Who better to protect your company's assets than a former FBI agent? Microsoft's chief security adviser tells Paul Fisher about life as a civilian.
Great. Another American coming over telling us what to do. Has this company gone mad? The words of Ed Gibson. He's recalling what people may have felt when, in July 2005, he was appointed chief security adviser to Microsoft UK. He used to be with the FBI.
“You know, I love that question,” beams the man across the table from me. In his deep Michigan drawl he responds to the criticism that his appointment had more to do with image than technology. “Yeah, probably,” he says. “Probably some of that is true.” Gibson repeats words to good effect. “But certainly no one inside this company, or outside, thought that this was the panacea, now everything would change.”
It quickly becomes apparent that Gibson is very aware of the charges most often levelled at Microsoft: the evil empire of yore, the monopolistic behaviour – specifically, its failure to properly address security holes in its products. He's been talking to customers. Lots of them. “I do see a change in the approach to Microsoft,” he insists. “I get: ‘By golly, you're serious about this thing called security. You have changed'”.
It's our second meeting. The first was at InfoSec Europe in April where, among other matters, we had briefly discussed the architectural merits of the US Embassy in London's Grosvenor Square. It was here that he spent five years as the FBI's assistant legal attaché, deep within Eero Saarinen's 1960 design. He didn't like the building, but he made good use of his time there.
He met all the chief constables of England and got to know senior figures in the Government. Evidently our most famous nick carries some weight. Gibson leans forward: “I'd walk into New Scotland Yard and get goosebumps – I grew up on Scotland Yard,” he says with relish. He also created a programme at the UK embassy, which was then adapted by the FBI at all 52 legal attaché's offices around the world.
All the time he was aware that something big was happening. “In the 12 to 18 months before I retired from the bureau [in June 2005], the level of criminal activity on the internet was increasing exponentially,” he says. “Now I get people who say: ‘I know why Microsoft hired you – because security is all about criminals, and you know about criminals and you know what's going on.'”
Gibson is not shy of saying what he thinks, and there is no doubt that he believes in this new post. Again and again, he threads the conversation with references to the threat posed by criminals. “Look, this is what we're up against in developing countries: when organised crime says to someone: ‘If you don't hack into that bank, if you don't attack Microsoft, you're not just going to be unable to feed your family, you're not to going to have a family...'”
“Can I say this?” he asks one of his two PR minders present during the interview. It doesn't matter – he says it anyway. He's off again with the zeal of a man who, finding himself with the resources of the world's biggest software company in his lap, is going to make damned sure he uses them wisely.
“The feedback I get is excellent. I get inside companies because of my reputation, the credibility of my past role, my contacts in industry and government – people knew Ed the Fed. It's easier for me because I have an understanding of the problems they have been facing. The difficulty some companies had was that I was with Microsoft.”
A man with 20 years' experience in the FBI undoubtedly knows the right people to call. When he says that he has access to certain discreet listservs, that he knows what's going on, there's absolutely no reason to doubt it. Microsoft knew that this kind of knowledge is not part of most CSOs' make-up.
But why come to Microsoft? Why take the flak that comes with an appointment like this, in an area in which Microsoft is seen to be vulnerable? Why not settle for an easier life? “I'd already made a decision to go someplace else, but then I got this offer,” admits Gibson. “I couldn't have written a better job description. Now I've got a global platform to talk to people who are willing to listen. If I can use the FBI [background] to get in the door then I will, because it will help this company, and it will help other companies.
“Some might say I could be making more money elsewhere. Yeah, I could. But if I can make a difference, then this company makes a difference.”
Is there a difference? Gibson's arrival, at least in the UK, seems to coincide with a change in direction at Microsoft. The Microsoft of 2006 is different from the one that launched Windows 95 or even XP. It has matured. The market has changed. The web has moved on, too, and Microsoft is just one part of the global fight against internet-borne threats. If that means some of the old arrogance, real or not, has gone, that's a plus.
One of Gibson's early projects after joining Microsoft was driving the company's involvement with the UK's first national internet security awareness campaign for the general public and small businesses, a joint initiative between the Government, the Serious Organised Crime Agency and private-sector sponsors from the worlds of technology, retail and finance. The website – www.getsafeonline.org – provides independent advice, based on the collaborative efforts of government, law enforcement agencies and the initiative's sponsors, for people to refer to and find out more about protecting themselves online.
During a tour of the Microsoft buildings I sense something else, too. As we enter the central atrium area of the campus I witness a buzzing, dynamic environment full of Microsoft employees and customers. Some are in suits, others in jeans, all focused on what looks like serious deal making. This is significant. It may be an outpost of a huge American corporation, but it's also very much Britain at work in the 21st century, at least part of it. Open, innovative and driven by the desire to create wealth.
Through all this walks Gibson, who freely admits that, after years in a very different environment, he found it difficult to adjust to the Microsoft way. He was not used to the lack of process: “I was looking for the paperclips,” as he puts it.
But he has brought his own, large personality to bear on this dynamic hub. As we walk around, Gibson has time for everyone. “How are you?” is uttered along with a gentle pat on the shoulder. He is said to have got to know everyone in the building in the year he's been here – impossible, some claim, given the size of the place, but not totally unbelievable when you see him with people. Some people can work a room; Gibson can work an entire company, with absolute ease. He knows their names; he probably knows their shoe sizes. Gibson may be the self-styled “farm boy from Michigan”, but he is also a gentleman.
He admits, however, that it hasn't all been plain sailing over the past 12 months. “I'm not sure if we can use that first year as a gauge, this is a monolithic company. I needed to shed some skin, but also discover exactly how much skin to shed.”
He admits to some frustrations with himself as he adapted to the Microsoft way. They had to get used to him and he to them. He wanted to remain agnostic to the company but still share what is, in his words, the stuff that makes it great.
“But I needed to understand what's going on. If I don't understand what's going on, how can I expect anyone else to understand what's going on? So I need to understand it from the ground up.” And that's exactly what he has been doing, meeting people, getting out there. He could be Microsoft's best salesperson yet.
Monolithic companies take time to change. Microsoft is still going to be the industry's whipping boy, its scale ensures that. But if it is to change perceptions, if it is to be seen as listening and sharing, Gibson makes clear that he wants to be part of that new direction. But he is also honest and realistic about the task ahead, as you would expect someone with a background in law enforcement to be.
“We've still got a long way to go. Absolutely, absolutely. [The criminals] are getting better, we've got to get better. People ask: ‘When are we going to stop the Tuesday updates?'”
Gibson leans forward one last time: “Here's when: when the guy standing outside the bank that is covered by CCTV, with money booby-trapped with dye, who still decides to rob it, gives up; that's the day we stop.” That day is still some way off.
Ed Gibson: The CV
1975-80 In-house lawyer for a multi-national company based in the USA.
1980-2000 Supervisory special agent with the Federal Bureau of Investigation (FBI).
February 2000-June 2005 FBI's assistant legal attaché in the UK, responsible for all FBI cyber, hi-tech, cyber-terrorism and infrastructure investigations in the UK.
July 2005 to date Chief security adviser, Microsoft UK.
Gibson qualified as a solicitor under UK law in August 2003. He also serves as a member of the board of the John Grieve Centre for Policing and Community Safety in England. He's married with three grown-up children.
Ed's Top Five Security Tips
1. Challenge everything. Those who work in technology often lack the “big picture” view and forget to consider “how will this help the business?” when purchasing, implementing and building solutions. You need to ensure they understand “what threat am I trying to mitigate by taking this course of action?”
2. Clear communication is paramount. It's the people who use your information systems who need to make the important decisions over what information should be shared with whom. Empower everyone to both make security decisions and accept the responsibility that goes with them.
3. Few information security policies make any sense. Effective policies are clear, concise and are communicated to everyone they apply to. Policies should be reviewed frequently by a representative group of the people they apply to. Everyone should be empowered to challenge “stupid” policy statements.
4. Security is often viewed as the enclave of specialists. This is not true. Effective security requires everyone to buy in to accepting their responsibilities.
5. There are no easy answers. Security is not easy. Nor is it impossible. It's merely another risk decision. It requires a mandate from the top and must be positioned as enabling the business to do more with less risk.