Microsoft looks for 'protection' money

After spending billions to secure its software, Microsoft sees security products as a selling point.

Microsoft has spent billions of dollars in recent years to secure its software. Now it's payback time.

Until recently, security was just something that the software company got hammered on--a perennial headache, with no upside. But now, four years after Chairman Bill Gates launched his Trustworthy Computing push, Microsoft is starting to see security as a potential selling point.

Last month, Windows chief Jim Allchin pointed to enhanced security as the top reason customers should move to Vista, the update to the operating system due this year. The software maker estimates that a third of its engineering time for the new Windows was spent on protective measures.

Alongside this, Microsoft has begun to sell its own brand of security products, including a $50-a-year OneCare consumer antivirus service and its upcoming Microsoft Client Protection software for businesses.

"There is a shift that we are seeing," said Mike Nash, the executive who heads Microsoft's security business. "As we're still making progress and still being scrutinized, we're also hearing that companies want more from us."

Though challenges remain, the opportunity for Microsoft is huge. The Yankee Group in January pegged the unsecured PC market--computers without antivirus software or that have lapsed antivirus subscriptions--as worth $15 billion. Enterprise customers already spend $3 billion a year on security, the analyst firm noted.

"What's driving Microsoft's investments? Money, of course," Yankee analysts said in their report. "These markets are collectively too large for Microsoft to ignore any longer."

Any revenue would help boost the return that Microsoft is getting on its investment in security, a push that Pescatore said costs the software maker hundreds of millions of dollars per year. The company has also been on a shopping spree that began with its 2003 purchase of Romania's GeCad and includes at least four other security software makers.

Gaps in security
A few years back, security was nothing but a headache for Microsoft and all customers wanted from the Redmond, Wash., company was software with fewer holes.

Microsoft still faces plenty of challenges in this arena. A recent public exploit for a flaw in how Windows handles some images was a reminder that hackers will make the most of unplugged holes.

And not everyone is keen on the idea of paying Microsoft to help secure the products it created. Businesses, in particular, are questioning the move, Gartner analyst John Pescatore said.

"'Wait a minute--Microsoft's software is causing the problem, and now they want me to pay extra to fix the problem?'" Pescatore said, summing up the reaction of some corporations to Microsoft's move toward selling security software.

While businesses may still be somewhat loath to pay Microsoft for security, Pescatore said that the company's reputation has improved from the days when the SQL Slammer and MSBlast worms dented it.

"They have spent three or four years taking security seriously," he said. "They have basically removed it as a liability compared to the Linuxes and Solarises."

Pescatore contrasts Microsoft's efforts with those of Oracle. While Microsoft has been improving its reputation, Oracle, he said, has largely been standing still and is losing its once-sterling reputation for security.

Even John Thompson, CEO of Symantec, has had to praise Microsoft's efforts. In a speech at last week's RSA Conference, Thompson noted that there were 100 attacks that posed a medium or high risk between 2002 and 2004, but only six such attacks last year.

"The broad adoption of firewalls and antivirus and intrusion detection software, and the progress quite frankly made by Microsoft in securing their operating platform, has made this possible," Symantec CEO John Thompson said last week. "Yes, I did say that," he added, to laughter from the crowd.

Featured Video