Microsoft's internal auditor discusses the company's IT security outlook

Scott Charney is Microsoft's internal auditor. See what he and his team control.

Scott Charney is a man on the move. Since his appointment last April as Microsoft's "chief security strategist," he's logged more than 185,000 miles crisscrossing the country advocating better software security.


While Charney spends a lot of time on the road, his unit--the Security Strategies Group--is charged with being the internal security auditor for Microsoft's Trustworthy Computing effort. "In an organization of 55,000 people, it's not enough to put your finger in the dam. You have to fix the dam," says Charney.

Charney's team of eight acts as part internal auditor that checks code development, part SWAT team that helps business units implement security plans and part evangelist preaching the virtues of better security.

"My goal is to figure out how to make our products, services and infrastructures more secure," he says.

The Security Strategies Group is the only unit empowered to impose the Trustworthy Computing edict across the company. Charney says he's bringing division heads and product managers to the table to work out security issues that cut across Microsoft's vast, decentralized bureaucracy.

"With everyone focused on security, this hasn't been a hard sell, which is what I was worried about when I came here," Charney says. "Here in the security space, everyone gets it."

But critics say Charney is little more than a figurehead, and his unit is being used for mundane tasks. And some say Charney, a former Department of Justice official, spends more time in Washington, D.C., keeping regulators off Microsoft's back than preaching security to the Microsoft troops.

Charney dismisses such criticism, saying he and his unit are playing a valuable role inside Microsoft and pushing the security agenda externally. Strong software security, he says, is imperative for Microsoft's business future and the country's security. "If we don't do security well, people will migrate away from us. And if we don't do security right, they should," Charney says.
