Before I actually start with content, let me briefly give you some background: I took the role of the Chief Security Advisor (CSA) in EMEA (Europe, Middle East and Africa) after having been the CSA in Switzerland for 5 years. I went through all the nice challenges of Nimda, Code Red, Slammer, Blaster, Sasser and some more. On February 1st, I joined the EMEA organization to expand my function over the whole region. Now, in Switzerland we have kind of an unwritten agreement between the “classe politique” (the politicians) and the journalists: During the first 100 days the press does not aggressively talk about the politician. After 100 days the politician (especially ministers) gives a press conference to report on his/her initial findings – I am not that important, therefore I just blog.
Looking at this, it would be my time to look back at the first period in this role – being an engineer, it is not too important that it took me 143 days :-)
The Chief Security Advisors in the countries where Microsoft has offices have basically one important goal: Building trust! Building trust with our companies, governments, law enforcement, press, analysts, partners and last but definitely not least consumers. But trust not only in Microsoft. We work with the industry to help to gain trust in the information infrastructure as a whole. In EMEA alone, we are working with 15 CSAs and I am extremely proud to be part of this great community.
Besides this community, there are a lot of people working with us to achieve this goal:
- Marketing to work especially on campaigns to educate consumers, parents, kids and small and medium businesses in how to safely work with computers on the Internet
- Legal and Corporate Affairs to train and support Law Enforcement
- PR to work with press to communicate to important external audiences what Microsoft is doing
- Security Support to help customers under attack
- and many, many more
The biggest highlights during this first phase were definitely the product launches, with Windows Vista at the top. Windows Vista is the first product being engineered and developed with security in mind from the beginning and is a testament to our Security Development Lifecycle, as research by my colleague Jeff Jones shows. Additionally we launched Forefront Client Security. Are we done now? No, definitely not. Products are by far not the end of the road but a fundamentally secure platform is key. Will we ever be secure? No – there is no such thing as 100% secure because threats and the criminals behind them constantly evolve, but definitely Windows Vista is the most secure Operating System we have ever shipped.
I am convinced that we have to work even harder to make sure we stay focused on the new challenges.
Therefore, let’s talk about priorities as this is usually the core of a 100-day-press-conference:
Basically there are three things on my list. The first is ‘earn the trust of my customers’. So is the second and so is the third. If I had more room available in this blog, you’d see the same thing all the way down it.
In order to do this, I will focus on different areas:
- Grow the CSA Community: It is obvious to all of us that the CSAs add a lot of value to Microsoft as well as to the security economy. Therefore we have to grow the community across the region.
- Support inter-governmental organizations in their efforts around Critical Infrastructure Protection: The UN is developing a framework for developing countries; the EU is running different programs that support their member states and for NATO the theme is at the core of their mission. As a lot of the critical infrastructure is built on Microsoft technology our involvement is quite natural. At country level many of our local CSAs contribute to and support their governments in this area.
- Law Enforcement: If you look at my recent post around the Digital Phishnet Conference in Berlin, I made it crystal clear: If we (being the industry) want to effectively fight crime on the Internet, we all have to be ready to share sensitive information and work together. This means collaboration between law enforcement, the vendors and the targeted companies. Microsoft already plays a leading role in this respect but we definitely have to work to improve collaboration even between competitors.
- Secure Development across the Industry: Years ago, when I did my first keynote on Trustworthy Computing, I stated that Trustworthy Computing is an industry initiative. The point I was making is that we all have a collective responsibility, not Microsoft in isolation – today great progress is being made. Where do the attacks move to? Up the stack! We are productizing our Security Development Lifecycle at the moment; we published books on our processes; we deliver our tools as part of Visual Studio; we do outreach with these processes even to competitors. Looking at the recent chatter around Safari, I do not blame Apple, not by far, but basically it is nothing else than a “welcome to our world”. The economy is different, the motivation of attackers to go after the platform with the biggest distribution is big. We definitely have to drive for an adoption across the software industry.
- Proactive Outreach: In a lot of countries we are already doing a lot of proactive outreach activities to raise the awareness and help with concrete solutions for consumers, SMBs, kids and parents. GetSafeOnline (UK), Deutschland sicher im Netz (Germany), Sicuramente Web (Italy), Turvallisesti Netissä (Finland), different “National Security Days” (Finland, Norway, Switzerland, Netherlands, …) and a lot, lot more. This definitely has to continue.
Besides these priorities, all the CSAs will further engage with the security community in the region and work with our customers of all sizes to help them to solve their business problems in a secure and safe way.
So, let’s jointly work to “make the Internet a safer place”.