
Microsoft Will Hold Execs Accountable for Cybersecurity – Dark Reading

At least a portion of executive compensation going forward will be tied to meeting security goals and metrics.
May 8, 2024
Microsoft will make organizational changes and hold senior leadership directly accountable for cybersecurity as part of an expanded initiative to bolster security across its products and services.
Microsoft's executive vice president of security, Charlie Bell, announced the plans in a blog post last week that appeared designed to reassure customers and the US government of the company’s commitment to advancing cybersecurity in the face of a rapidly evolving threat landscape.
"We will instill accountability by basing part of the compensation of the company's Senior Leadership Team on our progress in meeting our security plans and milestones," Bell said. "We are also taking major steps to elevate security governance, including several organizational changes and additional oversight, controls, and reporting."
The new measures include adding a deputy CISO to each product team, having the company's threat intelligence team report directly to the enterprise CISO, and having engineering teams from across Microsoft Azure, Windows, Microsoft 365, and security groups work together on security.
Bell's comments came roughly a month after the US Department of Homeland Security's Cyber Safety Review Board (CSRB) concluded that Microsoft needed to do more at a strategic and cultural level to improve its overall cybersecurity practices. The CSRB found that Microsoft could have prevented a high-profile incident last year in which the Chinese cyber-espionage group Storm-0558 used a stolen Microsoft consumer signing key to forge authentication tokens and read Exchange Online mail belonging to some 25 organizations, including US government agencies. A subsequent Microsoft investigation showed the breach had stemmed from a series of avoidable missteps.
In November 2023, Microsoft announced an enterprisewide Secure Future Initiative (SFI) to implement measures for protecting against similar and emerging threats. Under the initiative, Microsoft said it would harness automation, AI, and threat modeling to continuously integrate security during code development, testing, deployment, and in production. Microsoft also promised that it would integrate more secure default settings across its product portfolio so customers would be better protected right out of the box. In addition, Microsoft said it would implement stronger identity protection and improve cloud vulnerability response and mitigation times by half.
Bell's update last week added more specifics around some of these proposals. At a high level, Microsoft's effort is to ensure its products and platforms are secure by design, secure by default, and secure during operations. The requirements for meeting these goals have been categorized under six broad pillars: protecting identities and secrets; protecting tenants and production systems in the cloud; protecting networks; protecting engineering systems; monitoring and detecting threats; and accelerated response and remediation.
Microsoft will implement a series of measures to meet each of these goals. As part of its effort to better protect identities and secrets, for instance, Microsoft will implement rapid and automatic rotation of signing and platform keys and use industry standard SDKs across all its platforms. Similarly, to protect tenants, Microsoft will remove all unused, legacy, and aged systems; enforce continuous least privileged access to all cloud-hosted applications; and remove potential pivot points between tenants that would give attackers a way to move laterally.
Microsoft's plans to protect its networks include 100% network isolation and segmentation, while its efforts to secure engineering systems will focus on — among other things — building and maintaining an inventory of all software assets involved in deploying and operating Microsoft products and services and implementing zero-trust access to source code and infrastructure.
"The engineering EVPs, in close coordination with SFI pillar leaders, are holding broadscale weekly and monthly operational meetings that include all levels of management and senior individual contributors," Bell noted. "These meetings work on detailed execution and continuous improvement of security in context with what we collectively deliver to customers."
The full effect of these proposed changes will likely take time to materialize. Meanwhile, the company has continued to be a major target for attackers. In January, for instance, Microsoft disclosed an intrusion into its systems by Russian threat group Midnight Blizzard that had remained undiscovered since last November — months into its SFI effort.
Tom Corn, chief product officer at Ontinue, says the scope of Microsoft's Secure Future Initiative is impressive. "And Microsoft's position, both as a dominant security and infrastructure player, puts them in a unique position to make this simple to operationalize — which should benefit everyone," Corn says.
Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.


This article was autogenerated from a news feed of high-quality news and research sources selected by CDO TIMES. No editorial review was conducted beyond that by CDO TIMES staff.
