Dive Brief:
- Microsoft on Friday unveiled plans to expand a comprehensive security makeover by accelerating its Secure Future Initiative and making changes to governance and how it compensates key executives.
- Microsoft is restructuring part of its upper management to elevate cybersecurity governance. Engineering and a group of deputy CISOs will partner to oversee SFI, manage risks and report to senior leadership, Charlie Bell, EVP, Microsoft Security, said in a blog post. The company will partially base executive compensation on how much progress is made toward certain security milestones.
- Microsoft said it will review SFI progress weekly with the senior leadership team and discuss quarterly with its board of directors.
Dive Insight:
The company is also rolling out a series of changes organized around six security pillars designed to better detect threats, strengthen authentication and better secure cloud environments:
- Protect identities and secrets
- Protect tenants and isolate production systems
- Protect networks
- Protect engineering systems
- Monitor and detect threats
- Accelerate response and remediation
Microsoft has come under withering criticism from security industry executives and federal officials over the security culture that preceded the recent state-linked hacks.
Among the key changes, Ann Johnson, a longtime corporate VP at the company, is adding the title of deputy CISO, customer outreach and regulated industries, according to a Microsoft spokesperson. Johnson will be tasked with scaling customer engagement and communications about Microsoft’s own security. Bloomberg first reported the changes regarding security chiefs.
Microsoft is also bringing nation-state actor and threat hunting under CISO Igor Tsyganskiy’s purview.
The renewed scrutiny on Microsoft followed findings from a Cyber Safety Review Board report in early April in which the company was heavily criticized for its response to the summer 2023 hack of Microsoft Exchange Online.
The board said the attack — which led to the theft of 60,000 State Department emails and the hack of Commerce Secretary Gina Raimondo — was entirely avoidable and blasted Microsoft for creating a culture that emphasizes product development and features over customer security.
A separate attack by Russia-linked threat group Midnight Blizzard forced the Cybersecurity and Infrastructure Security Agency to issue mitigation guidance to key federal agencies after credentials and source code were stolen by the hackers.
Jess Burn, principal analyst at Forrester, said the Microsoft announcements were necessary steps and compared them to recent changes at other companies that have appointed business information security officers.
“They must secure what they sell,” Burn said via email.
Jake Williams, faculty member at IANS Research, said the goals outlined by Microsoft are ambitious and represent something of a transformation in the corporate culture at Microsoft.
“Most organizations have neither the will nor the technical ability to achieve these goals, but any organization that does will be in a prime position to repel most intrusions,” Williams said via email. “Microsoft certainly has the technical ability to implement these, but that's always been the case. It appears they now have the political will to do so as well.”