
Microsoft looks for 'protection' money

After spending billions to secure its software, Microsoft sees security products as a selling point.

Ina Fried Former Staff writer, CNET News
Microsoft has spent billions of dollars in recent years to secure its software. Now it's payback time.

Until recently, security was just something that the software company got hammered on--a perennial headache, with no upside. But now, four years after Chairman Bill Gates launched his Trustworthy Computing push, Microsoft is starting to see security as a potential selling point.

Last month, Windows chief Jim Allchin pointed to enhanced security as the top reason customers should move to Vista, the update to the operating system due this year. The software maker estimates that a third of its engineering time for the new Windows was spent on protective measures.

Alongside this, Microsoft has begun to sell its own brand of security products, including a $50-a-year OneCare consumer antivirus service and its upcoming Microsoft Client Protection software for businesses.

"There is a shift that we are seeing," said Mike Nash, the executive who heads Microsoft's security business. "As we're still making progress and still being scrutinized, we're also hearing that companies want more from us."

Though challenges remain, the opportunity for Microsoft is huge. The Yankee Group in January pegged the unsecured PC market--computers without antivirus software or that have lapsed antivirus subscriptions--as worth $15 billion. Enterprise customers already spend $3 billion a year on security, the analyst firm noted.

"What's driving Microsoft's investments? Money, of course," Yankee analysts said in their report. "These markets are collectively too large for Microsoft to ignore any longer."

Any revenue would help boost the return that Microsoft is getting on its investment in security, a push that Gartner analyst John Pescatore said costs the software maker hundreds of millions of dollars per year. The company has also been on a shopping spree that began with its 2003 purchase of Romania's GeCad and includes at least four other security software makers.

Gaps in security
A few years back, security was nothing but a headache for Microsoft, and all customers wanted from the Redmond, Wash., company was software with fewer holes.

Microsoft still faces plenty of challenges in this arena. A recent public exploit for a flaw in how Windows handles some images was a reminder that hackers will make the most of unplugged holes.

And not everyone is keen on the idea of paying Microsoft to help secure the products it created. Businesses, in particular, are questioning the move, Gartner analyst John Pescatore said.

"'Wait a minute--Microsoft's software is causing the problem, and now they want me to pay extra to fix the problem?'" Pescatore said, summing up the reaction of some corporations to Microsoft's move toward selling security software.

While businesses may still be somewhat loath to pay Microsoft for security, Pescatore said that the company's reputation has improved from the days when the SQL Slammer and MSBlast worms dented it.

"They have spent three or four years taking security seriously," he said. "They have basically removed it as a liability compared to the Linuxes and Solarises."

Pescatore contrasts Microsoft's efforts with those of Oracle. While Microsoft has been improving its reputation, Oracle, he said, has largely been standing still and is losing its once-sterling reputation for security.

Even John Thompson, CEO of Symantec, has had to praise Microsoft's efforts. In a speech at last week's RSA Conference, Thompson noted that there were 100 attacks that posed a medium or high risk between 2002 and 2004, but only six such attacks last year.

"The broad adoption of firewalls and antivirus and intrusion detection software, and the progress quite frankly made by Microsoft in securing their operating platform, has made this possible," Thompson said. "Yes, I did say that," he added, to laughter from the crowd.

Of course, Symantec is likely less thrilled with Microsoft's decision to move beyond hardening its own products, onto Symantec's turf of antivirus software. Analysts have pointed to that company as the one with the most to lose if Microsoft grabs share in the security market.

"As this company dominates the consumer antivirus market, it obviously has the most to lose," Morgan Stanley analysts Peter Kuper and Brian Essex said in a January 2005 report. "Symantec will likely be successful in softening the initial blow, but the prevailing winds should eventually impede growth, in our view."

At that time, the Morgan Stanley analysts argued that Microsoft would enter the consumer antivirus market "because it has no other choice." The analysts pointed to the millions of unprotected home Windows PCs as the largest security threat on the Internet.

Security milestones

A timeline of acquisitions and products to track Microsoft's move into the business of protection.

February 2006: Consumers will pay about $50 a year for antivirus service

October 2005, Microsoft Client Protection: Launches security software package aimed at protecting businesses from attacks

July 2005, FrontBridge Technologies: Buys provider of hosted e-mail and messaging security and compliance services, which will be offered with Exchange

July 2005, Finjan Software: Picks up maker of appliances for behavior-based protection against unknown security threats

February 2005, Sybari Software: Acquires producer of software to filter viruses and spam on e-mail networks and for collaboration

February 2005: Bill Gates outlines plans for anti-spyware application, launched in beta form a month earlier

December 2004, Giant Company Software: Acquires maker of technology to combat spyware, pop-ups and spam, which now forms the basis for Vista's anti-spyware protection

August 2004, Windows XP SP2: Security-themed Service Pack 2 update makes it out the door

June 2003: Buys maker of antivirus technology, used in Windows Malicious Software Removal Tool and OneCare consumer security product

In the report, Kuper and Essex made the point that security should be something that is part of a computer and not a separate application. "This may be a controversial comment, but in our view, security is more often a feature of a product or service rather than a separate product," the pair wrote.

They likened the products to car alarms, which were once only available as a standalone addition to an auto, but are now standard on many cars.

Perchance to lead
Pescatore said that when Microsoft got into the security business with its 2003 purchase of GeCad, it was largely a defensive move.

"Back then, it was more a reaction to all these worms and viruses that would hit Windows, and Microsoft would get yelled at," he said. But the software maker also clearly saw opportunity. "Symantec's stock price would go up every time there was a virus," Pescatore said.

Now, he added, the company has turned a liability into a chance to show leadership.

On the consumer front, Pescatore said that Microsoft is already in a good position, bringing a well-established and largely trusted brand into the market.

"If Microsoft's security products are easier to use, we think consumers will be very happy to buy from Microsoft," Pescatore said.

An open question, though, is whether Microsoft could end up a victim of its own success. If it succeeds in nabbing dollars from rivals like Symantec and McAfee, those companies could have less profit and therefore less money to invest in securing Windows.

Microsoft's Nash said that as long as other security companies innovate, there will be plenty of dollars to go around.

"As we address a set of issues, there'll be opportunities for them to build products that compete with the issues we are addressing, but also opportunities to go build more advanced things than we can do," Nash said. "We can't do it alone."

Another challenge for Microsoft is promoting its OneCare antivirus service without unfairly tying it to the Windows operating system. Today, for example, Windows points to a Web site that offers various security products for customers who don't have antivirus installed. Nash said that site will continue to use objective criteria in determining the order in which sites get listed.

"We're certainly going to promote Microsoft OneCare off Microsoft.com. You should expect us to do that," Nash said. "When it comes to things that are a part of Windows, we will be fair."

Microsoft, meanwhile, is not content with just addressing security on the PC. The company is also starting to look at other opportunities, including helping businesses shore up mobile devices, said Amy Roberts, a director of product management in Microsoft's security technology unit.

"We need to stay vigilant to stay ahead of the potential security threats that mobile devices pose, both in terms of data security and as avenues for virus or worm activity," Roberts said.

CNET News.com's Joris Evers contributed to this report.