be.

Microsoft--and other dominant IT vendors such as Cisco, IBM and Oracle--must prove to customers that security no longer is an ancillary consideration, limited to the vendors' security teams and reserved for discussions with security professionals. Just as the technology ROI discussion has been organized and extended beyond the CFO's suite, so, too, must the information security discussion be moved beyond the infosec salon.

Vendors can certainly talk a good security game when they're pressed on the issue, or when security is the subject of the day at a conference. But security needs to be the subject of their every day--from product development and testing through rollout and update.

Microsoft customers are tired of hearing that Windows 2003 has X percent fewer vulnerabilities than Windows 2000 or Linux. Cisco customers are tired of hearing that they can manage their Cisco routers and switches in a secure manner if they're willing to pay a hefty premium. Oracle customers are tired of hearing about "unbreakable" database security when that security is known to break.Customers want their strategic vendors to show them they're changing the way they develop products so that security is built into the core. That these vendors are seeking input from the researchers who discover bugs in their products. That these vendors will delay a product rollout or eschew a feature or level of integration to tighten security. Customers also want to learn how many dollars and hours their vendors are spending on security. They want to see quantifiable progress.

In an address to a conference in Florida the same day as the Office rollout in New York, Microsoft CEO Steve Ballmer outlined some steps the company is taking, like building distributed firewall technology into the next versions of Windows 2003 Server and XP. Ballmer called information security "a defining-moment issue for us," conceding: "I know we need to do better." In fact, it's a defining-moment issue for many vendors, all of which need to do better.

--Rob Preston, [email protected]

Post a comment or question on this story.