REDMOND, Wash., Nov. 29, 2005 — In the IT world, security is a subject that’s always on the move. The sophistication of new security threats is growing each year, and our ever-growing dependence on IT systems means that more and more personal, financial and other critical data must be secured. Adding to the complexity are legislation and regulation that have turned up the heat on companies to keep their information safe from harm. As a response to these issues, Microsoft is building its business around security software to secure customers’ IT infrastructure.
Having a skilled and innovative security partner ecosystem is central to the company’s approach, and therefore a large part of the effort has been significant changes to the Microsoft Partner Program Security Solutions Competency, announced this week in partnership with long-established certification programs from the International Information Systems Security Certification Consortium (ISC)2 and the Information Systems Audit and Control Association (ISACA).
According to Thomas Dawkins, group product manager and the person responsible for Microsoft’s security partner strategy, the revised Security Solutions Competency is a direct response to many discussions Microsoft has had with industry partners, analysts, field sales staff and others, who made specific recommendations on ways to make the program more useful to partners who work with products, services or solutions based around security.
“Our partners want business opportunities, a relationship that supports the development and growth of their security business, and meaningful program requirements that help position them as trusted advisers to customers,” Dawkins says. “Most importantly, they want technical information, support and guidance to assist them in the field, where they need us the most.”
The result is the first Microsoft Partner Program competency to include both the rigorous and sought-after third-party validation from ISACA and (ISC)2 and the relevant Microsoft certifications as core elements. The restructured competency features two new specializations, one focused on security management, for those partners who focus on more “technology agnostic” services such as security policy, governance, compliance, risk assessment, risk management and auditing. The other is focused on infrastructure security — the technical side of the equation.
“We wanted to ensure that our partner program took an industry leading approach to being effective for the security industry as a whole,” Dawkins says. “Whether you’re working with Microsoft technology or providing security products, services or solutions — across the enterprise we want them to have a home in this program. As we grow our security product portfolio, this is one of those rare opportunities where a partner can grow with us.”
According to Dawkins, this takes the form of working directly with security partners to bring them enhanced revenue opportunities. “We look at this in four ways,” Dawkins says. “First and foremost, we are building a security products business, and we need our partners to help us do that. We have made considerable investments in changing the Security Competency and providing resources in the field to support the evolution of our security partner ecosystem. We will continue these investments in the coming year. Second, in the development of our ‘go to market’ strategies and product campaigns, we are including our partners as a part of our development strategy to gain their feedback and direction to how these campaigns can drive business for them. Third, we have created Product Guides and other product related resources to help our partners build services or solutions around our products. And finally, we will continue to create new and exciting business opportunities for our partners over the coming year.”
According to Dawkins and others involved with the new certifications, the company needed a new focus that draws a consistent approach to solving security issues for customers through the partner ecosystem. The new program recognizes the very rigorous certifications from ISACA and (ISC)2 — two of the most sought-after validation programs in the industry, with two very standardized approaches to the issue.
According to Dow Williamson, Certified Information Systems Security Professional (CISSP) and director of corporate development for (ISC)2, new security technologies provide one piece of the puzzle, but the human element is the next great frontier in systems information security. His organization is the world’s foremost provider of information security training, education and certification and offers the CISSP and Systems Security Certified Practitioner (SSCP) credentials. After years in the business, he says, the industry and the people in it are still at the very tip of the iceberg.
“Qualified people are the key to an effective security program. (ISC)2 currently has approximately 40,000 information security certified members in about 127 countries around the world, and we estimate that in 2005, there are roughly 1.4 million information security professionals out there,” he says. “There’s a whole lot of work that has to be done in terms of professionalizing the information security workforce to meet the increasingly complex security demands of organizations worldwide. We applaud organizations such as Microsoft who want to work with partners that possess higher standard industry certifications.”
Kent Anderson, Certified Information Security Manager (CISM) and managing director of Network Risk Management LLC, is a member of the CISM Certification Board of ISACA, a security standards and certification powerhouse with more than 47,000 members in 140 countries. Anderson says it is vital for information security managers to have expertise in business management issues, and have services professionals with certifications working with them. According to Anderson, the business world is beginning to understand the importance of this, and as a result, ISACA’s CISM and Certified Information Systems Auditor (CISA) designations have experienced unprecedented growth.
“One of the key challenges for companies and government entities around the globe is to have a professional information security staff work in partnership with executives and managers in all areas of the business,” Anderson says. “The experience of the people securing our networks and information systems is more important than ever, and being able to test and certify their skills and knowledge — both at a technical level and a strategic or policy level — is a big element in reducing IT-related risks and adding value to the business.”
According to Jeff Aliber of Unisys Corp., a global provider of enterprise security services and a Microsoft Gold Certified security partner, the involvement of the two major standards organizations will provide a measure of assurance for customers that can in turn benefit solutions providers and systems integrators.
“(ISC)2 and ISACA are worldwide organizations that are primarily focused on standards,” Aliber says. “The industry has rallied around these organizations to define the appropriate backgrounds and skills required for security certification. For customers, who generally work in heterogeneous security environments, these broader industry certifications will provide assurance that our consultants are not only skilled with their Microsoft-based technology, but all of the other facets of their security ecosystem as well.”
Another Microsoft Certified Gold partner, Fabio Spina of Italian solution provider Cluster Reply, says that Microsoft’s new approach based on standards will help ease the deployment process as well. “It’s important to our customers that Microsoft is investing in solutions, in awareness, in the approach to these kinds of problems, and doing so in a standardized way,” Spina says. “This creates one standard solution, one standard approach, which makes it much easier for us to provide effective solutions for our customers, and permits the industry to have one solid, formal approach to managing security issues.”
Under terms of the relationship, the Microsoft Partner Program will work with security professionals to validate their certifications through ISACA and (ISC)2. When partners register to become a Microsoft certified security partner, their certifications will be validated through the two organizations.
“We’ve changed our own requirements to include their certifications, and extended upon what they have built — standards and methodologies for solving industry security issues and providing guidance to help customers secure their IT infrastructure,” Dawkins says. “This provides a unique situation where we’re increasing the level of expertise needed in the marketplace. At the same time it expands the availability and relevance of our program for our partners in the information security industry.”
Brad Gleason, global security practice manager for Getronics, a major worldwide provider of outsourced workspace management and IT security services, says that, while the program and Microsoft’s enhanced investment in the information security profession could lead to new opportunities, it also means bottom line security benefits for customers. For Getronics’ enterprise customers, this means enhancing service delivery for multi-year arrangements where Getronics has taken over management of the customer’s desktop, server and network environments.
“What our larger customers are asking for is to have security services woven in, integrated into a large outsourcing agreement, as opposed to being bolted on as a standalone service,” Gleason says. “To the extent we can weave our security services into our desktop environment to the point where it’s tightly integrated and seamless, we can deliver that at a predictable cost per seat on a recurring basis.
“We’re working closely with Microsoft on a number of fronts to integrate security throughout our portfolio offerings, so we can strengthen those offerings and improve the overall security position of our customers. But in the end, it’s being able to deploy competent professionals with a standardized best practices approach that really makes it happen.”