Wednesday, Oct. 2, 2024, 7:46 p.m.
Business / Fri, 03 May 2024 SecurityWeek

Microsoft Overhauls Cybersecurity Strategy After Scathing CSRB Report


In the wake of a scathing US government report that condemned Microsoft’s weak cybersecurity practices and lax corporate culture, security chief Charlie Bell is pledging significant reforms and a strategic shift to prioritize security above all other product features.

“This is job number one for us,” Bell said in his first public comments since the Cyber Safety Review Board (CSRB) called public attention to “a cascade of avoidable Microsoft errors” that led to one of the most daring APT attacks in history.

“We must and will do more. We are making security our top priority at Microsoft, above all else — over all other features,” Bell declared, announcing plans to add Deputy CISOs into each product team and link a portion of senior leaders’ paychecks to progress on security milestones and goals.

In addition, engineering teams across Microsoft Azure, Windows, Microsoft 365, and Security have begun what Bell refers to as “engineering waves” to prioritize security enhancements and remediation within an expanded Secure Future Initiative (SFI).

The initiative, first announced in November 2023 ahead of the CSRB investigation, promises faster cloud patches, better management of identity signing keys and products with a higher default security bar.

Bell, who took control of security at Microsoft in 2021 after a stint running security at AWS, said Redmond will expand the scope of the security-themed initiative to adopt recommendations from the CSRB report and will add technical controls to reduce unauthorized access and lock down its corporate infrastructure.

Bell said Microsoft will implement state-of-the-art standards for identity and secrets management, including hardware-protected key rotations and phishing-resistant multi-factor authentication for all user accounts.

Microsoft also committed to beefing up the protection of its network and tenant environments; removing all entity lateral movement pivots between tenants, environments, and clouds; and ensuring only secure, managed, healthy devices are granted access to Microsoft tenants. The new strategy will also place an emphasis on protecting Microsoft’s production networks and systems by improving isolation, monitoring, inventory, and secure operations.


In addition, Bell said Microsoft plans to build and maintain an inventory of software assets used to deploy and operate Microsoft products and services, and to ensure that access to source code and engineering systems infrastructure is secured through Zero Trust and least-privilege access policies.
