Microsoft is making security its number one priority for every employee, following years of security issues and mounting criticisms. After a scathing report from the US Cyber Safety Review Board recently concluded that “Microsoft’s security culture was inadequate and requires an overhaul,” it’s doing just that by outlining a set of security principles and goals that are tied to compensation packages for Microsoft’s senior leadership team.
Last November, Microsoft announced a Secure Future Initiative (SFI) in response to mounting pressure on the company to respond to attacks that allowed Chinese hackers to breach US government email accounts. Just days after announcing this initiative, Russian hackers managed to breach Microsoft’s defenses and spy on the email accounts of some members of Microsoft’s senior leadership team. Microsoft only discovered the attack nearly two months later in January, and the same group even went on to steal source code.
These recent attacks have been damaging, and the Cyber Safety Review Board report added fuel to the fire by concluding that the company could have prevented the 2023 breach of US government email accounts and that a “cascade of security failures” led to that incident.
“We are making security our top priority at Microsoft, above all else – over all other features,” explains Charlie Bell, executive vice president for Microsoft security, in a blog post. “We will instil accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.”
Microsoft now has three security principles that form a big part of these goals: secure by design; secure by default; secure operations. These principles are designed to put security first during the design phases of products and services, place a greater focus on protections that are enabled by default, and improve controls and monitoring for current and future threats.
The broader goals are underlined by “six prioritized security pillars,” which is corporate speak for stuff Microsoft needs to greatly improve:
All of these goals are tied to some of Microsoft’s leadership compensation and are a clear and direct response to the recent Russian hacker intrusions and the Cyber Safety Review Board recommendations.
Microsoft is now coordinating its engineering teams to complete this work in waves across the company. “These engineering waves involve teams across Azure Cloud, Windows, Microsoft 365 and Security, with additional product teams integrating into the process weekly,” says Bell.
Microsoft is already making progress toward its ambitious security goals. The company has enabled multifactor authentication by default across more than 1 million of its own internal tenants, including ones used for development, testing, demos, and production. It has also removed 730,000 apps so far that “were out-of-lifecycle or not meeting current SFI standards.”
The software maker is also trying to improve its security culture after it was branded “inadequate” by the Cyber Safety Review Board. Engineering leads at Microsoft are now holding weekly and monthly operational meetings that include a range of managers and senior staff, with the goal of improving security thinking across the company.
Microsoft is also adding deputy chief information security officers (CISOs) to each product team and is moving its threat intelligence team to report directly to the CISO. That should mean there is clear responsibility for security within engineering teams.
Microsoft is concerned that the recent security attacks could seriously undermine trust in the company. “Ultimately, Microsoft runs on trust and this trust must be earned and maintained,” says Bell. “As a global provider of software, infrastructure and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cybersecurity. This is job #1 for us.”
The Verge