Microsoft Makes Key Changes in Security Team After Multiple Failures

Microsoft is making security the top priority for all employees, in response to years of security challenges and increasing criticism.

Following a damning report from the US Cyber Safety Review Board, which highlighted inadequacies in Microsoft’s security culture, the company is taking proactive measures.

This includes outlining a set of security principles and goals linked to compensation packages for Microsoft’s senior leadership team.

Last November, Microsoft introduced the Secure Future Initiative (SFI) in reaction to mounting pressure to address security breaches, notably one that allowed Chinese hackers to breach US government email accounts.

Shortly after this announcement, Russian hackers infiltrated Microsoft’s defenses, accessing the email accounts of some senior leadership members. The subsequent discovery of this breach, nearly two months later, underscored the severity of the security challenges faced by Microsoft.

Charlie Bell, executive vice president for Microsoft security, emphasized the company’s commitment to security, stating, “We are making security our top priority at Microsoft, above all else – over all other features.”

To enforce accountability, part of the compensation for the Senior Leadership Team will be based on progress in meeting security plans and milestones.

Microsoft has identified three core security principles: secure by design, secure by default, and secure operations. These principles prioritize security in product and service design, focus on default security configurations, and enhance controls and monitoring for current and future threats.

These goals are directly tied to leadership compensation, reflecting a clear response to recent security breaches and recommendations from the Cyber Safety Review Board.

Microsoft is coordinating its engineering teams to implement these measures across the company, with waves of work involving teams across Azure Cloud, Windows, Microsoft 365, and Security divisions.

Progress is evident, with multifactor authentication implemented by default across more than 1 million Microsoft tenants and the removal of 730,000 non-compliant apps.

To improve its security culture, Microsoft is holding regular operational meetings involving management and senior individuals.

Additionally, deputy chief information security officers (CISOs) are being added to each product team, and the threat intelligence team will now report directly to the CISO.

Recognizing the importance of trust, Bell reaffirmed Microsoft’s commitment to cybersecurity. “Ultimately, Microsoft runs on trust,” he said, emphasizing the company’s responsibility to maintain safety and security in its software, infrastructure, and cloud services. “This is job #1 for us.”

Nate O'Hara