As Karen Worstell decoded her final encryption exam, it became clear to the then-biology/chemistry student that her true calling was information security. Nearly 20 years later, the recently appointed Microsoft CSO is charged not only with securing what is arguably the biggest target on the Internet, but also with ensuring Microsoft's products meet high security standards.
How do you keep Microsoft and its internal architecture secure?
The thing that's cool about security is that it's such a complicated problem, and it touches every single part of IT. We use some very standard approaches that anyone would recognize -- we have a defense-in-depth strategy. We run a pretty much perimeter-less environment that's very focused on security at the host and application layers, as opposed to security out in the network.
You also have a role in product quality control. What security checks do Microsoft products have to pass?
Our product group has a security team that checks with its own security design lifecycles. Then, the product moves to the IT department in beta form. We deploy it in our production environment, and we have to sign off on it before it can be released to customers.
Do you have the authority to reject a Microsoft product if it doesn't meet your standards?
We do have the checks to make sure we are cool with the security before it goes out. Hopefully, all of those showstoppers have been identified before they get to us. But, if it came to that and we had a showstopper security issue, our job is to make sure those get caught before it goes out the door.
I spend about one-third of my time talking to customers. Sometimes I'll go out and have one-on-one conversations with other CISOs and CEOs if they want to talk to the head security person at Microsoft. But, my whole security team works with our entire World Wide Field Services Organization to make sure they know how to talk to our customers. We have trained over 1,000 field service people in security best practices and prescriptive guidance. They are the primary ones who are on the ground talking to people, and we train them to do it.
What's it like having to be Microsoft's best customer?
I think it's an accepted part of the job. Working at Microsoft is intense, and our security checks are an expected part of what we do. It would be hard to work here as just part of the operations security team and not be part of the final product.
Do you take it as a personal challenge that hackers zero in on Windows and Internet Explorer?
No, I don't take it personally. If you look at the numbers, the actual statistics of Windows flaws relative to other platforms aren't out of proportion. Microsoft has demonstrated that it's one of the most responsive platform providers -- when we find a flaw, we fix it. And, hey, when you have the whole world looking at it, what more could you ask for?
Do you have any accountability if Microsoft gets hacked?
Yes, I do, as a matter of fact. My job is to make sure we don't have any business-impacting events. So, we are very busy doing all of the things we have to do to be proactive about that. We are also busy with monitoring a lot of things so we can find hints that something might be going wrong. And, we have a really good means to trace it if we see something developing.
How does Trustworthy Computing impact your internal operations, and what benefits do you derive from it? How does the internal security team contribute to it?
Trustworthy Computing is imbued in everything at Microsoft today -- there are even performance metrics for employees relative to supporting Trustworthy Computing. That's pretty significant; most companies don't get quite that far with security. Trustworthy Computing's four pillars -- security, privacy, reliability, and business integrity -- are all baked into our personal performance metrics. Every employee contributes to it every day. From an operational standpoint, the way it benefits me, as the CISO, is that I don't have an organization that I have to go out and make aware. I might need to work on giving them specific prescriptive guidance, but I don't have to work on getting their attention.
This article originally appeared on SearchSecurity.com.