Microsoft also gets a read on security issues by holding CSO and CIO summits (Arsenault is executive host for the company's annual CSO Summit, in which 300 top CSOs, mostly from the United States, take part). Microsoft compares data from the two groups to determine whether security concerns are being taken seriously by CIOs.
In Microsoft's latest survey of CSOs, it found that protection is the top security issue (62 per cent), followed by identity/access management (57 per cent) and compliance (44 per cent and falling in the rankings, a finding consistent among CIOs as well). Secure messaging/collaboration is among issues on the rise, as is application architecture ("The biggest question there is how far back you go in your code base," Arsenault added). Patch management ranked 6th on this list, with 29 per cent citing it, though Arsenault says this topic ranked first about years ago.
Arsenault also spent a chunk of his talk discussing why Microsoft makes the security investment, partnership and technology decisions it does, and the steps Microsoft has taken internally to shore up its security and protect its own intellectual property and systems. He noted that some decisions, such as what security products to include in an operating system, aren't always up to Microsoft given certain regulatory restrictions. Others, such as how to integrate security and management products, are also complex. He also discussed the requirement to weigh the needs of enterprises, small businesses and consumers, noting that security at the consumer level can have a big impact on enterprise security.
Arsenault isn't your typical Microsoft speaker. He prefaced his talk by noting that he has spent his entire career at the company outside of the profit and loss side of things and doesn't really care whether you buy Microsoft Forefront security products or technology from someone else (he even fessed up to using Quicken rather than MSN Money). "I have a vested interest in reducing security risk in the overall environment so we don't slow down the computing stuff that's been going on or what you're doing over the Internet."