Perhaps companies and consumers are far more likely to upgrade their Office products on the strength of new features, and Microsoft is just playing to that business reality. But in this day and age, the company no longer can afford to underplay security.
Look no further than Microsoft's last fiscal quarter to see the effect the MSBlaster worm and other security exploits are having on the company's bottom line. In the quarter ended Sept. 30, license sales of two of Microsoft's flagship product lines--client operating systems and desktop applications--were flat in part because "high-profile attacks diverted the focus of our customers, sales force and channel from renewals," said CFO John Connors. In other words, security problems with Microsoft software have raised the table stakes so high that some customers are thinking twice about re-anteing. Some are even considering switching to another platform, as hard as that may be.
Microsoft--and other dominant IT vendors such as Cisco, IBM and Oracle--must prove to customers that security no longer is an ancillary consideration, limited to the vendors' security teams and reserved for discussions with security professionals. Just as the technology ROI discussion has been organized and extended beyond the CFO's suite, so, too, must the information security discussion be moved beyond the infosec salon.
Vendors can certainly talk a good security game when they're pressed on the issue, or when security is the subject of the day at a conference. But security needs to be the subject of their every day--from product development and testing through rollout and update.
Microsoft customers are tired of hearing that Windows 2003 has X percent fewer vulnerabilities than Windows 2000 or Linux. Cisco customers are tired of hearing that they can manage their Cisco routers and switches in a secure manner if they're willing to pay a hefty premium. Oracle customers are tired of hearing about "unbreakable" database security when that security is known to break.