Microsoft’s security culture reboot includes cyber governance council, all-staff trainings

The tech giant launched its Secure Future Initiative after a string of major security breakdowns.
General view of the Microsoft store on Fifth Avenue on July 19, 2024 in New York City. Businesses and transport worldwide were affected by a global technology outage that was attributed to a software update issued by CrowdStrike, a cybersecurity firm whose software is used by many industries around the world. (Photo by Adam Gray/Getty Images)

The tech giant with the figurative and often literal keys to everyone’s kingdom released a progress report Monday on the cyber overhaul it has undertaken following a spree of major security failures.

Microsoft — which is branding the effort as a “Secure Future Initiative” — first launched the cultural shift in November 2023 amid increasing criticism over multiple cybersecurity incidents.

That scrutiny continued in April, after the Cyber Safety Review Board found lax security controls and a company culture that did not prioritize safety. The CSRB report focused on a June 2023 operation where Chinese-linked hackers spied on the emails of Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns shortly before significant diplomatic talks.

In response to those issues, Microsoft said in a blog post touting the progress of its security initiative that it will implement a new “Cybersecurity Governance Council” and appoint 13 deputy chief information security officers in engineering divisions and other “key security functions.” Additionally, Microsoft has added a “security” section to performance reviews for all employees, including senior leadership teams, tying security performance directly to compensation.

The initiative is reviewed weekly by senior leadership teams and quarterly by Microsoft’s board of directors, per the blog post. There is also new “security-specific, curated training” for all employees.

Microsoft also said it has updated its management protocols for access token signing keys and, ahead of those changes, extended security token logging in several services to support threat detection. The company said it has “completed a full iteration of app lifecycle management for all of our production and productivity tenants.”

Log retention and shortening the time it takes to mitigate vulnerabilities are other focus areas, the company noted. Microsoft is also establishing a Customer Security Management Office for “public messaging and customer engagement for security incidents.”

Written by Christian Vasquez

Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com