On September 23, Microsoft released a report detailing the progress of the Secure Future Initiative (SFI), an enterprise-wide security review that began in November 2023. The initiative exists to improve security in the wake of several significant vulnerabilities and incidents in 2023.
Among those incidents was a breach of Microsoft Exchange Online that allowed threat actors linked to the Chinese government to access US government email accounts in 2023. In April 2024, the U.S. Cyber Safety Review Board released the “Summer 2023 Review of the Microsoft Exchange Online Intrusion,” which said the hack “was preventable and should never have happened.” The board found that Microsoft has “a corporate culture that prioritizes both investment in enterprise security and rigorous risk management.”
How Microsoft protects itself from cyber threats
Microsoft has made several organizational changes to address these cybersecurity concerns. As part of the initiative, CEO Satya Nadella and Executive Vice President of Security Charlie Bell have named 13 CISOs. Their role is to oversee key security functions, either within one of Microsoft’s engineering divisions or as part of the core security function overseen by the company CISO.
“We have dedicated the equivalent of 34,000 full-time engineers to SFI — making it the largest cybersecurity engineering effort in history,” Bell wrote.
Other steps Microsoft has taken include:
- Commitment and action on the six key pillars of security compliance.
- Creation of a new Cyber Security Governance Council, including the new CISOs, responsible for cyber risk, defense and compliance.
- Making security a critical part of every employee’s performance review.
- Linking security performance to the senior leadership team’s compensation.
- Requiring senior leadership to review progress on the Secure Future Initiative weekly and to provide quarterly updates to the Board of Directors.
- Rolling out security training throughout the company.
The six key pillars of Microsoft’s security compliance include:
- Protection of identities and secrets. This includes updating Microsoft Entra ID and Microsoft Account (MSA) for the public and US government clouds to make token signing keys harder to access. Last year, access to a signing key allowed China-linked threat actors to break into government email accounts. Microsoft also expanded adoption of standard identity SDKs, added measures to prevent password sharing, and more.
- Protection of tenants and isolation of production systems, including the elimination of unused applications and inactive tenants.
- Isolation of certain virtual networks, and better asset inventory that records ownership and firmware compliance for physical assets.
- Improving the management and protection of engineering systems.
- Adopting standard libraries for security audit logs, so that threat monitoring and detection work from consistent data.
- Reducing the time needed to mitigate critical cloud vulnerabilities.
What organizations can learn from the Secure Future Initiative
The SFI update serves as a timely reminder for security and engineering teams to hold themselves to strict standards and follow industry best practices.
Note that Microsoft has put security at the core of its performance reviews. Clear KPIs that align with the overall company culture can shape the direction of the organization.
It is also important to recognize the value of responding quickly to a data breach. Given the size and strategic importance of Microsoft’s US government contracts, how the company handled the 2023 breach was particularly important. Microsoft has carefully framed SFI as an improvement initiative rather than a fix for its known breaches, but the project’s main unspoken goal is to reassure the US government that a major email hack of that kind won’t happen again.