Microsoft is overhauling its security processes after a series of high-profile attacks in recent years. Security is now Microsoft’s “top priority,” the company outlined today in response to ongoing questions about its security practices and the US Cyber Safety Review Board’s labeling of Microsoft’s security culture as “inadequate.”
Microsoft CEO Satya Nadella is now making it clear to every employee that security should be prioritized above all else. The Verge has obtained a memo from Nadella to Microsoft’s more than 200,000 employees, where he discusses the new security overhaul and how the company is learning from attackers to improve its security processes.
Nadella also makes it explicitly clear that employees should not make security tradeoffs:
If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems. This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.
Nadella wants Microsoft employees to approach the challenge of overhauling security “with both technical and operational rigor,” even looking at every line of code as an opportunity to improve Microsoft’s security. “It’s everyone’s top priority and our customers’ greatest need,” says Nadella.
Interestingly, Nadella also mentions prioritizing security over supporting legacy systems. Microsoft has a long history of supporting its software products for many years past the norm, sometimes even extending this to decades of support or compatibility. Nadella drops a small hint here that the company may need to alter this approach for a secure future.
Microsoft has faced a series of security issues in recent years. Chinese government hackers targeted Microsoft Exchange servers with zero-day exploits in early 2021, enabling them to access email accounts and install malware on servers hosted by businesses. Last year, Chinese hackers breached US government emails thanks to a Microsoft Cloud exploit. Recently, the same Russian state-sponsored hackers that were behind the SolarWinds incident, known as Nobelium or Midnight Blizzard, were able to spy on the email accounts of some members of Microsoft’s senior leadership team last year and even steal source code earlier this year.
You can read more about Microsoft’s big overhaul and the security challenges the company has faced in recent years. Nadella’s full memo is also below.
Today, I want to talk about something critical to our company’s future: prioritizing security above all else.
Microsoft runs on trust, and our success depends on earning and maintaining it. We have a unique opportunity and responsibility to build the most secure and trusted platform that the world innovates upon.
The recent findings by the Department of Homeland Security’s Cyber Safety Review Board (CSRB) regarding the Storm-0558 cyberattack, from summer 2023, underscore the severity of the threats facing our company and our customers, as well as our responsibility to defend against these increasingly sophisticated threat actors.
Last November, we launched our Secure Future Initiative (SFI) with this responsibility in mind, bringing together every part of the company to advance cybersecurity protection across both new products and legacy infrastructure. I’m proud of this initiative, and grateful for the work that has gone into implementing it. But we must and will do more.
Going forward, we will commit the entirety of our organization to SFI, as we double down on this initiative with an approach grounded in three core principles:
• Secure by Design: Security comes first when designing any product or service.
• Secure by Default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.
• Secure Operations: Security controls and monitoring will continuously be improved to meet current and future threats.
These principles will govern every facet of our SFI pillars as we: Protect Identities and Secrets, Protect Tenants and Isolate Production Systems, Protect Networks, Protect Engineering Systems, Monitor and Detect Threats, and Accelerate Response and Remediation. We’ve shared specific, company-wide actions each of these pillars will entail – including those recommended in the CSRB’s report which you can learn about here. Across Microsoft, we will mobilize to implement and operationalize these standards, guidelines, and requirements and this will be an added dimension of our hiring and rewards decisions. In addition, we will instill accountability by basing part of the compensation of the senior leadership team on our progress towards meeting our security plans and milestones.
We must approach this challenge with both technical and operational rigor, and with a focus on continuous improvement. Every task we take on – from a line of code, to a customer or partner process – is an opportunity to help bolster our own security and that of our entire ecosystem. This includes learning from our adversaries and the increasing sophistication of their capabilities, as we did with Midnight Blizzard. And learning from the trillions of unique signals we’re constantly monitoring to strengthen our overall posture. It also includes stronger, more structured collaboration across the public and private sector.
Security is a team sport, and accelerating SFI isn’t just job number one for our security teams — it’s everyone’s top priority and our customers’ greatest need.
If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems. This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.
Satya