Microsoft has announced that it’s linking the fulfilment of security goals with executive compensation in a significant overhaul.
In an expansion of its Secure Future Initiative (SFI), first announced last November, the Redmond-based tech giant insists it is “making security [its] top priority at Microsoft, above all else”.
Last month, the US Cyber Safety Review Board (CSRB) claimed that Microsoft should have been better prepared for the Storm-0558 cyberattack of July 2023, in which Chinese hackers breached US government emails via its Microsoft Exchange Online software.
Microsoft confirms it is incorporating the CSRB’s recommendations and has outlined a precise series of security principles and goals. Tying leadership compensation to its success in meeting these metrics illustrates the seriousness with which Microsoft is bolstering its security.
Charlie Bell, Executive Vice President at Microsoft Security, wrote in an accompanying blog post:
“We are making security our top priority at Microsoft, above all else—over all other features (…) We will mobilize the expanded SFI pillars and goals across Microsoft and this will be a dimension in our hiring decisions. In addition, we will instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.”
Microsoft has been criticised in recent years for its perceived lax security infrastructure. In October, compromised Skype accounts were used to spread the DarkGate malware, while Microsoft Teams was also targeted.
In November, Russian hackers breached Microsoft’s defences and gained access to the email accounts of several members of Microsoft’s senior leadership team and stole source code. The attack went undetected by Microsoft for nearly two months, with the breach only discovered in January.
More Details On The SFI
Microsoft has established three core security principles tied to the SFI: secure by design, secure by default, and secure operations. These principles intend to prioritise security during the design stages of products and services, emphasise default protections, and enhance controls and monitoring to address present and future threats effectively.
Bell also highlighted that Microsoft is focusing on six prioritised security pillars, the first of which is “Protect identities and secrets.”
To reduce the risk of unauthorised access, Microsoft is implementing and enforcing advanced standards across all identity and secrets infrastructure, as well as user and application authentication and authorisation. For example, it aims to protect 100 percent of user accounts with securely managed, phishing-resistant multifactor authentication.
The second pillar is to “Protect tenants and isolate production systems.” Microsoft says it’s committed to safeguarding all Microsoft tenants and production environments by implementing consistent, best-in-class security practices and strict isolation measures to minimise the breadth of impact.
The third is “Protect networks,” prioritising the protection of Microsoft production networks and implementing network isolation to safeguard both Microsoft and customer resources. The fourth pillar is “Protect engineering systems.” This means prioritising the protection of software assets and continually enhancing code security by overseeing the software supply chain and engineering systems infrastructure.
A fifth pillar is “Monitor and detect threats,” which encompasses comprehensive coverage and automatic detection of threats to Microsoft’s production infrastructure and services. Lastly, there is “Accelerate response and remediation”. Microsoft’s goal is to prevent the exploitation of vulnerabilities identified by both external and internal sources by implementing comprehensive and timely remediation measures.
Security Copilot
Last month, Microsoft launched Copilot for Security, bringing its flagship AI’s capabilities to cybersecurity.
Microsoft introduced Copilot for Security as “the industry’s first generative solution” designed to assist security and IT professionals in identifying previously overlooked threats, accelerating response times, and enhancing team proficiency. Serving as a chatbot for security admins, Copilot for Security analyses crucial information like threat summaries and security incidents.
The new capabilities of Copilot for Security encompass usage reporting, Microsoft Entra audit and diagnostic logs, seamless integration with third-party tools, and the ability to access an organisation’s curated external attack surface through Microsoft Defender External Attack Surface Management.