Since I'll be coming here regularly, it seems fitting to share with you a bit about my background and what my plans are for this blog.

I've spent a long time in the security industry. In the early nineties I co-founded an endpoint-to-endpoint VPN company. CA bought it, and I stayed on as their security architect for eight years. Then I came to Microsoft two years ago, and I'm currently an architect in the Identity and Security Division. I spend most of my time thinking about our next wave of Forefront security management products, our protection technologies, and how Microsoft can do its part to help transform the security industry.

Transform's a big word. And it's not really very precise, so I need to elaborate a bit.

I believe we expect our customers to think and know too much about security. Whether our customers are consumers, information workers, IT professionals, risk officers, or security experts, we ask them to make limited-context security decisions; to understand the current threats and attacks on their identities, information, and infrastructure; to know the security ramifications of each action they take; and to use the tools we provide to build their own safe and secure environments.

Basically, the security industry builds products that work best when they are consumed by security experts. Which isn't bad, because security experts need tools to do their jobs, and because most security capabilities aren't operationalized to the point where it's easy to hand the reins over to non-experts.

But there aren't enough security experts in the world to go around. Experts are under incredibly high cost, compliance, and complexity pressures. And, frankly, most of the security experts I know wish we'd hurry up and operationalize larger chunks of security so they can enlist others to get the job done.

When we buy a car, security comes built-in. The seat belts, air bags, alarm system, even tracking systems are part of the car's infrastructure. True, there's an aftermarket for advanced security features if we want bulletproof windshields or five-point harnesses, but by and large, the security we get with our cars (a) doesn't require us to be security experts, and (b) meets most of our needs.

More importantly, when we buy a car, security usually isn't top of mind. We're buying the car to be productive. Or efficient. Or maybe even noticeable. Yes, we want security baked into the car, and it's a consideration as we make our choice, but unless we're buying a presidential limo or an armored truck, it won't be the driving factor.

My own personal vision of a utopian IT world has almost no standalone security products in it. Security services come inside applications and as part of the IT dial tone, and what little is exposed is consumable by non-experts. This is the world I see when I close my eyes, sit back, and dream of how Microsoft can help make the world a safer place.

To transform the security industry, we need to do two things: operationalize more and more of security, and bake it deeper into our applications. We'll need to ship more expertise like best practices and automatic responses, and we'll need to shift the security story to one about risk management. This will be quite a challenge, and we sure don't have all the answers yet, but this is going to be the main thrust of what I'll be blogging about.

I hope that this blog turns into a dialog. Please feel free to leave comments, questions, and criticisms. Let's work together and nail this transformation!