Microsoft vows to overhaul security, tie executive pay to performance after string of breaches
'We are making security our top priority at Microsoft'
Microsoft is undergoing a major security overhaul following a series of high-profile breaches and harsh criticism for its handling of past incidents.
The company has pledged to make security its top priority, even if it comes at the expense of new features or legacy system support.
"We are making security our top priority at Microsoft, above all else—over all other features," wrote Microsoft Security executive vice president Charlie Bell in a blog post.
The move follows a scathing report by the US Cyber Safety Review Board (CSRB) that found Microsoft's security culture "inadequate" and urged a complete overhaul.
In November last year, the company announced a Secure Future Initiative (SFI) to strengthen cybersecurity across its products and services.
Microsoft's new security approach focuses on three core principles:
• Secure by Design
• Secure by Default
• Secure Operations
The company has planned several key changes. Bell said a portion of senior executive compensation would now be tied to achieving security goals in order to incentivise leadership to prioritise security alongside traditional business objectives.
"We will instil accountability by basing part of the compensation of the company's Senior Leadership Team on our progress in meeting our security plans and milestones," Bell said.
Additionally, Microsoft says it will deploy deputy Chief Information Security Officers (CISOs) within each product group. These dedicated security specialists will work alongside engineers throughout the development process to ensure security is built into every product from the start.
The company aims to secure all user accounts with strong, phishing-resistant multi-factor authentication by default. The change, it expects, will significantly reduce the risk of unauthorised access even if passwords are compromised.
Microsoft also plans to enforce stricter access controls, ensuring users only have the minimum level of access needed to perform their tasks, minimising the potential damage if an account is breached.
Microsoft has already begun implementing some of these changes.
Millions of Microsoft Entra ID tenants now have mandatory multi-factor authentication by default, and hundreds of thousands of outdated or insecure applications have been removed.
Internally, CEO Satya Nadella emphasised the new focus on security in a memo to employees.
"The recent findings by the Department of Homeland Security's Cyber Safety Review Board (CSRB) regarding the Storm-0558 cyberattack, from summer 2023, underscore the severity of the threats facing our company and our customers, as well as our responsibility to defend against these increasingly sophisticated threat actors," Nadella wrote in the memo.
In March, Microsoft said that Russian hacking group known as Nobelium (also APT, Cozy Bear) and referred to internally by Microsoft as Midnight Blizzard, had successfully infiltrated some of its critical source code repositories and internal systems.
Earlier in January, the company disclosed that Russian hackers successfully infiltrated Microsoft's corporate email system, gaining unauthorised access to the accounts of senior company leaders.
"Microsoft runs on trust and this trust must be earned and maintained," Bell said.
"As a global provider of software, infrastructure, and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cybersecurity. This is job number one for us."