100 Brains: Microsoft's Katie Moussouris makes security accessible

Katie Moussouris has a tough job. She leads the Security Community Outreach and Strategy Team in the Microsoft Security Response Center. This, in layman’s terms, means that she is on the front lines of helping to ensure security of Microsoft’s products. She’s been a penetration tester for Fortune 500 companies, a code breaker and was on the popular @stake team when it was acquired by Symantec. Beyond her technical prowess, however, Moussouris has found a way to humanize security for those who are less technical and less connected. Considering that most security experts are born paranoids, she’s still been able to find ways to leverage social media to aid both her personal and professional connections, as well as further spread the word about Microsoft’s security movements. In the latest installment of 100 Brains, I ask Moussouris to share some examples of social and security, to chime in on security education for the masses, and her first social experiences on the web.

Q. Please share with me an important lesson that you have learned while using or promoting a service using social media. A. I follow a lot of cool, smart, funny, interesting people that I find by reading my friends’ and security researchers’ Twitter streams. I recently heard from a friend a security researcher I had been talking to was a bit freaked out when he noticed me following some of his friends.  I guess the lesson there is to know your audience, and anticipate when what you would consider “friendly following” on Twitter could be misconstrued as something weird or nefarious.

Q. Specifically with your work at Microsoft and considering how technical it is, how has social media played a part in it? Has it helped drive awareness or helped you better connect with the security community?

A. One of the ways I use social media in conjunction with the work I do in security outreach at Microsoft is to help spread the news about protections we make available to mitigate attacks, and the work we do behind the scenes to make our products more secure in the first place. One security reporter told me that he would never have known about Microsoft banning memcpy() as part of its Security Development Lifecycle if he hadn’t seen it in my Twitter stream. I think the security community appreciates the accessibility social media provides, and the ability to reach out to chat or ask questions in real time.

Q. There's a lot written about security and social media and education. Do you think it is reaching the right people?

A. I think that it doesn’t matter who it reaches, as there will always be people who will flock to social media sites regardless of whether or not their info is secure.  I personally assume and accept the elevated security risk in using social media. There was a time I tried to resist using graphical web browsers (I used lynx), due to my inherent paranoia, but the draw of The Onion online with hilarious photos drew me in and I began using another browser.  Similarly, the convenience features, and lure of all your friends in social media will draw even some of the most paranoid security people to join in. I think the right education for everyone about current social media and security is to set the expectation that it bears security risk, and that’s that. Use at your own risk!

Q. What was your first online 'social' experience? It could be an old-school BBS, a legacy social network, or even a chat room. Compared to that, did you ever believe that social would come as far as it has now?

A. I was on The Works BBS as a teen in the Boston area. It was there that I found out about local 2600 meetings, and it was the online place I could be my geeky self.  I met several people on that BBS who I don’t get to see very often, but who I still consider among my dearest friends.

My biggest shock about how mainstream social media has become was manifested last week when my mom joined Facebook. For me, this development either confirms we are in the midst of a digital golden age where social media has finally and forever integrated into every generation, or it heralds the coming of a digital apocalypse. Ladies and gentlemen, please place your bets!

Q. What do you think is the biggest mistake that less-than-savvy internet users make?

A. Aside from SHOUTING FOR NO REASON (an old pet peeve of mine, until I asked someone I was playing an online game with why they did it, only to be shamed by the fact that they replied that they were really old and typing in all caps was the only way they could see – sheesh, I’m a jerk! No wait, they were playing me for a fool and they were actually 15 years old in their mom’s basement!), I think the biggest mistake is assuming everything online – about any thing or any person - is true.

Q. Aside from any work you might do in social, how has social media changed your life? A. On a very personal level, when I finally broke down and joined Facebook last year, I was reunited with nuclear family members who I had not seen in over a decade. Words cannot express the bitter-sweetness of those reunions, and this would not have been possible in this lifetime without social media. It allows you to reconnect with people from every chapter and realm in your life – past, present, work, family, friends.

Q. Do you think it's possible to provide enough education so that users make smarter online decisions, or is it the usual case of security that it's not convenient so people prefer to be oblivious?

A. I think that even with education, we can never expect average users to make the best possible security decisions -  not because they necessarily lack the capacity or interest intrinsically, but because they really would need to spend too much time learning specialty information that we security people take for granted.  There is always a place for security education for users, but I think the more secure-by-default online experiences are equally as important.  If we stop expecting users to rise to our level of awareness, and shift to leave more of the security choices to the designers of the services or products, we can help users stay secure by making security decisions on their behalf. From there, experts can always change the defaults to suit their needs.

Q. Do you believe that the social networks fully understand how their users leverage them for business? Do you believe they are appropriately modeling their businesses to support that as well as succeed themselves?

A. There have been several instances of the rise and fall of social network civilizations. (Remember Friendster? How about Orkut?)  The pressure to continue to innovate rapidly can cause social networks today to feel that building new features is more important to ensure their survival than building everything with security in mind. This is the wrong approach, of course, and is short-sighted in that if there is a poor design decision made at the architecture level of a new feature that results in a security vulnerability, it will cost them and their users more to remediate it than if they had built more robust systems.  This is not a problem that is limited to social networks, but to any organization that fails to recognize that security assurance must be part of their development processes at each stage.

Q. Finally, what's one thing you want to make sure readers know about the web, social, etc.?

A. Be cautious about what you make available in any social network or online.

Social Business "100 Brains" is a series of 100 interviews with some of social media's most compelling "thinkers" and "tinkerers." Each interview aims to showcase each subject's most unique perspectives and talents. Interviews will run until December 31, 2010. Know a top "thinker" or "tinkerer"? Send an email using the form below.