On September 23, Microsoft published a report detailing the progress of the Secure Future Initiative, the company-wide overhaul that will be implemented in November 2023. The Secure Future Initiative exists to improve security in the wake of some high-profile vulnerabilities in 2023.
These vulnerabilities included a Microsoft Exchange Online breach that allowed threat actors associated with the Chinese government to access U.S. government emails in 2023. In April 2024, the U.S. Cybersecurity Review Board published the “Microsoft Exchange Online Intrusion Review Summer 2023,” stating that the attack “was preventable and should never have occurred.” The board concluded that Microsoft had “a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”
How Microsoft protects itself from cyber threats
In light of cybersecurity concerns, Microsoft has implemented several changes. As part of the initiative, CEO Satya Nadella and executive vice president of security Charlie Bell appointed 13 deputy CISOs. Their jobs will be to oversee key security functions, either within one of Microsoft's engineering divisions or as part of a core security function overseen by the CISO.
“We have dedicated the equivalent of 34,000 full-time engineers to SFI, making it the largest cybersecurity engineering effort in history,” Bell wrote.
Other measures Microsoft has taken include:
- Implement and act on six key pillars of security compliance.
- Creation of a new Cybersecurity Governance Council responsible for cyber risk, defense and compliance, comprised of the new CISOs.
- Make safety a fundamental part of each employee's performance evaluation.
- Link safety performance to senior leadership team compensation.
- Require senior management to assess the progress of the Secure Future Initiative weekly and provide updates to the board every quarter.
- Implement company-wide safety training.
SEE: Why your company needs cybersecurity awareness training (TechRepublic Premium)
The six key pillars of Microsoft security compliance include:
- Protecting identities and secrets. This includes updating Microsoft Sign In ID and Microsoft Account (MSA) for public and U.S. government clouds to make it harder to access token signing keys. Signing keys allowed China-affiliated threat actors to breach government email addresses last year. Microsoft expanded adoption of standard identity SDKs, included measures to prevent password sharing, and more.
- Protect tenants and isolate production systems by eliminating unused applications and inactive tenants.
- Isolate certain virtual networks and enrich ownership tracking and firmware compliance of physical assets.
- Improving the governance of engineering systems.
- Adoption of standard libraries for security audit logs to better monitor and detect threats.
- Accelerated time to mitigate critical cloud vulnerabilities.
What organizations can learn from the Secure Future Initiative
The SFI update serves as a timely reminder for security and engineering teams to maintain rigorous standards and adhere to industry best practices.
It is worth noting that Microsoft has added security to the core of its performance evaluations. Clear key performance indicators aligned with the company's overall culture can influence the direction of the organization.
It’s also important to recognize the value of adapting quickly to a data breach. The size and strategic importance of Microsoft’s contracts with the U.S. government made addressing 2023 data particularly critical. Microsoft has been careful to frame SFI as an initiative for the sake of improvement, not an attempt to make up for its high-profile breaches, but an important unspoken goal of the project is to reassure the U.S. government that a major email attack won’t happen again.
