Thought for the day: Responsibility, reliability and respect


Hard-hitting IT columnist Simon Moores gives his personal take on the hot issue of the day. You may remember that last month Microsoft chief security officer Stuart Okin invited me to the Microsoft Campus in Reading. He offered me unrestricted and uncensored access to anyone I would like to question about the seriousness of the company's Trustworthy Computing security strategy.

There isn't the space here for a detailed report, but I'll share my early impressions with you. Microsoft, try as hard as it likes, seems unable to shift the weary cynicism that surrounds its claims that security is a number one priority and that improvements are already beginning to show.

The Trustworthy Computing initiative, which started back in April, has given the company a number of different problems. As one person I spoke with commented, trust is not something that you can enforce; it's a process, and the results are frequently invisible.

So what should Microsoft do? Should it keep vulnerabilities a secret until a patch is available, or should it disclose an exploit the moment it appears? Most of the people I have spoken to inside the company so far agree that Trustworthy Computing was, with the benefit of hindsight, the wrong phrase to describe what Microsoft is trying to achieve.

Responsible computing might have been a better choice of phrase because Microsoft wants its customers to understand that security is a partnership, where both vendor and customer share an equal responsibility to ensure that all possible precautions have been taken to avoid a security compromise.

In fact, Microsoft tells me that it has now made a higher security setting a default in its products, reversing its previous policy, which for faster and easier installation had security as an optional state.

"It's a functional trade-off," I'm told, "but it's the beginning of a change which impacts all our software, which previously focused far more on ease of use over other considerations."

Of course, the legacy of millions of users with earlier versions of Windows will be with us for several more years yet. There's no magic wand at work here; simply seeing the light won't be enough to switch off the threat until we're all using up-to-date software and clearly understand what steps are required to keep the hackers at a comfortable distance.

What I did say to my Microsoft friends over lunch is that if we're going to talk about Responsible Computing, then it's back to school for the company to study the "Three Rs" which, in this case, happen to be Responsibility, Reliability and Respect.

Without these three in equal measure, as fundamental principles of both software engineering and marketing, reforming the company's reputation for security is a non-starter. But there's always hope, so watch this space!

What is your view?
Is security a partnership between the software company and its users?

Zentelligence: Setting the world to rights with the collected thoughts and opinions of the futurist writer, broadcaster and Computer Weekly columnist Simon Moores.
