Satya Nadella has made a habit of touting the revenue growth in the company’s security technology business on Microsoft’s earnings calls. But not this time.
Microsoft’s CEO took a different approach, talking instead about the Secure Future Initiative that the company launched last fall, and then making a pledge.
“We are doubling down on this very important work, putting security above all else — before all other features and investments,” Nadella said Thursday afternoon, after the company’s fiscal third-quarter earnings report.
It was a brief diversion from the bigger topic of the day. Nadella and CFO Amy Hood spent much of the call fielding questions about the AI demand fueling the company’s growth, and the capital expenditures needed to keep up.
But it was a notable change in tone about security, and a sign of the growing pressure on the company amid a series of high-profile hacks and a growing chorus of concern from governmental agencies and big customers.
Nadella’s vow to put security “above all else” follows a report by the Cyber Safety Review Board (CSRB) that described Microsoft’s security culture as “inadequate” and called on the company to make security its top priority.
The group, created by the U.S. Secretary of Homeland Security in 2021 to review major cybersecurity incidents, said Microsoft’s approach “requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”
The CSRB report referenced Nadella directly, saying the company’s security overhaul should “be overseen directly and closely by Microsoft’s CEO and its Board of Directors, and that all senior leaders should be held accountable for implementing all necessary changes with utmost urgency.”
The report focused on a high-profile incident in May and June 2023, when the Chinese hacking group known as Storm-0558 is believed to have compromised the Microsoft Exchange Online mailboxes of more than 500 people and 22 organizations worldwide, including senior U.S. government officials.
Among other breaches, Microsoft revealed in January of this year that a Russian state-sponsored actor known as Nobelium accessed its internal systems and executive email accounts. More recently, the company said the same attackers were able to access some of its source code repositories and internal systems.
Microsoft’s engineering and security teams “have been scrambling” to respond to the attacks from the group and shore up its defenses, reported Tom Warren of The Verge on Thursday, citing unnamed sources.
The company has been here before, more than two decades ago. Microsoft halted its internal software development temporarily and made security its top priority under the “Trustworthy Computing” initiative that Bill Gates instituted in 2002.
“In a perfect world, Microsoft would take security seriously again,” wrote Mary Jo Foley of Directions on Microsoft this week in a piece about the issue. “It would be transparent about breaches. Its execs would stop gloating about increasing security service revenue at a time when Microsoft can’t secure its own employees, let alone customers, against incidents that are happening with increasing frequency. And Microsoft would include must-have security capabilities as part of existing subscriptions instead of selling them as add-ons.”
Nadella’s new approach seems to be a partial response to these larger calls for change. Here’s the rest of what he said on the topic during the earnings call, referencing the Secure Future Initiative.
“We are focused on making continuous progress across the six pillars of this initiative as we protect tenants and isolate production systems, protect identities and secrets, protect networks, protect engineering systems, monitor and detect threats, and accelerate response and remediation.
“We remain committed to sharing our learnings, tools, and innovation with customers. A great example is Copilot for Security, which we made generally available earlier this month, bringing together LLMs with domain-specific skills informed by our threat intelligence and 78 trillion daily security signals, to provide security teams with actionable insights.”
None of the participating Wall Street analysts asked about security during the call.