Microsoft’s largest ever security transformation detailed in new report
Image: The Verge
Microsoft made security its No. 1 priority for every employee earlier this year, following years of security issues and a scathing report from the US Cyber Safety Review Board. Nearly six months after Microsoft CEO Satya Nadella told the entire company that security should be prioritized above all else, the software giant is providing a report on its progress.
Microsoft first kicked off its Secure Future Initiative (SFI) in November 2023, just months before the US Cyber Safety Review Board concluded that “Microsoft’s security culture was inadequate and requires an overhaul.” That blistering review really kicked Microsoft into gear, and the company is revealing today that it now has the equivalent of 34,000 full-time engineers working toward its SFI, making it the biggest cybersecurity engineering effort ever inside of Microsoft.
Every Microsoft employee is now being judged on their security work, after the company tied its security efforts to employee performance reviews last month. In recent months, Microsoft has also completed a series of improvements to its security processes as a result of the SFI.
Microsoft has updated its Entra ID and Microsoft Account (MSA) systems to generate, store, and automatically rotate access token signing keys in an Azure-managed hardware security module (HSM), so the private keys never leave the HSM. 5.75 million inactive tenants have also been deleted to reduce the attack surface. Microsoft also now uses a new testing system with secure defaults, to keep legacy configurations from causing security headaches in the future.
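The key rotation described above has a consumer-side requirement the article does not spell out: anything that validates Entra ID or MSA tokens must select the signing key by the token's `kid` from the issuer's published key set, refresh that set when a new key appears, and not keep trusting a key after the issuer retires it. The following Python is an added example, not Microsoft's code. The `Issuer` and `Verifier` classes, the JWKS contents, the 300-second cache age, the fake clock and the token claims are all constructed for illustration; it uses HS256 with symmetric `oct` keys only to stay dependency-free, whereas Entra ID publishes RSA keys and signs with RS256, but the `kid` selection and cache handling are the same.

```python
import base64
import hashlib
import hmac
import json
import os


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Issuer:
    """Hypothetical issuer: one active signing key plus a JWKS of every key still valid for verification."""

    def __init__(self):
        self.keys = {}      # kid -> secret; only the active kid is used to sign
        self.active = None
        self.rotate()

    def rotate(self):
        """Generate a fresh key and sign with it; older keys stay published for a grace period."""
        kid = "kid-" + b64url(os.urandom(6))
        self.keys[kid] = os.urandom(32)
        self.active = kid
        return kid

    def retire(self, kid):
        """Drop a key from the published set; tokens it signed must stop verifying."""
        del self.keys[kid]

    def jwks(self):
        return {"keys": [{"kty": "oct", "alg": "HS256", "kid": kid, "k": b64url(secret)}
                         for kid, secret in self.keys.items()]}

    def issue(self, claims):
        header = {"alg": "HS256", "typ": "JWT", "kid": self.active}
        signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                         + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
        sig = hmac.new(self.keys[self.active], signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)


class Verifier:
    """Relying party that caches the JWKS and re-fetches on an unknown kid or when the cache is older than max_age."""

    def __init__(self, fetch_jwks, max_age, clock):
        self.fetch_jwks, self.max_age, self.clock = fetch_jwks, max_age, clock
        self.cache, self.fetched_at = {}, None
        self.refresh()

    def refresh(self):
        self.cache = {k["kid"]: b64url_decode(k["k"])
                      for k in self.fetch_jwks()["keys"] if k.get("kty") == "oct"}
        self.fetched_at = self.clock()

    def verify(self, token):
        try:
            h_b64, p_b64, s_b64 = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        header = json.loads(b64url_decode(h_b64))
        if header.get("alg") != "HS256":          # never let the token choose the algorithm
            raise ValueError("unexpected alg")
        kid = header.get("kid")
        if kid not in self.cache or self.clock() - self.fetched_at > self.max_age:
            self.refresh()                         # rotation may have happened since the last fetch
        secret = self.cache.get(kid)
        if secret is None:
            raise ValueError(f"unknown or retired kid {kid!r}")
        expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(p_b64))


def outcome(verifier, token):
    try:
        return "accepted:" + verifier.verify(token)["sub"]
    except ValueError:
        return "rejected"


def demo():
    """Walk one rotation through issuer and verifier with a constructed clock (seconds)."""
    clock = [0.0]
    issuer = Issuer()
    verifier = Verifier(issuer.jwks, max_age=300, clock=lambda: clock[0])
    old_kid = issuer.active
    old_token = issuer.issue({"sub": "alice"})
    results = {"before_rotation": outcome(verifier, old_token)}

    issuer.rotate()                                                   # automatic rotation on the issuer side
    new_token = issuer.issue({"sub": "bob"})
    results["new_key_after_rotation"] = outcome(verifier, new_token)  # unknown kid -> refresh -> accepted
    results["old_key_in_grace_period"] = outcome(verifier, old_token) # still published -> accepted

    issuer.retire(old_kid)
    results["retired_key_stale_cache"] = outcome(verifier, old_token) # pitfall: cache still lists the key
    clock[0] += 301                                                   # cache ages out
    results["retired_key_fresh_cache"] = outcome(verifier, old_token) # re-fetched -> rejected

    forged_header = b64url(json.dumps({"alg": "HS256", "kid": "kid-attacker"}).encode())
    forged = forged_header + "." + new_token.split(".")[1] + "." + b64url(b"\x00" * 32)
    results["never_published_kid"] = outcome(verifier, forged)        # refresh finds nothing -> rejected
    return results
```

The `retired_key_stale_cache` step is the caveat to take away: an issuer-side rotation only helps once every relying party's cache has aged out, so `max_age` must be shorter than the issuer's retirement grace period, and a verifier that refreshes only on unknown `kid` values will keep honouring a retired key indefinitely.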
Microsoft is now tracking over 99 percent of its physical network assets in a central inventory system that helps with firmware compliance and logging. Security audit logs are now retained for a minimum of two years, too.
Engineering teams inside Microsoft have had personal access token lifetimes cut to a maximum of seven days, SSH access disabled for all internal engineering repos, and the number of groups with access to key engineering systems reduced.
Microsoft has been criticized in the past for how long it takes to respond to security issues, and the company is now publishing CVEs “even if no customer action is required, to improve transparency.”
Transforming Microsoft’s engineering processes and security culture is no easy task, especially when the company has 100,000 engineers, designers, and project managers working on more than 500,000 work items every day and 5 million builds each month.
Microsoft is implementing new standards by using a “Start Right, Stay Right, and Get Right” approach. “Start Right” ensures projects adhere to security standards using templates, policies, and self-service tools. “Stay Right” then makes sure there’s monitoring on projects and relevant policy enforcement. The final part is “Get Right,” which is designed for Microsoft to monitor its state of compliance.
The software giant has also created a new Cybersecurity Governance Council and appointed 13 deputy CISOs, four of whom are new Microsoft hires:
- Damon Becknel, vice president and deputy CISO, regulated industries: Becknel joined Microsoft in July, after serving as CISO at ID.me and Horizon Blue Cross Blue Shield.
- Geoff Belknap, corporate vice president and deputy CISO, core and mergers and acquisitions: Belknap previously served as CISO at Microsoft-owned LinkedIn and was also previously CISO at Slack and CSO at Palantir.
- Shawn Bowen, vice president and deputy CISO, gaming: Bowen has spent 27 years in engineering and security roles, including serving as CISO at World Kinect and at United States Marine Corps Intelligence.
- Timothy Langan, corporate vice president and deputy CISO, government: Langan spent more than 26 years at the FBI before joining Microsoft in July, covering cyber, criminal investigations, and other operations at the US agency.
The other nine deputy CISOs are veteran Microsoft executives with decades of experience at the company, including technical fellow Mark Russinovich, who has been named deputy CISO for Azure alongside his current role as Azure CTO. Microsoft’s senior leadership team is now reviewing SFI progress weekly and briefing Microsoft’s board of directors on it quarterly.
Finally, Microsoft launched a security skilling academy in July, which includes training for all employees to reinforce “the importance of security in daily operations.” This ongoing training, performance reviews, and the oversight of Microsoft’s senior leadership team certainly puts pressure on employees to focus more on security than ever before, but Microsoft is still on a long path to winning back trust and putting the headlines about its security record in the rearview mirror.
“Our commitment to transparency and industry collaboration remains unwavering,” says Charlie Bell, head of Microsoft security. “By fostering this culture of continuous learning and improvement, we are building a future where security is not just a feature, but a foundation.”