Microsoft Says it’s Making Security its “Top Priority”


Microsoft is making security its “top priority” as the company and its customers are currently facing cyberattacks that are becoming increasingly sophisticated. Today, the company announced that it’s expanding the Secure Future Initiative (SFI) it launched in November to create a coordinated effort within the company to advance cybersecurity protection.

“Microsoft plays a central role in the world’s digital ecosystem, and this comes with a critical responsibility to earn and maintain trust,” said Charlie Bell, Executive Vice President, Microsoft Security. “We must and will do more. We are making security our top priority at Microsoft, above all else—over all other features.”


The exec explained today that the expansion of the company’s Secure Future Initiative will take into account the recommendations from the Cyber Safety Review Board (CSRB), which recently pointed out that Microsoft’s response to the Storm-0558 cyberattack from July 2023 and the Midnight Blizzard attack that was reported in January was insufficient. Bell also emphasized that Microsoft’s expanded SFI approach will now be guided by 3 principles: Secure by design, Secure by default, and Secure operations.

Under these 3 security principles, Bell has also listed six security pillars that will drive how the company overhauls its security culture. Here they are:

Protect identities and secrets: Microsoft says that it’s committed to implementing best-in-class security standards to ensure that 100% of user accounts, applications, and identity tokens are protected.

Protect tenants and isolate production systems: Microsoft will be using best-in-class security practices and strict isolation to protect all Microsoft tenants.

Protect networks: Microsoft will be implementing network isolation of Microsoft and customer resources to better protect production networks and all systems connected to them.

Protect engineering systems: To protect Microsoft production environments, the company will be securing access to source code and engineering systems infrastructure through Zero Trust and least-privilege access policies.

Monitor and detect threats: Microsoft will retain 100% of security logs for at least two years and make six months of logs available to customers.

Accelerate response and remediation: Microsoft promises to reduce the time to mitigate for high-severity cloud security vulnerabilities by adopting the Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) industry standards.


Overall, Microsoft wants to institute a security-first culture across the entirety of the company, and the software giant hopes to accomplish this with a new security governance framework led by its Chief Information Security Officer. “We will instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones,” Bell also said today.

In an internal memo obtained by The Verge, Microsoft CEO Satya Nadella made it clear that security should now be the top priority of every Microsoft employee. “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” the exec said. “This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.”


Thurrott © 2024 Thurrott LLC