Microsoft has declared that security will now be the company's topmost priority "above all else," even taking precedence over shipping new product features and capabilities.
This commitment to making security job #1 comes on the heels of a string of incidents, including a major breach disclosed just two months ago, where Russian state-sponsored hackers tracked as Midnight Blizzard or Nobelium gained disturbing levels of access to Microsoft's internal systems and source code repositories.
The incident saw the attackers leverage stolen Microsoft corporate email credentials to infiltrate parts of the tech giant's networks and data stores containing closely guarded intellectual property and secrets. While Microsoft maintained at the time that customer-facing systems were uncompromised, cybersecurity experts warned that such a breach of source code and internal access requires extensive ongoing monitoring and remediation efforts.
It seems those warnings were heeded, as Microsoft is now taking dramatic organizational steps to overhaul its security priorities, practices, and culture as part of an expanded "Secure Future Initiative" (SFI) first launched last year. Among the major changes:
- Executive compensation for senior leadership will now be tied to meeting security goals and milestones.
- A new internal security governance framework helmed by Microsoft's CISO has been created.
- Engineering teams will partner with newly formed deputy CISOs to enforce security pillars.
- Security standards dubbed "paved paths" will be mandatory, with adherence measured.
- Improvements to identity protection, system isolation, monitoring, and vulnerability response are planned.
In a candid blog post, Microsoft Corporate Vice President of Security Charlie Bell stated, "We are making security our top priority at Microsoft, above all else—over all other features" due to "the increasing scale and high stakes of cyberattacks." He cites the recent Midnight Blizzard incident and recommendations from the U.S. Department of Homeland Security's Cyber Safety Review Board as key drivers of the SFI expansion.
The six pillars now guiding Microsoft's security efforts are:
1. Protect identities and secrets
2. Protect tenants and isolate production systems
3. Protect networks
4. Protect engineering systems
5. Monitor and detect threats
6. Accelerate response and remediation
Bell acknowledged "there is much more to do," but stated that Microsoft has already taken some actions like enforcing multi-factor authentication across more than one million internal tenants and pruning 730,000 outdated applications that did not meet new security standards.
The blog post depicts these security overhauls as essential to maintaining trust, with Bell writing: "Microsoft runs on trust and this trust must be earned and maintained. As a global provider of software, infrastructure, and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure."
While Microsoft has previously focused on cybersecurity and invested heavily, this latest initiative shows how a particularly impactful breach like the one by Midnight Blizzard can catalyze an organization to completely reprioritize and restructure its security approach from the top down. Microsoft is clearly feeling the pressure to quickly regain ground it has lost due to these repeated compromises by sophisticated hackers.
Only time will tell if these new sweeping security programs and practices prove truly transformative in hardening Microsoft's defenses. But the company has drawn a clear line in the sand, committing to enhancing cybersecurity as its number one objective now to maintain global trust and protect customers from increasingly brazen nation-state attackers. For Microsoft's sake, let's hope it's not too little, too late.
Follow SecureWorld News for more stories related to cybersecurity.