Microsoft Reports on Progress of Revamping Security Efforts

On Sept. 23, Microsoft released a report detailing the progress of the Secure Future Initiative, the company-wide overhaul put in place in November 2023. The Secure Future Initiative exists to improve security in the wake of some high-profile vulnerabilities in 2023.

These vulnerabilities included a breach in Microsoft Exchange Online that allowed threat actors associated with the Chinese government to access U.S. government emails in 2023. In April 2024, the U.S. Cyber Safety Review Board published “Review of the Summer 2023 Microsoft Exchange Online Intrusion,” which said the hack “was preventable and should never have occurred.” The board found Microsoft had “a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

How Microsoft is guarding against cyber threats

In light of the cybersecurity issues, Microsoft has implemented several changes. As part of the initiative, CEO Satya Nadella and Executive Vice President of Security Charlie Bell appointed 13 deputy CISOs. Their jobs will be to oversee key security functions either inside one of Microsoft’s engineering divisions or as part of a foundational security function overseen by the CISO.

“We’ve dedicated the equivalent of 34,000 full-time engineers to SFI — making it the largest cybersecurity engineering effort in history,” Bell wrote.

Other steps Microsoft has taken include:

• Deploying and acting on six key pillars of security compliance.
• Creating a new Cybersecurity Governance Council responsible for cyber risk, defense, and compliance, comprising the new CISOs.
• Making security a critical part of every employee’s performance review.
• Linking security performance to the senior leadership team’s compensation.
• Mandating senior leadership to assess progress on the Secure Future Initiative every week and to provide updates to the board of directors every quarter.
• Rolling out security training company-wide.

SEE: Why Your Business Needs Cybersecurity Awareness Training (TechRepublic Premium)

Microsoft’s six key pillars of security compliance include:

• Protecting identities and secrets. This includes Updating Microsoft Entra ID and Microsoft Account (MSA) for public and U.S. government clouds to make it more difficult to access token signing keys. Signing keys allowed the China-affiliated threat actors to breach government email addresses last year. Microsoft expanded adoption of standard identity SDKs, included measures to prevent password sharing, and more.
• Protecting tenants and isolating production systems, eliminating unused apps and inactive tenants.
• Isolating certain virtual networks and enriching ownership and firmware compliance tracking of physical assets.
• Improving governance of engineering systems.
• Adopting standard libraries for security audit logs to better monitor and detect threats.
• Accelerated Time to Mitigate for critical cloud vulnerabilities.

What organizations can learn from the Secure Future Initiative

The update on the SFI serves as a timely reminder for security and engineering teams to uphold rigorous standards and adhere to industry best practices.

Note that Microsoft added security to the core of its performance reviews. Clear KPIs aligned with overall company culture can influence the direction of the organization.

It’s also important to recognize the value of adapting quickly to a data breach. The size and strategic importance of Microsoft’s U.S. government contracts made addressing the 2023 data particularly critical. Microsoft has been careful to frame SFI as an initiative for the sake of improvement, not an attempt to make up for its high-profile breaches — but a major unspoken goal of the project is to reassure the U.S. government that a major email hack won’t happen again.