Making the Case for Security Optimism


The following is a post from Scott Charney, Corporate Vice President of Trustworthy Computing at Microsoft.

In today’s world it’s natural to focus on the ever-changing threat landscape, which at times can feel daunting and overwhelming for consumers, businesses and governments alike. There are real and serious concerns that we all continue to play a role in addressing.

In the midst of sometimes provocative headlines, the tangible progress being made to advance the industry is often overlooked. However, as I shared today in my RSA keynote, when I look at the breadth of the good work that industry and government is doing, I’m encouraged.

We are seeing key security industry accomplishments and government activity that will have long-term impact and together form a basis for optimism. Some of these improvements are being felt today, while others are laying a foundation for the future. 

When I step back and think about where the security industry has experienced tangible success, I think of three broad areas:

  • Fundamentals – how computing devices and services are built and deployed
  • Management – ensuring safe and reliable operations
  • Influences – the cultural context of economic forces, social requirements, and the political environment – which must all align with the technology


To make everything work together securely, we need strong security fundamentals that subsequent innovations can capitalize on. There has been encouraging progress in open standards, including the Unified Extensible Firmware Interface (UEFI) with Secure Boot and the ISO 27034 guideline for application security.

The development of the standards-based approach of UEFI has laid the groundwork for subsequent improvements to computer security. Innovations such as Secure Boot and measured boot have been incorporated into UEFI, helping operating systems become more resistant to rootkits and persistent malware.

Building security and privacy fundamentals into the development process has benefitted all IT users, raising the bar against malicious attackers. With the publication of ISO 27034, vendors and customers have a common language for requiring and providing security development practices in products.

Operational security has always been important within IT departments, but with the growth of Cloud Computing and dependence on outsourced operations, process excellence for operations, compliance and audit are more important than ever. 

While there are several encouraging examples I can think of in the area of management, I’d like to highlight some opportunities that cloud services and applications stores create for improving security and trust:

  • Minimum standards. Store operators can define requirements, including security and privacy, for software delivered through their stores.
  • Software review. App store operators have the capability to run automated scanning.
  • Remediation. Patching of course, but also the ability to temporarily or permanently disable unsupported or poorly behaving applications.
  • Latest version. Staying on the latest version is an operational best practice. With store-driven updating, this is improved significantly.

The benefits of well-operationalized security guidance are amplified when they are incorporated into best practices that can be shared with others at scale, which is why I consider the analysis and guidance published by the Australian Defence Signals Directorate (DSD) to be another encouraging example. They found that at least 85% of the cyber intrusions targeted at their systems could be prevented by following the first four mitigation strategies listed in their Top 4 Strategies to Mitigate Targeted Cyber Intrusions.


We’re seeing a flurry of cybersecurity and privacy-related activity at the national and international levels. Advancing broad cybersecurity and privacy standards and practices requires alignment among governments, industry and customers.

National Strategies, Policy Legislation

The Obama Administration’s cybersecurity Executive Order and the EU Cyber Directive are recent examples, but many countries have published cybersecurity strategies over the past few years, emphasizing their focus on cybersecurity. Examples include Ghana, Kenya, Tunisia, France, Italy and the Czech Republic, among many others. A similarly large list of countries have proposed or enacted cybersecurity-related legislation.
Harmonization and Norms

We’re seeing a growing interest and investment in harmonizing cybernorms at a global level. In 2011, the UK Conference on Cyberspace drew 700 participants from 60 countries, and in 2012, the Budapest Conference on Cyberspace had even larger participation. A third conference in Seoul is already planned for 2013.

Each progress point I’ve highlighted is at a different point along the continuum from “recognition of the importance of the problem” to “mature solution.” The important point is that cybersecurity issues are now widely recognized as needing coordinated action and we now have organized activity aimed at achieving clear goals.

Today, attackers persistent and determined, and the threat landscape continues to evolve along with the proliferation of devices and services. As an industry, we face difficult security challenges today just as we have faced in the past. We have collectively risen to those past challenges to make progress and create solutions that are helping provide safer and more trusted devices and services. Though I know that there will always be challenges, obstacles and less than perfect conditions, when I look at the breadth of the good work being done, I see many reasons to be optimistic. 

Leave a Reply