2024-09-23
Microsoft Secure Future Initiative September 2024 Progress Report
Microsoft has published a report detailing the progress of their Secure Future Initiative (SFI). The initiative debuted in November 2023, several months before a scathing report from the US Cyber Safety Review Board regarding Microsoft's security failings that led to the compromise of US government officials' Microsoft email accounts; that report deemed 'Microsoft's security culture ... inadequate.' The SFI Progress Report describes steps the company has taken to improve their security culture, including tying senior leadership compensation to security performance.
Editor's Note
Microsoft is setting the standard (and in many ways the blueprint) for truly building a strong security culture. Remember, culture is the shared attitudes, perceptions and beliefs of your organization. In this case, how invested are people in cybersecurity; do they believe in and prioritize it? Unlike behavior, it takes years to change an organization's culture but it appears Microsoft is committed to making that journey. I highly recommend you take the time to read this report, or if nothing else the summary, as their SFI initiative will be the case studies other organizations will be using for years to come.
Lance Spitzner
Microsoft claims to have dedicated 34,000 full-time engineers to SFI. The report confirms security is a core priority in all employee performance reviews as well as senior executive compensation plans. With luck this prevents recurrence of issues which lead to successful attacks by Chinese and Russian spies.
Lee Neely
Many good initiatives, especially nice to see 'integrating cybersecurity performance into the senior leadership team's compensation plans.' Back in 2003 or so, having product managers' compensation impacted by security performance really seemed to put the walk behind the talk after Bill Gates's 2002 'Security is Job 1' all-company email. Don't be fooled, though, by all the big numbers in the report. For example, having the equivalent of 34,000 full time employees focused on security is still only 15% of Microsoft's headcount. Higher than average, but probably not that high for the world's second-largest software vendor who is obviously one of the top attacker targets.
John Pescatore
Culture is inculcated over decades. Like quality, it is difficult to patch on. Shipping early in hopes of patching in necessary quality later is fundamental to Microsoft's identity. Getting to doing it "right the first time" from there will be a stretch.
William Hugh Murray
Read more in
Microsoft: Securing our future: September 2024 progress update on Microsoft's Secure Future Initiative (SFI)
Microsoft: Secure Future Initiative | September 2024 progress report (PDF)
Axios: Microsoft improves government account safety after China hack
The Register: So how's Microsoft's Secure Future Initiative going?
The Verge: Microsoft's largest ever security transformation detailed in new report