In addition to the job losses from round 2 of the Microsoft employment cull last week, several groups within the company were disbanded and consolidated. One of those, the Trustworthy Computing group, I reported on Monday. Part of what this group has been responsible for since 2002 is ensuring Microsoft products remain secure through updates and patches. Of course, as we know, the patches Microsoft has been releasing of late have diminished in quality and have caused more widely reported problems than seemingly ever before. This has led many organizations to alter their patching policies, extending the time to deploy by weeks in some cases. For critical security fixes, particularly those addressing exploits already reported in the wild and advancing, a longer window between release and deployment is clearly not a good situation. Some have gone as far as calling the security group at Microsoft the UnTrustworthy Computing group. And, with news last week that the group has been disbanded and assimilated by other, existing groups within Microsoft, customers are now wondering whether being trustworthy is still a strong focus for Microsoft and how the company will be able to keep its products secure in an intensified, more dangerous security landscape.
Scott Charney, Corporate Vice President of Trustworthy Computing, recently took to Microsoft’s Cyber Trust blog to explain the situation and to give a better understanding of why the Trustworthy Computing group needed to change.
Scott reminisces a bit about the Trustworthy Computing initiative and illuminates how the security ecosystem has changed since 2002. It is because of those changes, he argues, that Trustworthy Computing also needs to evolve to meet the demands of our modern world. He provides assurance that Trustworthy Computing remains a critical component and that Microsoft still intends to keep its promise to customers to protect them and keep their data safe.
The Trustworthy Computing team is now part of the Cloud and Enterprise Division, with the intent that integrating the group there makes all of Microsoft responsible for customer safety. Specifically, the change embeds the Security Development Lifecycle (SDL) and the Operational Security Assurance (OSA) programs directly into the engineering processes and legal policies, in the hope that quality will improve across the board and that the company gains the ability to transform product security for a new age.
Scott ends his missive by taking full responsibility as the architect of the changes and affirming his company’s commitment to Trustworthy Computing. He says:
Let me close by noting an important point: I was the architect of these changes. This is not about the company’s loss of focus or diminution of commitment. Rather, in my view, these changes are necessary if we are to advance the state of trust in computing. When I joined Microsoft in 2002, it was about stopping the bleeding, healing the ecosystem and, dare I say it, sometimes getting ahead of the curve. But in the future, with new deployment cadences and a mobile-first, cloud-first world, it is dangerous to rely upon past paradigms that were built for a different environment. While I am proud of our past, we need to plan for the future.
I think we all believe Microsoft intends to do good. But, unfortunately, it's the pieces customers can see, not the ones they can't, that cause the most concern. Quality is just as important as commitment in this case. Microsoft sends a message to customers once a month in the form of security updates and patches. That the company continues to deliver these on a regular cadence is important to show that, yes, Microsoft does still care about product security. However, for the past several months that message has been tarnished by updates that sometimes fail at the simplest things, such as installing at all or installing correctly. Change in this area is needed, and I understand that changes this monumental will take time to coalesce. So, we'll have to give these changes adequate time to settle and allow the architect time to reinvent Microsoft's processes. Let's just hope the monthly message improves quickly.
We’re watching. And, listening.