Microsoft overhaul treats security as ‘top priority’ after a series of failures
Microsoft is making security its number one priority for every employee, following years of security issues and mounting criticisms. After a scathing report from the US Cyber Safety Review Board recently concluded that “Microsoft’s security culture was inadequate and requires an overhaul,” it’s doing just that by outlining a set of security principles and goals that are tied to compensation packages for Microsoft’s senior leadership team.
Last November, Microsoft announced a Secure Future Initiative (SFI) in response to mounting pressure on the company to respond to attacks that allowed Chinese hackers to breach US government email accounts. Just days after announcing this initiative, Russian hackers managed to breach Microsoft’s defenses and spy on the email accounts of some members of Microsoft’s senior leadership team. Microsoft only discovered the attack nearly two months later in January, and the same group even went on to steal source code.
These recent attacks have been damaging, and the Cyber Safety Review Board report added fuel to Microsoft’s security fire recently by concluding that the company could have prevented the 2023 breach of US government email accounts and that a “cascade of security failures” led to that incident.
“We are making security our top priority at Microsoft, above all else – over all other features,” explains Charlie Bell, executive vice president for Microsoft security, in a blog post today. “We will instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.”
Microsoft now has three security principles that form a big part of these goals: secure by design; secure by default; secure operations. These principles are designed to put security first during the design phases of products and services, place a greater focus on protections that are enabled by default, and improve controls and monitoring for current and future threats.
The broader goals are underlined by “six prioritized security pillars,” which is corporate speak for stuff Microsoft needs to greatly improve:
All of these goals are tied to some of Microsoft’s leadership compensation and are a clear and direct response to the recent Russian hacker intrusions and the Cyber Safety Review Board recommendations.
Microsoft is now coordinating its engineering teams to complete this work in waves across the company. “These engineering waves involve teams across Azure Cloud, Windows, Microsoft 365 and Security, with additional product teams integrating into the process weekly,” says Bell.
Microsoft is already making progress toward its ambitious security goals. The company has implemented multifactor authentication by default across more than 1 million of its own internal tenants, including ones used for development, testing, demos, and production. It has also removed 730,000 apps so far that “were out-of-lifecycle or not meeting current SFI standards.”
The software maker is also trying to improve its security culture after it was branded “inadequate” by the Cyber Safety Review Board. The engineering leads at Microsoft are now holding weekly and monthly operational meetings that include a variety of management and senior individuals, with a goal to improve Microsoft’s security thinking across the company.
Microsoft is also adding deputy chief information security officers (CISOs) to each product team and is moving its threat intelligence team to report directly to the CISO. That should give each engineering team clear ownership of and accountability for security.
I reported last month that inside Microsoft there is concern that the recent security attacks could seriously undermine trust in the company. “Ultimately, Microsoft runs on trust and this trust must be earned and maintained,” says Bell. “As a global provider of software, infrastructure and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cybersecurity. This is job #1 for us.”