Nadella's company-wide memo emphasized a clear directive to prioritize security above all else, even if it means sacrificing other objectives, The Verge reported on Friday. He emphasized the need to prioritize protection against cyber threats over initiatives such as rolling out new features or maintaining old systems.
The directive comes as Microsoft announced a series of proactive measures aimed at strengthening its defenses against hacking. These efforts include tying a portion of senior leaders' compensation to achieving cybersecurity goals and integrating cyber experts into product development teams.
Microsoft's cybersecurity efforts have come under increased scrutiny following its involvement in several high-profile security breaches. A government committee recently characterized the company's security practices as inadequate and in need of urgent reform. In response, Microsoft announced the Secure Future Initiative in November, its most significant security strategy since co-founder Bill Gates prioritized product safety over new features in 2002.
Read the full memo here:
“Today, I want to talk about something important to our future: putting security above all else.
Microsoft operates on trust, and our success depends on earning and maintaining trust. We have a unique opportunity and responsibility to build the most secure and trusted platform on which the world innovates.
Recent findings by the Department of Homeland Security Cyber Security Review Board (CSRB) regarding Storm-0558 cyberattacks since summer 2023 highlight the seriousness of the threats facing us and our customers and emphasize our responsibility to protect against these increasingly sophisticated attackers.
Last November, we launched the Secure Future Initiative (SFI) with this responsibility in mind, bringing together all departments within the company to advance cybersecurity protections across both new products and traditional infrastructure. I am proud of this initiative and appreciate the hard work that went into making it happen. But we must and will do more than that.
Going forward, we will commit our entire organization to SFI and further strengthen this commitment with an approach based on three core principles:
• Secure by design: Security is a top priority when designing products and services.
• Secure by default: Security protections are enabled and enforced by default, require no special effort, and are not optional.
• Secure operations: Security controls and monitoring are continually improved to address current and future threats.
These principles govern all aspects of the SFI pillars: protecting identities and secrets, protecting tenants and separating operational systems, securing networks, securing engineering systems, monitoring and detecting threats, and accelerating response and remediation. We have shared specific company-wide actions associated with each of these pillars, including those recommended in the CSRB report. You can read more about this here. Microsoft brings together the entire company to implement and enforce these standards, guidelines, and requirements, which serve as an additional factor in hiring and compensation decisions. Additionally, ensure accountability by basing your senior leadership team's compensation in part on security plans and progress towards meeting milestones.
We must approach this challenge with both technical and operational rigor and a focus on continuous improvement. Every task we undertake, from the line of code to the processes of our customers and partners, is an opportunity to strengthen the security of ourselves and our entire ecosystem. This includes learning from your enemies and their abilities becoming increasingly sophisticated, like we did in Midnight Blizzard. And we learn from the trillions of unique signals we constantly monitor to strengthen our overall posture. This also includes stronger and more structured collaboration across the public and private sectors.
Security is a team sport, and accelerating SFI is not just the security team's top job, it's everyone's top priority and our customers' top needs.
When faced with a trade-off between security and another priority, the answer is clear. It's about running security. In some cases, this means prioritizing security over other duties, such as releasing new features or providing continued support for legacy systems. This is key to improving both the quality and functionality of our platform, protecting our customers' digital assets, and building a safer world for everyone.
Satya.”
Microsoft's recent issues
In recent years, Microsoft has grappled with a series of security challenges. In early 2021, Chinese government hackers exploited a zero-day vulnerability in Microsoft Exchange servers to compromise email accounts and install malware on servers used by many companies.
Additionally, Chinese hackers broke into US government email last year through a Microsoft Cloud exploit.
More recently, Russian state-sponsored hackers known as Nobelium or Midnight Blizzard, following their involvement in the SolarWinds incident, breached the email accounts of certain senior Microsoft executives earlier this year and even stole source code.