Microsoft Australia security team leader, Ben English, said the company was kicking off a range of initiatives, including:
- a series of seminars on security starting next week;
- training its security consulting partner base to deliver "an easily transferable, packaged service offering to address problems such as patch management and system hardening" to customers;
- auditing its local corporate customer base to establish its risk profile; and
- setting up an internal security mobilisation team.
English told ZDNet Australia the establishment of the internal team -- whose members come from across the company's business lines -- was designed to ensure the company as a whole took responsibility for security. "We're trying to encourage people from all aspects of the business to coordinate security strategy," he said.
The move comes as the company gears up for a series of one-day seminars on security -- focusing particularly on patch management and techniques for hardening corporate platforms to minimise the risk of breaches -- to be run in Australian cities from 1-18 March. The seminars, the speakers at which include Microsoft's director of security, George Stathakopoulos, are designed for developers and information technology professionals.
To date, Microsoft has recorded more than 7,000 registrations nationwide, with more than 1,000 registered for each of the seminars in Sydney, Melbourne and Brisbane.
English said he expected that figure -- which exceeded the number for some of Microsoft's major product announcements -- to match the number of eventual attendees.
The team leader added that the company had put more than 25 of its consulting partners who have security expertise through a training course which would allow them to deliver a packaged offering to customers -- Quickstart -- dealing with patch management and system hardening.
The packaged offering will not, however, be rolled out until an assessment of the local customer base's risk profile -- presently being undertaken by Microsoft Consulting Services (MCS) -- is completed. Once the assessment -- kicked off a month ago and expected to be finished within the next few weeks -- is done, MCS will pilot deployment of the packaged offering with select customers.
English also indicated the company was considering launching a subsidised security mitigation program for its enterprise user base, but was reticent about providing further details, including how much the software heavyweight had set aside for the initiative.
"We're in the process of reviewing our options," he said, adding that the value in dollar terms of the initiative was a secondary consideration for him. He was more concerned about customer willingness to participate in and take ownership of outcomes of a security mitigation exercise.
English said he had in mind a three-stage program to boost Microsoft's security performance and profile with its customer base, with the final stage hopefully completed by 2005/2006.
The aim of the first stage was to "get companies secure," with a number of compact discs due for release over the next three to six months which would simplify the task of boosting security for both corporate and home users.
The second stage is based largely around technology developments, with mid-2004's Windows Service Pack 2 due to include a range of upgrades, including an expanded firewall and pop-up ad blocker within Internet Explorer.
Microsoft is also planning to release the Windows Security Center, a dashboard within Windows XP and a part of SP2 that will serve as a centralised place to view security settings and get advice on how to remedy personal computer vulnerabilities.
Service Pack 1 for Windows 2003 Server will be released in the second half of the year and will include improved quarantining technology designed to combat the threat posed by the connection of unsecured devices to corporate virtual private networks.
English said the overriding objective of Microsoft's initiatives in this period was boosting platform resilience.
The third stage of his program? "In an ideal world," he said, "Microsoft would have had no significant security breaches for a 12-month period and be recognised as a leader in security".