Microsoft's enterprise security under fire

The chief executive of security firm Symantec has launched a stinging attack on Microsoft, claiming that the Redmond giant cannot handle enterprise IT security because it lacks the specialist skills and business practices.

Speaking at the RSA Conference in San Francisco, John Thompson warned that companies should not expect Microsoft to solve their security woes.

"Microsoft's security initiatives are not sufficient for large enterprises," he said. "That's why security companies are the ones to do it: we are focused and not distracted by things like computer games and a host of other computer-related stuff."

Thompson maintained that the Sasser worm was a wake up call for the industry, since the speed at which it spread demonstrated weaknesses in the current way of protecting networks.

Sasser infected 90 per cent of the world's unpatched PCs in just 10 minutes, and went on to cause over $1bn in cleanup costs.

But the worm exploited a patchable hole in Microsoft code for which a fix had been available six months previously. With hackers now reverse engineering patches within days or weeks, IT managers can no longer rely on the Microsoft model, according to Thompson.

"Security as traditionally defined is no longer enough," he stated. "We need prevention ahead of attacks, and to make the process of managing security less costly and complex."

Victor Wheatman, managing vice president at analyst firm Gartner, echoed Thompson's view. "Microsoft is probably not going to solve its security issues," he said.

"Its security initiative is helping and it will improve. But at the same time it could inadvertently introduce new problems with new software."

Thompson then detailed how Symantec is gearing up to meet evolving security threats by creating tools that marry network management, security and system administration. It was this focus behind its acquisition of Veritas and Powerquest.

In the future, Thompson predicted that the new role of chief risk officer would handle security issues. He quoted a Forrester study suggesting that by 2007 over 75 per cent of large enterprises will have a risk management office led by a chief risk officer.

Finally Thompson warned of continuing consolidation within the industry. As companies are acquired, the number of security products would fall but their effectiveness would increase, he said.