REDMOND, Wash., Jan. 13, 2004 — By this time each January, some people have already strayed from too-ambitious New Year’s resolutions, and perhaps even moved personal goals like daily gym workouts to the “maybe next year” category. On the business side, however, there’s still plenty of opportunity to turn good intentions into effective action.
In keeping with its charter to share best practices with customers, the internal IT organization that in essence
Microsoft has drawn up a Top 10 list of New Year’s resolutions aimed at helping businesses ensure IT success in 2004 (see list at right). To learn more about these guidelines and the reasoning behind them, PressPass sought out Ron Markezich, general manager of Global Technology Services for Microsoft IT, and Pete Boden, the group’s director of information security.
PressPass: Can you describe the Microsoft IT group and explain the role it plays at Microsoft?
Markezich: Microsoft IT is a group made up of roughly 3,500 IT professionals who provide internal IT services at Microsoft. We support the company’s global infrastructure needs by overseeing the hardware, applications, networks, and technology services used by 55,000 Microsoft employees in 85 countries. To give you an idea of the group’s scope, we’re responsible for a corporate network that includes more than 300,000 computers and runs about 400 applications. We’re also charged with deploying and using pre-release versions of Microsoft products internally and providing feedback to the software development teams. This process, which we call “eating our own dog food,” serves customers by ensuring that Microsoft products have passed muster in a demanding enterprise environment.
PressPass: What do you hope to achieve by compiling a list of New Year’s resolutions?
Markezich: We believe the changeover to a new year is a perfect time for companies to assess and evaluate their current processes and IT portfolio, and an excellent opportunity to think about new ways to extend the business value of their IT investments. We wanted to compile a list of important issues that we believe companies of all sizes should be thinking about as we move into 2004 in hopes of helping IT professionals benefit from Microsoft’s in-house experience.
PressPass: Why should IT organizations adopt these resolutions? What evidence supports them?
Markezich: The recommendations reflect what we at Microsoft IT have found to be best practices for creating a more effective, secure, and productive IT infrastructure environment. The list is driven by the same top-level IT concerns we hear echoed by our large enterprise customers, so we know they’re issues that are shared across the industry.
Boden: And in some cases, we’ve learned to deal with IT issues at a magnified level, especially from a security perspective. For example, we believe Microsoft is one of the most frequently targeted entities on the Internet. We experience as many as 2,500 unique attacks, probes and scans on a daily basis, and we’re committed to sharing the internal practices we’ve developed to protect our environment so we can help customers successfully secure their environments. Plus, we’re constantly “eating our own dog food” at Microsoft IT. We have an obligation to the product groups that extends to pre-release testing of the software that our customers will eventually run. So we have firsthand knowledge of how it’s working, how it solves the problems we have, and how it can solve the problems our customers are likely to have.
PressPass: The first New Year’s resolution on the list is about enlisting CEO support for your IT mission. How important do you feel that is?
Markezich: That item is No. 1 for a reason. One of the dangers in an IT organization is catering to users who scream the loudest. Usually, that happens when you lack a strong mandate or solid buy-in from executives. So using the new year to revalidate the CEO’s support of your mission and what you’re trying to accomplish is probably the most important thing any IT shop should do. It’s especially important when your mission runs counter to user needs. For example, being in aggressive new-technology mode or outsourcing mode could cause some short-term constraints that lead to hardship for users. Securing CEO support during those times is critical.
Boden: I would also emphasize the importance of getting executive support for security policy enforcement and buy-in on key security messages.
If a policy isn’t supported at the top levels of an enterprise, it won’t be effective. Also, our bottom line is, we don’t establish any policy that we can’t enforce. We’ve put auditing measures in place for every security policy, and each has non-compliance consequences, whether that’s an e-mail sent to a user saying a password needs to be reset by a certain date, or whether we pull a certain machine off the network until the non-compliance issue is resolved.
PressPass: How do you make sure users are aware of key IT policies?
Boden: You’ll notice that re-communicating your IT and security policies to users made the Top 10 list as resolution No. 6. It’s a low-cost investment but it has immediate payoff, especially in terms of security because frequent reminders reduce your risk. I can’t overemphasize the importance of educating users about security risks and what they can do to protect themselves and the network. Our bottom-line experience is: Better-educated clients are more secure clients. Thus, the more we do to help people understand the risks (what’s going on outside our network and on our network), the more likely they are to comply with our policies, take appropriate steps to protect themselves and be proactive in the way they report incidents.
PressPass: Another resolution high on the Top 10 list recommends consolidating IT resources. Can you explain why that’s a good idea?
Markezich: We’ve learned that consolidating across the server and storage environment is a big opportunity in creating a more effective infrastructure. In the past two years, technology has been enhanced to the point where processing power is significantly less expensive, but many companies today aren’t fully utilizing the processing power they’ve already purchased. By consolidating across your processing resources, you can lower your costs as well as create a more manageable environment. Storage is another good area of focus because most companies use only 30 percent of the storage they own. By sharing storage across applications, you can increase utilization to about 80 percent and see some fairly significant return.
PressPass: You also urge IT shops to begin the year by reviewing and refining their most critical processes. Can you be more specific?
Markezich: IT professionals should make sure they have consistent change-management, configuration-management and release-management processes defined across the enterprise and across technologies. This helps ensure the availability and reliability of your IT environment. We’ve learned through experience that most of the issues you see in an enterprise aren’t related to the technology or the people but rather to processes that aren’t defined, standardized or followed. To ensure consistency in our operational processes, we use Microsoft Operations Framework, a tool that we also make available to customers.
PressPass: Pete, what about other security-related resolutions? What are the most important things an IT administrator can do at the beginning of a new year?
Boden: We always start with an assessment of security threat and risks, and then we base our to-do list on the results of that assessment. For example, we ask: What are the key external and internal threats to security and privacy? What are the highest risks? Where do we get the most cost-efficiency out of our security remediation work? Companies are also well-advised to identify their most critical assets, then make sure security is applied accordingly. The definition of “most valuable asset” will vary from one company to another. At Microsoft, it’s source code; at other companies, it might be product plans or mergers and acquisitions information. The point is to put more security measures in place around whatever assets you consider most critical. In a similar vein, a new year is a good time to apply more rigor to the way you define and assess risk, and to rank what’s important. At Microsoft IT, we follow a well-defined process to quantify risk, look at the alternatives for mitigation, and then prioritize any remediation tasks. That helps us answer to executive management about the security tasks we need to undertake first, then form plans to address other items in decreasing levels of urgency.
PressPass: Besides being good overall IT guidelines, do you think any of the Top 10 resolutions could help customers achieve some fairly immediate cost savings?
Markezich: We’ve certainly seen that as a bonus in some areas. For example, the fourth item on the list mentions brushing up on new technologies that can produce quick ROI. It’s important to remember that although technology spending slowed down for a while until the economy bounced back, innovation continued non-stop. The innovation of the past few years has introduced new wireless technologies, processing technologies and collaboration technologies, among others. It’s worthwhile to look at what’s available today, especially in light of recent changes to the workforce. We’re seeing more telecommuting, a more mobile distributed workforce, more companies with remote offices and so forth. Those trends present challenges that collaboration tools and wireless technologies can address very cost-effectively. So you should make sure your company has a strategy to use those tools and technologies across the enterprise, because they can significantly increase workforce productivity. Some of the other suggestions that made it to our Top 10 list also have good ROI potential. In particular, consolidating IT resources, which we talked about earlier, as well as resolution No. 8, which recommends going paperless, and resolution No. 10, which suggests deploying technology that enables virtual meetings.
PressPass: You also drew up a resolution that deals with pruning applications. Can you elaborate on that?
Markezich: One action we take every year (and the beginning of the year is a good time to do it) is get rid of any application that we’re not using to the extent we could or should be. It’s a fact of life in IT shops that you’re constantly adding new services and applications, but very rarely do you take anything away. When you do eliminate an application, you’re eliminating the cost of running and supporting that application, and you can invest the resources you’ve freed up in new areas that deliver more value. One area where we see insatiable demand for new solutions is in line-of-business applications, so we advise looking there for reduction opportunities. Often, business processes change, or business needs change, or competitive situations change that allow you to remove certain LOB applications that may have been valuable two or three years ago but aren’t today.
PressPass: What’s in store for Microsoft IT in the year ahead?
Markezich: A lot of our efforts in 2004 will revolve around building on the deployments we’ve done with the wave of products released last fall in conjunction with the Microsoft Office System. We will focus on taking further advantage of Office System 2003, Exchange Server 2003, Windows Server 2003, Systems Management Server 2003 and Microsoft Operations Manager 2004. We’ll be capitalizing on those innovative technologies through security enhancements, consolidation, collaboration and increased employee productivity. The key Microsoft product for us this year will be Office System 2003 for its productivity capabilities as well as the significant cost-reduction capabilities it offers for an IT shop, both from an application development and IT infrastructure perspective.
PressPass: Where can IT professionals get more information on Microsoft IT best practices?
Markezich: I would point them to our IT Showcase site on the Microsoft TechNet website (see Related Links at right).
Boden: I can suggest two good sources of information on how Microsoft IT implements security technologies and best practices at the company. The first is a white paper titled “Security at Microsoft,” posted online at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/msit/security/mssecbp.asp, and the second is an archived webcast on patching processes, accessible at http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032240800&Culture=en-US.