Microsoft is changing its security practices, organizational structure, and executive compensation in an attempt to address a series of major security breaches, under growing pressure from government leaders and big customers.
The company said Friday morning that it will base a portion of senior executive compensation on progress toward security goals, install deputy chief information security officers (CISOs) in each product group, and bring together teams from its major platforms and products in “engineering waves” to overhaul security.
“We will take our learnings from security incidents, feed them back into our security standards, and operationalize these learnings as ‘paved paths’ that can enable secure design and operations at scale,” wrote Charlie Bell, the Microsoft Security executive vice president, in a blog post outlining the changes.
Bell said the changes build on the Secure Future Initiative (SFI), introduced last fall.
“Ultimately, Microsoft runs on trust and this trust must be earned and maintained,” he wrote. “As a global provider of software, infrastructure, and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure.”
The changes follow a critical report by the Cyber Safety Review Board (CSRB) that described Microsoft’s security culture as “inadequate” and called on the company to make security its top priority, effectively reviving the spirit of the Trustworthy Computing initiative that Microsoft co-founder Bill Gates instituted in 2002.
The report called for security initiatives to be “overseen directly and closely” by Microsoft’s CEO and board, and said “all senior leaders should be held accountable for implementing all necessary changes with utmost urgency.”
After the CSRB report’s release, Sen. Ron Wyden of Oregon introduced legislation designed in part to reduce the U.S. government’s reliance on Microsoft software, citing the company’s “shambolic cybersecurity practices.”
Bell wrote that Microsoft is “integrating the recent recommendations from the CSRB” as part of the changes announced Friday, in addition to lessons learned from high-profile cyberattacks.
The compensation changes announced Friday will apply to Microsoft’s senior leadership team, the top executives who report to CEO Satya Nadella. The company did not say how much of their compensation will be based on security.
Nadella hinted at these changes last week on the company’s quarterly earnings call when he said the company would be “putting security above all else — before all other features and investments.”
In an internal memo Friday morning, obtained by GeekWire, Nadella delivered a mandate to employees, expanding on the themes outlined in Bell’s public blog post.
“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” the Microsoft CEO told employees. “In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.”
Bell wrote in his post that the company’s new “security governance framework” will be overseen by Microsoft’s Chief Information Security Office, led by Igor Tsyganskiy, who became Microsoft’s CISO in an executive shakeup in December.
The deputy CISOs in product teams will report directly to Tsyganskiy, according to the company. This change in organizational and reporting structure was first reported by Bloomberg News on Thursday.
“This framework introduces a partnership between engineering teams and newly formed Deputy CISOs, collectively responsible for overseeing SFI, managing risks and reporting progress directly to the Senior Leadership Team,” Bell wrote. “Progress will be reviewed weekly with this executive forum and quarterly with our Board of Directors.”
Microsoft revealed in January 2024 that a Russian state-sponsored actor known as Nobelium or Midnight Blizzard had accessed its internal systems and executive email accounts. More recently, the company said the same attackers were able to access some of its source code repositories and internal systems.
In another high-profile incident, in May and June 2023, the Chinese hacking group known as Storm-0558 is believed to have compromised the Microsoft Exchange Online mailboxes of more than 500 people and 22 organizations worldwide, including senior U.S. government officials.