In response to recent cybersecurity breaches, Microsoft is prioritizing security with its Secure Future Initiative (SFI).
The tech giant’s new measures include tying executive compensation to security performance, launching a security skills academy to train employees, strengthening privacy protections, and improving threat detection.
The aim is to fundamentally change the company's approach to user data and system protection, ensuring a safer digital environment for all users.
What is the story
Microsoft has publicly acknowledged its shortcomings in the area of cybersecurity and announced that it will make the necessary changes to fix them. The tech giant’s admission comes after a series of significant security breaches involving some of the company’s most important and widely used products. In one high-profile incident, Russian government-backed hackers broke into Microsoft corporate email accounts and accessed classified U.S. government emails.
Microsoft’s Secure Future initiative: Addressing security gaps
In a separate breach, a Chinese government-backed group compromised Microsoft Exchange Online mailboxes, including those of prominent figures such as U.S. Secretary of Commerce Gina Raimondo, U.S. Ambassador to China R. Nicholas Burns, and Congressman Don Bacon. In response to these security flaws, Microsoft announced that security is a top priority and provided an update on its Secure Future Initiative (SFI).
SFI Progress Report Outlines New Security Measures
The SFI progress report details the steps Microsoft is taking to “prioritize security above all else,” including major updates to governance, new programs for employee upskilling, and rigorous security reviews. The company’s focus on core pillars of cybersecurity signals a determination to fundamentally change its approach to protecting users’ data and systems.
Executive compensation linked to security performance
Microsoft strengthened its governance framework last year by establishing a Cybersecurity Governance Council. Comprised of deputy chief information security officers (CISOs), the council regularly reviews all cybersecurity issues. To ensure accountability, Microsoft links executive compensation to security performance, providing powerful incentives for leaders to focus on preventing errors and improving security outcomes.
Security Skills Academy for Employee Training
In addition to the governance changes, Microsoft launched its Security Skills Academy, an initiative aimed at equipping employees with the latest cybersecurity skills and knowledge. The academy launched in July and includes training for all employees that emphasizes the importance of security in their daily work.
The company strengthens protection of personal information and secrets
Microsoft is focused on six key pillars of cybersecurity. These include better protecting identities and secrets by improving token management and phishing resistance within its access management solution, Microsoft Entra ID. They also include streamlining app lifecycle management by removing inactive tenants, reducing the attack surface and providing better protection for tenants and operations.
Microsoft strengthens network security and introduces stricter management rules
Network security has been improved by isolating some virtual networks with back-end connectivity, reducing the potential for lateral movement by attackers. Microsoft has also implemented stricter management rules for Azure Storage, SQL, Cosmos DB, and Key Vault to help protect customer data. Through the Secure Future Initiative, 85% of Microsoft’s production build pipeline for commercial cloud services is now under centralized management.
Enhanced Threat Detection and Monitoring
To improve threat detection and monitoring, Microsoft introduced standardized security audit logs and centralized log management, which now covers 99% of network devices. The company is also working to increase transparency across its cloud infrastructure and reduce the time it takes to address Common Vulnerabilities and Exposures (CVEs). This includes updating processes and establishing a Customer Security Management Office to improve communication with customers during security incidents.