Microsoft to Prioritize Company Focus on Cyber Threats With Security Initiative Revision

May 10, 2024

With an announcement reminiscent of a 2002 address to the company by Bill Gates on a similar theme, Microsoft has formally placed cyber threats ahead of all other concerns with its expansion of a security initiative first announced in November 2023.

At the time, the security initiative was a direct response to the summer embarrassment of having Chinese state-sponsored hackers access high-level government Outlook email addresses. Since then, there has been another state-sponsored threat actor breach (this time by a Russian group) and a scathing report issued by the Cyber Safety Review Board (CSRB) chastising the company for its loss of focus and using the incidents to issue new guidance for all cloud service providers.

Company promises cyber threats will be addressed ahead of features and legacy support

The conclusion of the recent CSRB report blasted Microsoft for losing sight of that original Gates vision and making security a low priority. The security initiative update seems to be a direct response to that criticism, formally announcing that addressing cyber threats is now the company’s #1 item, potentially at the expense of other business concerns.

The company announcement includes a sprawling list of security and customer notification improvements, at least some of them seemingly prompted directly by the 2023 and 2024 compromises. But CEO Satya Nadella also specifically noted that the security initiative must always come ahead of any other concern, including feature additions and improvements, and support for legacy products.

Describing the plan as “ambitious” is definitely accurate, and asking whether all of these goals are attainable is certainly fair. The plan will likely hinge on whether or not Microsoft can actually change its internal culture in such a drastic way, something that will at minimum probably take significant time to iron out.

Security initiative proposes tying cyber incidents to executive bonuses

Microsoft was essentially forced to do something on this scale when questions about its competency began to surface in government. But the first version of the security initiative focused mostly on the company’s adoption of AI to improve defenses and shoring up software development against cyber threats.

The company onboarded nearly all of the recommendations made by the CSRB report, but the security initiative goes even farther. Possibly the most attention-grabbing bit is a proposal to slash executive bonuses if cyber threats manage to pull off another caper. Management and some critical skilled employees can now also expect monthly cybersecurity meetings, if not weekly.

Among the more standard but ambitious proposals in the security initiative are the isolation of both production and customer resources, the implementation of Zero Trust in engineering and other sensitive areas, and “quantum ready” security methods (which are still under development). The plan also makes clear Microsoft is switching to a mandatory model under which these security measures will always be enabled automatically and will not allow for opt-out, though it remains to be seen exactly how this will manifest at the customer end.
