27 Feb 2002
The man charged with leading Microsoft's efforts to secure its software has vowed to put the interests of enterprises above the company's consumer customers.
Stuart Okin was appointed last week to the newly created post of UK chief security officer. His role is to bring together the raft of security initiatives sparked by Bill Gates's promise to clean up the company's act on security.
Microsoft CTO Craig Monday recently said that reaching a trusted state with security, reliability and privacy could take up to 10 years. "I support that for consumers, but for enterprises we need to do it as quickly as possible," said Okin.
He would not commit to a specific timescale, but said the company was in consultation with customers and developer forums to ascertain the key short-term goals.
Okin said it was difficult to gauge the company's progress. "We can't just go to vulnerability tracking sites to judge whether we're being effective. If we find more vulnerabilities it could be an indication we're doing well, providing they're fixed quickly."
Okin renewed Microsoft's attack on those who publish the details of vulnerabilities as soon as they are discovered.
"It is irresponsible for any finder to issue details until a patch is available. It's like leaving home, leaving the door open and announcing it with a megaphone," he said.
But Deri Jones, security services director at NTA Monitor, said that published vulnerabilities gave suppliers an incentive to get things done faster, and that network managers had a right to know.
"Honesty and openness mean things get fixed," he said. "If Microsoft and other vendors fixed vulnerabilities in a timely fashion, then that argument would hold water.
"If you don't publish the information, then sysadmins don't have the choice to turn off a feature. It goes round the hacker community fast enough, and network managers should be able to make an informed choice."