Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Ping: Karen Worstell

Karen Worstell

As Karen Worstell decoded her final encryption exam, it became clear to the then-biology/chemistry student that her true calling was information security. Nearly 20 years later, the recently appointed Microsoft CISO is charged not only with securing what is arguably the biggest target on the Internet, but also with ensuring Microsoft's products meet high security standards.

How do you keep Microsoft and its internal architecture secure? The thing that's cool about security is that it's such a complicated problem, and it touches every single part of IT. We use some very standard approaches that anyone would recognize—we have a defense-in-depth strategy. We run a pretty much perimeterless environment that's very focused on security at the host and application layers, as opposed to security out in the network.

You also have a role in product quality control. What security checks do Microsoft products have to pass? Our product group has a security team that checks with its own security design lifecycles. Then, the product moves to the IT department in beta form. We deploy it in our production environment, and we have to sign off on it before it can be released to customers.

What's it like having to be Microsoft's best customer? I think that it's an accepted part of the job. Working at Microsoft is intense, and our security checks are an expected part of what we do. It would be hard to work here as just part of the operations security team and not be part of the final product.

Do you take it as a personal challenge that hackers zero in on Windows and Internet Explorer? No, I don't take it personally. If you look at the numbers, the actual statistics of Windows flaws relative to other platforms isn't out of proportion. Microsoft has demonstrated that it's one of the most responsive platform providers—when we find a flaw, we fix it. And, hey, when you have the whole world looking at it, what more could you ask for?

For the full text of this interview, visit

Article 14 of 15

Dig Deeper on Security industry market trends, predictions and forecasts

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All