Read Microsoft’s memo on security first
Microsoft Security Principles, Goals, and Compensation for the Senior Leadership Team: A Key Account of the Cyber Security Culture and Efficacy of Microsoft
Microsoft has been beset by security issues and mounting criticisms, so it has made security its number one priority. After a scathing report from the US Cyber Safety Review Board recently concluded that “Microsoft’s security culture was inadequate and requires an overhaul,” it’s doing just that by outlining a set of security principles and goals that are tied to compensation packages for Microsoft’s senior leadership team.
Microsoft is also adding deputy chief information security officers (CISOs) to each product team and is moving its threat intelligence team to report directly to the CISO. That should mean there’s a clear responsibility for security in engineering teams.
Microsoft is making progress towards its goals. The company has enabled multifactor authentication by default across more than 1 million of its own tenants within Microsoft, including ones used for development, testing, demos, and production. It has also removed 730,000 apps so far that “were out-of-lifecycle or not meeting current SFI standards.”
This work will be completed by Microsoft in waves across the company. “These engineering waves involve teams across Azure Cloud, Windows, Microsoft 365 and Security, with additional product teams integrating into the process weekly,” says Bell.
Microsoft is tying senior leadership compensation to these goals, which are a direct response to the recent hacker intrusions and the Cyber Safety Review Board recommendations.
Microsoft now has three security principles that form a big part of these goals: secure by design, secure by default, and secure operations. The principles put security first in the design of products and services and strengthen the protections that are enabled by default.
Do It Safer? Do It Every Time, Don’t Worry: Defying Adversaries with a Global Security Plan for the Next SFI
Our customers are the most important thing to us, and we want to ensure that they benefit from SFI as quickly as possible.
If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security over other things we do, such as releasing new features or providing continuing support for legacy systems. This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.
We need to approach this challenge with a focus on continuous improvement. Every task we take on is an opportunity to bolster our own security as well as that of our entire community. This includes learning from our adversaries and the increasing sophistication of their capabilities, as we did with Midnight Blizzard, and learning from the trillions of unique signals we’re constantly monitoring to strengthen our overall posture. It also includes stronger collaboration between the government and the private sector.
Going forward, we will commit the entirety of our organization to SFI, as we double down on this initiative with an approach grounded in three core principles: