Microsoft will hold senior leadership directly responsible for cybersecurity as part of a broader initiative to enhance security across its products and services.
The move is part of the company’s broader strategy to address major cybersecurity failures that have recently affected it, such as the Storm-0558 attack, in which China-based hackers breached US government email accounts.
The initiative, dubbed the Secure Future Initiative (SFI), kicked off last November and has now expanded to impact executive compensation.
“We are making security our top priority at Microsoft, above all else – over all other features,” explains Charlie Bell, executive vice president for Microsoft security, in a blog post. “We will instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.”
Microsoft is also appointing deputy chief information security officers (CISOs) to each product team and moving its threat intelligence team to report directly to the CISO.
The expansion of Microsoft’s SFI takes into account recommendations provided by the Department of Homeland Security’s Cyber Safety Review Board (CSRB). The March report criticized Microsoft for a series of “avoidable errors” and concluded “Microsoft’s security culture was inadequate.”
Microsoft has adopted three core security principles that are central to its goals: secure by design, secure by default, and secure operations. These principles aim to prioritize security from the outset of product and service design, emphasize protections that are enabled by default, and enhance controls and monitoring against ongoing and emerging threats.
The broader objectives are outlined in what Microsoft calls “six prioritized security pillars,” which are key areas the company aims to significantly improve in its cybersecurity efforts.
The plan involves strengthening the protection of user identities and sensitive information by requiring multifactor authentication and using secure credentials like certificates; ensuring that only devices that are verified and managed can access its network services; and reinforcing the security of its production networks through comprehensive isolation and detailed segmentation strategies.
Moreover, Microsoft is committing to securing its source code by adhering to Zero Trust, a principle that assumes no device or user is trusted by default, and by granting only the minimum access rights necessary to perform a task. The company will also retain security logs for 2 years and reduce the time it takes to remediate high-severity cloud security vulnerabilities.