Microsoft Will Hold Execs Accountable for Cybersecurity

Microsoft will make organizational changes and hold senior leadership directly accountable for cybersecurity as part of an expanded initiative to bolster security across its products and services.

Microsoft’s executive vice president of security, Charlie Bell, announced the plans in a blog post last week that appeared designed to reassure customers and the US government of the company’s commitment to advancing cybersecurity in the face of a rapidly evolving threat landscape.

Instilling Accountability

“We will instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones,” Bell said. “We are also taking major steps to elevate security governance, including several organizational changes and additional oversight, controls, and reporting.”

The new measures include adding a deputy CISO to each product team, having the company’s threat intelligence team report directly to the enterprise CISO, and having engineering teams from across Microsoft Azure, Windows, Microsoft 365, and security groups work together on security.

Bell’s comments came roughly a month after the US Department of Homeland Security’s Cyber Safety Review Board (CSRB) identified Microsoft as needing to do more at a strategic and cultural level to improve its overall cybersecurity practices. The CSRB found Microsoft could have prevented a high-profile cyber incident last year when Chinese cyber-espionage group Storm-0558 breached the company’s Exchange Online environment and accessed user emails from some 25 organizations, including government agencies. A subsequent Microsoft investigation showed the breach had stemmed from a series of avoidable missteps.

In November 2023, Microsoft announced an enterprisewide Secure Future Initiative (SFI) to implement measures for protecting against similar and emerging threats. Under the initiative, Microsoft said it would harness automation, AI, and threat modeling to continuously integrate security during code development, testing, deployment, and in production. Microsoft also promised that it would integrate more secure default settings across its product portfolio so customers would be better protected right out of the box. In addition, Microsoft said it would implement stronger identity protection and improve cloud vulnerability response and mitigation times by half.

A Six-Pillar Approach

Bell’s update last week added more specifics around some of these proposals. At a high level, Microsoft’s effort is to ensure its products and platforms are secure by design, secure by default, and secure during operations. The requirements for meeting these goals have been categorized under six broad pillars: protecting identities and secrets; protecting tenants and production systems in the cloud; protecting networks; protecting engineering systems; monitoring and detecting threats; and accelerated response and remediation.

Microsoft will implement a series of measures to meet each of these goals. As part of its effort to better protect identities and secrets, for instance, Microsoft will implement rapid and automatic rotation of signing and platform keys and use industry standard SDKs across all its platforms. Similarly, to protect tenants, Microsoft will remove all unused, legacy, and aged systems; enforce continuous least privileged access to all cloud-hosted applications; and remove potential pivot points between tenants that would give attackers a way to move laterally.

Microsoft’s plans to protect its networks include 100% network isolation and segmentation, while its efforts to secure engineering systems will focus on — among other things — building and maintaining an inventory of all software assets involved in deploying and operating Microsoft products and services and implementing zero-trust access to source code and infrastructure.

“The engineering EVPs, in close coordination with SFI pillar leaders, are holding broadscale weekly and monthly operational meetings that include all levels of management and senior individual contributors,” Bell noted. “These meetings work on detailed execution and continuous improvement of security in context with what we collectively deliver to customers.”

The full effect of these proposed changes will likely take time to materialize. Meanwhile, the company has continued to be a major target for attackers. In January, for instance, Microsoft disclosed an intrusion into its systems by Russian threat group Midnight Blizzard that had remained undiscovered since last November — months into its SFI effort.

Tom Corn, chief product officer at Ontinue, says the scope of Microsoft’s Secure Future Initiative is impressive. “And Microsoft’s position, both as a dominant security and infrastructure player, puts them in a unique position to make this simple to operationalize — which should benefit everyone,” Corn says.