Remarks by Steve Ballmer, CEO, Microsoft Corporation
“Partnership, Innovation and Customer Focus”
Microsoft Worldwide Partner Conference
New Orleans, Louisiana
October 9, 2003
STEVE BALLMER: It’s a real privilege and pleasure for me to have the chance to be here with you. Last year when I spoke at the Fusion conference, I think I was the last speaker and the auditorium was basically empty when I got up. So I’m pleased this year to be the first speaker and I’ll see if it’s empty again by the time I finish and we’ll do some kind of compare.
I’ve had a little bit better luck with the Stampede audience over the years. I’ve spoken a couple of times, and everybody’s always stayed to the end, but that was one of the benefits of holding this conference in Fargo, North Dakota; there just weren’t that many flights out of town. (Laughter.)
I have a few things I want to say to you today, but I’ll say on balance the stuff that I’ll choose to focus in on in this speech will be a little different than I would normally do with you. I’m going to try to provide an overall context on our business briefly, but you’re going to hear from so many experts, who are going to be able to tell you so many wonderful things, that I’ve chosen to do a little bit of framing of where we are and how we’re thinking about our work together and what we need to do for our customers.
But then I really want to spend a lot of my time on the No. 1 issue that I’m hearing from our joint customers, because if we understand it, if we understand both the threat and the opportunity that it represents, I think it’s going to help all of our partners, no matter what your competence is, no matter what your focus is, it’s going to help all of us perform better in our own businesses and in service of our customers.
I chose to call this speech “Partnership, Innovation and Customer Focus.” I’m going to come back to these themes at the end, because at the end of the day I don’t care what kind of a business you’re in, I think these three fundamental tenets should be very important to you.
Your innovation may be in the efficiency with which you can deliver a service or help a customer manage a license or do something with another asset. It may be on the efficiency side. It may be on the new ideas side. But all of us are in a position where we have to reach out, find appropriate partners, innovate in the fundamental work that we do, and then have excellence in execution against our target customers and listen very intently to what they say. And I’m going to give you a little bit of a feel for that ecosystem, if you will, inside Microsoft.
Before I do that, though, I want to say thank you. For me, the partner community that has built up around Microsoft products and the work that we do is one of the real sources of pride that I have as CEO of this company. And the work that you do — tireless; I know it’s been a rough couple of years, frankly, for a lot of our partners — we appreciate so wholeheartedly. The degree to which our success and your success are tied together is absolute.
And I can’t say enough. Thanks, thanks, thanks, thanks for your dedication, your patience, your hard work, your support, your perseverance. And frankly, since I know I’m going to be up here for a bunch of questions afterwards, I know you’re also going to keep doing what I know you do very best, which is to push us and push us and push us and push us to be better. And we love that.
I’m SteveB@Microsoft.com. If we don’t get to your question or issue or problem today, I want to hear it, Allison wants to hear it, the whole team wants to hear it, because we know that the way in which your entrepreneurial instincts and our business tie together, you’re going to push us in amazing ways to do things that are better for you and better for our mutual customers. And the value in that is absolutely fantastic. So I first say thanks to all here.
I want to give a little bit of a context around our whole partner strategy. And it really goes back pretty much to the founding of the company. And I’m not sure whether it was a very overt and clear and sort of conscious strategy, because I didn’t arrive at Microsoft till about 1980, but by the time I arrived there was clearly a sense that Bill Gates had in his mind that in this business you had to pick your expertise. And people couldn’t be expert at everything and you had to go have relationships with the folks who did the things that you weren’t expert in.
This was absolutely clear when I arrived 23 years ago as the 30th employee in the company. There was no grand statement of our partner strategy; Bill just made it clear there were some things he didn’t want the company to do because we wouldn’t be any good at them anyway.
And so, in a sense, out of that desire to focus we have evolved and learned and built the current strategy we have to specialize and form partnerships in a variety of ways. Every year I get questions from partners who say, “Are you guys going to do more of what we do? Are you going to try to be more direct? Are you going to go compete with IBM Global Services? Are you really going to be in every part of the software business or is it just going to appear that way to some members of the press? What is your strategy?”
And I say our strategy remains invariant. We’re going to continue to focus in on what we’re good at. The strength of our company, in partnership with all the companies in this room and many, many, many thousands of others around the globe is so important. And the range and variety of things that you do is amazing: people who build computers, people who write applications, who give training, who resell products, who provide services, a variety of things. And I’m not trying to be exhaustive nor am I trying to be exclusive, because we’ve had such a broad range of partners and that’s essential, we think, for our success.
I guess we’d say 1992, ’93 was really kind of a milestone, watershed time for us, because the basis for what has been our really only consistent partner program per se really got set up in ’92. Now, Great Plains and Navision have had partner programs also of long running, but Microsoft Classic, if you will, the sort of last major innovation was ’92.
In the introduction today of the next-generation Partner Program, I hope we get a lot of feedback. We certainly have vetted it very broadly, as Allison had a chance to describe, but we are focused on essentially two key elements which I think should be absolutely of mutual advantage.
Number 1 is we want to get better alignment between you and us and our customers and our products in the scenarios that they can fit in, in those customers. If that pipe, if that alignment is clear, it reduces selling costs for all of us and it’ll improve the benefits that we can deliver for our customers. And that’s what competences are all about. That’s what our go-to-market selling approach is all about. Let’s get the alignment that lets us be efficient and lets us deliver greater value to our customers.
The second major element or program, from my perspective, is to increase the number of benefits and the range of benefits and the value of the benefits that we provide to our best partners. And so there’s a lot of work to try to distinguish what does it mean to be a best partner, and Allison talked about some of that, and then we want to make sure we’re there for you many more places through tele-management, through increased technical support, et cetera.
And those are really the two key principles, to be better aligned in front of the customer and let us be able to better support you in delivering that ultimate benefit to the customer.
So that’s sort of where I think we are today. Now, with that said, there’s one other kind of big thing happening from my perspective here today and that’s the chance to, in a formal sense welcome the merger of our two big partner communities, the Microsoft Classic partners and the partners who’ve done an unbelievable job building their businesses around the Microsoft Business Solutions product line — Great Plains, Solomon, Axapta, Navision. And I think it’s important to bring the two communities together. United we stand, divided we’re just as weak or strong as the other guys. I don’t think we fall, but united we have an opportunity to do great things.
I think what we’re doing here is joining two incredible partner communities. The work both Great Plains and Navision have done building their partner communities, from my perspective, were amazing. And those partners are as focused and loyal and fierce and competitive and smart as any I’ve ever met. So I’m glad to be able to join these two communities, because I think together, and potentially with other additions over the years, we’re going to build the next great Microsoft business.
I do believe the business applications area, focused on small, medium and small-enterprise customers, we don’t have to go up against SAP and General Motors, but just the business we pick for ourselves is just a wonderful, huge opportunity, not just for the business applications themselves, but for the business intelligence, the portal, the systems infrastructure that goes around it. And bringing the two communities together, I think, is key to that.
I know there’s a bit of apprehension among some of the Microsoft Business Solutions partners about what the business opportunity is going to look like when you get involved with people who think high volume, high volume, high volume. And believe me, I do think high volume. I sort of sit there and say, “What will it take for us to have a business application — ERP, CRM, something — in 50, 60, 70 percent of all the small and medium businesses in the world?”
I think you want us to think that way and we will continue to think that way in a context where we realize that the business models for the Microsoft Business Solution partners have been different historically than the business models for the folks who’ve been involved with the rest of the Microsoft product line.
And so we’re going to be very sensitive to making sure that we preserve and enhance the opportunity for you as partners, whether on the Business Solutions side or the classic side, to make money. We know that’s why you’re in business and we want the Microsoft platform and Microsoft business application to be the best place for you to make money, and that really will remain first and foremost in our minds.
I just want to take a second and just remind everybody about the kind of amazing work that all of you do. We’ll take three examples for today; the London Stock Exchange. The London Stock Exchange is migrating off of all of its old UNIX legacy applications onto Windows Server to run the business of the business of the stock exchange through cooperation between Microsoft and our partner Accenture. It’s really an amazing case study, and the London Stock Exchange is one of the early customers taking the plunge with Windows Server 2003.
With our partner Proximity we’ve done a bunch of work in marketing and campaign management for Panasonic around .NET, showcasing again the advantages of rapid application development and application integration that come from using the .NET suite of tools.
With Collins Computing, we’ve done work for Six Flags Amusement Park. It’s always nice to have names that people really recognize. This one has resonated very well even at the Ballmer household, I have to say. And the work that’s been done there in terms of portal and information distribution solutions is quite amazing.
And these are just three of what are literally tens of thousands of cases that the folks in this room have gone out and delivered on every day in all parts of the world at all times. And I think that if you stop and compare notes during the course of this conference, what you can learn from each other about the latest and greatest and smartest things that you’ve all done, it will be one of the, if not the greatest source of value of this conference — learning from each other and understanding the best practices that you can carry back and use in your businesses every day.
That’s the partnership piece of what I want to say today. I want to move now and talk a little bit about innovation. There’s a lot of hullabaloo these days in the press about whether the IT industry is done for, it’s past its glory days. I read just yesterday in The Economist or The Financial Times, people are saying, “Oh, IT goes in 10- or 20-year cycles and it’ll be another 20 years before there’s another good cycle.” Harvard Business Review — I don’t even remember the name of the article anymore; I call it in my head “Is IT Dead? The End of IT Innovation.”
I think all that is such hogwash. I’m so excited about the next 10 years, at least. You’ve got to ask me in seven years how I think about the 10 years after that. But at least the next 10 years, I couldn’t be more enthusiastic about what we see — the opportunities, the chance to change the world, the chance to do innovative work. And if we and the vendor community and our partners, translating that into real customer value, do innovative work, this industry is going to continue to absolutely grow and thrive.
We’re growing our R & D budget this year. We’ll spend about $6.8 billion in R & D, and that’s up year-on-year. We’re adding people because we have so much faith and confidence in the new things that can be done, should be done and that our customers will love when we do them that we’ve got the pedal to the metal.
People say, “Come on, Steve, isn’t this just about the 168,000th feature in Microsoft Word, blah, blah, blah?” No, this is about changes that everybody sees. There’s a great review in InfoWorld that I read online on the way here where they really appreciate that, for example, in the new Office 2003 product, where people say, “Look, this isn’t just about the last feature; it’s about improving collaboration, it’s about improving annotation, it’s about improving reading and note-taking for absolutely everyone.” And it’s these kinds of scenarios that are important.
Put your hand up right now if you’ve got a computer turned on right now on your lap. Show of hands. Does anybody see any hands? There’s a few. I’m being a little facetious here. How much are computers aiding this meeting, you right now, right here? How many people in the audience have 100 percent of the people in their companies with them at this conference? Show of hands. Okay, that’s what I expected — hardly anybody.
Why, when we’re doing a meeting like this, and I’m speaking, why don’t you have a Tablet in your hands on which you’re making notes? Why isn’t the video that nobody ever watches of this speech being beamed over the wireless networks and captured on the hard disk in your computer? Why aren’t your notes being synchronized with the audio and video that you capture and the PowerPoints that I have up?
Why, when you write that note that says, “Steve’s going on too long” or “Steve’s not making sense,” isn’t that being captured in a way that you can pass to your people? Why, when you write, “Harry, better look into this,” why isn’t that automatically dispatched to Harry? Why? Why? Why? Why? Why? Because we have work to do, all of us. We’ve got work to do. And until it’s hard to come up with unmet needs, we should all be excited about the possibilities and the prospects in more innovation.
And I just list some areas: real-time communications, reading, annotation and inking, collaboration, business applications, really getting B2B stuff to work well, application integration, mobility, business intelligence. I can go on for 15 minutes on any of these subjects but I don’t have 15 minutes, according to the clock down here, so I won’t. But I want people to share our enthusiasm and I want you to be able to share that enthusiasm when you’re out in front of your customers, because I think absolutely the next 10 years are going to be as good as the last 10.
And the last 10 were pretty darn good. Cell phones, PCs and the Internet basically all came into broad distribution in the last 10 years. And I think we’re going to see more positive change through innovation in the next 10 years.
I want to put innovation in context, particularly in a competitive context, from Microsoft. People say to me a lot, “What is your strategy to compete? What’s your strategy to compete with IBM? What’s your strategy to compete with Oracle? What’s your strategy to compete with Linux? And what’s your strategy to compete with open source?” — where that’s somehow a religion instead of like a product.
The truth is our products compete with other products, and our products compete with other products in a variety of ways, starting with the innovation and value delivered in the product running right through to the services and training of our partners and the applications that our partners built.
But we’ve got to start by having products that deliver the best value in every scenario that our customers care about. And so when we think about innovation, we think about innovation in a value sense for our customers and a competitive sense.
If I see a scenario — “Oh, somebody thinks Linux is better at high-performance computing than Windows,” we get engineers and they look at it and they look at it and they look at it and they say, “How do we be better? How do we get better? How do we push the state of the art? How do we help move UNIX applications down to Windows easier than UNIX applications to” — what’s the other thing? — “Linux? How do we make that easier?” That was not Freudian. (Laughter.) That was a little extra emotion, but it was not Freudian. “How do we do these things? What prices do we need? How do we improve the offer? Do we need additional partner support?”
So you take any one of these scenarios, and I’ll tell you, I feel good about the total value proposition, total cost proposition that we deliver versus competition. And you’ll hear a lot about, you know, sort of competitive issues and blah, blah, blah, but you can pick any one. We’ve got to make it easier to do application development on our platform. We think we’re there. We’ve got to have a better file, print and collaborative environment than the other guy does. We think we’re there. We’ve got to be able to scale up better than the competition. And all of these have an element of partner support, product innovation, price.
And I just want you to know how hard we’re working not just on the abstract of how we compete, company-to-company or philosophy-to-philosophy; we’re working on the things that matter to you. How do you put the best value proposition for a given customer scenario in front of your customers and why is Windows the anchor tenant to that value proposition? And if you ever, ever, ever come to a day where you don’t think we offer the best value proposition for something, I repeat, I’m SteveB@Microsoft.com and I want to hear about it because we will drive our organization relentlessly on all of the scenarios that are important to you in terms of value proposition delivered from this company.
I want to turn now — before we roll the video, I want to turn — I talked a little bit about partnership and I talked a little bit about innovation, but I actually want to spend the bulk of my time today talking about customer focus and responsiveness. And I want to highlight for you the No. 1 set of issues we’re hearing from our customers. And so we thought we’d do that through the voice of some of our partners and the kinds of things you and our customers are feeding back to us. So let’s roll the video, please.
STEVE BALLMER: There come times I think in any industry, and certainly in any company’s kind of existence, that you have to really step back and hear what people are saying to you and take those as defining moments to galvanize action.
I think our company has been through a phase over the last eight years really where there have been things that we’ve been hit with that caused us to have to really dig down deep, a defining moment in our evolution as a company, let alone our work with our partners.
The call of the Internet in 1995, and this notion that we were being left behind, was a defining moment for our company.
The issues we had in terms of the lawsuit with the U.S. Government, et cetera, getting those in a position where we could resolve the matters and move into a compliance phase and assume what I would characterize as a new position of industry leadership, has been a defining moment for our company.
I think this issue, this crisis right now, that our customers and our partners are highlighting for us of security is that kind of defining moment.
I don’t recommend for most of you as entrepreneurs that you go through defining moments that quickly; tough on the system, frankly. But I think you’re given certain both opportunities and you have certain issues that if you just don’t respond to they’re essentially, what shall I say, mission-critical to the life of the organization.
And that’s the view we have at Microsoft about security. And I think that’s the view you as our partners also need to have. Not all of you will consider yourselves security experts, not all of you will make extra business or focus on the security issue, but, in fact, our whole industry at this stage, in my opinion, our whole industry is in some sense threatened by people’s fear to do new things because of these security issues, by the costs that are building up to manage and maintain a secure environment.
And whether your business is security or whether your business is something else, I think it’s important for you as entrepreneurs and partners to understand not only the centrality and priority that our company is placing on security, not only the opportunities that might bring you, but I actually want you to understand what we’re doing about it so that each and every one of you as you’re out doing whatever service, providing whatever value you provide to your mutual customers, you can be spokespeople, not only of our seriousness but of our very concrete set of work to help our customers be more secure. So I want to take a few minutes on that.
If you look at the video and put that in context with a lot of other things that we think we’re hearing from our customers, they fall into four areas, not necessarily in the order in which all customers would mention them, but in the order of today or last week’s level of intensity. The level of intensity is high on these four issues.
You’ve told us that the quality of the patching process is low and inconsistent.
You’ve told us that you need to know, and our customers need to know, what is the right way from a security standpoint to run an enterprise with Microsoft software in it.
You’ve told us that you can’t keep up with new patches, they come too quickly.
You’ve told us there’s still too many vulnerabilities in our products.
We’re working hard, very hard and I’m going to announce some concrete actions we’re taking today on all four of these items, improvements to the patching experience, guidance and training so people understand better how to secure their enterprises — because this is not an issue for Microsoft alone, it’s not an issue for Microsoft and our ISV partners alone, it’s not an issue for Microsoft and ISVs and you alone; it’s really an issue that we have to explain to people and train people and educate people as an issue we need to attack together as an industry with our customers.
I’ll talk about work we’re doing, and that we’ll make available, that will help you mitigate vulnerabilities, even if you can’t apply patches, which I think is a very important concept, kind of a new concept for us.
And lastly I’ll talk about our ongoing work to improve security and reduce the number of vulnerabilities in our products.
This is where the feedback is. There’s a lot we need to do. I’m going to talk about a longer term, broader roadmap, but this is here and now. When I talk about customer focus, this is really hearing the level of importance and the level of attention and focus our customers have on these issues, and making sure we provide you and our customers with the tools that you need to respond to these pain points.
First, let me make sure I talk about and really dramatize how much we understand the need to improve security, not just from what the customers are saying, but what we’re seeing in terms of the activities of the so-called bad guys in this world and how that intersects with the products.
The number of patches that we’ve put out has proliferated. That’s an issue. Perhaps more important, the time between us issuing a patch and [when] we see a concrete exploit that takes advantage of the vulnerability that the patch highlighted is shortening.
I think most people in this room probably understand that we’ve had very few attacks, very few exploits that actually preceded the patch. The hacker community actually uses our patches, in some senses, as blueprints to diagnose and understand vulnerabilities.
And so in some senses one of the key measures is how quickly after we put a patch out does somebody reverse engineer and provide the attack. Well, in Nimda, that was 331 days. For Blaster, it was 25 days. And it’s very critical to keep this in mind because the security approach that we and you recommend to our customer cannot put the customer on a treadmill where, if that number is down to 10 or 5, our customers are doomed not to have a good experience. We’ve got to take this into account as we and you put in place our plan for our mutual customers.
The exploits are more sophisticated, and all of that means we really have to do, as I say, we have to prioritize and we have to enable you to appropriately prioritize security. It’s our No. 1 priority.
And I’d love to tell you there’s a silver bullet. There is no silver bullet. People say, “Well, can’t you just fix all the vulnerabilities?” Even if all the vulnerabilities were fixed tomorrow morning in all of the products, there’s still 600 million computers, many of them downlevel, many of them on funny versions that wouldn’t have all of these vulnerabilities patched, fixed and up to date.
So we’re going to have to put in place a multi-streamed set of activities to help our customers be secure, and we’re going to have to recognize that some of this is about responding and helping customers and some of this is about doing innovative things, which help you and the customers to help themselves.
I want to explain a little bit how exploits happen and what we’re doing to try to in some senses, what shall I say, intersect with the people who are involved in the exploits of our products in such a way as to mitigate the damage that is done.
There’s a group of folks out there called security researchers. These are the people who actually, in addition to our own staff, because we have a team of security researchers internally, but in addition to our own staff, these are the people who discover vulnerabilities and it is part of what they do to go public and reveal those vulnerabilities.
What we have done over the last six months to a year is intersect with those people so that their disclosure of vulnerability is done in a more responsible way where we can collaborate up front on getting the fixes for those vulnerabilities done before disclosures happen. And more of those researchers today, many more are working with us cooperatively.
I can tell you I wish those people just would be quiet. It would be best for the world. That’s not going to happen, so we have to work in the right fashion with these security researchers.
Number two, there’s a set of people who actually look at the work of these security researchers or they reverse-engineer a patch that we put out, and that’s typically, as I said, what they do, and then they post to the Web. They don’t actually send a worm out; they just say, “Aha, here’s how somebody –” it’s a template — “here’s how you’d write a worm to attack Microsoft Windows.” It brings a certain degree of gratification to people to be the “Aha, I wrote it,” and yet they can feel like they didn’t actually send out the exploit or attack.
We’re trying to work with this group to build consensus that that kind of disclosure is simply not a good thing. Those people have First Amendment rights in the U.S. anyway, they can publish that information, but we are getting more and more industry experts to speak out against this notion that says it’s OK to put template attacks up on the Internet.
Third, there’s people who actually go out and write the worms and start spreading them. These people really are criminals. They’re not cute hackers; they are criminals, and we are trying to work very closely with law enforcement to make sure that these criminals are found and brought to justice. The threat of jail must be a deterrent to these hackers, because even if all of us do a perfect job on behalf of all of our customers, there’s still going to be somebody who can figure out some way to get through. And no more should it be allowed to create huge damage by sending a worm across the Internet than it would be to blow up a bomb in a building that didn’t have any people in it. It’s a serious crime, and we are working with law enforcement on this, as if it’s a serious crime, and pushing for prosecution.
With that kind of context on what the ecosystem looks like, let’s get back to the pain points that were highlighted in the video. First is the patching experience. We have taken very to heart the feedback that says we’ve got to improve the patching experience. And for our Windows 2000 generation of products and beyond — so Windows 2000, Windows XP, SQL Server 2000, Windows Server 2003 — everything that postdates Windows 2000, by May of next year we will have made these improvements in our patching experience.
Number one, we will have reduced complexity. You complained today appropriately that we’ve got about 68 different patching systems — that’s a little extreme — and therefore you can’t develop any real expertise and competence in these things. We will move to one patching experience by May of next year that works across Windows and all of the application products.
Number two, we are going to move to reduce the risk in the patch deployment. That means better quality in the patches where our execution has been imperfect. And, number two, we will provide rollback capability for all patches, so you can roll them out and roll them back if there is an application incompatibility or something unanticipated.
Number three, particularly when you have people at the end of slow links, we’ve gotten a lot of feedback that says you’ve got to reduce the size of patches. We’ve built the new Delta patching technology that will allow us to reduce patch sizes by anyplace between 30 percent and 80 percent, which will simplify patch deployment quite a bit.
People said our patches require too many reboots, too much rebooting of the system. We think we can cut the number of reboots by up to 30 percent for patches applied particularly to the server, where the downtime of a reboot is fundamentally not very acceptable for our mutual customers.
We have work under way to extend the automation technologies that we provide you and provide our customers for patch deployment. I’m going to talk in a minute about something called Software Update Services 2.0. It’s complemented by our high-end systems management products, the SMS product, SMS 2003.
And, particularly for our consumer and very, very small-business customers who use Windows Update, we are going to complement Windows Update with something we call Microsoft Update so there will be one place on Microsoft.com that all of the patches for all of the Microsoft products are available and people won’t have to go searching through our Website to get an integrated view of the patches, et cetera, that are necessary. (Applause.)
Let me ask questions. How many people in the room have actually deployed internally Software Update Services 1.0? How many have deployed Software Update Services 1.0 in a customer? OK, this is proving a point I’ve been making to our people.
Let me ask one more question: How many people really know what Software Update Services 1.0 is? OK, that’s kind of what I was afraid of.
So I really want to focus your attention — it’s almost like announcing Software Update Services, given the context of the lack of show of hands. Customers and you have been pounding us, pounding us, pounding us, for better patch automation solutions. We put something in the market. It’s free, it’s a downloadable thing, but we call it the Software Update Services. You can think about it as a server that a customer can install that talks to Microsoft Update and allows you to apply local policy for automatic distribution of patches the way Windows Update today can provide automated distribution of patches to consumer machines. It’s a low — not low-end — it is a patch-deployment automation system. We are bringing out an update to that patch-deployment automation solution, Software Update Services 2.0.
Remember, the thing talks to Microsoft Updates. It sees all the patches. It will bring them down to a corporation, and then it will apply those patches to the systems in that corporation, with policy and with group machine management specified by you on behalf of our customers.
And so anytime somebody is saying to me we’ve got a problem with patch management, I’m going to ask two questions: Number one, is the customer an SMS customer? If so, SMS will be a superset of Software Update Services 2.0. And, if not — because Software Update Server is not a hard installation deployment management challenge — I’ll ask you, what do we need to do to make it a more effective tool in your tool bag?
And I guarantee you that if I come back to this conference, which I will — when I am back at this conference next year, I am going to ask people whether they’ve deployed Software Update Services 2.0. And if as few hands go up as went up today, I’m going to have a real issue with our product development people or with our marketing people, because, believe me, this is targeted at one of the key pain points that you and our customers have identified.
1.0 was a 1.0, 2.0 is a 2.0 and I really want to encourage you to start to get some experience, because this is a critical issue we need to help our customers with. It will scan the machines, let you know what needs to be patched, apply the policy, roll it out. It adds no cost, at least of acquisition. It is something that we provide to you that you can provide with only your service costs involved to your customers, and the new version will be available in half one of 2004. We have got to help get the word out if we are really going to do the right job on behalf of our customers. This is the corporate equivalent of Windows Update for the consumer market.
Third, on patching, people have said, “Look, Steve, we’ve got old systems. We have not been able to update those systems with the most recent service patch. We have to get you to extend security support for old releases.” So we will extend security support to June of next year for Windows 2000 Service Pack 2 and for Windows NT Workstations, Service Pack 6A.
Now, for a lot of our customers this is a critical issue. They simply cannot migrate off of these systems to more recent service packs. We are not even telling them that they should upgrade to Windows XP or blah-blah-blah. They’re just saying they can’t update the service pack, and I think it’s a key customer satisfaction point that we can continue support a longer period of time and help these customers with a graceful transition.
Number two. We have been putting out our patches on a very unpredictable schedule. We will now go to monthly patches — no more than monthly. If we don’t need monthly, we won’t have them. But no more than once a month, except for emergency patches which will be made available essentially immediately. That predictability is something you and our customers have highlighted to us we need to do, because people are feeling like they have to drop everything and deploy every patch at all times.
Number three, or number, I don’t know, N. I’ve lost track of where I am on counting now because I’m kind of revved up. In addition to patching, I talked about the importance of customer experience and customer training and customer education. Well, we are announcing today a couple of things that are very important. First, we will kick off a set here, I think by December 1st, of TechNet Security Seminars in cities around the world. We are going to put in place monthly security Webcasts that Mike Nash, who runs our security team, will host. We are going to do a dedicated seminar on writing secure code at our Professional Developers Conference. And we think we will reach, train and educate in security over 500,000 people within the next 12 months. We want to be in front of 12,000 people with security training through these avenues in the next 12 months — folks who work for you, folks who work for our customers — all go through the appropriate training on what it means to secure the enterprise.
We’re providing new information and guidance on how to secure your enterprise. These books — which you can also get on these CDs — but these books — makes them more practical to show — are all new information: “Securing a Wireless LAN,” “Securing Windows Server 2000,” “Windows XP Security Guide,” “Windows Server 2003 Security Guide,” “Threats and Countermeasures, Security Settings in Windows Servers and Windows Clients” — prescriptive guidance to try to help you and our customers to know exactly the kinds of things you need to do to implement a secure enterprise. It’s not all about Windows, but we want to help you get the Windows part right.
We’ll also be issuing by early November a report on how Microsoft secures Microsoft, documenting the practices of our own internal IT group: What third-party products do we use? What do we do for intrusion detection? What do we do for VPN users? What do we do for access? What do we do for authentication? What do we do with firewalling? We want to make sure you understand at least what we think is the best in place practice that we’ve seen for running a secure enterprise with a lot of Windows client and Windows Server. (Applause.)
We put in place a new Web site, which should be live today, Microsoft.com/security, that will have a lot of good information that keeps this flow up to date, and a new online community that we call the Security Zone, particularly for IT professionals who want to get in and talk about security topics that our people will be very active and involved in the forum, trying to make sure we are really feeding the community and feeding you the answers to the key questions that you’ve come up with on security.
Patching is critical, but patching is insufficient, for all the reasons I highlighted in terms of the speed with which new vulnerabilities are coming out. What we really want to do is make our customers resilient to attack, even when patches are not installed. Does that make sense? You should be able to have a kind of perimeter around you that protects you so that you can install patches on your own schedule — I’m not saying patching becomes irrelevant — but you should be able to apply patches on your own schedule, not on the schedules of the hackers.
Our goal essentially is to make seven out of every 10 of the patches we’ve ever done or ever will do installable when you want to install them, as opposed to us putting out a bulletin that says, “Now, now, now!” We can say if you have this perimeter defense in, you’re okay. If you have this safety measure in place, you’re okay — you can install this at your comfort within the next month or so.
So we are putting in place an effort, and we are going to start shipping a set of new technologies, that I generally refer to as safety technology.
We focus on this both at the client level and at the perimeter of the network for the business. Why those two places? We will never be able to go back and fix or put safety technologies on every installed version of Windows. So what we are trying to do is help you protect the corporation’s perimeter; and we are trying to help clients, particularly clients that people use from home to access corporate information, laptops that people move around with. We want to make sure that those are protected, so that you will have the time to apply patches when you want, and so that downlevel versions of the system are more impervious to attack.
There’s really four attack vectors that we want to provide safety from at the client level: malicious e-mails, viruses and worms that scan ports on the Internet, malicious Web content, and buffer overruns. And so what we are doing is designing technology that will shield a Windows XP system from any of those attacks.
At the corporate level the things we are most worried about are people who bring a laptop that’s been infected into work, or somebody who VPNs into work from home and their home computer got infected. As we’ve canvassed our customers, we find that those are really the top places where people are having security issues. People put in place firewalls, they have AV solutions. The top source of infection on some of these things is machines in homes get infected, and then they’re allowed to infect somehow the corporation.
So we need to help provide shields or safety measures that essentially block off an infected remote client or a laptop that comes back into the environment after it’s been out and been exposed. We call these safety technologies “inspection technologies” to help you inspect — “quarantine” almost is a little bit strong — but any system that gets introduced is inspected and you can refuse to allow it on the network if it doesn’t pass health inspection. So a VPN system or a laptop system can be inspected before you let it back on the network, before it infects anybody and once it’s inspected you can say, “You don’t look good — I’m not letting you back on the network for now.”
There’s a lot of technology involved in the concepts that I describe. We’re going to make improvements to the Internet connection firewall. It will be on by default, but we are going to make it more compatible with existing scenarios — printing, AOL, et cetera. And we are going to provide for central management of the Internet connection firewall, so that you can actually say, “I want the firewall off for Joe but on for Harry. I want it on now, and off then.”
We are doing work in the e-mail and instant-messaging technologies so that when content comes down we do more to filter and ensure that there’s no executable content in the e-mail that runs.
We are doing work in the browser and the work in the browser will make sure both that you cannot run ActiveX controls from Web sites that you haven’t sort of declared that you trust, and the improved browsing technologies will make sure that code that comes down, script that comes down from Web sites is isolated and kind of sandboxed, if you will, from what goes on the local machine so that Web sites have a much harder time of feeding malicious content into the browser that causes problems.
Improved memory protection. One of the things that has been a big issue for us is buffer overruns and heap problems. There’s new technologies that will help us essentially lock that memory so that worms and exploits can’t write into bad pieces of memory after a buffer-overrun problem. And then there’s the perimeter inspection technologies that I talked about that will go into the Windows Server.
To implement these technologies, there are two things we’ll introduce: a new version of Windows XP, which we’ll call Service Pack 2 — not a glamorous and glorious and exciting name, but exactly what our customers want right now, something that focuses very much on the security issues. I’d call it a service pack on steroids, and I really want it on your radar screen. We’ll deliver that in beta by the end of this year and RTM in the first part of next year, release to manufacturing. And then a service pack for Windows Server 2003 that adds role-based security configurations, making it easier to configure the system, and it has the inspection technologies that we talked about and that will follow the client by a few months. So both of these things we’re announcing today for delivery first part of next year.
I’ve been asked, “What about the quality of your code?” This is the fourth area. “How do we make sure there are fewer vulnerabilities in your product? Has this Trustworthy Computing thing that you announced — has it worked or hasn’t it worked?” I feel very much that it has worked, but we still have more work to do. For literally every stage of the software development process today we’ve got a set of training and a set of tools and a set of processes that we put in place to try and ensure that we wind up with secure code, without vulnerabilities. In the design phase we are doing security reviews. In the development stage we are doing security pushes, and we have extra tools that help look through a source code and spot potential security vulnerabilities. When the product is ready for release we put it through a security audit. And I talked a little bit about our security response practices previously.
So I think there’s been good strides and it shows up, if you will, in the numbers. Let me just highlight this for you — and it’s an imperfect record but it’s a much better record. SQL Server 2000 Service Pack 3 went through Trustworthy Computing release process. What we did was compare it to SQL Server 2000 and we said, “How many security bulletins were there within the first” — I’ve got to remind myself now — “nine months of product shipment?” Before Trustworthy Computing release process, 10 vulnerabilities. After Trustworthy Computing release process, one vulnerability or bulletin in the first 10 months. Exchange went from five to zero. And if you look at Windows Server itself, Windows Server 2000, within the first 90 days, nine vulnerabilities, 17 within the first 150. For Windows Server 2003, three critical vulnerabilities in the first 90 days; four in the first 150.
That’s real improvement. It’s insufficient, but it’s real improvement.
A lot of you will hear the argument that says the best thing I can do for security is just walk away from Microsoft, the other systems are more secure, a mono culture is bad for security, a big argument that’s been in the press recently.
All of that is hogwash. Anybody want to guess how many security vulnerabilities there were in Red Hat 9 in its first 150 days? Just go to their Web site. Any guesses? Forty-three, 43.
And believe me, unless we’re going to evolve to a world in which there’s hundreds of incompatible operating systems. If there’s one, if there’s two, if there’s three, there are still going to be hackers that go after those 43 vulnerabilities, or these four vulnerabilities. I think, competitively, we are in perfect competitively, we’re actually in good shape even if we don’t meet today the standards that customers want to see. There’s no other port in this security storm that’s safer than this port, and you need to know that and you need to be able to articulate that to your customers.
We have a lot more coming. I talked about today’s guidance, which really focuses in on training and prescriptive guidance and information. The first half of next year is really all about the client-side safety technology. The second part of next year is all about client-side safety. In addition, we’ll release these inspection technologies for the server. And we have a new version of our Internet Security and Acceleration Server, ISA, which is very important. How many people here would install Checkpoint or Cisco Firewall? Show of hands. How many people have installed ISA as a firewall?
We’ve got two nice things about the ISA 2004 product. Number one, it’s just a better firewall. And, number two, it is an application level firewall, so you’ll be able to pair it up, even in an environment that is fundamentally protected today at the lower level by Checkpoint or Cisco, you’ll be able to put in the ISA product so it provides application level firewalling in that time frame next year. And then, when we get out in the future, we’ll continue to enhance the safety technologies, and we will continue to enhance the core security of the operating system.
Security is a responsibility that as an industry leader we take very seriously. But we are not alone. There are a lot of companies that are involved in helping our customers have a secure environment, Symantec, RSA, ISS, VeriSign, Cisco, Checkpoint, systems integrators, there are many, many people in this business. We recognize and we are reaching out to these firms. Even as we improve the fundamental security in our products, we need these companies to work with us in partnership to provide a set of tools that you can use to secure your customer environment.
And so you’ll see us very active with the industry, even as we’re extending our own security capability, we know this is an industry challenge, and we look forward to robust and important partnerships with all of the security industry software companies, and with you to help our customers get to where they need to get.
What can you do for your customers today? Well, if this is a core competence of yours, congratulations. If it’s not a core competence of yours, it’s still something I would recommend to my customers. Have they performed a security audit? Do the customers have a security plan? Have they brought in a Microsoft partner who has been trained and understands how to do secure implementation? Do they have a patch management strategy based around our Software Update Server or anything else?
I would encourage people to upgrade all of their laptops to Windows XP. They ought to upgrade all machines, but the laptops are reasonable, and if we want this inspection to work and if we want the client-side safety to work, we absolutely should encourage those upgrades.
I would also encourage people to require Windows XP for people who are VPN’ing in from home. And I’d move my Internet-facing servers, not all of my internal servers but my Internet-facing servers, I certainly want to upgrade those and move those to Windows Server 2003 quickly to take advantage of the new security and inspection facilities that we talked about.
There is much to do still, much, much, much to do on security. It’s a journey. I think we’ve made some great progress. I think the stuff that we’re bringing to market today and announcing today for delivery over the next several months are very, very important milestones, but this is a journey that we’re on. And if we as an industry leader and you and the rest of our industry rise to the challenge, all of that innovation that I discussed, all of that stuff that I think will fundamentally change the world in the next ten years will come to happen. But if we suck all of our customers’ confidence down because of security problems in the industry, if we consume all of our customers’ resources simply managing security for the long run, the great and wonderful and innovative future that I anticipate isn’t going to happen the way I think it should, and the way that would bring our customers’ greatest value, and our partners’ greatest opportunities.
Partnership, innovation, best value, and customer focus and responsiveness: Those are the big lessons for me, me as a business person, me as an entrepreneur, and things I think I’d highlight for you. What are your defining moments, who are your key partners, what are you doing that’s innovative in operations or in new product creation, do you offer the best value to your customers and are you really listening, hearing, focusing, and responding? We all need to do our best. That’s all we can do. We’re dedicated to doing our best on these issues. We’re dedicated to helping you succeed and we’re dedicated to attacking the hard issues that our customers and our industry face.
I thank you very much for the time today. I’m super glad you’re here at the conference, and I look forward to your questions, your comments, feedback. It will be a lot of fun.