Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

CISO Strategy

Microsoft Overhauls Cybersecurity Strategy After Scathing CSRB Report

Microsoft security chief Charlie Bell pledges significant reforms and a strategic shift to prioritize security above all other product features.

Microsoft

In the wake of a scathing US government report that condemned Microsoft’s weak cybersecurity practices and lax corporate culture, security chief Charlie Bell is pledging significant reforms and a strategic shift to prioritize security above all other product features.

“This is job number one for us,” Bell said in his first public comments since the Cyber Safety Review Board (CSRB) called public attention to “a cascade of avoidable Microsoft  errors” that led to one of the most daring APT attacks in history. 

“We must and will do more. We are making security our top priority at Microsoft, above all else — over all other features,” Bell declared, announcing plans to add Deputy CISOs into each product team and link a portion of senior leaders’ paychecks to progress on security milestones and goals.

In addition, engineering teams across Microsoft Azure, Windows, Microsoft 365, and Security have begun what Bell refers to as “engineering waves” to prioritize security enhancements and remediation within an expanded Secure Future Initiative (SFI).

The initiative, first announced in November 2023 ahead of the CSRB investigation, promises faster cloud patches, better management of identity signing keys and products with a higher default security bar.

Bell, who took control of security at Microsoft in 2021 after a stint running security at AWS, said Redmond will expand the scope of the security-themed initiative to adopt recommendations from the CSRB report and will add technical controls to reduce unauthorized access and lock down its corporate infrastructure. 

Bell said Microsoft will implement state-of-the-art standards for identity and secrets management, including hardware-protected key rotations and phishing-resistant multi-factor authentication for all user accounts.

Microsoft also committed to beefing up the protection of its network and tenant environments; removing all entity lateral movement pivots between tenants, environments, and clouds; and ensuring only secure, managed, healthy devices are granted access to Microsoft tenants. The new strategy will also place an emphasis on protecting Microsoft’s production networks and systems by improving isolation, monitoring, inventory, and secure operations.

Advertisement. Scroll to continue reading.

In addition, Bell said Microsoft plans to build and maintain inventory of software assets used to deploy and operate Microsoft products and services and ensure access to source code and engineering systems infrastructure is secured through Zero Trust and least-privilege access policies.

Related: Microsoft’s Security Chickens Have Come Home to Roost

Related: US Gov Rips Microsoft for Shoddy Security, Poor Response to Chinese Hack

Related: After Major Cloud Hacks, Microsoft Unveils ‘Secure Future Initiative’

Related: Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Related: Microsoft Hires New CISO in Major Security Shakeup

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights