Microsoft security boss Charlie Bell has quietly executed a major shakeup of the software giant’s security hierarchy, removing the CISO and Deputy CISO and handing the reins to Igor Tsyganskiy, a recent hire who previously served as CTO and President at asset management giant Bridgewater Associates.
Tsyganskiy, who joined Redmond just four months ago, will take over the CISO responsibilities from Bret Arsenault and help guide the company through a new ‘Secure Future Initiative’ that promises faster cloud patches, better management of identity signing keys and a commitment to ship software with a higher default security bar.
Arsenault, who held the CISO title at Microsoft for 14 years, has been reassigned to a security advisory role. His deputy, Aanchal Gupta, was also removed and will exit Microsoft’s security organization.
In an LinkedIn post, Bell described Tsyganskiy as “a technologist and dynamic leader with a storied career in high-scale/high-security, demanding environments,” noting that he brings “deep knowledge and experience from his previous role outside of Microsoft.”
Tsyganskiy spent seven years at Bridgewater, managing the tech stack for the world’s largest hedge fund and is credited with overhauling the firm’s trading and back-office system. Prior to Bridgewater, Tsyganskiy did stints as SVP of product management at Salesforce and SVP Engineering at WideOrbit.
The changes come as Microsoft scrambles to contain the fallout from a spate of embarrassing hacks, zero-day exposures and patching problems on its flagship OS and cloud computing platforms.
Earlier this year, Chinese government-backed hackers broke into Microsoft’s M365 cloud platform and stole U.S. government emails, an incident that prompted a U.S. senator to accuse Microsoft of “cybersecurity negligence.”
The M365 hack, caused by a mismanagement of signing keys, is being investigated by the Department of Homeland Security’s Cyber Safety Review Board (CSRB).
Bell, who spent 23 years at Amazon before joining Microsoft in 2021 to lead the entire security organization, referenced the “speed, sophistication, and scale of cyber-attacks” in the shakeup decision. “This requires a new focus,” Bell declared.
Bell is betting heavily on the promise of AI to help Microsoft with its cybersecurity problems and there are plans to use AI to help automate threat modeling and adopt memory safe languages like Rust to build security at the language level and eliminate entire classes of traditional software vulnerabilities.
Microsoft has faced intense criticism for its approach to third-party vulnerability research of its cloud products and continues to struggle with faulty and incomplete patches and a surge in Windows zero-day attacks.
The company recently announced plans to expand logging defaults for lower-tier M365 customers and increase the duration of retention for threat-hunting data.
Microsoft says it rakes in about $20 billion a year in cybersecurity-related revenue.
Related: Crash Dump Error: How Chinese Hackers Exploited Microsoft’s Mistakes
Related: US Senator Accuses Microsoft of ‘Cybersecurity Negligence’
Related: Microsoft Cloud Hack Exposed More Than Emails
Related: Chinese APT Use Stolen Microsoft Key to Hack Gov Emails
Related: Microsoft Bows to Pressure to Free Up Cloud Security Logs
