Stuart Okin is a very animated man. He talks, eats and gesticulates at speed, but he chooses his words carefully. He refuses to be backed into corners. In spite of this he is a very entertaining interviewee. He has plenty to say.
But then he should have – four years as the face of Microsoft's security program is truly the school of hard knocks. Now an associate partner at Accenture, Okin is the equivalent of a car dealer who has packed away his suit, slipped on some overalls and become a mechanic. Which isn't that odd, considering he was once a systems engineer for EDS.
"Quite a lot of my Microsoft role has mapped across to Accenture," Okin says. "My main function was helping the product groups understand what was needed and being its [Microsoft's] public face in the UK and Europe. Amongst other things I now help build Accenture's relationship with Microsoft."
Since February 2002 Okin has been a veteran of conferences and trade shows. At Microsoft he often received vitriolic abuse for daring to suggest the company had any interest in security.
"It was always Stuart Okin's fault," he says. "People seemed to hold me personally responsible for their systems not working. I think one of the highlights of my career was being booed at InfoSec."
Okin then recalls a time when a CSO sat him down in a room and told him not to say anything while dozens of staff members came in and complained about their computers. The exercise was intended to make him understand how difficult it was working with vulnerable Microsoft systems. After several hours listening to complaints in absolute silence, he got the message.
Despite the negative abuse he received in the offices of CSOs and at Europe's most popular security trade show, Okin says he enjoyed his years at Microsoft.
"I liked... taking the negative things and turning it around. It was a challenge," he says. "There was a lot of apologising. [But] I found it fun even when I was having a hard time."
Now that he works for Accenture, his job is very different. Instead of being a security evangelist, Okin works face-to-face with the end users.
"I'm finding myself exposed to business people like never before. I used to talk to medium-level operations managers, now it's much higher relationships," he says. "If you can't talk to a CEO about how they are going to use security change to make a business advantage, they're going to switch off."
According to Okin, securing budget for security initiatives is the biggest problem facing CSOs today. The successful CSOs, he says, are the ones who explain security in a way the chief financial and chief executive officers will understand. He tells a story about the executive who put him straight on the facts of business.
"He sat me down and told me he sold baked beans," Okin says. "His job was to get those beans on the shelf and sell them as quickly as possible. He wanted me to talk to him in only those terms. How was my security thing going to help him sell baked beans?"
Okin seems well versed in business speak, but that has only come through being thrown in at the deep end.
"I've been forced to change my language so that the rest of Accenture can understand me. Security is a relatively small part of the company. But you rehearse what you've got to say, work through it with your colleagues."
CSOs have to do the same, he insists, because the man holding the purse strings doesn't have a lot of time and you often only get one chance to get it right.
Okin's position at Accenture gives him the privilege of having seen security from both angles – that of the vendor and that of the purchaser. He says the jump was a challenge, especially learning about other people's technology.
"I know Microsoft's products inside out. It's coming up to speed on the other products that has been testing. But you learn a lot as you work with clients."
Okin has been surprised at how difficult information security can be for the staff who keep systems running.
"Intellectually, you know it's hard," he says. "But when you're out there it really hits home. Even something as simple as finding a unique identifier for a company with a couple of hundred staff is tough. Being at the sharp end scales problems in a way you can never really appreciate working for a vendor."
One major industry concern Okin is having to deal with is the zero day attack. He says the whole concept is being turned on its head.
"I think it's true to say the zero day attack is pointless for an enterprise client," he says. "Everything is zero day now. For an enterprise client it might take a month to complete a patch cycle, at best. If a virus comes out in that time it might as well be zero day."
The only answer, Okin says, is layered defence, the old onion diagram.
"You have to really understand your business in a way you never did before," he says. "What exactly are you trying to protect? What is your most valuable asset? Find that out and secure it."
Okin believes the key to good security is assuming the worst. Assume you are going to lose your most valuable data and figure out what you're going to do when that happens.
"Seven years ago there was a tendency to architect systems in a distributed way, and that was business continuity," he says. "Having all these servers at different branches that can run independently if one goes down isn't enough now. Blaster and Sasser have completely changed the game. Now all branches are connected; if there's a vulnerability they can all go."
These days, Okin finds himself on the front line, figuring out what's best for systems rather than pushing a single vendor. He argues the job he left behind got easier as people realised Microsoft and other vendors were making an effort to improve security. His new role offers a chance to see those improvements through, and make them actually work rather than let someone else go through implementation. That gives a certain level of satisfaction. But although he finds the change refreshing, Okin still misses some of the quirkier aspects of his old job.
"I once did a TV slot for a major broadcast company's news slot when Sasser or some other worm came out," he says. "Normally they only give you 15 seconds, at best. But I was given a three-minute live television interview, which is unheard of. They cut to the weather and I asked the presenter why it went on for so long. Eventually he told me: 'I got the bloody virus and so did the producer.'" One imagines Okin had a ready answer. He's that sort of guy.