Microsoft is making significant changes to its security practices, organizational structure, and executive compensation following a series of major security breaches. The company announced that a portion of senior executive compensation will be tied to progress toward security goals, that deputy chief information security officers (CISOs) will be installed in each product group, and that engineers from its major platform and product teams will work together in “engineering waves” to overhaul security. These changes fall under the Secure Future Initiative, introduced by Charlie Bell, executive vice president of Microsoft Security.
A report by the Cyber Safety Review Board (CSRB) described Microsoft’s security culture as “inadequate” and urged the company to prioritize security. The report called for security initiatives to be overseen by Microsoft’s CEO and board, with all senior leaders being held accountable for implementing necessary changes urgently. Following the report’s release, Senator Ron Wyden introduced legislation to decrease the U.S. government’s reliance on Microsoft software due to concerns about the company’s cybersecurity practices.
Microsoft’s new security governance framework will be overseen by Chief Information Security Officer Igor Tsyganskiy, and the deputy CISOs embedded in product teams will report directly to him. The new organizational and reporting structure is meant to strengthen oversight, manage risk, and report progress directly to the Senior Leadership Team. Members of that team, who report to CEO Satya Nadella, will have a portion of their compensation based on security, although the exact percentage was not specified.
The company suffered security breaches in January, in which a Russian state-sponsored actor accessed internal systems and executive email accounts; the same actor went on to access source code repositories and other internal systems. Earlier, in May and June 2023, the China-based hacking group Storm-0558 compromised Microsoft Exchange Online mailboxes belonging to more than 500 individuals across 22 organizations worldwide, including senior U.S. government officials. These incidents prompted the company to reevaluate its security practices and make significant changes intended to prevent future breaches.
Microsoft is integrating recommendations from the CSRB into these changes, along with lessons learned from the recent attacks. The company plans to focus on secure design and secure operations at scale by building “paved paths”: standard, pre-approved ways of performing common engineering tasks, shaped by what past security incidents revealed. The aim is to standardize security practices, mitigate risk, and raise the security baseline across all product groups and platforms. Progress on security initiatives will be reviewed weekly by an executive forum and quarterly with the Board of Directors to enforce accountability at every level of the organization.
CEO Satya Nadella has emphasized that security will be a top priority moving forward, with all other features and investments taking a back seat. The company’s executive team is committed to implementing these changes, with a focus on risk management, progress tracking, and accountability. With the ever-growing threat of cyberattacks and increasing pressure from government leaders and customers, Microsoft is taking proactive steps to strengthen its security posture and protect its systems, data, and customers from future breaches.