Microsoft Secure Future Initiative: Drum roll
Introduction
Many of our readers (at least those with some white hairs) will remember the famous email from Bill Gates to all Microsoft employees, back in 2002, prioritizing security over any other feature within the Seattle-based technology giant.
That email, entitled “Trustworthy Computing”, was a paradigm shift: it made secure development a priority throughout the company and changed the more or less widespread view among Microsoft users that its software contained many bugs and design problems that made it unstable.
More than 20 years on, Microsoft has been forced to make a similar communication, this time through CEO Satya Nadella, following a series of high-profile incidents that have again damaged Microsoft's reputation and led many cyber security experts around the world to question its security culture and posture.
In this article we will review the incidents that have led to this new security drumbeat at Microsoft, how it may affect the maintenance of legacy systems (a policy deeply rooted in Microsoft's culture), and what we believe are the key points of this new statement.
What is the Microsoft SFI - Secure Future Initiative?
Microsoft launched the Secure Future Initiative in November 2023 to prepare for the growing scale and high impact of cyberattacks. SFI brings together all parts of Microsoft to advance cyber security protection across the company and its products. An article published this May details the acceleration and extension of SFI within the company following recommendations received by the U.S. State Department's cyber security committee. The image below is a brief summary of this new turn of the screw.

The SFI plan is based on these three security principles:
- Secure by design: Security comes first when designing any product or service.
- Secure by default: Security protections are enabled and enforced by default, require no additional effort, and are not optional.
- Secure operations: Security controls and monitoring will be continuously improved to address current and future threats.
Its impact is summed up in this powerful phrase that Nadella himself repeats in his email to his more than 200,000 employees:
We are making security our top priority at Microsoft, above anything else.
Response to recent attacks suffered by Microsoft
It is clear that this acceleration of the SFI plan is in response to several high-impact incidents suffered by Microsoft in the recent past.
- 2021: Several attackers targeted Microsoft Exchange servers with 0-day exploits in early 2021, allowing them to access email accounts and install malware on servers hosted by several companies.
- 2023: A group of Chinese attackers, known as Storm-0588, gained access to U.S. government emails by exploiting a flaw in Microsoft's cloud.
- 2024: The group behind the SolarWinds incident, known as Midnight Blizzard, was able to spy on the email accounts of some members of Microsoft's senior leadership team last year and even stole source code in early 2024.
Legacy systems support vs. security
In the interesting email from Microsoft's CEO (which we obviously recommend reading to anyone interested in delving deeper into this topic), we single out one sentence that may lead to significant changes in Microsoft's culture and policy as they stand today.
This will, in some cases, mean prioritizing security over other things we do, such as releasing new features or providing continuous support for legacy systems.
Microsoft's commitment to supporting legacy systems is well known in the industry. It is something many of its competitors do not treat with such courtesy, and it often hinders, or at least slows down, Microsoft's ability to deliver software. We may be seeing a shift on that front.
How to ensure the implementation of the SFI plan? - The wallet?
Among the action items Nadella lists to ensure proper implementation of the new security prioritization approach, one sentence catches the eye:
We will also foster accountability by basing part of the senior leadership team's compensation on our progress toward meeting our security plans and milestones.
In other words, beyond the pillars of the plan described in his article, Microsoft is willing to make a strong bid to ensure its proper execution by tying part of its leadership's compensation to progress against the milestones of the SFI plan.
We believe that this statement will undoubtedly generate internal interest in the company... "you can't play with your bread and butter".
Conclusions
Microsoft is clear that trust is a fundamental pillar for its customers, and with this new email to all its employees it "refreshes" that importance and focus, following that famous email from Bill Gates at the beginning of the 21st century.
Trust is a thankless quality: like muscle, it is gained ounce by ounce but lost very quickly if it is eroded or neglected.
That Microsoft has once again adopted security as a top priority is great news for customers, as the move will drive companies to compete on which of them is more secure.
Will we see, in the near future, companies openly touting their security as an advantage in earnings presentations? Perhaps that is too much to dream...