Microsoft’s pitch for the perfect patch

23 Dec 2003

As IT director for Microsoft Europe, Middle East and Africa, Robert Ford (pictured) sits atop a vast empire of networked computers. So when he talks about the need for organisations to master their own IT governance, you had better believe he knows what he’s talking about. Under his jurisdiction are some 20,000 PCs and two data centres. To complicate the cutting-edge architecture even further, Microsoft employees are increasingly empowered with PDAs and smart phones that add mobile layers to the infrastructure.

His responsibilities for the world’s number one software vendor make him a regular on the Microsoft conference circuit, brought out to offer organisations a hands-on insight into IT management. While many of his experiences may be atypical and the comfort zone of having the original programmers just an email away, he still has a useful insight into how an IT department can help increase an organisation’s efficiencies.

He was recently at a Dublin seminar talking about strengthening security – a topic as inextricably linked with Microsoft as the Windows platform that has become the main target for virus writers. The top-line pitch for prospective Microsoft customers was that bullet-proofing security can provide a 60pc reduction in potential targeted attacks and that productivity will rise by up to 30pc as maintenance, administration and troubleshooting demands fall. There is also an underlying argument about driving down costs through server consolidation and centralised administration.

In short, good IT is as much about the management as the technology. “Security and manageability go hand and hand,” says Ford. “Unless you now exactly what’s in your environment — and not just desktops, I mean every server — and have true governance over it all, you won’t be able to make it secure.”

Microsoft is by no means alone, especially in the security sector, in making the case for the importance of people and processes. It’s just that the argument is much more personal with Windows, the number one OS and the number one target. It didn’t go unnoticed that Blaster, one of the year’s most prevalent worms, came with an embedded personal message to Bill Gates.

“Security has become our number one priority over the last three years,” says Ford, “and a quarter of our consultancy work is now about helping customers understand security issues. It’s a price you pay and a responsibility you have to accept.”

Whatever about the arguments of how watertight software can ever become, it’s accepted that there will always be vulnerabilities. The reality for a modern IT department is that its monthly duties must now encompass a cycle that starts with software holes, moves through software patches and hopefully resolves in a software fix.

For Robert Ford the key to managing the virus wars – and at the heart of his own architecture – is the Microsoft Systems Management Server 2003. It’s the latest version of its change-management software that’s designed for the large-scale deployment of Windows. Its ability to automate patch deployment and asset-management, according to Ford, makes it the core tool in running an efficient and well organised system.

“It used to take a year to come up with a patch and deploy it,” says Ford. “Microsoft now has it down to a month. We publish less patches a month than some but we’re faster deploying them. It’s about getting the best repair and being the fastest to act.”

The problem, however, is often at the customer end. “For some, the cost and complexity of patches make them somewhat apathetic in deploying them,” says Ford. “They have to down tools and it’s a big effort. We just drop the patch on Systems Management Server and out it goes.”

Ford’s argument is that with the right governance, an IT department doesn’t have to be wasting its time fire fighting security holes. “The thing that surprises me the most [about businesses] is that they think it’s about technology. And if problems can be sorted out by spending more money then they’re happy,” says Ford. “That’s terrible. There are a lot of governance and management issues.”

He believes that it’s the job of the chief information officer to make sure that the board is up to speed with the issues and that things are run with clear management principles rather than by costly expedients.

“How do you add value if you’re constantly firefighting?” he says. “If all the CIO is doing is fighting fires then he doesn’t deserve to be at the top table. They have to educate the business. They have the weapons to earn a seat on the board.”

By Ian Campbell