SAN FRANCISCO — Microsoft is no stranger to cybersecurity overhauls and the outside pressures that push the enterprise giant to improve security throughout its internal operations and systems it sells to customers.
The company kicked off its secure future initiative in November and last week expanded the effort with plans to restructure its cybersecurity governance model.
The plan echoes Microsoft’s previous — and similarly described — security efforts from 22 years ago. Bill Gates, Microsoft’s co-founder and former CEO, mandated employees prioritize security over new features in a 2002 memo establishing a trustworthy computing initiative.
Microsoft executives insist this companywide security revamp is different from previous efforts. Federal cyber officials and cybersecurity experts are hopeful and point to key measures of the overhaul, including a direct link between security and executive compensation, as potential difference makers this time around.
“One of the most important levers that I’ve seen recently, not coming from government but coming from the corporate sector … is the letter from [Microsoft CEO] Satya Nadella that linked security to compensation at the senior executive level,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said during a Tuesday keynote at the RSA Conference.
“Having spent time in the private sector before I came to this job, that is a symbol of what you really prioritize; it’s where you put your pay and compensation,” Easterly said. “That really, really matters — board decisions, hiring decisions and the specific guidance says if it’s a choice between security and some other priority, do security.”
These are all advances in the ecosystem, Easterly said.
Chris Krebs, the former CISA director and now chief intelligence and public policy officer at SentinelOne, said Microsoft’s secure future initiative signals an important realization within the company.
“There’s an awakening of ‘wait a second, this is really going to start driving customers away because they don’t have confidence in our products,’” Krebs said on stage in a discussion with Easterly.
Executive accountability and compensation-linked pressures are central to Microsoft’s plan.
“Every team has a person that will be held accountable to make sure that you did everything right,” Bret Arsenault, corporate VP and chief cybersecurity advisor, told Cybersecurity Dive on Tuesday at the RSA Conference. “The way you incentivize people to do things is important.”
Arsenault, who was leading the secure future initiative before he shifted out of a longtime role as CISO into a chief cybersecurity advisor position, said Microsoft has embraced a security-first approach throughout the company.
“It’s not the security team — I just need all the developers to really fall into the pit of success when they go build something,” Arsenault said. “We need to develop software differently.”
The company is under significant pressure to hit the mark on its security reset following a pair of high-profile and, in some cases, still-expanding attacks against Microsoft and its customers.
The Cyber Safety Review Board released a damning report last month about a “cascade of security failures at Microsoft” that allowed a China-affiliated threat group to compromise Microsoft Exchange accounts in May 2023.
That attack by a nation-state group Microsoft identifies as Storm-0558 compromised emails of 22 organizations and more than 500 individuals, including senior U.S. officials. Microsoft has yet to determine the root cause of that intrusion, the CSRB said in the report.