Microsoft organizational changes seek to address security failures
Microsoft said it will tie compensation for some senior executives to hitting security targets and that it will prioritize security in its products over shipping new features, in what is the company’s latest bid to address a string of recent breaches that have raised concerns that its software has become an easy target for hackers.
The changes announced Friday are the latest update to what Microsoft calls its “Secure the Future Initiative,” which seeks to shift engineering resources toward security. In a blog post, Charlie Bell, Microsoft’s executive vice president for security, said that “Microsoft plays a central role in the world’s digital ecosystem” and that the company “must and will do more” to secure its products. “We are making security our top priority at Microsoft, above all else,” he wrote.
In an email to staff Friday, Microsoft CEO Satya Nadella said that security is every employee’s top responsibility and that going forward the company will prioritize security ahead of shipping new features for products, according to a source at the company.
Friday’s announcement comes on the heels of a scathing report by the Cyber Safety Review Board examining a breach of the company by Chinese hackers. That report blamed the incident on a series of “operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”
Since that incident, in which Chinese hackers stole a highly sensitive signing key and used it to spy on senior U.S. government officials, Microsoft has disclosed another embarrassing incident, this time involving Russian hackers that accessed company source code and emails belonging to senior executives. Last month, CyberScoop reported that the pilfered emails included messages between Microsoft and U.S. federal agencies.
Microsoft has said it faces ever-more sophisticated threats and that well-resourced attackers sponsored by nation states have made attacking the company a priority. While these groups are difficult to defend against, repeated breaches by Russian and Chinese hackers have caused concern in Washington that Microsoft, which is a crucial provider of IT services to the federal government, is failing to adequately invest in security measures and that the company has become a threat to national security.
Friday’s organizational overhauls appear aimed at addressing this criticism. According to the Microsoft blog post, the company is putting in place a series of governance changes to elevate the importance of security at the company, including partnering deputy chief information security officers with engineering teams.
The company has identified six security priorities to guide its work going forward, including better protecting identities and secrets and better protecting tenant accounts and isolating production systems. Microsoft executives will be meeting weekly to assess the execution of these priorities, according to Bell.
“Microsoft runs on trust and this trust must be earned and maintained,” Bell wrote. “This is job #1 for us.”
